209 files changed, 2166 insertions, 1319 deletions
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index 53066013d..fc74640d4 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md | |||
@@ -22,7 +22,8 @@ _Describe the bug_ | |||
22 | 22 | ||
23 | _Steps to reproduce the behavior_ | 23 | _Steps to reproduce the behavior_ |
24 | 24 | ||
25 | 1. Run in bash `LC_ALL=C firejail PROGRAM` (`LC_ALL=C` to get a consistent output in English that can be understood by everybody) | 25 | 1. Run in bash `LC_ALL=C firejail PROGRAM` (`LC_ALL=C` to get a consistent |
26 | output in English that can be understood by everybody) | ||
26 | 2. Click on '....' | 27 | 2. Click on '....' |
27 | 3. Scroll down to '....' | 28 | 3. Scroll down to '....' |
28 | 4. See error `ERROR` | 29 | 4. See error `ERROR` |
@@ -37,7 +38,8 @@ _What actually happened_ | |||
37 | 38 | ||
38 | ### Behavior without a profile | 39 | ### Behavior without a profile |
39 | 40 | ||
40 | _What changed calling `LC_ALL=C firejail --noprofile /path/to/program` in a terminal?_ | 41 | _What changed calling `LC_ALL=C firejail --noprofile /path/to/program` in a |
42 | terminal?_ | ||
41 | 43 | ||
42 | ### Additional context | 44 | ### Additional context |
43 | 45 | ||
@@ -47,7 +49,8 @@ _Any other detail that may help to understand/debug the problem_ | |||
47 | 49 | ||
48 | - Linux distribution and version (e.g. "Ubuntu 20.04" or "Arch Linux") | 50 | - Linux distribution and version (e.g. "Ubuntu 20.04" or "Arch Linux") |
49 | - Firejail version (`firejail --version`). | 51 | - Firejail version (`firejail --version`). |
50 | - If you use a development version of firejail, also the commit from which it was compiled (`git rev-parse HEAD`). | 52 | - If you use a development version of firejail, also the commit from which it |
53 | was compiled (`git rev-parse HEAD`). | ||
51 | 54 | ||
52 | ### Checklist | 55 | ### Checklist |
53 | 56 | ||
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md index a723cdbde..ce1b70e39 100644 --- a/.github/ISSUE_TEMPLATE/feature_request.md +++ b/.github/ISSUE_TEMPLATE/feature_request.md | |||
@@ -4,6 +4,7 @@ about: Suggest an idea for this project | |||
4 | title: '' | 4 | title: '' |
5 | labels: '' | 5 | labels: '' |
6 | assignees: '' | 6 | assignees: '' |
7 | |||
7 | --- | 8 | --- |
8 | 9 | ||
9 | ### Is your feature request related to a problem? Please describe. | 10 | ### Is your feature request related to a problem? Please describe. |
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 3c256dd87..4a7998e87 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md | |||
@@ -1,17 +1,21 @@ | |||
1 | If your PR isn't about profiles or you have no idea how to do one of these, skip the following and go ahead with this PR. | 1 | If your PR isn't about profiles or you have no idea how to do one of these, |
2 | skip the following and go ahead with this PR. | ||
2 | 3 | ||
3 | If you submit a PR for new profiles or changing profiles, please do the following: | 4 | If you submit a PR for new profiles or changing profiles, please do the |
4 | - The ordering of options follow the rules described in [/usr/share/doc/firejail/profile.template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template). | 5 | following: |
5 | > Hint: The profile-template is very new. If you install firejail with your package manager, it may be missing. In order to follow the latest rules, it is recommended to use the template from the repository. | ||
6 | - Order the arguments of options alphabetically. You can easily do this with [sort.py](https://github.com/netblue30/firejail/tree/master/contrib/sort.py). | ||
7 | The path to it depends on your distro: | ||
8 | 6 | ||
9 | | Distro | Path | | 7 | - The ordering of options follow the rules described in |
10 | | ------ | ---- | | 8 | [etc/templates/profile.template](../blob/master/etc/templates/profile.template) |
11 | | Arch/Fedora | `/usr/lib64/firejail/sort.py` | | 9 | (/usr/share/doc/firejail/profile.template when installed). |
12 | | Debian/Ubuntu/Mint | `/usr/lib/x86_64-linux-gnu/firejail/sort.py` | | 10 | - Order the arguments of options alphabetically. You can easily do this with |
13 | | local git clone | `contrib/sort.py` | | 11 | [sort.py](../blob/master/contrib/sort.py). |
14 | 12 | ||
15 | Note also that the sort.py script exists only since firejail `0.9.61`. | 13 | The path to it depends on your distro: |
16 | 14 | ||
17 | See also [CONTRIBUTING.md](/CONTRIBUTING.md). | 15 | | Distro | Path | |
16 | | ------ | ---- | | ||
17 | | Arch/Fedora | `/usr/lib64/firejail/sort.py` | | ||
18 | | Debian/Ubuntu/Mint | `/usr/lib/x86_64-linux-gnu/firejail/sort.py` | | ||
19 | | local git clone | `contrib/sort.py` | | ||
20 | |||
21 | See also [CONTRIBUTING.md](../blob/master/CONTRIBUTING.md). | ||
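Review bot: the links rewritten from absolute GitHub URLs to `../blob/master/...` (hunk lines 8, 11 and 21 of the new file) resolve relative to whichever page renders the template, so they work on the new-pull-request compare page but 404 when the template file itself is viewed in the repository browser, where GitHub resolves relative links against the file's own directory (`.github/`). Consider keeping absolute URLs for the repository links, or state in the commit message that the template is only expected to be rendered on the compare page. The hint that the profile template may be missing from distro packages and the note that `sort.py` only exists since firejail `0.9.61` are also dropped without replacement, which is only fine if those older versions are no longer supported for contributions.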
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index f7d0bb479..c812e4572 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml | |||
@@ -2,7 +2,6 @@ name: Build-extra CI | |||
2 | 2 | ||
3 | on: | 3 | on: |
4 | push: | 4 | push: |
5 | branches: [ master ] | ||
6 | paths-ignore: | 5 | paths-ignore: |
7 | - '.github/ISSUE_TEMPLATE/*' | 6 | - '.github/ISSUE_TEMPLATE/*' |
8 | - 'contrib/syntax/**' | 7 | - 'contrib/syntax/**' |
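Review bot: dropping `branches: [ master ]` from the `push` trigger (old line 5) makes this workflow run on pushes to every branch, including branches pushed to the main repository for a pull request, which then also get a `pull_request` run of the same commit; the same change is made to `build.yml`, `codeql-analysis.yml` and `profile-checks.yml` in this commit. That is a reasonable choice if the intent is CI on feature branches, but it doubles the load for in-repo PR branches; a `concurrency` group keyed on the ref, or keeping the filter on `push` only, would avoid the duplicate runs, and the commit message should state the intent either way.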
@@ -12,6 +11,7 @@ on: | |||
12 | - .git-blame-ignore-revs | 11 | - .git-blame-ignore-revs |
13 | - .github/dependabot.yml | 12 | - .github/dependabot.yml |
14 | - .github/pull_request_template.md | 13 | - .github/pull_request_template.md |
14 | - .github/workflows/build.yml | ||
15 | - .github/workflows/codeql-analysis.yml | 15 | - .github/workflows/codeql-analysis.yml |
16 | - .github/workflows/profile-checks.yml | 16 | - .github/workflows/profile-checks.yml |
17 | - .gitignore | 17 | - .gitignore |
@@ -24,7 +24,6 @@ on: | |||
24 | - SECURITY.md | 24 | - SECURITY.md |
25 | - src/firecfg/firecfg.config | 25 | - src/firecfg/firecfg.config |
26 | pull_request: | 26 | pull_request: |
27 | branches: [ master ] | ||
28 | paths-ignore: | 27 | paths-ignore: |
29 | - '.github/ISSUE_TEMPLATE/*' | 28 | - '.github/ISSUE_TEMPLATE/*' |
30 | - 'contrib/syntax/**' | 29 | - 'contrib/syntax/**' |
@@ -34,6 +33,7 @@ on: | |||
34 | - .git-blame-ignore-revs | 33 | - .git-blame-ignore-revs |
35 | - .github/dependabot.yml | 34 | - .github/dependabot.yml |
36 | - .github/pull_request_template.md | 35 | - .github/pull_request_template.md |
36 | - .github/workflows/build.yml | ||
37 | - .github/workflows/codeql-analysis.yml | 37 | - .github/workflows/codeql-analysis.yml |
38 | - .github/workflows/profile-checks.yml | 38 | - .github/workflows/profile-checks.yml |
39 | - .gitignore | 39 | - .gitignore |
@@ -54,17 +54,23 @@ jobs: | |||
54 | runs-on: ubuntu-22.04 | 54 | runs-on: ubuntu-22.04 |
55 | steps: | 55 | steps: |
56 | - name: Harden Runner | 56 | - name: Harden Runner |
57 | uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 | 57 | uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 |
58 | with: | 58 | with: |
59 | egress-policy: block | 59 | egress-policy: block |
60 | allowed-endpoints: > | 60 | allowed-endpoints: > |
61 | azure.archive.ubuntu.com:80 | 61 | azure.archive.ubuntu.com:80 |
62 | github.com:443 | 62 | github.com:443 |
63 | - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c | 63 | - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab |
64 | - name: update package information | ||
65 | run: sudo apt-get update | ||
64 | - name: install dependencies | 66 | - name: install dependencies |
65 | run: sudo apt-get install libapparmor-dev libselinux1-dev | 67 | run: sudo apt-get install libapparmor-dev libselinux1-dev |
68 | - name: print env | ||
69 | run: ./ci/printenv.sh | ||
66 | - name: configure | 70 | - name: configure |
67 | run: CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor --enable-selinux | 71 | run: > |
72 | CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor | ||
73 | --enable-selinux | ||
68 | - name: make | 74 | - name: make |
69 | run: make | 75 | run: make |
70 | - name: make install | 76 | - name: make install |
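Review bot: the `harden-runner` and `actions/checkout` pins (hunk lines 57 and 63) are bumped to new commit hashes with no comment saying which release tag each hash corresponds to, so a reviewer has to look each one up to confirm it is a tagged release rather than an arbitrary commit; please add the tag as a trailing comment, e.g. `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # <tag>`, the way Dependabot annotates hash pins, and do the same in the other jobs and workflows touched by this commit. The added `apt-get update` before `apt-get install` (hunk lines 64-65) is a good fix: the runner image's package lists can be stale and the install step would otherwise fail on a 404 from the mirror. The folded `run: >` blocks join their lines with single spaces, so the split `./configure` invocation is equivalent to the old one-liner.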
@@ -75,63 +81,80 @@ jobs: | |||
75 | runs-on: ubuntu-22.04 | 81 | runs-on: ubuntu-22.04 |
76 | steps: | 82 | steps: |
77 | - name: Harden Runner | 83 | - name: Harden Runner |
78 | uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 | 84 | uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 |
79 | with: | 85 | with: |
80 | egress-policy: block | 86 | egress-policy: block |
81 | allowed-endpoints: > | 87 | allowed-endpoints: > |
82 | azure.archive.ubuntu.com:80 | 88 | azure.archive.ubuntu.com:80 |
83 | github.com:443 | 89 | github.com:443 |
84 | - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c | 90 | - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab |
91 | - name: update package information | ||
92 | run: sudo apt-get update | ||
85 | - name: install clang-tools-14 and dependencies | 93 | - name: install clang-tools-14 and dependencies |
86 | run: sudo apt-get install clang-tools-14 libapparmor-dev libselinux1-dev | 94 | run: sudo apt-get install clang-tools-14 libapparmor-dev libselinux1-dev |
95 | - name: print env | ||
96 | run: ./ci/printenv.sh | ||
87 | - name: configure | 97 | - name: configure |
88 | run: CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor --enable-selinux | 98 | run: > |
99 | CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor | ||
100 | --enable-selinux | ||
89 | - name: scan-build | 101 | - name: scan-build |
90 | run: NO_EXTRA_CFLAGS="yes" scan-build-14 --status-bugs make | 102 | run: NO_EXTRA_CFLAGS="yes" scan-build-14 --status-bugs make |
91 | cppcheck: | 103 | cppcheck: |
92 | runs-on: ubuntu-22.04 | 104 | runs-on: ubuntu-22.04 |
93 | steps: | 105 | steps: |
94 | - name: Harden Runner | 106 | - name: Harden Runner |
95 | uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 | 107 | uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 |
96 | with: | 108 | with: |
97 | egress-policy: block | 109 | egress-policy: block |
98 | allowed-endpoints: > | 110 | allowed-endpoints: > |
99 | azure.archive.ubuntu.com:80 | 111 | azure.archive.ubuntu.com:80 |
100 | github.com:443 | 112 | github.com:443 |
101 | - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c | 113 | - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab |
114 | - name: update package information | ||
115 | run: sudo apt-get update | ||
102 | - name: install cppcheck | 116 | - name: install cppcheck |
103 | run: sudo apt-get install cppcheck | 117 | run: sudo apt-get install cppcheck |
118 | - run: cppcheck --version | ||
104 | - name: cppcheck | 119 | - name: cppcheck |
105 | run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance -i src/firejail/checkcfg.c -i src/firejail/main.c . | 120 | run: > |
106 | # new cppcheck version currently chokes on checkcfg.c and main.c, therefore scan all files also | 121 | cppcheck -q --force --error-exitcode=1 --enable=warning,performance |
107 | # with older cppcheck version from ubuntu 20.04. | 122 | -i src/firejail/checkcfg.c -i src/firejail/main.c . |
123 | # new cppcheck version currently chokes on checkcfg.c and main.c, therefore | ||
124 | # scan all files also with older cppcheck version from ubuntu 20.04. | ||
108 | cppcheck_old: | 125 | cppcheck_old: |
109 | runs-on: ubuntu-20.04 | 126 | runs-on: ubuntu-20.04 |
110 | steps: | 127 | steps: |
111 | - name: Harden Runner | 128 | - name: Harden Runner |
112 | uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 | 129 | uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 |
113 | with: | 130 | with: |
114 | egress-policy: block | 131 | egress-policy: block |
115 | allowed-endpoints: > | 132 | allowed-endpoints: > |
116 | azure.archive.ubuntu.com:80 | 133 | azure.archive.ubuntu.com:80 |
117 | github.com:443 | 134 | github.com:443 |
118 | - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c | 135 | - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab |
136 | - name: update package information | ||
137 | run: sudo apt-get update | ||
119 | - name: install cppcheck | 138 | - name: install cppcheck |
120 | run: sudo apt-get install cppcheck | 139 | run: sudo apt-get install cppcheck |
140 | - run: cppcheck --version | ||
121 | - name: cppcheck | 141 | - name: cppcheck |
122 | run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance . | 142 | run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance . |
123 | codespell: | 143 | codespell: |
124 | runs-on: ubuntu-22.04 | 144 | runs-on: ubuntu-22.04 |
125 | steps: | 145 | steps: |
126 | - name: Harden Runner | 146 | - name: Harden Runner |
127 | uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 | 147 | uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 |
128 | with: | 148 | with: |
129 | egress-policy: block | 149 | egress-policy: block |
130 | allowed-endpoints: > | 150 | allowed-endpoints: > |
131 | azure.archive.ubuntu.com:80 | 151 | azure.archive.ubuntu.com:80 |
132 | github.com:443 | 152 | github.com:443 |
133 | - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c | 153 | - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab |
154 | - name: update package information | ||
155 | run: sudo apt-get update | ||
134 | - name: install dependencies | 156 | - name: install dependencies |
135 | run: sudo apt-get install codespell | 157 | run: sudo apt-get install codespell |
158 | - run: codespell --version | ||
136 | - name: codespell | 159 | - name: codespell |
137 | run: make codespell | 160 | run: make codespell |
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9f2072c74..e896ba8e0 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml | |||
@@ -2,12 +2,12 @@ name: Build CI | |||
2 | 2 | ||
3 | on: | 3 | on: |
4 | push: | 4 | push: |
5 | branches: [ master ] | ||
6 | paths-ignore: | 5 | paths-ignore: |
7 | - '.github/ISSUE_TEMPLATE/*' | 6 | - '.github/ISSUE_TEMPLATE/*' |
8 | - .git-blame-ignore-revs | 7 | - .git-blame-ignore-revs |
9 | - .github/dependabot.yml | 8 | - .github/dependabot.yml |
10 | - .github/pull_request_template.md | 9 | - .github/pull_request_template.md |
10 | - .github/workflows/build-extra.yml | ||
11 | - .github/workflows/codeql-analysis.yml | 11 | - .github/workflows/codeql-analysis.yml |
12 | - .github/workflows/profile-checks.yml | 12 | - .github/workflows/profile-checks.yml |
13 | - .gitignore | 13 | - .gitignore |
@@ -19,12 +19,12 @@ on: | |||
19 | - RELNOTES | 19 | - RELNOTES |
20 | - SECURITY.md | 20 | - SECURITY.md |
21 | pull_request: | 21 | pull_request: |
22 | branches: [ master ] | ||
23 | paths-ignore: | 22 | paths-ignore: |
24 | - '.github/ISSUE_TEMPLATE/*' | 23 | - '.github/ISSUE_TEMPLATE/*' |
25 | - .git-blame-ignore-revs | 24 | - .git-blame-ignore-revs |
26 | - .github/dependabot.yml | 25 | - .github/dependabot.yml |
27 | - .github/pull_request_template.md | 26 | - .github/pull_request_template.md |
27 | - .github/workflows/build-extra.yml | ||
28 | - .github/workflows/codeql-analysis.yml | 28 | - .github/workflows/codeql-analysis.yml |
29 | - .github/workflows/profile-checks.yml | 29 | - .github/workflows/profile-checks.yml |
30 | - .gitignore | 30 | - .gitignore |
@@ -42,58 +42,58 @@ permissions: # added using https://github.com/step-security/secure-workflows | |||
42 | jobs: | 42 | jobs: |
43 | build_and_test: | 43 | build_and_test: |
44 | runs-on: ubuntu-22.04 | 44 | runs-on: ubuntu-22.04 |
45 | env: | ||
46 | SHELL: /bin/bash | ||
45 | steps: | 47 | steps: |
46 | - name: Harden Runner | 48 | - name: Harden Runner |
47 | uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 | 49 | uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 |
48 | with: | 50 | with: |
49 | egress-policy: block | 51 | egress-policy: block |
50 | allowed-endpoints: > | 52 | allowed-endpoints: > |
53 | 1.1.1.1:1025 | ||
51 | azure.archive.ubuntu.com:80 | 54 | azure.archive.ubuntu.com:80 |
52 | debian.org:80 | 55 | debian.org:80 |
56 | dns.quad9.net:53 | ||
53 | github.com:443 | 57 | github.com:443 |
54 | packages.microsoft.com:443 | 58 | packages.microsoft.com:443 |
55 | ppa.launchpadcontent.net:443 | 59 | ppa.launchpadcontent.net:443 |
60 | whois.pir.org:43 | ||
56 | www.debian.org:443 | 61 | www.debian.org:443 |
57 | www.debian.org:80 | 62 | www.debian.org:80 |
58 | yahoo.com:1025 | 63 | yahoo.com:1025 |
59 | - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c | 64 | - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab |
60 | - name: update package information | 65 | - name: update package information |
61 | run: sudo apt-get update | 66 | run: sudo apt-get update |
62 | - name: install dependencies | 67 | - name: install dependencies |
63 | run: sudo apt-get install gcc-12 libapparmor-dev libselinux1-dev expect xzdec whois bridge-utils | 68 | run: > |
69 | sudo apt-get install | ||
70 | gcc-12 libapparmor-dev libselinux1-dev expect xzdec whois | ||
71 | bridge-utils | ||
72 | - name: print env | ||
73 | run: ./ci/printenv.sh | ||
64 | - name: configure | 74 | - name: configure |
65 | run: CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings --enable-analyzer --enable-apparmor --enable-selinux | 75 | run: > |
76 | CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings | ||
77 | --enable-analyzer --enable-apparmor --enable-selinux | ||
66 | - name: make | 78 | - name: make |
67 | run: make | 79 | run: make |
68 | - name: make install | 80 | - name: make install |
69 | run: sudo make install | 81 | run: sudo make install |
70 | - name: print firejail version | 82 | - name: print firejail version |
71 | run: command -V firejail && firejail --version | 83 | run: command -V firejail && firejail --version |
72 | - name: lab setup | 84 | - run: make lab-setup |
73 | run: SHELL=/bin/bash make lab-setup | 85 | - run: make test-seccomp-extra |
74 | - name: run firecfg tests | 86 | - run: make test-firecfg |
75 | run: SHELL=/bin/bash make test-firecfg | 87 | - run: make test-capabilities |
76 | - name: run apparmor tests | 88 | - run: make test-apparmor |
77 | run: SHELL=/bin/bash make test-apparmor | 89 | - run: make test-appimage |
78 | - name: run network tests | 90 | - run: make test-chroot |
79 | run: SHELL=/bin/bash make test-network | 91 | - run: make test-sysutils |
80 | - name: run appimage tests | 92 | - run: make test-private-etc |
81 | run: SHELL=/bin/bash make test-appimage | 93 | - run: make test-profiles |
82 | - name: run chroot tests | 94 | - run: make test-fcopy |
83 | run: SHELL=/bin/bash make test-chroot | 95 | - run: make test-fnetfilter |
84 | - name: run sysutils tests | 96 | - run: make test-fs |
85 | run: SHELL=/bin/bash make test-sysutils | 97 | - run: make test-utils |
86 | - name: run private-etc tests | 98 | - run: make test-environment |
87 | run: SHELL=/bin/bash make test-private-etc | 99 | - run: make test-network |
88 | - name: run profile tests | ||
89 | run: SHELL=/bin/bash make test-profiles | ||
90 | - name: run fcopy tests | ||
91 | run: SHELL=/bin/bash make test-fcopy | ||
92 | - name: run fnetfilter tests | ||
93 | run: SHELL=/bin/bash make test-fnetfilter | ||
94 | - name: run fs tests | ||
95 | run: SHELL=/bin/bash make test-fs | ||
96 | - name: run utils tests | ||
97 | run: SHELL=/bin/bash make test-utils | ||
98 | - name: run environment tests | ||
99 | run: SHELL=/bin/bash make test-environment | ||
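Review bot: the `allowed-endpoints` list gains `1.1.1.1:1025`, `dns.quad9.net:53` and `whois.pir.org:43` (hunk lines 53, 56 and 60 of the new file) with no indication of which test needs which endpoint; since this list is the egress allow-list enforced by `egress-policy: block`, each entry should carry a short comment naming the test target that uses it (`make test-network`, `make test-utils`, ...) so that entries can be removed when the test changes, and the pre-existing `yahoo.com:1025` and `debian.org:80` entries would benefit from the same. Moving `SHELL: /bin/bash` into a job-level `env:` (hunk lines 45-46) is equivalent to the per-step `SHELL=/bin/bash` prefixes it replaces and also covers the newly added `make test-seccomp-extra` and `make test-capabilities` steps; note that dropping the `name:` keys means the Actions UI will show the raw `make ...` command as the step name, which is arguably clearer. The two new test targets are added without mention in the surrounding change, so the commit message should say they are new coverage rather than a reorder.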
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index edf8dad19..68f14d729 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml | |||
@@ -7,7 +7,6 @@ name: "CodeQL" | |||
7 | 7 | ||
8 | on: | 8 | on: |
9 | push: | 9 | push: |
10 | branches: [ master ] | ||
11 | paths-ignore: | 10 | paths-ignore: |
12 | - '.github/ISSUE_TEMPLATE/*' | 11 | - '.github/ISSUE_TEMPLATE/*' |
13 | - 'contrib/syntax/**' | 12 | - 'contrib/syntax/**' |
@@ -17,6 +16,8 @@ on: | |||
17 | - .git-blame-ignore-revs | 16 | - .git-blame-ignore-revs |
18 | - .github/dependabot.yml | 17 | - .github/dependabot.yml |
19 | - .github/pull_request_template.md | 18 | - .github/pull_request_template.md |
19 | - .github/workflows/build-extra.yml | ||
20 | - .github/workflows/build.yml | ||
20 | - .github/workflows/profile-checks.yml | 21 | - .github/workflows/profile-checks.yml |
21 | - .gitignore | 22 | - .gitignore |
22 | - .gitlab-ci.yml | 23 | - .gitlab-ci.yml |
@@ -28,8 +29,6 @@ on: | |||
28 | - SECURITY.md | 29 | - SECURITY.md |
29 | - src/firecfg/firecfg.config | 30 | - src/firecfg/firecfg.config |
30 | pull_request: | 31 | pull_request: |
31 | # The branches below must be a subset of the branches above | ||
32 | branches: [ master ] | ||
33 | paths-ignore: | 32 | paths-ignore: |
34 | - '.github/ISSUE_TEMPLATE/*' | 33 | - '.github/ISSUE_TEMPLATE/*' |
35 | - 'contrib/syntax/**' | 34 | - 'contrib/syntax/**' |
@@ -39,6 +38,8 @@ on: | |||
39 | - .git-blame-ignore-revs | 38 | - .git-blame-ignore-revs |
40 | - .github/dependabot.yml | 39 | - .github/dependabot.yml |
41 | - .github/pull_request_template.md | 40 | - .github/pull_request_template.md |
41 | - .github/workflows/build-extra.yml | ||
42 | - .github/workflows/build.yml | ||
42 | - .github/workflows/profile-checks.yml | 43 | - .github/workflows/profile-checks.yml |
43 | - .gitignore | 44 | - .gitignore |
44 | - .gitlab-ci.yml | 45 | - .gitlab-ci.yml |
@@ -74,21 +75,25 @@ jobs: | |||
74 | 75 | ||
75 | steps: | 76 | steps: |
76 | - name: Harden Runner | 77 | - name: Harden Runner |
77 | uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 | 78 | uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 |
78 | with: | 79 | with: |
79 | disable-sudo: true | 80 | disable-sudo: true |
80 | egress-policy: block | 81 | egress-policy: block |
81 | allowed-endpoints: > | 82 | allowed-endpoints: > |
82 | api.github.com:443 | 83 | api.github.com:443 |
83 | github.com:443 | 84 | github.com:443 |
85 | objects.githubusercontent.com:443 | ||
84 | uploads.github.com:443 | 86 | uploads.github.com:443 |
85 | 87 | ||
86 | - name: Checkout repository | 88 | - name: Checkout repository |
87 | uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c | 89 | uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab |
90 | |||
91 | - name: print env | ||
92 | run: ./ci/printenv.sh | ||
88 | 93 | ||
89 | # Initializes the CodeQL tools for scanning. | 94 | # Initializes the CodeQL tools for scanning. |
90 | - name: Initialize CodeQL | 95 | - name: Initialize CodeQL |
91 | uses: github/codeql-action/init@32dc499307d133bb5085bae78498c0ac2cf762d5 | 96 | uses: github/codeql-action/init@29b1f65c5e92e24fe6b6647da1eaabe529cec70f |
92 | with: | 97 | with: |
93 | languages: ${{ matrix.language }} | 98 | languages: ${{ matrix.language }} |
94 | # If you wish to specify custom queries, you can do so here or in a config file. | 99 | # If you wish to specify custom queries, you can do so here or in a config file. |
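Review bot: `objects.githubusercontent.com:443` (hunk line 85 of the new file) is added to the egress allow-list of a job that runs with `disable-sudo: true` and `egress-policy: block`; the reason is presumably the CodeQL bundle download performed by the bumped `github/codeql-action/init` pin on hunk line 96, but nothing in the hunk says so, and a comment next to the endpoint would keep the allow-list auditable. The `print env` step (hunk lines 91-92) runs `./ci/printenv.sh` before CodeQL initialises, which is fine as long as the script only prints and does not need sudo in this job. The three `codeql-action` pins (init here, autobuild and analyze in the following hunks) are bumped to the same hash, which is correct; as with the other workflows, a trailing tag comment on each would make the pin verifiable at a glance.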
@@ -99,7 +104,7 @@ jobs: | |||
99 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). | 104 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). |
100 | # If this step fails, then you should remove it and run the build manually (see below) | 105 | # If this step fails, then you should remove it and run the build manually (see below) |
101 | - name: Autobuild | 106 | - name: Autobuild |
102 | uses: github/codeql-action/autobuild@32dc499307d133bb5085bae78498c0ac2cf762d5 | 107 | uses: github/codeql-action/autobuild@29b1f65c5e92e24fe6b6647da1eaabe529cec70f |
103 | 108 | ||
104 | # ℹ️ Command-line programs to run using the OS shell. | 109 | # ℹ️ Command-line programs to run using the OS shell. |
105 | # 📚 https://git.io/JvXDl | 110 | # 📚 https://git.io/JvXDl |
@@ -113,4 +118,4 @@ jobs: | |||
113 | # make release | 118 | # make release |
114 | 119 | ||
115 | - name: Perform CodeQL Analysis | 120 | - name: Perform CodeQL Analysis |
116 | uses: github/codeql-action/analyze@32dc499307d133bb5085bae78498c0ac2cf762d5 | 121 | uses: github/codeql-action/analyze@29b1f65c5e92e24fe6b6647da1eaabe529cec70f |
diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml index 97e5378fd..8500481cd 100644 --- a/.github/workflows/profile-checks.yml +++ b/.github/workflows/profile-checks.yml | |||
@@ -2,7 +2,6 @@ name: Profile Checks | |||
2 | 2 | ||
3 | on: | 3 | on: |
4 | push: | 4 | push: |
5 | branches: [ master ] | ||
6 | paths: | 5 | paths: |
7 | - 'ci/check/profiles/**' | 6 | - 'ci/check/profiles/**' |
8 | - 'etc/**' | 7 | - 'etc/**' |
@@ -10,7 +9,6 @@ on: | |||
10 | - contrib/sort.py | 9 | - contrib/sort.py |
11 | - src/firecfg/firecfg.config | 10 | - src/firecfg/firecfg.config |
12 | pull_request: | 11 | pull_request: |
13 | branches: [ master ] | ||
14 | paths: | 12 | paths: |
15 | - 'ci/check/profiles/**' | 13 | - 'ci/check/profiles/**' |
16 | - 'etc/**' | 14 | - 'etc/**' |
@@ -26,20 +24,32 @@ jobs: | |||
26 | runs-on: ubuntu-latest | 24 | runs-on: ubuntu-latest |
27 | steps: | 25 | steps: |
28 | - name: Harden Runner | 26 | - name: Harden Runner |
29 | uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 | 27 | uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 |
30 | with: | 28 | with: |
31 | disable-sudo: true | 29 | disable-sudo: true |
32 | egress-policy: block | 30 | egress-policy: block |
33 | allowed-endpoints: > | 31 | allowed-endpoints: > |
34 | github.com:443 | 32 | github.com:443 |
35 | 33 | ||
36 | - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c | 34 | - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab |
35 | - name: print env | ||
36 | run: ./ci/printenv.sh | ||
37 | - run: python3 --version | ||
38 | |||
37 | # - name: sort.py | 39 | # - name: sort.py |
38 | # run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile | 40 | # run: > |
41 | # ./ci/check/profiles/sort.py | ||
42 | # etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile | ||
39 | # Currently broken (see #5610) | 43 | # Currently broken (see #5610) |
40 | # - name: private-etc-always-required.sh | 44 | # - name: private-etc-always-required.sh |
41 | # run: ./ci/check/profiles/private-etc-always-required.sh etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile | 45 | # run: > |
46 | # ./ci/check/profiles/private-etc-always-required.sh | ||
47 | # etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile | ||
42 | - name: sort-disable-programs.sh | 48 | - name: sort-disable-programs.sh |
43 | run: ./ci/check/profiles/sort-disable-programs.sh etc/inc/disable-programs.inc | 49 | run: > |
50 | ./ci/check/profiles/sort-disable-programs.sh | ||
51 | etc/inc/disable-programs.inc | ||
44 | - name: sort-firecfg.config.sh | 52 | - name: sort-firecfg.config.sh |
45 | run: ./ci/check/profiles/sort-firecfg.config.sh src/firecfg/firecfg.config | 53 | run: > |
54 | ./ci/check/profiles/sort-firecfg.config.sh | ||
55 | src/firecfg/firecfg.config | ||
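Review bot: the `# Currently broken (see #5610)` comment on hunk line 43 of the new file now sits between two commented-out steps after the `sort.py` step was re-wrapped into a folded `run: >` block, so it is no longer obvious whether it refers to `sort.py` above it or to `private-etc-always-required.sh` below it; move the comment directly above the step it describes. The new `- run: python3 --version` step (hunk line 37) logs a Python version that no active step in this job uses while `sort.py` stays disabled, which is harmless but worth a word in the commit message if it is preparation for re-enabling the check. The brace expansion `etc/{profile-a-l,profile-m-z}/*.profile` in the commented-out commands relies on the default `bash` shell of GitHub-hosted runners; keep that in mind if the check is re-enabled with a different `shell:`.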
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 6dcb40e67..38d121c49 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml | |||
@@ -5,21 +5,33 @@ | |||
5 | # and fedora:latest for new setups | 5 | # and fedora:latest for new setups |
6 | # 3. Alpine for installing directly from source | 6 | # 3. Alpine for installing directly from source |
7 | # Also builds apparmor package for Ubuntu LTS | 7 | # Also builds apparmor package for Ubuntu LTS |
8 | |||
8 | build_ubuntu_package: | 9 | build_ubuntu_package: |
9 | image: ubuntu:rolling | 10 | image: ubuntu:rolling |
10 | script: | 11 | script: |
11 | - apt-get update -qq | 12 | - apt-get update -qq |
12 | - DEBIAN_FRONTEND=noninteractive apt-get install -y -qq build-essential lintian libapparmor-dev pkg-config python3 gawk | 13 | - > |
13 | - ./configure && make deb && dpkg -i firejail*.deb | 14 | DEBIAN_FRONTEND=noninteractive apt-get install -y -qq |
15 | build-essential lintian libapparmor-dev pkg-config python3 gawk | ||
16 | - ./ci/printenv.sh | ||
17 | - ./configure | ||
18 | - make deb | ||
19 | - dpkg -i firejail*.deb | ||
14 | - command -V firejail && firejail --version | 20 | - command -V firejail && firejail --version |
15 | - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc | 21 | # - python3 --version |
22 | # - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc | ||
16 | 23 | ||
17 | build_debian_package: | 24 | build_debian_package: |
18 | image: debian:stretch | 25 | image: debian:buster |
19 | script: | 26 | script: |
20 | - apt-get update -qq | 27 | - apt-get update -qq |
21 | - apt-get install -y -qq build-essential lintian libapparmor-dev pkg-config gawk | 28 | - > |
22 | - ./configure && make deb && dpkg -i firejail*.deb | 29 | apt-get install -y -qq |
30 | build-essential lintian libapparmor-dev pkg-config gawk | ||
31 | - ./ci/printenv.sh | ||
32 | - ./configure | ||
33 | - make deb | ||
34 | - dpkg -i firejail*.deb | ||
23 | - command -V firejail && firejail --version | 35 | - command -V firejail && firejail --version |
24 | 36 | ||
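Review bot: the `python3 contrib/sort.py ...` profile check is commented out in `build_ubuntu_package` (hunk lines 21-22 of the new file) with no explanation, which silently removes a check from the GitLab pipeline; if it is disabled for the same reason as the `# Currently broken (see #5610)` note in the GitHub profile-checks workflow, say so in a comment next to it so that it is not forgotten, and the same applies to the identical change in the fedora and alpine jobs below. Splitting `./configure && make deb && dpkg -i firejail*.deb` into separate `script:` lines (hunk lines 17-19) keeps the fail-fast behaviour because GitLab aborts the job on the first failing line, and it makes the failing step visible in the log, so that part is an improvement. The `debian:stretch` to `debian:buster` image bump (hunk line 25) is needed since stretch no longer receives updates, but it changes which toolchain the `.deb` is built against, which the commit message should note.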
25 | build_redhat_package: | 37 | build_redhat_package: |
@@ -27,7 +39,10 @@ build_redhat_package: | |||
27 | script: | 39 | script: |
28 | - dnf update -y | 40 | - dnf update -y |
29 | - dnf install -y rpm-build gcc make | 41 | - dnf install -y rpm-build gcc make |
30 | - ./configure --prefix=/usr && make rpms && rpm -i firejail*.rpm | 42 | - ./ci/printenv.sh |
43 | - ./configure --prefix=/usr | ||
44 | - make rpms | ||
45 | - rpm -i firejail*.rpm | ||
31 | - command -V firejail && firejail --version | 46 | - command -V firejail && firejail --version |
32 | 47 | ||
33 | build_fedora_package: | 48 | build_fedora_package: |
@@ -35,9 +50,13 @@ build_fedora_package: | |||
35 | script: | 50 | script: |
36 | - dnf update -y | 51 | - dnf update -y |
37 | - dnf install -y rpm-build gcc make | 52 | - dnf install -y rpm-build gcc make |
38 | - ./configure --prefix=/usr && make rpms && rpm -i firejail*.rpm | 53 | - ./ci/printenv.sh |
54 | - ./configure --prefix=/usr | ||
55 | - make rpms | ||
56 | - rpm -i firejail*.rpm | ||
39 | - command -V firejail && firejail --version | 57 | - command -V firejail && firejail --version |
40 | - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc | 58 | # - python3 --version |
59 | # - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc | ||
41 | 60 | ||
42 | build_src_package: | 61 | build_src_package: |
43 | image: alpine:latest | 62 | image: alpine:latest |
@@ -45,16 +64,26 @@ build_src_package: | |||
45 | - apk update | 64 | - apk update |
46 | - apk upgrade | 65 | - apk upgrade |
47 | - apk add build-base linux-headers python3 gawk | 66 | - apk add build-base linux-headers python3 gawk |
48 | - ./configure --prefix=/usr && make && make install-strip | 67 | - ./ci/printenv.sh |
68 | - ./configure --prefix=/usr | ||
69 | - make | ||
70 | - make install-strip | ||
49 | - command -V firejail && firejail --version | 71 | - command -V firejail && firejail --version |
50 | # - python3 contrib/sort.py etc/*.{profile,inc} | 72 | # - python3 --version |
73 | # - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc | ||
51 | 74 | ||
52 | build_no_apparmor: | 75 | build_no_apparmor: |
53 | image: ubuntu:latest | 76 | image: ubuntu:latest |
54 | script: | 77 | script: |
55 | - apt-get update -qq | 78 | - apt-get update -qq |
56 | - DEBIAN_FRONTEND=noninteractive apt-get install -y -qq build-essential lintian pkg-config gawk | 79 | - > |
57 | - ./configure && make dist && ./mkdeb.sh --disable-apparmor && dpkg -i firejail*.deb | 80 | DEBIAN_FRONTEND=noninteractive apt-get install -y -qq |
81 | build-essential lintian pkg-config gawk | ||
82 | - ./ci/printenv.sh | ||
83 | - ./configure | ||
84 | - make dist | ||
85 | - ./mkdeb.sh --disable-apparmor | ||
86 | - dpkg -i firejail*.deb | ||
58 | - command -V firejail && firejail --version | 87 | - command -V firejail && firejail --version |
59 | - firejail --version | grep -F 'AppArmor support is disabled' | 88 | - firejail --version | grep -F 'AppArmor support is disabled' |
60 | 89 | ||
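Review bot: in `build_src_package` the `sort.py` step is still only a comment (now with the updated glob paths), yet `apk add build-base linux-headers python3 gawk` keeps installing python3 solely for it; either re-enable the step or drop `python3` from the package list so the job installs only what it uses. The `- >` folded block for the `apt-get install` line in `build_no_apparmor` is fine, since folding joins the two lines with a single space.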
@@ -64,20 +93,36 @@ debian_ci: | |||
64 | DEBFULLNAME: "$GITLAB_USER_NAME" | 93 | DEBFULLNAME: "$GITLAB_USER_NAME" |
65 | DEBEMAIL: "$GITLAB_USER_EMAIL" | 94 | DEBEMAIL: "$GITLAB_USER_EMAIL" |
66 | before_script: | 95 | before_script: |
67 | - git checkout -B ci_build $CI_COMMIT_SHA | 96 | - git checkout -B ci_build "$CI_COMMIT_SHA" |
68 | - gitlab-ci-enable-sid | 97 | - gitlab-ci-enable-sid |
69 | - gitlab-ci-enable-experimental | 98 | - gitlab-ci-enable-experimental |
70 | - echo "deb-src http://deb.debian.org/debian sid main" >> /etc/apt/sources.list | 99 | - | |
71 | - echo "deb-src http://deb.debian.org/debian experimental main" >> /etc/apt/sources.list | 100 | cat >>/etc/apt/sources.list <<EOF |
101 | deb-src http://deb.debian.org/debian sid main | ||
102 | deb-src http://deb.debian.org/debian experimental main | ||
103 | EOF | ||
72 | - apt-get update | 104 | - apt-get update |
73 | - git config user.email "$GITLAB_USER_NAME" && git config user.name "$GITLAB_USER_EMAIL" | 105 | - git config user.name "$DEBFULLNAME" |
74 | - cd $CI_PROJECT_DIR/.. && (apt-get source --download-only -t experimental firejail || apt-get source --download-only firejail) | 106 | - git config user.email "$DEBEMAIL" |
75 | - cd $CI_PROJECT_DIR && tar xf ../firejail_*.debian.tar.* | 107 | - | |
108 | cd "$CI_PROJECT_DIR/.." | ||
109 | apt-get source --download-only -t experimental firejail || | ||
110 | apt-get source --download-only firejail | ||
111 | - | | ||
112 | cd "$CI_PROJECT_DIR" | ||
113 | tar xf ../firejail_*.debian.tar.* | ||
76 | - rm -rf debian/patches/ | 114 | - rm -rf debian/patches/ |
77 | - VERSION=$(grep ^PACKAGE_VERSION= configure | cut -d"'" -f2) && dch -v ${VERSION}-0.1~ci "Non-maintainer upload." && git archive -o ../firejail_${VERSION}.orig.tar.gz HEAD && pristine-tar commit ../firejail_${VERSION}.orig.tar.gz ci_build && git branch -m pristine-tar origin/pristine-tar | 115 | - | |
78 | - git add debian && git commit -m "add debian/" | 116 | VERSION="$(grep ^PACKAGE_VERSION= configure | cut -d "'" -f 2)" |
79 | - export CI_COMMIT_SHA=$(git rev-parse HEAD) | 117 | dch -v "${VERSION}-0.1~ci" 'Non-maintainer upload.' |
118 | git archive -o "../firejail_${VERSION}.orig.tar.gz" HEAD | ||
119 | pristine-tar commit "../firejail_${VERSION}.orig.tar.gz" ci_build | ||
120 | git branch -m pristine-tar origin/pristine-tar | ||
121 | - git add debian | ||
122 | - git commit -m 'add debian/' | ||
123 | - export CI_COMMIT_SHA="$(git rev-parse HEAD)" | ||
80 | script: | 124 | script: |
81 | - apt-get --no-install-recommends install -y -qq gawk | 125 | - apt-get --no-install-recommends install -y -qq gawk |
126 | - ./ci/printenv.sh | ||
82 | - gitlab-ci-git-buildpackage | 127 | - gitlab-ci-git-buildpackage |
83 | - gitlab-ci-lintian | 128 | - gitlab-ci-lintian |
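Review bot: the `- |` literal blocks replace the old `&&` chains with plain newlines, so whether a failing `dch -v "${VERSION}-0.1~ci" 'Non-maintainer upload.'` or `pristine-tar commit` still aborts the job now depends on the runner executing the block under `set -e`; start each block with `set -e` (or keep `&&` between the commands inside the block) so the short-circuit is explicit rather than implied. Separately, `git config user.name "$DEBFULLNAME"` / `git config user.email "$DEBEMAIL"` fixes the crossed assignment in the removed line (user.email was given `$GITLAB_USER_NAME` and user.name `$GITLAB_USER_EMAIL`), which is a behaviour change worth calling out in the commit message.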
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 76d3e709b..1ae293264 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md | |||
@@ -1,38 +1,58 @@ | |||
1 | # Contributing | ||
2 | |||
1 | Welcome to firejail, and thank you for your interest in contributing! | 3 | Welcome to firejail, and thank you for your interest in contributing! |
2 | 4 | ||
3 | # Opening an issue: | 5 | ## Opening an issue |
4 | We welcome issues, whether to ask a question, provide information, request a new profile or | 6 | |
5 | feature, or to report a suspected bug or problem. | 7 | We welcome issues, whether to ask a question, provide information, request a |
8 | new profile or feature, or to report a suspected bug or problem. | ||
9 | |||
10 | If you want to request a program profile that we don't already have, please add | ||
11 | a comment in our dedicated issue: | ||
6 | 12 | ||
7 | If you want to request a program profile that we don't already have, please add a comment in | 13 | - [Profile requests](https://github.com/netblue30/firejail/issues/1139) |
8 | our [dedicated issue](https://github.com/netblue30/firejail/issues/1139). | ||
9 | 14 | ||
10 | When submitting a bug report, please provide the following information so that | 15 | When submitting a bug report, please provide the following information so that |
11 | we can handle the report more easily: | 16 | we can handle the report more easily: |
12 | - firejail version. If you're not sure, open a terminal and type `firejail --version`. | 17 | |
18 | - firejail version. If you're not sure, open a terminal and type `firejail | ||
19 | --version`. | ||
13 | - Linux distribution (so that we can try to reproduce it, if necessary). | 20 | - Linux distribution (so that we can try to reproduce it, if necessary). |
14 | - If you know that the problem did not exist in an earlier version of firejail, please mention it. | 21 | - If you know that the problem did not exist in an earlier version of firejail, |
15 | - If you are reporting that a program does not work with firejail, please also run firejail with | 22 | please mention it. |
16 | the `--noprofile` argument. | 23 | - If you are reporting that a program does not work with firejail, please also |
17 | For example, if `firejail firefox` does not work, please also run `firejail --noprofile firefox` and | 24 | run firejail with the `--noprofile` argument. For example, if `firejail |
18 | let us know if it runs correctly or not. | 25 | firefox` does not work, please also run `firejail --noprofile firefox` and |
19 | - You may also try disabling various options provided in `/etc/firejail/<ProgramName.profile>` until you find out which one causes problems. It will significantly help to find solution for your issue. | 26 | let us know if it runs correctly or not. |
20 | 27 | - You may also try disabling various options provided in | |
21 | Please note: if you are running Debian, Ubuntu, Linux Mint, or another related | 28 | `/etc/firejail/<ProgramName.profile>` until you find out which one causes |
29 | problems. It will significantly help in finding a solution for your issue. | ||
30 | |||
31 | Please note: If you are running Debian, Ubuntu, Linux Mint, or another related | ||
22 | distribution and you installed firejail from your distro's repositories, please | 32 | distribution and you installed firejail from your distro's repositories, please |
23 | ensure that **both** of the following were installed: | 33 | ensure that **all** of the following packages were installed: |
24 | `firejail` and `firejail-profiles`. A common source of issues is that | 34 | |
25 | firejail-profiles was not installed when installing firejail. | 35 | - firejail |
36 | - firejail-profiles | ||
26 | 37 | ||
27 | We take security bugs very seriously. If you believe you have found one, please report it by | 38 | A common source of issues is that firejail-profiles was not installed when |
28 | emailing us at netblue30@protonmail.com | 39 | installing firejail. |
40 | |||
41 | ## Security vulnerabilities | ||
42 | |||
43 | See [SECURITY.md](SECURITY.md). | ||
44 | |||
45 | ## Opening a pull request | ||
29 | 46 | ||
30 | # Opening an pull request: | ||
31 | Pull requests with enhancements, bugfixes or new profiles are very welcome. | 47 | Pull requests with enhancements, bugfixes or new profiles are very welcome. |
32 | 48 | ||
33 | If you want to write a new profile, the easiest way to do this is to use the | 49 | If you want to write a new profile, the easiest way to do this is to use the |
34 | [profile template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template). | 50 | profile template: |
35 | If you have already written a profile, please make sure it follows the rules described in the template. | 51 | |
52 | - [etc/templates/profile.template](etc/templates/profile.template) | ||
53 | |||
54 | If you have already written a profile, please make sure it follows the rules | ||
55 | described in the template. | ||
36 | 56 | ||
37 | If you add a new command, here's the checklist: | 57 | If you add a new command, here's the checklist: |
38 | 58 | ||
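Review bot: `See [SECURITY.md](SECURITY.md).` replaces the reporting e-mail, so a SECURITY.md must exist at the repository root for the link to resolve; it does not appear in the hunks shown here, so confirm it is added in this same change (README.md below makes the identical replacement). Also, the profile template link now uses the relative path `etc/templates/profile.template`, which renders on GitHub but not when CONTRIBUTING.md is read from a release tarball or a mirror; the absolute URL that was removed was more portable.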
@@ -41,6 +61,7 @@ If you add a new command, here's the checklist: | |||
41 | - [ ] Update syntax files (run `make syntax` or just `make`) | 61 | - [ ] Update syntax files (run `make syntax` or just `make`) |
42 | - [ ] Update --help | 62 | - [ ] Update --help |
43 | 63 | ||
44 | # Editing the wiki | 64 | ## Editing the wiki |
45 | 65 | ||
46 | You are highly encouraged to add your own tips and tricks to the [wiki](https://github.com/netblue30/firejail/wiki). | 66 | You are highly encouraged to add your own tips and tricks to the |
67 | [wiki](https://github.com/netblue30/firejail/wiki). | ||
@@ -314,7 +314,7 @@ mkman.sh \ | |||
314 | platform \ | 314 | platform \ |
315 | src | 315 | src |
316 | 316 | ||
317 | DISTFILES_TEST = test/Makefile test/apps test/apps-x11 test/apps-x11-xorg test/private-lib test/fnetfilter test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils | 317 | DISTFILES_TEST = test/Makefile test/apps test/apps-x11 test/apps-x11-xorg test/capabilities test/private-lib test/fnetfilter test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils |
318 | 318 | ||
319 | .PHONY: dist | 319 | .PHONY: dist |
320 | dist: config.mk | 320 | dist: config.mk |
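Review bot: `test/capabilities` is added to `DISTFILES_TEST`, but `test/seccomp-extra`, which the `TESTS` list in the next hunk of this Makefile also adds, is not; add it here too so `make dist` ships both new test directories and `make test-seccomp-extra` works from a release tarball.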
@@ -364,11 +364,15 @@ scan-build: clean | |||
364 | codespell: clean | 364 | codespell: clean |
365 | codespell --ignore-regex "UE|creat|shotcut|ether" src test | 365 | codespell --ignore-regex "UE|creat|shotcut|ether" src test |
366 | 366 | ||
367 | .PHONY: print-env | ||
368 | print-env: | ||
369 | ./ci/printenv.sh | ||
370 | |||
367 | # | 371 | # |
368 | # make test | 372 | # make test |
369 | # | 373 | # |
370 | 374 | ||
371 | TESTS=profiles apps apps-x11 apps-x11-xorg sysutils utils environment filters fs fcopy fnetfilter private-etc | 375 | TESTS=profiles capabilities apps apps-x11 apps-x11-xorg sysutils utils environment filters fs fcopy fnetfilter private-etc seccomp-extra |
372 | TEST_TARGETS=$(patsubst %,test-%,$(TESTS)) | 376 | TEST_TARGETS=$(patsubst %,test-%,$(TESTS)) |
373 | 377 | ||
374 | $(TEST_TARGETS): | 378 | $(TEST_TARGETS): |
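Review bot: the new `print-env` target runs `./ci/printenv.sh`, so the `ci/` directory has to be part of `DISTFILES` for `make print-env` to work from a release tarball; the tail of `DISTFILES` visible in the previous hunk (`platform \`, `src`) does not show it, so check that it is listed. Declaring it `.PHONY` is correct since no file named `print-env` is produced.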
@@ -378,7 +382,7 @@ $(TEST_TARGETS): | |||
378 | # extract some data about the testing setup: kernel, network connectivity, user | 382 | # extract some data about the testing setup: kernel, network connectivity, user |
379 | lab-setup:; uname -r; ldd --version | grep GLIBC; pwd; whoami; ip addr show; cat /etc/resolv.conf; cat /etc/hosts; ls /etc | 383 | lab-setup:; uname -r; ldd --version | grep GLIBC; pwd; whoami; ip addr show; cat /etc/resolv.conf; cat /etc/hosts; ls /etc |
380 | 384 | ||
381 | test: lab-setup test-profiles test-fcopy test-fnetfilter test-fs test-private-etc test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters | 385 | test: lab-setup test-profiles test-fcopy test-fnetfilter test-fs test-private-etc test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-seccomp-extra |
382 | echo "TEST COMPLETE" | 386 | echo "TEST COMPLETE" |
383 | 387 | ||
384 | test-noprofiles: lab-setup test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters | 388 | test-noprofiles: lab-setup test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters |
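Review bot: `test-seccomp-extra` is appended to `test` but not to `test-noprofiles` on the following unchanged line; if the seccomp-extra tests do not depend on installed profiles (as `test-filters` evidently does not, since it is in both), add it to `test-noprofiles` as well so the two targets stay in step.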
@@ -1,13 +1,14 @@ | |||
1 | Firejail is a SUID sandbox program that reduces the risk of security | 1 | Firejail is a SUID sandbox program that reduces the risk of security breaches |
2 | breaches by restricting the running environment of untrusted applications | 2 | by restricting the running environment of untrusted applications using Linux |
3 | using Linux namespaces and seccomp-bpf. It includes sandbox profiles for | 3 | namespaces and seccomp-bpf. |
4 | Iceweasel/Mozilla Firefox, Chromium, Midori, Opera, Evince, Transmission, | 4 | |
5 | VLC, Audacious, Clementine, Rhythmbox, Totem, Deluge, qBittorrent. | 5 | It includes sandbox profiles for many programs, including Iceweasel/Mozilla |
6 | DeaDBeeF, Dropbox, Empathy, FileZilla, IceCat, Thunderbird/Icedove, | 6 | Firefox, Chromium, Midori, Opera, Evince, Transmission, VLC, Audacious, |
7 | Pidgin, Quassel, and XChat. | 7 | Clementine, Rhythmbox, Totem, Deluge, qBittorrent, DeaDBeeF, Dropbox, Empathy, |
8 | FileZilla, IceCat, Thunderbird/Icedove, Pidgin, Quassel, and XChat. | ||
8 | 9 | ||
9 | Firejail also expands the restricted shell facility found in bash by adding | 10 | Firejail also expands the restricted shell facility found in bash by adding |
10 | Linux namespace support. It supports sandboxing specific users upon login. | 11 | Linux namespace support. It supports sandboxing specific users upon login. |
11 | 12 | ||
12 | Download: https://sourceforge.net/projects/firejail/files/ | 13 | Download: https://sourceforge.net/projects/firejail/files/ |
13 | Build and install: ./configure && make && sudo make install | 14 | Build and install: ./configure && make && sudo make install |
@@ -17,30 +18,33 @@ Backup Video Channel: https://www.bitchute.com/profile/JSBsA1aoQVfW/ | |||
17 | Development: https://github.com/netblue30/firejail | 18 | Development: https://github.com/netblue30/firejail |
18 | License: GPL v2 | 19 | License: GPL v2 |
19 | 20 | ||
20 | Please report all security vulnerabilities at netblue30@protonmail.com | 21 | Please report all security vulnerabilities to: |
22 | |||
23 | * <netblue30@protonmail.com> | ||
21 | 24 | ||
22 | Compile and install mainline version from GitHub: | 25 | Compile and install the mainline version from GitHub: |
23 | 26 | ||
24 | $ git clone https://github.com/netblue30/firejail.git | 27 | git clone https://github.com/netblue30/firejail.git |
25 | $ cd firejail | 28 | cd firejail |
26 | $ ./configure && make && sudo make install-strip | 29 | ./configure && make && sudo make install-strip |
27 | 30 | ||
28 | On Debian/Ubuntu you will need to install git and gcc compiler. AppArmor | 31 | On Debian/Ubuntu you will need to install git and gcc. AppArmor development |
29 | development libraries and pkg-config are required when using --enable-apparmor | 32 | libraries and pkg-config are required when using the --enable-apparmor |
30 | ./configure option: | 33 | ./configure option: |
31 | 34 | ||
32 | $ sudo apt-get install git build-essential libapparmor-dev pkg-config gawk | 35 | sudo apt-get install git build-essential libapparmor-dev pkg-config gawk |
33 | 36 | ||
34 | For --selinux option, add libselinux1-dev (libselinux-devel for Fedora). | 37 | For --selinux option, add libselinux1-dev (libselinux-devel for Fedora). |
35 | 38 | ||
36 | We build our release firejail.tar.xz and firejail.deb packages using the following command: | 39 | We build our release firejail.tar.xz and firejail.deb packages using the |
37 | $ make distclean && ./configure && make deb | 40 | following commands: |
38 | 41 | ||
42 | make distclean && ./configure && make deb | ||
39 | 43 | ||
40 | Maintainer: | 44 | Maintainer: |
41 | - netblue30 (netblue30@protonmail.com) | 45 | - netblue30 (netblue30@protonmail.com) |
42 | 46 | ||
43 | Committers | 47 | Committers: |
44 | - chiraag-nataraj (https://github.com/chiraag-nataraj) | 48 | - chiraag-nataraj (https://github.com/chiraag-nataraj) |
45 | - crass (https://github.com/crass) | 49 | - crass (https://github.com/crass) |
46 | - ChrysoliteAzalea (https://github.com/ChrysoliteAzalea) | 50 | - ChrysoliteAzalea (https://github.com/ChrysoliteAzalea) |
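Review bot: this README still lists the vulnerability-reporting address inline (`* <netblue30@protonmail.com>`) while CONTRIBUTING.md and README.md in the same change now defer to SECURITY.md; consider pointing here to SECURITY.md as well so the contact is maintained in one place and cannot drift. Dropping the `$ ` prompts from the build commands is a good change, since the lines can now be pasted as-is.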
@@ -55,15 +59,16 @@ Committers | |||
55 | - rusty-snake (https://github.com/rusty-snake) | 59 | - rusty-snake (https://github.com/rusty-snake) |
56 | - smitsohu (https://github.com/smitsohu) | 60 | - smitsohu (https://github.com/smitsohu) |
57 | - SkewedZeppelin (https://github.com/SkewedZeppelin) | 61 | - SkewedZeppelin (https://github.com/SkewedZeppelin) |
58 | - startx2017 (https://github.com/startx2017) - LTS and *bugfixes branches maintainer) | 62 | - startx2017 (https://github.com/startx2017) - LTS and *bugfixes branches |
63 | maintainer) | ||
59 | - Topi Miettinen (https://github.com/topimiettinen) | 64 | - Topi Miettinen (https://github.com/topimiettinen) |
60 | - veloute (https://github.com/veloute) | 65 | - veloute (https://github.com/veloute) |
61 | - Vincent43 (https://github.com/Vincent43) | 66 | - Vincent43 (https://github.com/Vincent43) |
62 | - netblue30 (netblue30@protonmail.com) | 67 | - netblue30 (netblue30@protonmail.com) |
63 | 68 | ||
69 | --- | ||
64 | 70 | ||
65 | 71 | Firejail Authors (alphabetical order): | |
66 | Firejail Authors (alphabetical order) | ||
67 | 72 | ||
68 | 0x7969 (https://github.com/0x7969) | 73 | 0x7969 (https://github.com/0x7969) |
69 | - fix wire-desktop.profile | 74 | - fix wire-desktop.profile |
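Review bot: the rewrapped `startx2017` entry keeps the stray closing parenthesis in `*bugfixes branches` / `maintainer)` with no matching opening one; since the line is being touched anyway, either drop the `)` or write it as `(LTS and *bugfixes branches maintainer)`.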
@@ -313,7 +318,8 @@ curiosityseeker (https://github.com/curiosityseeker - new) | |||
313 | - updated keypassxc profile | 318 | - updated keypassxc profile |
314 | - added syscalls.sh, which determine the necessary syscalls for a program | 319 | - added syscalls.sh, which determine the necessary syscalls for a program |
315 | - fixed conky profile | 320 | - fixed conky profile |
316 | - thunderbird.profile: harden and enable the rules necessary to make Firefox open links | 321 | - thunderbird.profile: harden and enable the rules necessary to make |
322 | Firefox open links | ||
317 | da2x (https://github.com/da2x) | 323 | da2x (https://github.com/da2x) |
318 | - matched RPM license tag | 324 | - matched RPM license tag |
319 | Daan Bakker (https://github.com/dbakker) | 325 | Daan Bakker (https://github.com/dbakker) |
@@ -358,7 +364,8 @@ Disconnect3d (https://github.com/disconnect3d) | |||
358 | dm9pZCAq (https://github.com/dm9pZCAq) | 364 | dm9pZCAq (https://github.com/dm9pZCAq) |
359 | - fix for compilation under musl | 365 | - fix for compilation under musl |
360 | dmfreemon (https://github.com/dmfreemon) | 366 | dmfreemon (https://github.com/dmfreemon) |
361 | - add sandbox name or name of private directory to the window title when xpra is used | 367 | - add sandbox name or name of private directory to the window title |
368 | when xpra is used | ||
362 | - handle malloc() failures; use gnu_basename() instead of basenaem() | 369 | - handle malloc() failures; use gnu_basename() instead of basenaem() |
363 | Dmitriy Chestnykh (https://github.com/chestnykh) | 370 | Dmitriy Chestnykh (https://github.com/chestnykh) |
364 | - add ability to disable user profiles at compile time | 371 | - add ability to disable user profiles at compile time |
@@ -720,6 +727,7 @@ Manuel Dipolt (https://github.com/xeniter) | |||
720 | - stack alignment for the ARM Architecture | 727 | - stack alignment for the ARM Architecture |
721 | Marek Küthe (https://github.com/marek22k) | 728 | Marek Küthe (https://github.com/marek22k) |
722 | - allow loading plugins in gajim | 729 | - allow loading plugins in gajim |
730 | - allow bsfilter in email-common.profile | ||
723 | Martin Carpenter (https://github.com/mcarpenter) | 731 | Martin Carpenter (https://github.com/mcarpenter) |
724 | - security audit and bug fixes | 732 | - security audit and bug fixes |
725 | - Centos 6.x support | 733 | - Centos 6.x support |
@@ -780,6 +788,8 @@ Neo00001 (https://github.com/Neo00001) | |||
780 | - update telegram profile | 788 | - update telegram profile |
781 | - add spectacle profile | 789 | - add spectacle profile |
782 | - add kdiff3 profile | 790 | - add kdiff3 profile |
791 | Neotamandua (https://github.com/Neotamandua) | ||
792 | - add Discord PTB profile | ||
783 | netcarver (https://github.com/netcarver) | 793 | netcarver (https://github.com/netcarver) |
784 | - prevent access to LUKS keyfile | 794 | - prevent access to LUKS keyfile |
785 | NetSysFire (https://github.com/NetSysFire) | 795 | NetSysFire (https://github.com/NetSysFire) |
@@ -1027,7 +1037,8 @@ soredake (https://github.com/soredake) | |||
1027 | - add localtime to private-etc to make qtox show correct time | 1037 | - add localtime to private-etc to make qtox show correct time |
1028 | - fixes for the keepassxc 2.2.5 version | 1038 | - fixes for the keepassxc 2.2.5 version |
1029 | SkewedZeppelin (https://github.com/SkewedZeppelin) | 1039 | SkewedZeppelin (https://github.com/SkewedZeppelin) |
1030 | - added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5 profiles | 1040 | - added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, |
1041 | Lollypop, MultiMC5 profiles | ||
1031 | - added PDFSam, Pithos, and Xonotic profiles | 1042 | - added PDFSam, Pithos, and Xonotic profiles |
1032 | - disabled Go, Rust, and OpenSSL in disable-devel.conf | 1043 | - disabled Go, Rust, and OpenSSL in disable-devel.conf |
1033 | - added dino profile | 1044 | - added dino profile |
@@ -1045,7 +1056,8 @@ SkewedZeppelin (https://github.com/SkewedZeppelin) | |||
1045 | - added IntelliJ IDEA and Android Studio profiles | 1056 | - added IntelliJ IDEA and Android Studio profiles |
1046 | - added arm profile | 1057 | - added arm profile |
1047 | - lots of profile improvements/tightening | 1058 | - lots of profile improvements/tightening |
1048 | - added apktool, baobab, dex2jar, gitg, hashcat, obs, picard, remmina, sdat2img, | 1059 | - added apktool, baobab, dex2jar, gitg, hashcat, obs, picard, remmina, |
1060 | sdat2img, | ||
1049 | soundconverter, sqlitebrowser, and truecraft profiles | 1061 | soundconverter, sqlitebrowser, and truecraft profiles |
1050 | - added gnome-twitch profile | 1062 | - added gnome-twitch profile |
1051 | - Unified all 341 profiles | 1063 | - Unified all 341 profiles |
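Review bot: the rewrap leaves `sdat2img,` alone on its own line while the following `soundconverter, sqlitebrowser, and truecraft profiles` line was not refilled, so the entry now spans three unevenly filled lines; reflow the whole entry as one paragraph so each line is filled to the wrap width like the other rewrapped entries in this file.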
@@ -1082,10 +1094,12 @@ SYN-cook (https://github.com/SYN-cook) | |||
1082 | - gnome-calculator changes | 1094 | - gnome-calculator changes |
1083 | startx2017 (https://github.com/startx2017) | 1095 | startx2017 (https://github.com/startx2017) |
1084 | - syscall list update | 1096 | - syscall list update |
1085 | - updated default seccomp filters - added bpf, clock_settime, personality, process_vm_writev, query_module, | 1097 | - updated default seccomp filters - added bpf, clock_settime, |
1086 | settimeofday, stime, umount, userfaultfd, ustat, vm86, and vm86old | 1098 | personality, process_vm_writev, query_module, settimeofday, stime, |
1099 | umount, userfaultfd, ustat, vm86, and vm86old | ||
1087 | - enable/disable join support in /etc/firejail/firejail.config | 1100 | - enable/disable join support in /etc/firejail/firejail.config |
1088 | - firecfg fix: create ~/.local/share/applications directory if it doesn't exist | 1101 | - firecfg fix: create ~/.local/share/applications directory if it |
1102 | doesn't exist | ||
1089 | - firejail.config cleanup | 1103 | - firejail.config cleanup |
1090 | - --quiet fixes | 1104 | - --quiet fixes |
1091 | - bugfixes branches maintainer | 1105 | - bugfixes branches maintainer |
@@ -1107,6 +1121,8 @@ thewisenerd (https://github.com/thewisenerd) | |||
1107 | - allow multiple private-home commands | 1121 | - allow multiple private-home commands |
1108 | - use $SHELL variable if the shell is not specified | 1122 | - use $SHELL variable if the shell is not specified |
1109 | - appimage: pass commandline arguments | 1123 | - appimage: pass commandline arguments |
1124 | Thijs Raymakers (https://github.com/ThijsRay) | ||
1125 | - keepassxc: Allow offering the Secret Service | ||
1110 | Thomas Jarosch (https://github.com/thomasjfox) | 1126 | Thomas Jarosch (https://github.com/thomasjfox) |
1111 | - disable keepassx in disable-passwdmgr.inc | 1127 | - disable keepassx in disable-passwdmgr.inc |
1112 | - added uudeview profile | 1128 | - added uudeview profile |
@@ -1245,10 +1261,9 @@ Zack Weinberg (https://github.com/zackw) | |||
1245 | - wait_for_other function rewrite | 1261 | - wait_for_other function rewrite |
1246 | - Xvfb X11 server support | 1262 | - Xvfb X11 server support |
1247 | - Xvfb and Xephyr profiles, modified Xpra profile | 1263 | - Xvfb and Xephyr profiles, modified Xpra profile |
1248 | - support for sandboxing Xpra, Xvfb and Xephyr in independent sandboxes when started | 1264 | - support for sandboxing Xpra, Xvfb and Xephyr in independent sandboxes |
1249 | with firejail --x11 | 1265 | when started with firejail --x11 |
1250 | - support for xpra-extra-params in firejail.config | 1266 | - support for xpra-extra-params in firejail.config |
1251 | |||
1252 | zupatisc (https://github.com/zupatisc) | 1267 | zupatisc (https://github.com/zupatisc) |
1253 | - patch-util fix | 1268 | - patch-util fix |
1254 | 1269 | ||
@@ -1,79 +1,91 @@ | |||
1 | # Firejail | 1 | # Firejail |
2 | [![Build Status](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines/) | 2 | |
3 | [![CodeQL](https://github.com/netblue30/firejail/workflows/CodeQL/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACodeQL) | 3 | [![Build CI (GitLab)](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines) |
4 | [![Build CI](https://github.com/netblue30/firejail/workflows/Build%20CI/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3A%22Build+CI%22) | 4 | [![Build CI (GitHub)](https://github.com/netblue30/firejail/workflows/Build%20CI/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3A%22Build+CI%22) |
5 | [![Packaging status](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions) | 5 | [![CodeQL CI](https://github.com/netblue30/firejail/workflows/CodeQL/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACodeQL) |
6 | 6 | [![Packaging status (Repology)](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions) | |
7 | Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting | 7 | |
8 | the running environment of untrusted applications using Linux namespaces, seccomp-bpf | 8 | Firejail is a SUID sandbox program that reduces the risk of security breaches |
9 | and Linux capabilities. It allows a process and all its descendants to have their own private | 9 | by restricting the running environment of untrusted applications using Linux |
10 | view of the globally shared kernel resources, such as the network stack, process table, mount table. | 10 | namespaces, seccomp-bpf and Linux capabilities. It allows a process and all |
11 | Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux Control Groups. | 11 | its descendants to have their own private view of the globally shared kernel |
12 | 12 | resources, such as the network stack, process table, mount table. Firejail can | |
13 | Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel | 13 | work in a SELinux or AppArmor environment, and it is integrated with Linux |
14 | version or newer. It can sandbox any type of processes: servers, graphical applications, and even | 14 | Control Groups. |
15 | user login sessions. The software includes sandbox profiles for a number of more common Linux programs, | 15 | |
16 | Written in C with virtually no dependencies, the software runs on any Linux | ||
17 | computer with a 3.x kernel version or newer. It can sandbox any type of | ||
18 | processes: servers, graphical applications, and even user login sessions. The | ||
19 | software includes sandbox profiles for a number of more common Linux programs, | ||
16 | such as Mozilla Firefox, Chromium, VLC, Transmission etc. | 20 | such as Mozilla Firefox, Chromium, VLC, Transmission etc. |
17 | 21 | ||
18 | The sandbox is lightweight, the overhead is low. There are no complicated configuration files to edit, | 22 | The sandbox is lightweight, the overhead is low. There are no complicated |
19 | no socket connections open, no daemons running in the background. All security features are | 23 | configuration files to edit, no socket connections open, no daemons running in |
20 | implemented directly in Linux kernel and available on any Linux computer. | 24 | the background. All security features are implemented directly in Linux kernel |
25 | and available on any Linux computer. | ||
26 | |||
27 | ## Videos | ||
21 | 28 | ||
22 | <table><tr> | 29 | <table> |
30 | <tr> | ||
23 | 31 | ||
24 | <td> | 32 | <td> |
25 | <a href="https://odysee.com/@netblue30:9/firefox:c" target="_blank"> | 33 | <a href="https://odysee.com/@netblue30:9/firefox:c" target="_blank"> |
26 | <img src="https://thumbs.odycdn.com/acf4b1c66737feb97640fb1d28a7daa6.png" | 34 | <img src="https://thumbs.odycdn.com/acf4b1c66737feb97640fb1d28a7daa6.png" |
27 | alt="Advanced Browser Security" width="240" height="142" border="10" /><br/>Advanced Browser Security</a> | 35 | alt="Advanced Browser Security" width="240" height="142" border="10" /> |
36 | <br/>Advanced Browser Security | ||
37 | </a> | ||
28 | </td> | 38 | </td> |
29 | 39 | ||
30 | <td> | 40 | <td> |
31 | <a href="https://odysee.com/@netblue30:9/nonet:7" target="_blank"> | 41 | <a href="https://odysee.com/@netblue30:9/nonet:7" target="_blank"> |
32 | <img src="https://thumbs.odycdn.com/5be2964201c31689ee8f78cb9f35e89a.png" | 42 | <img src="https://thumbs.odycdn.com/5be2964201c31689ee8f78cb9f35e89a.png" |
33 | alt="How To Disable Network Access" width="240" height="142" border="10" /><br/>How To Disable Network Access</a> | 43 | alt="How To Disable Network Access" width="240" height="142" border="10" /> |
44 | <br/>How To Disable Network Access | ||
45 | </a> | ||
34 | </td> | 46 | </td> |
35 | 47 | ||
36 | <td> | 48 | <td> |
37 | <a href="https://odysee.com/@netblue30:9/divested:2" target="_blank"> | 49 | <a href="https://odysee.com/@netblue30:9/divested:2" target="_blank"> |
38 | <img src="https://thumbs.odycdn.com/f30ece33a6547af9ae48244f4ba73028.png" | 50 | <img src="https://thumbs.odycdn.com/f30ece33a6547af9ae48244f4ba73028.png" |
39 | alt="Deep Dive" width="240" height="142" border="10" /><br/>Deep Dive</a> | 51 | alt="Deep Dive" width="240" height="142" border="10" /> |
52 | <br/>Deep Dive | ||
53 | </a> | ||
40 | </td> | 54 | </td> |
41 | 55 | ||
42 | </tr></table> | 56 | </tr> |
43 | 57 | </table> | |
44 | Project webpage: https://firejail.wordpress.com/ | ||
45 | |||
46 | IRC: https://web.libera.chat/#firejail | ||
47 | |||
48 | Download and Installation: https://firejail.wordpress.com/download-2/ | ||
49 | |||
50 | Features: https://firejail.wordpress.com/features-3/ | ||
51 | |||
52 | Documentation: https://firejail.wordpress.com/documentation-2/ | ||
53 | 58 | ||
54 | FAQ: https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions | 59 | ## Links |
55 | 60 | ||
56 | Wiki: https://github.com/netblue30/firejail/wiki | 61 | * Project webpage: <https://firejail.wordpress.com/> |
57 | 62 | * IRC: <https://web.libera.chat/#firejail> | |
58 | GitLab-CI status: https://gitlab.com/Firejail/firejail_ci/pipelines/ | 63 | * Download and Installation: <https://firejail.wordpress.com/download-2/> |
59 | 64 | * Features: <https://firejail.wordpress.com/features-3/> | |
60 | Video Channel: https://odysee.com/@netblue30:9?order=new | 65 | * Documentation: <https://firejail.wordpress.com/documentation-2/> |
61 | 66 | * FAQ: <https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions> | |
62 | Backup Video Channel: https://www.bitchute.com/profile/JSBsA1aoQVfW/ | 67 | * Wiki: <https://github.com/netblue30/firejail/wiki> |
68 | * GitHub Actions: <https://github.com/netblue30/firejail/actions> | ||
69 | * GitLab CI: <https://gitlab.com/Firejail/firejail_ci/pipelines> | ||
70 | * Video Channel: <https://odysee.com/@netblue30:9?order=new> | ||
71 | * Backup Video Channel: <https://www.bitchute.com/profile/JSBsA1aoQVfW/> | ||
63 | 72 | ||
64 | ## Security vulnerabilities | 73 | ## Security vulnerabilities |
65 | 74 | ||
66 | We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@protonmail.com | 75 | See [SECURITY.md](SECURITY.md). |
67 | 76 | ||
68 | ## Installing | 77 | ## Installing |
69 | 78 | ||
70 | ### Debian | 79 | ### Debian |
71 | 80 | ||
72 | Debian stable (bullseye): We recommend to use the [backports](https://packages.debian.org/bullseye-backports/firejail) package. | 81 | Debian stable (bullseye): We recommend to use the |
82 | [backports](https://packages.debian.org/bullseye-backports/firejail) package. | ||
73 | 83 | ||
74 | ### Ubuntu | 84 | ### Ubuntu |
75 | 85 | ||
76 | For Ubuntu 18.04+ and derivatives (such as Linux Mint), users are **strongly advised** to use the [PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail). | 86 | For Ubuntu 18.04+ and derivatives (such as Linux Mint), users are **strongly |
87 | advised** to use the | ||
88 | [PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail). | ||
77 | 89 | ||
78 | How to add and install from the PPA: | 90 | How to add and install from the PPA: |
79 | 91 | ||
@@ -83,140 +95,200 @@ sudo apt-get update | |||
83 | sudo apt-get install firejail firejail-profiles | 95 | sudo apt-get install firejail firejail-profiles |
84 | ``` | 96 | ``` |
85 | 97 | ||
86 | Reason: The firejail package for Ubuntu 20.04 has been left vulnerable to CVE-2021-26910 for months after a patch for it was posted on Launchpad: | 98 | Reason: The firejail package for Ubuntu 20.04 has been left vulnerable to |
99 | CVE-2021-26910 for months after a patch for it was posted on Launchpad: | ||
87 | 100 | ||
88 | * [firejail version in Ubuntu 20.04 LTS is vulnerable to CVE-2021-26910](https://bugs.launchpad.net/ubuntu/+source/firejail/+bug/1916767) | 101 | * [CVE-2021-26910](https://github.com/advisories/GHSA-2q4h-h5jp-942w) |
102 | * [firejail version in Ubuntu 20.04 LTS is vulnerable to | ||
103 | CVE-2021-26910](https://bugs.launchpad.net/ubuntu/+source/firejail/+bug/1916767) | ||
89 | 104 | ||
90 | See also <https://wiki.ubuntu.com/SecurityTeam/FAQ>: | 105 | See also <https://wiki.ubuntu.com/SecurityTeam/FAQ>: |
91 | 106 | ||
92 | > What software is supported by the Ubuntu Security team? | 107 | > What software is supported by the Ubuntu Security team? |
93 | > | 108 | > |
94 | > Ubuntu is currently divided into four components: main, restricted, universe | 109 | > Ubuntu is currently divided into four components: main, restricted, universe |
95 | > and multiverse. All binary packages in main and restricted are supported by | 110 | > and multiverse. All binary packages in main and restricted are supported by |
96 | > the Ubuntu Security team for the life of an Ubuntu release, while binary | 111 | > the Ubuntu Security team for the life of an Ubuntu release, while binary |
97 | > packages in universe and multiverse are supported by the Ubuntu community. | 112 | > packages in universe and multiverse are supported by the Ubuntu community. |
98 | 113 | ||
99 | Additionally, the PPA version is likely to be more recent and to contain more profile fixes. | 114 | Additionally, the PPA version is likely to be more recent and to contain more |
115 | profile fixes. | ||
100 | 116 | ||
101 | See the following discussions for details: | 117 | See the following discussions for details: |
102 | 118 | ||
103 | * [Should I keep using the version of firejail available in my distro repos?](https://github.com/netblue30/firejail/discussions/4666) | 119 | * [Should I keep using the version of firejail available in my distro |
104 | * [How to install the latest version on Ubuntu and derivatives](https://github.com/netblue30/firejail/discussions/4663) | 120 | repos?](https://github.com/netblue30/firejail/discussions/4666) |
121 | * [How to install the latest version on Ubuntu and | ||
122 | derivatives](https://github.com/netblue30/firejail/discussions/4663) | ||
105 | 123 | ||
106 | ### Other | 124 | ### Other |
107 | 125 | ||
108 | Firejail is included in a large number of Linux distributions. | 126 | Firejail is available in multiple Linux distributions: |
127 | |||
128 | <details> | ||
129 | <summary>Repology</summary> | ||
130 | <p> | ||
131 | |||
132 | [![Packaging status (Repology)](https://repology.org/badge/vertical-allrepos/firejail.svg)](https://repology.org/project/firejail/versions) | ||
133 | |||
134 | </p> | ||
135 | </details> | ||
136 | |||
137 | Other than the [aforementioned exceptions](#installing), as long as your | ||
138 | distribution provides a [supported version](SECURITY.md) of firejail, it's | ||
139 | generally a good idea to install it from the distribution. | ||
109 | 140 | ||
110 | You can also install one of the [released packages](http://sourceforge.net/projects/firejail/files/firejail), or clone Firejail’s source code from our Git repository and compile manually: | 141 | The version can be checked with `firejail --version` after installing. |
111 | 142 | ||
112 | ````` | 143 | You can also install one of the [released |
113 | $ git clone https://github.com/netblue30/firejail.git | 144 | packages](https://github.com/netblue30/firejail/releases). |
114 | $ cd firejail | 145 | |
115 | $ ./configure && make && sudo make install-strip | 146 | Or clone the source code from our git repository and build manually: |
116 | ````` | 147 | |
117 | On Debian/Ubuntu you will need to install git and gcc compiler. AppArmor | 148 | ```sh |
118 | development libraries and pkg-config are required when using `--enable-apparmor` | 149 | git clone https://github.com/netblue30/firejail.git |
150 | cd firejail | ||
151 | ./configure && make && sudo make install-strip | ||
152 | ``` | ||
153 | |||
154 | On Debian/Ubuntu you will need to install git and gcc. AppArmor development | ||
155 | libraries and pkg-config are required when using the `--enable-apparmor` | ||
119 | ./configure option: | 156 | ./configure option: |
120 | ````` | 157 | |
121 | $ sudo apt-get install git build-essential libapparmor-dev pkg-config gawk | 158 | ```sh |
122 | ````` | 159 | sudo apt-get install git build-essential libapparmor-dev pkg-config gawk |
160 | ``` | ||
161 | |||
123 | For `--selinux` option, add libselinux1-dev (libselinux-devel for Fedora). | 162 | For `--selinux` option, add libselinux1-dev (libselinux-devel for Fedora). |
124 | 163 | ||
125 | Detailed information on using firejail from git is available on the [wiki](https://github.com/netblue30/firejail/wiki/Using-firejail-from-git). | 164 | Detailed information on using firejail from git is available on the |
165 | [wiki](https://github.com/netblue30/firejail/wiki/Using-firejail-from-git). | ||
126 | 166 | ||
127 | ## Running the sandbox | 167 | ## Running the sandbox |
128 | 168 | ||
129 | To start the sandbox, prefix your command with `firejail`: | 169 | To start the sandbox, prefix your command with `firejail`: |
130 | 170 | ||
131 | ````` | 171 | ```sh |
132 | $ firejail firefox # starting Mozilla Firefox | 172 | firejail firefox # starting Mozilla Firefox |
133 | $ firejail transmission-gtk # starting Transmission BitTorrent | 173 | firejail transmission-gtk # starting Transmission BitTorrent |
134 | $ firejail vlc # starting VideoLAN Client | 174 | firejail vlc # starting VideoLAN Client |
135 | $ sudo firejail /etc/init.d/nginx start | 175 | sudo firejail /etc/init.d/nginx start |
136 | ````` | 176 | ``` |
137 | Run `firejail --list` in a terminal to list all active sandboxes. Example: | 177 | |
138 | ````` | 178 | Run `firejail --list` in a terminal to list all active sandboxes. Example: |
179 | |||
180 | ```console | ||
139 | $ firejail --list | 181 | $ firejail --list |
140 | 1617:netblue:/usr/bin/firejail /usr/bin/firefox-esr | 182 | 1617:netblue:/usr/bin/firejail /usr/bin/firefox-esr |
141 | 7719:netblue:/usr/bin/firejail /usr/bin/transmission-qt | 183 | 7719:netblue:/usr/bin/firejail /usr/bin/transmission-qt |
142 | 7779:netblue:/usr/bin/firejail /usr/bin/galculator | 184 | 7779:netblue:/usr/bin/firejail /usr/bin/galculator |
143 | 7874:netblue:/usr/bin/firejail /usr/bin/vlc --started-from-file file:///home/netblue/firejail-whitelist.mp4 | 185 | 7874:netblue:/usr/bin/firejail /usr/bin/vlc --started-from-file file:///home/netblue/firejail-whitelist.mp4 |
144 | 7916:netblue:firejail --list | 186 | 7916:netblue:firejail --list |
145 | ````` | 187 | ``` |
146 | 188 | ||
147 | ## Desktop integration | 189 | ## Desktop integration |
148 | 190 | ||
149 | Integrate your sandbox into your desktop by running the following two commands: | 191 | Integrate your sandbox into your desktop by running the following two commands: |
150 | ````` | ||
151 | $ firecfg --fix-sound | ||
152 | $ sudo firecfg | ||
153 | ````` | ||
154 | 192 | ||
155 | The first command solves some shared memory/PID namespace bugs in PulseAudio software prior to version 9. | 193 | ```sh |
156 | The second command integrates Firejail into your desktop. You would need to logout and login back to apply | 194 | firecfg --fix-sound |
157 | PulseAudio changes. | 195 | sudo firecfg |
196 | ``` | ||
197 | |||
198 | The first command solves some shared memory/PID namespace bugs in PulseAudio | ||
199 | software prior to version 9. The second command integrates Firejail into your | ||
200 | desktop. You would need to logout and login back to apply PulseAudio changes. | ||
158 | 201 | ||
159 | Start your programs the way you are used to: desktop manager menus, file manager, desktop launchers. | 202 | Start your programs the way you are used to: desktop manager menus, file |
160 | The integration applies to any program supported by default by Firejail. There are about 250 default applications | 203 | manager, desktop launchers. |
161 | in current Firejail version, and the number goes up with every new release. | 204 | |
162 | We keep the application list in [/etc/firejail/firecfg.config](https://github.com/netblue30/firejail/blob/master/src/firecfg/firecfg.config) file. | 205 | The integration applies to any program supported by default by Firejail. There |
206 | are over 900 default applications in the current Firejail version, and the | ||
207 | number goes up with every new release. | ||
208 | |||
209 | We keep the application list in | ||
210 | [src/firecfg/firecfg.config](src/firecfg/firecfg.config) | ||
211 | (/etc/firejail/firecfg.config when installed). | ||
163 | 212 | ||
164 | ## Security profiles | 213 | ## Security profiles |
165 | 214 | ||
166 | Most Firejail command line options can be passed to the sandbox using profile files. | 215 | Most Firejail command line options can be passed to the sandbox using profile |
167 | You can find the profiles for all supported applications in [/etc/firejail](https://github.com/netblue30/firejail/tree/master/etc) directory. | 216 | files. |
217 | |||
218 | You can find the profiles for all supported applications in [etc/](etc/) | ||
219 | (/etc/firejail/ when installed). | ||
220 | |||
221 | We also keep a list of profile fixes for previous released versions in | ||
222 | [etc-fixes/](etc-fixes/). | ||
223 | |||
224 | If you keep additional Firejail security profiles in a public repository, | ||
225 | please give us a link: | ||
226 | |||
227 | * <https://github.com/chiraag-nataraj/firejail-profiles> | ||
228 | * <https://github.com/triceratops1/fe> | ||
229 | |||
230 | Use this issue to request new profiles: | ||
231 | |||
232 | * [Profile requests](https://github.com/netblue30/firejail/issues/1139) | ||
233 | |||
234 | You can also use this tool to get a list of syscalls needed by a program: | ||
168 | 235 | ||
169 | If you keep additional Firejail security profiles in a public repository, please give us a link: | 236 | * [contrib/syscalls.sh](contrib/syscalls.sh) |
170 | 237 | ||
171 | * https://github.com/chiraag-nataraj/firejail-profiles | 238 | ## Uninstalling |
172 | 239 | ||
173 | * https://github.com/triceratops1/fe | 240 | firecfg creates symlinks in /usr/local/bin, so to fully remove firejail, run |
241 | the following before uninstalling: | ||
174 | 242 | ||
175 | Use this issue to request new profiles: [#1139](https://github.com/netblue30/firejail/issues/1139) | 243 | ```sh |
244 | sudo firecfg --clean | ||
245 | ``` | ||
176 | 246 | ||
177 | You can also use this tool to get a list of syscalls needed by a program: [contrib/syscalls.sh](contrib/syscalls.sh). | 247 | See `man firecfg` for details. |
178 | 248 | ||
179 | We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory. | 249 | Note: Broken symlinks are ignored when searching for an executable in `$PATH`, |
250 | so uninstalling without doing the above should not cause issues. | ||
180 | 251 | ||
181 | ## Latest released version: 0.9.72 | 252 | ## Latest released version: 0.9.72 |
182 | 253 | ||
183 | ## Current development version: 0.9.73 | 254 | ## Current development version: 0.9.73 |
184 | 255 | ||
185 | ### --keep-shell-rc | 256 | ### --keep-shell-rc |
186 | ````` | 257 | |
258 | ```text | ||
187 | --keep-shell-rc | 259 | --keep-shell-rc |
188 | By default, when using a private home directory, firejail copies | 260 | By default, when using a private home directory, firejail copies |
189 | files from the system's user home template (/etc/skel) into it, | 261 | files from the system's user home template (/etc/skel) into it, |
190 | which overrides attempts to whitelist the original files (such | 262 | which overrides attempts to whitelist the original files (such |
191 | as ~/.bashrc and ~/.zshrc). This option disables this feature, | 263 | as ~/.bashrc and ~/.zshrc). This option disables this feature, |
192 | and enables the user to whitelist the original files. | 264 | and enables the user to whitelist the original files. |
193 | 265 | ``` | |
194 | ````` | ||
195 | 266 | ||
196 | ### private-etc rework | 267 | ### private-etc rework |
197 | ````` | 268 | |
269 | ```text | ||
198 | --private-etc, --private-etc=file,directory,@group | 270 | --private-etc, --private-etc=file,directory,@group |
199 | The files installed by --private-etc are copies of the original | 271 | The files installed by --private-etc are copies of the original |
200 | system files from /etc directory. By default, the command | 272 | system files from /etc directory. By default, the command |
201 | brings in a skeleton of files and directories used by most con‐ | 273 | brings in a skeleton of files and directories used by most |
202 | sole tools: | 274 | console tools: |
203 | 275 | ||
204 | $ firejail --private-etc dig debian.org | 276 | $ firejail --private-etc dig debian.org |
205 | 277 | ||
206 | For X11/GTK/QT/Gnome/KDE programs add @x11 group as a parame‐ | 278 | For X11/GTK/QT/Gnome/KDE programs add @x11 group as a |
207 | ter. Example: | 279 | parameter. Example: |
208 | 280 | ||
209 | $ firejail --private-etc=@x11,gcrypt,python* gimp | 281 | $ firejail --private-etc=@x11,gcrypt,python* gimp |
210 | 282 | ||
211 | gcrypt and /etc/python* directories are not part of the generic | 283 | gcrypt and /etc/python* directories are not part of the generic |
212 | @x11 group. File globbing is supported. | 284 | @x11 group. File globbing is supported. |
213 | 285 | ||
214 | For games, add @games group: | 286 | For games, add @games group: |
215 | 287 | ||
216 | $ firejail --private-etc=@games,@x11 warzone2100 | 288 | $ firejail --private-etc=@games,@x11 warzone2100 |
217 | 289 | ||
218 | Sound and networking files are included automatically, unless | 290 | Sound and networking files are included automatically, unless |
219 | --nosound or --net=none are specified. Files for encrypted | 291 | --nosound or --net=none are specified. Files for encrypted |
220 | TLS/SSL protocol are in @tls-ca group. | 292 | TLS/SSL protocol are in @tls-ca group. |
221 | 293 | ||
222 | $ firejail --private-etc=@tls-ca,wgetrc wget https://debian.org | 294 | $ firejail --private-etc=@tls-ca,wgetrc wget https://debian.org |
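Review bot: the closing note of the new Uninstalling section ("Broken symlinks are ignored when searching for an executable in `$PATH`, so uninstalling without doing the above should not cause issues") overstates the case. A shell's PATH search and execvp(3) do skip a dangling `/usr/local/bin/<program>` link and fall through to the real binary, so command lookup keeps working, but the dangling links stay on disk until something removes them. Suggest narrowing the sentence to "should not break command lookup" and leaving `sudo firecfg --clean` as the recommended step; the text already gets the ordering right with "before uninstalling", since firecfg itself goes away with the package.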
@@ -225,22 +297,29 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
225 | by your program is using strace utility: | 297 | by your program is using strace utility: |
226 | 298 | ||
227 | $ strace /usr/bin/transmission-qt 2>&1 | grep open | grep etc | 299 | $ strace /usr/bin/transmission-qt 2>&1 | grep open | grep etc |
300 | ``` | ||
228 | 301 | ||
229 | ````` | 302 | We keep the list of groups in |
230 | We keep the list of groups in [src/include/etc_groups.h](https://github.com/netblue30/firejail/blob/master/src/include/etc_groups.h) | 303 | [src/include/etc_groups.h](src/include/etc_groups.h). |
231 | Discussion: https://github.com/netblue30/firejail/discussions/5610 | 304 | |
305 | Discussion: | ||
306 | |||
307 | * [private-etc rework](https://github.com/netblue30/firejail/discussions/5610) | ||
232 | 308 | ||
233 | ### Profile Statistics | 309 | ### Profile Statistics |
234 | 310 | ||
235 | A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. | 311 | A small tool to print profile statistics. Compile and install as usual. The |
312 | tool is installed in the /usr/lib/firejail directory. | ||
313 | |||
236 | Run it over the profiles in /etc/profiles: | 314 | Run it over the profiles in /etc/profiles: |
237 | ``` | 315 | |
316 | ```console | ||
238 | $ /usr/lib/firejail/profstats /etc/firejail/*.profile | 317 | $ /usr/lib/firejail/profstats /etc/firejail/*.profile |
239 | No include .local found in /etc/firejail/noprofile.profile | 318 | No include .local found in /etc/firejail/noprofile.profile |
240 | Warning: multiple caps in /etc/firejail/transmission-daemon.profile | 319 | Warning: multiple caps in /etc/firejail/transmission-daemon.profile |
241 | 320 | ||
242 | Stats: | 321 | Stats: |
243 | profiles 1209 | 322 | profiles 1209 |
244 | include local profile 1208 (include profile-name.local) | 323 | include local profile 1208 (include profile-name.local) |
245 | include globals 1181 (include globals.local) | 324 | include globals 1181 (include globals.local) |
246 | blacklist ~/.ssh 1079 (include disable-common.inc) | 325 | blacklist ~/.ssh 1079 (include disable-common.inc) |
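Review bot: the sentence "Run it over the profiles in /etc/profiles:" (the unchanged line just above the new ```console fence) names a directory that does not match the command under it, which globs `/etc/firejail/*.profile`. Since the block is being reformatted anyway, change it to "Run it over the profiles in /etc/firejail:".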
@@ -266,5 +345,4 @@ Stats: | |||
266 | dbus-user filter 141 | 345 | dbus-user filter 141 |
267 | dbus-system none 851 | 346 | dbus-system none 851 |
268 | dbus-system filter 12 | 347 | dbus-system filter 12 |
269 | |||
270 | ``` | 348 | ``` |
@@ -4,28 +4,41 @@ firejail (0.9.73) baseline; urgency=low | |||
4 | * feature: Print the argument when failing with "too long arguments" (#5677) | 4 | * feature: Print the argument when failing with "too long arguments" (#5677) |
5 | * feature: a random hostname is assigned to each sandbox unless | 5 | * feature: a random hostname is assigned to each sandbox unless |
6 | overwritten using --hostname command | 6 | overwritten using --hostname command |
7 | * feature: add IPv6 support for --net.print option | ||
7 | * modif: Stop forwarding own double-dash to the shell (#5599 #5600) | 8 | * modif: Stop forwarding own double-dash to the shell (#5599 #5600) |
8 | * modif: Prevent sandbox name (--name=) and host name (--hostname=) | 9 | * modif: Prevent sandbox name (--name=) and host name (--hostname=) |
9 | from containing only digits (#5578) | 10 | from containing only digits (#5578) |
10 | * modif: Escape control characters of the command line (#5613) | 11 | * modif: Escape control characters of the command line (#5613) |
11 | * modif: Allow only letters and digits for sandbox name (--name=) and | 12 | * modif: Allow only letters and digits for sandbox name (--name=) and |
12 | host name (--hostname=) | 13 | host name (--hostname=) |
13 | * bugfix: fix --hostname and --hosts-file commands | 14 | * modif: remove firemon --interface option (duplicating --net.print option) |
14 | * bugfix: qutebrowser: links will not open in the existing instance (#5601 | 15 | * bugfix: qutebrowser: links will not open in the existing instance (#5601 |
15 | #5618) | 16 | #5618) |
17 | * bugfix: fix --hostname and --hosts-file commands | ||
18 | * bugfix: arp.c: ensure positive timeout on select(2) (#5806) | ||
16 | * build: auto-generate syntax files (#5627) | 19 | * build: auto-generate syntax files (#5627) |
17 | * build: mark most phony targets as such (#5637) | 20 | * build: mark most phony targets as such (#5637) |
18 | * build: mkdeb.sh: pass all arguments to ./configure (#5654) | 21 | * build: mkdeb.sh: pass all arguments to ./configure (#5654) |
19 | * build: deb: enable apparmor by default & remove deb-apparmor (#5668) | 22 | * build: deb: enable apparmor by default & remove deb-apparmor (#5668) |
20 | * build: Fix whitespace and add .editorconfig (#5674) | 23 | * build: Fix whitespace and add .editorconfig (#5674) |
24 | * ci: always update the package db before installing packages (#5742) | ||
25 | * ci: fix codeql unable to download its own bundle (#5783) | ||
26 | * ci: split configure/build/install commands on gitlab (#5784) | ||
27 | * ci: fix swapped name/email arguments in debian_ci (#5795) | ||
28 | * ci: formatting and misc improvements (#5802) | ||
29 | * ci: run for every branch instead of just master (#5815) | ||
30 | * ci: upgrade debian:stretch to debian:buster (#5818) | ||
21 | * test: split individual test groups in github workflows | 31 | * test: split individual test groups in github workflows |
22 | * test: add chroot, appimage and network tests in github workflows | 32 | * test: add chroot, appimage and network tests in github workflows |
23 | * docs: remove apparmor options in --help when building without apparmor | 33 | * docs: remove apparmor options in --help when building without apparmor |
24 | support (#5589) | 34 | support (#5589) |
25 | * docs: selinux.c: Split Copyright notice & use same license as upstream | 35 | * docs: fix typos (#5693) |
36 | * docs: markdown formatting and misc improvements (#5757) | ||
37 | * docs: add uninstall instructions to README.md (#5812) | ||
38 | * legal: selinux.c: Split Copyright notice & use same license as upstream | ||
26 | (#5667) | 39 | (#5667) |
27 | * new profiles: fix-qdf, qpdf, zlib-flate | 40 | * new profiles: fix-qdf, qpdf, zlib-flate, standard-notes, url-eater |
28 | -- netblue30 <netblue30@yahoo.com> Mon, 16 Jan 2023 09:00:00 -0500 | 41 | -- netblue30 <netblue30@yahoo.com> Mon, 17 Jan 2023 09:00:00 -0500 |
29 | 42 | ||
30 | firejail (0.9.72) baseline; urgency=low | 43 | firejail (0.9.72) baseline; urgency=low |
31 | * feature: On failing to remount a fuse filesystem, give warning instead of | 44 | * feature: On failing to remount a fuse filesystem, give warning instead of |
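Review bot: the changed changelog trailer `Mon, 17 Jan 2023 09:00:00 -0500` is internally inconsistent: 17 January 2023 was a Tuesday, so the weekday was right before this change (`Mon, 16 Jan 2023`) and wrong after it, and tools that parse the RFC 2822 trailer date may warn about the mismatch. Either keep 16 Jan or write `Tue, 17 Jan 2023`. Separately, the new entry "modif: remove firemon --interface option (duplicating --net.print option)" removes a user-visible command-line option without the PR or issue reference its neighbouring entries carry; add one so the removal is traceable.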
diff --git a/SECURITY.md b/SECURITY.md index 734d04ccf..2a9cc7f6f 100644 --- a/SECURITY.md +++ b/SECURITY.md | |||
@@ -26,4 +26,8 @@ | |||
26 | 26 | ||
27 | ## Security vulnerabilities | 27 | ## Security vulnerabilities |
28 | 28 | ||
29 | We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@@protonmail.com | 29 | We take security bugs very seriously. |
30 | |||
31 | If you believe you have found one, please report it to: | ||
32 | |||
33 | * <netblue30@protonmail.com> | ||
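Review bot: the substantive fix in this hunk is the contact address, not the list formatting: the old line 29 read `netblue30@@protonmail.com` (doubled `@`), which made the only published vulnerability-report address unusable. With the README hunk above now reduced to "See [SECURITY.md](SECURITY.md)", this file is the single place the address lives, so the fix deserves an explicit mention in the commit message rather than being folded into a formatting change.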
diff --git a/ci/printenv.sh b/ci/printenv.sh new file mode 100755 index 000000000..4b7e03fa7 --- /dev/null +++ b/ci/printenv.sh | |||
@@ -0,0 +1,25 @@ | |||
1 | #!/bin/sh | ||
2 | # Print information that may be useful for debugging CI. | ||
3 | |||
4 | test -f /etc/os-release && . /etc/os-release | ||
5 | |||
6 | cat <<EOF | ||
7 | nproc: $(nproc) | ||
8 | kernel: $(uname -srvm) | ||
9 | distro: $PRETTY_NAME | ||
10 | sh: $(ls -l /bin/sh | sed 's|.* /bin|/bin|') | ||
11 | user: $(id | cut -f -2 -d ' ') | ||
12 | |||
13 | [/etc/os-release] | ||
14 | $(cat /etc/os-release) | ||
15 | EOF | ||
16 | |||
17 | if test -z "$CI_VERBOSE"; then | ||
18 | exit | ||
19 | fi | ||
20 | |||
21 | cat <<EOF | ||
22 | |||
23 | [env] | ||
24 | $(env | LC_ALL=C sort) | ||
25 | EOF | ||
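Review bot: the verbose branch at the end (`env | LC_ALL=C sort`) dumps the complete environment into the CI log, and on GitHub Actions and GitLab CI that can include tokens and other secrets injected as variables; log masking only covers values the platform knows are secrets. Either document next to the `CI_VERBOSE` check that it must not be enabled on jobs that carry credentials, or filter before printing (for example drop variables whose names contain TOKEN, SECRET, PASSWORD or KEY). Minor: `$(cat /etc/os-release)` on line 14 is not guarded the way line 4 is, so on an image without that file the script emits an error in the middle of its output.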
diff --git a/config.mk.in b/config.mk.in index cfef6b8d3..6b6cf1b99 100644 --- a/config.mk.in +++ b/config.mk.in | |||
@@ -21,7 +21,6 @@ docdir=@docdir@ | |||
21 | mandir=@mandir@ | 21 | mandir=@mandir@ |
22 | sysconfdir=@sysconfdir@ | 22 | sysconfdir=@sysconfdir@ |
23 | 23 | ||
24 | HAVE_APPARMOR=@HAVE_APPARMOR@ | ||
25 | HAVE_CONTRIB_INSTALL=@HAVE_CONTRIB_INSTALL@ | 24 | HAVE_CONTRIB_INSTALL=@HAVE_CONTRIB_INSTALL@ |
26 | BUSYBOX_WORKAROUND=@BUSYBOX_WORKAROUND@ | 25 | BUSYBOX_WORKAROUND=@BUSYBOX_WORKAROUND@ |
27 | HAVE_SUID=@HAVE_SUID@ | 26 | HAVE_SUID=@HAVE_SUID@ |
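Review bot: removing `HAVE_APPARMOR=@HAVE_APPARMOR@` at line 24 is correct only because the same assignment still exists a few lines further down (it is visible in the next hunk's `@@ -38,6 +37,7 @@ HAVE_APPARMOR=@HAVE_APPARMOR@` header), so this drops a duplicate rather than the definition, and `MANFLAGS` in the third hunk still expands `$(HAVE_APPARMOR)`. A one-line note in the commit message that this is a duplicate removal would spare the next reader the same check.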
@@ -38,6 +37,7 @@ HAVE_APPARMOR=@HAVE_APPARMOR@ | |||
38 | HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ | 37 | HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ |
39 | HAVE_FIRETUNNEL=@HAVE_FIRETUNNEL@ | 38 | HAVE_FIRETUNNEL=@HAVE_FIRETUNNEL@ |
40 | HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@ | 39 | HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@ |
40 | HAVE_PRIVATE_LIB=@HAVE_PRIVATE_LIB@ | ||
41 | HAVE_IDS=@HAVE_IDS@ | 41 | HAVE_IDS=@HAVE_IDS@ |
42 | HAVE_GCOV=@HAVE_GCOV@ | 42 | HAVE_GCOV=@HAVE_GCOV@ |
43 | HAVE_SELINUX=@HAVE_SELINUX@ | 43 | HAVE_SELINUX=@HAVE_SELINUX@ |
@@ -49,7 +49,7 @@ HAVE_LTS=@HAVE_LTS@ | |||
49 | HAVE_FORCE_NONEWPRIVS=@HAVE_FORCE_NONEWPRIVS@ | 49 | HAVE_FORCE_NONEWPRIVS=@HAVE_FORCE_NONEWPRIVS@ |
50 | HAVE_ONLY_SYSCFG_PROFILES=@HAVE_ONLY_SYSCFG_PROFILES@ | 50 | HAVE_ONLY_SYSCFG_PROFILES=@HAVE_ONLY_SYSCFG_PROFILES@ |
51 | 51 | ||
52 | MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_IDS) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) $(HAVE_ONLY_SYSCFG_PROFILES) | 52 | MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_PRIVATE_LIB) $(HAVE_APPARMOR) $(HAVE_IDS) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) $(HAVE_ONLY_SYSCFG_PROFILES) |
53 | 53 | ||
54 | # User variables - should not be modified in the code (as they are reserved for | 54 | # User variables - should not be modified in the code (as they are reserved for |
55 | # the user building the package); see the following for details: | 55 | # the user building the package); see the following for details: |
@@ -641,6 +641,7 @@ HAVE_USERNS | |||
641 | HAVE_NETWORK | 641 | HAVE_NETWORK |
642 | HAVE_GLOBALCFG | 642 | HAVE_GLOBALCFG |
643 | HAVE_CHROOT | 643 | HAVE_CHROOT |
644 | HAVE_PRIVATE_LIB | ||
644 | HAVE_PRIVATE_HOME | 645 | HAVE_PRIVATE_HOME |
645 | HAVE_FIRETUNNEL | 646 | HAVE_FIRETUNNEL |
646 | HAVE_GAWK | 647 | HAVE_GAWK |
@@ -719,6 +720,7 @@ enable_usertmpfs | |||
719 | enable_man | 720 | enable_man |
720 | enable_firetunnel | 721 | enable_firetunnel |
721 | enable_private_home | 722 | enable_private_home |
723 | enable_private_lib | ||
722 | enable_chroot | 724 | enable_chroot |
723 | enable_globalcfg | 725 | enable_globalcfg |
724 | enable_network | 726 | enable_network |
@@ -1380,6 +1382,7 @@ Optional Features: | |||
1380 | --disable-man disable man pages | 1382 | --disable-man disable man pages |
1381 | --enable-firetunnel enable firetunnel | 1383 | --enable-firetunnel enable firetunnel |
1382 | --disable-private-home disable private home feature | 1384 | --disable-private-home disable private home feature |
1385 | --disable-private-lib disable private lib feature | ||
1383 | --disable-chroot disable chroot | 1386 | --disable-chroot disable chroot |
1384 | --disable-globalcfg if the global config file firejail.config is not | 1387 | --disable-globalcfg if the global config file firejail.config is not |
1385 | present, continue the program using defaults | 1388 | present, continue the program using defaults |
@@ -3485,6 +3488,19 @@ if test "x$enable_private_home" != "xno"; then : | |||
3485 | 3488 | ||
3486 | fi | 3489 | fi |
3487 | 3490 | ||
3491 | HAVE_PRIVATE_LIB="" | ||
3492 | |||
3493 | # Check whether --enable-private-lib was given. | ||
3494 | if test "${enable_private_lib+set}" = set; then : | ||
3495 | enableval=$enable_private_lib; | ||
3496 | fi | ||
3497 | |||
3498 | if test "x$enable_private_lib" = "xyes"; then : | ||
3499 | |||
3500 | HAVE_PRIVATE_LIB="-DHAVE_PRIVATE_LIB" | ||
3501 | |||
3502 | fi | ||
3503 | |||
3488 | HAVE_CHROOT="" | 3504 | HAVE_CHROOT="" |
3489 | 3505 | ||
3490 | # Check whether --enable-chroot was given. | 3506 | # Check whether --enable-chroot was given. |
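Review bot: this generated block encodes a default that contradicts the help text added in the earlier hunk: `test "x$enable_private_lib" = "xyes"` only defines `HAVE_PRIVATE_LIB` when `--enable-private-lib` is passed explicitly, while the help line says `--disable-private-lib disable private lib feature`, which implies the feature is on by default. Resolve the intent in configure.ac and regenerate `configure` from it rather than adjusting this file by hand.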
@@ -3674,6 +3690,7 @@ if test "x$enable_lts" = "xyes"; then : | |||
3674 | HAVE_MAN="-DHAVE_MAN" | 3690 | HAVE_MAN="-DHAVE_MAN" |
3675 | HAVE_FIRETUNNEL="" | 3691 | HAVE_FIRETUNNEL="" |
3676 | HAVE_PRIVATE_HOME="" | 3692 | HAVE_PRIVATE_HOME="" |
3693 | HAVE_PRIVATE_LIB="" | ||
3677 | HAVE_CHROOT="" | 3694 | HAVE_CHROOT="" |
3678 | HAVE_GLOBALCFG="" | 3695 | HAVE_GLOBALCFG="" |
3679 | HAVE_USERNS="" | 3696 | HAVE_USERNS="" |
@@ -5291,6 +5308,7 @@ Features: | |||
5291 | network: $HAVE_NETWORK | 5308 | network: $HAVE_NETWORK |
5292 | overlayfs support: $HAVE_OVERLAYFS | 5309 | overlayfs support: $HAVE_OVERLAYFS |
5293 | private home support: $HAVE_PRIVATE_HOME | 5310 | private home support: $HAVE_PRIVATE_HOME |
5311 | private lib support: $HAVE_PRIVATE_LIB | ||
5294 | SELinux labeling support: $HAVE_SELINUX | 5312 | SELinux labeling support: $HAVE_SELINUX |
5295 | user namespace: $HAVE_USERNS | 5313 | user namespace: $HAVE_USERNS |
5296 | X11 sandboxing support: $HAVE_X11 | 5314 | X11 sandboxing support: $HAVE_X11 |
diff --git a/configure.ac b/configure.ac index 2dd49bcb2..357d1da45 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -147,6 +147,14 @@ AS_IF([test "x$enable_private_home" != "xno"], [ | |||
147 | HAVE_PRIVATE_HOME="-DHAVE_PRIVATE_HOME" | 147 | HAVE_PRIVATE_HOME="-DHAVE_PRIVATE_HOME" |
148 | ]) | 148 | ]) |
149 | 149 | ||
150 | HAVE_PRIVATE_LIB="" | ||
151 | AC_SUBST([HAVE_PRIVATE_LIB]) | ||
152 | AC_ARG_ENABLE([private-lib], | ||
153 | [AS_HELP_STRING([--disable-private-lib], [disable private lib feature])]) | ||
154 | AS_IF([test "x$enable_private_lib" = "xyes"], [ | ||
155 | HAVE_PRIVATE_LIB="-DHAVE_PRIVATE_LIB" | ||
156 | ]) | ||
157 | |||
150 | HAVE_CHROOT="" | 158 | HAVE_CHROOT="" |
151 | AC_SUBST([HAVE_CHROOT]) | 159 | AC_SUBST([HAVE_CHROOT]) |
152 | AC_ARG_ENABLE([chroot], | 160 | AC_ARG_ENABLE([chroot], |
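Review bot: the new private-lib option has a default/help mismatch. `AS_HELP_STRING([--disable-private-lib], [disable private lib feature])` tells users the feature is on by default, but `AS_IF([test "x$enable_private_lib" = "xyes"], ...)` sets `-DHAVE_PRIVATE_LIB` only when `--enable-private-lib` is given; compare the private-home block just above, which uses `!= "xno"` for a default-on feature. Either change the test to `test "x$enable_private_lib" != "xno"` so the behaviour matches the help text, or change the help string to `--enable-private-lib` and record in RELNOTES that private-lib is now opt-in, because as written a default build silently loses a sandboxing feature.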
@@ -268,6 +276,7 @@ AS_IF([test "x$enable_lts" = "xyes"], [ | |||
268 | HAVE_MAN="-DHAVE_MAN" | 276 | HAVE_MAN="-DHAVE_MAN" |
269 | HAVE_FIRETUNNEL="" | 277 | HAVE_FIRETUNNEL="" |
270 | HAVE_PRIVATE_HOME="" | 278 | HAVE_PRIVATE_HOME="" |
279 | HAVE_PRIVATE_LIB="" | ||
271 | HAVE_CHROOT="" | 280 | HAVE_CHROOT="" |
272 | HAVE_GLOBALCFG="" | 281 | HAVE_GLOBALCFG="" |
273 | HAVE_USERNS="" | 282 | HAVE_USERNS="" |
@@ -324,6 +333,7 @@ Features: | |||
324 | network: $HAVE_NETWORK | 333 | network: $HAVE_NETWORK |
325 | overlayfs support: $HAVE_OVERLAYFS | 334 | overlayfs support: $HAVE_OVERLAYFS |
326 | private home support: $HAVE_PRIVATE_HOME | 335 | private home support: $HAVE_PRIVATE_HOME |
336 | private lib support: $HAVE_PRIVATE_LIB | ||
327 | SELinux labeling support: $HAVE_SELINUX | 337 | SELinux labeling support: $HAVE_SELINUX |
328 | user namespace: $HAVE_USERNS | 338 | user namespace: $HAVE_USERNS |
329 | X11 sandboxing support: $HAVE_X11 | 339 | X11 sandboxing support: $HAVE_X11 |
diff --git a/etc/apparmor/firejail-local b/etc/apparmor/firejail-local index e7236b0bc..557204d75 100644 --- a/etc/apparmor/firejail-local +++ b/etc/apparmor/firejail-local | |||
@@ -1,12 +1,12 @@ | |||
1 | # Site-specific additions and overrides for 'firejail-default'. | 1 | # Site-specific additions and overrides for 'firejail-default'. |
2 | # For more details, please see /etc/apparmor.d/local/README. | 2 | # For more details, please see /etc/apparmor.d/local/README. |
3 | 3 | ||
4 | # Here are some examples to allow running programs from home directory. | 4 | # Here are some examples to allow running programs from your home directory. |
5 | # Don't enable all of these, just pick a specific one or write a custom rule | 5 | # Don't enable all of these, just pick a specific one or write a custom rule |
6 | # instead as done below for torbrowser-launcher. | 6 | # instead as done below for torbrowser-launcher. |
7 | #owner @HOME/** ix, | 7 | #owner @HOME/** ix, |
8 | #owner @HOME/bin/** ix | 8 | #owner @HOME/bin/** ix, |
9 | #owner @HOME/.local/bin/** ix | 9 | #owner @HOME/.local/bin/** ix, |
10 | 10 | ||
11 | # Uncomment to opt-in to apparmor for brave + ipfs | 11 | # Uncomment to opt-in to apparmor for brave + ipfs |
12 | #owner @{HOME}/.config/BraveSoftware/Brave-Browser/oecghfpdmkjlhnfpmmjegjacfimiafjp/*/** ix, | 12 | #owner @{HOME}/.config/BraveSoftware/Brave-Browser/oecghfpdmkjlhnfpmmjegjacfimiafjp/*/** ix, |
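Review bot: The trailing-comma fix on lines 8 and 9 is right, but all three example rules (lines 7-9) still write the variable as `@HOME`, while the brave rule on line 12 uses `@{HOME}`. AppArmor variable references need the `@{...}` form, so a user who uncomments one of these examples as instructed gets a parse error rather than the intended permission. Change them to `#owner @{HOME}/** ix,`, `#owner @{HOME}/bin/** ix,` and `#owner @{HOME}/.local/bin/** ix,` in the same pass.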
diff --git a/etc/inc/allow-python2.inc b/etc/inc/allow-python2.inc index b0525e2e1..0d4ab8c35 100644 --- a/etc/inc/allow-python2.inc +++ b/etc/inc/allow-python2.inc | |||
@@ -2,6 +2,7 @@ | |||
2 | # Persistent customizations should go in a .local file. | 2 | # Persistent customizations should go in a .local file. |
3 | include allow-python2.local | 3 | include allow-python2.local |
4 | 4 | ||
5 | noblacklist ${HOME}/.local/lib/python2* | ||
5 | noblacklist ${PATH}/python2* | 6 | noblacklist ${PATH}/python2* |
6 | noblacklist /usr/include/python2* | 7 | noblacklist /usr/include/python2* |
7 | noblacklist /usr/lib/python2* | 8 | noblacklist /usr/lib/python2* |
diff --git a/etc/inc/allow-python3.inc b/etc/inc/allow-python3.inc index d968886b0..0693fb7e7 100644 --- a/etc/inc/allow-python3.inc +++ b/etc/inc/allow-python3.inc | |||
@@ -2,6 +2,7 @@ | |||
2 | # Persistent customizations should go in a .local file. | 2 | # Persistent customizations should go in a .local file. |
3 | include allow-python3.local | 3 | include allow-python3.local |
4 | 4 | ||
5 | noblacklist ${HOME}/.local/lib/python3* | ||
5 | noblacklist ${PATH}/python3* | 6 | noblacklist ${PATH}/python3* |
6 | noblacklist /usr/include/python3* | 7 | noblacklist /usr/include/python3* |
7 | noblacklist /usr/lib/python3* | 8 | noblacklist /usr/lib/python3* |
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index 65159b951..4277100ce 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc | |||
@@ -69,6 +69,9 @@ blacklist ${HOME}/.xsessionrc | |||
69 | blacklist /etc/X11/Xsession.d | 69 | blacklist /etc/X11/Xsession.d |
70 | blacklist /etc/xdg/autostart | 70 | blacklist /etc/xdg/autostart |
71 | read-only ${HOME}/.Xauthority | 71 | read-only ${HOME}/.Xauthority |
72 | read-only ${HOME}/.config/awesome/autorun.sh | ||
73 | read-only ${HOME}/.config/openbox/autostart | ||
74 | read-only ${HOME}/.config/openbox/environment | ||
72 | 75 | ||
73 | # Session manager | 76 | # Session manager |
74 | # see #3358 | 77 | # see #3358 |
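Review bot: The three new `read-only` lines (72-74) protect window-manager autostart scripts, that is, files whose contents run as commands at session start, but they sit next to `${HOME}/.Xauthority` with no comment, rather than under the existing `# Initialization files that allow arbitrary command execution` section later in this file where `.caffrc`, `.cargo/env`, `.config/nvim` and friends live. Either move them there or add a short comment here saying what they are; otherwise the next person adding a WM autostart file has no way to tell which section to use.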
@@ -123,6 +126,7 @@ read-only ${HOME}/.config/kio_httprc | |||
123 | read-only ${HOME}/.config/kiorc | 126 | read-only ${HOME}/.config/kiorc |
124 | read-only ${HOME}/.config/kioslaverc | 127 | read-only ${HOME}/.config/kioslaverc |
125 | read-only ${HOME}/.config/ksslcablacklist | 128 | read-only ${HOME}/.config/ksslcablacklist |
129 | read-only ${HOME}/.config/lxqt | ||
126 | read-only ${HOME}/.kde/share/apps/konsole | 130 | read-only ${HOME}/.kde/share/apps/konsole |
127 | read-only ${HOME}/.kde/share/apps/kssl | 131 | read-only ${HOME}/.kde/share/apps/kssl |
128 | read-only ${HOME}/.kde/share/config/*notifyrc | 132 | read-only ${HOME}/.kde/share/config/*notifyrc |
@@ -329,6 +333,7 @@ read-only ${HOME}/.ssh/config.d | |||
329 | # Initialization files that allow arbitrary command execution | 333 | # Initialization files that allow arbitrary command execution |
330 | read-only ${HOME}/.caffrc | 334 | read-only ${HOME}/.caffrc |
331 | read-only ${HOME}/.cargo/env | 335 | read-only ${HOME}/.cargo/env |
336 | read-only ${HOME}/.config/mpv | ||
332 | read-only ${HOME}/.config/nano | 337 | read-only ${HOME}/.config/nano |
333 | read-only ${HOME}/.config/nvim | 338 | read-only ${HOME}/.config/nvim |
334 | read-only ${HOME}/.config/pkcs11 | 339 | read-only ${HOME}/.config/pkcs11 |
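Review bot: `read-only ${HOME}/.config/mpv` (line 336) covers the whole directory, not only the script and config files that justify listing it under the arbitrary-command-execution section. If mpv writes anything under its config directory during normal use (saved playback state, for instance), every profile that includes this file, including the new ani-cli.profile in this commit that redirects to mpv.profile, silently loses that. Please confirm what mpv writes there; if only scripts and config are the concern, narrow the rule to those paths, and otherwise add a comment stating that write access is intentionally removed and what the user-visible effect is.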
@@ -337,6 +342,7 @@ read-only ${HOME}/.elinks | |||
337 | read-only ${HOME}/.emacs | 342 | read-only ${HOME}/.emacs |
338 | read-only ${HOME}/.emacs.d | 343 | read-only ${HOME}/.emacs.d |
339 | read-only ${HOME}/.exrc | 344 | read-only ${HOME}/.exrc |
345 | read-only ${HOME}/.gnupg/gpg.conf | ||
340 | read-only ${HOME}/.gvimrc | 346 | read-only ${HOME}/.gvimrc |
341 | read-only ${HOME}/.homesick | 347 | read-only ${HOME}/.homesick |
342 | read-only ${HOME}/.iscreenrc | 348 | read-only ${HOME}/.iscreenrc |
@@ -345,6 +351,7 @@ read-only ${HOME}/.local/share/cool-retro-term | |||
345 | read-only ${HOME}/.local/share/nvim | 351 | read-only ${HOME}/.local/share/nvim |
346 | read-only ${HOME}/.local/state/nvim | 352 | read-only ${HOME}/.local/state/nvim |
347 | read-only ${HOME}/.mailcap | 353 | read-only ${HOME}/.mailcap |
354 | read-only ${HOME}/.mozilla/firefox/profiles.ini | ||
348 | read-only ${HOME}/.msmtprc | 355 | read-only ${HOME}/.msmtprc |
349 | read-only ${HOME}/.mutt/muttrc | 356 | read-only ${HOME}/.mutt/muttrc |
350 | read-only ${HOME}/.muttrc | 357 | read-only ${HOME}/.muttrc |
@@ -366,6 +373,10 @@ read-only ${HOME}/_gvimrc | |||
366 | read-only ${HOME}/_vimrc | 373 | read-only ${HOME}/_vimrc |
367 | read-only ${HOME}/dotfiles | 374 | read-only ${HOME}/dotfiles |
368 | 375 | ||
376 | # System package managers and AUR helpers | ||
377 | blacklist ${HOME}/.config/cower | ||
378 | read-only ${HOME}/.config/cower/config | ||
379 | |||
369 | # Make directories commonly found in $PATH read-only | 380 | # Make directories commonly found in $PATH read-only |
370 | read-only ${HOME}/.bin | 381 | read-only ${HOME}/.bin |
371 | read-only ${HOME}/.cargo/bin | 382 | read-only ${HOME}/.cargo/bin |
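Review bot: The new section (lines 376-378) both blacklists `${HOME}/.config/cower` and marks `${HOME}/.config/cower/config` read-only. The second rule only has an effect in a profile that noblacklists the directory (cower.profile, whose own read-only line is dropped elsewhere in this commit), so a one-line comment such as `# read-only still applies after the noblacklist in cower.profile` would stop readers from treating line 378 as dead. Also, the heading `System package managers and AUR helpers` introduces a section with a single entry; either a plural heading is fine because more will follow, or it should name cower directly.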
@@ -391,6 +402,11 @@ read-only ${HOME}/.config/user-dirs.dirs | |||
391 | read-only ${HOME}/.config/user-dirs.locale | 402 | read-only ${HOME}/.config/user-dirs.locale |
392 | read-only ${HOME}/.local/share/mime | 403 | read-only ${HOME}/.local/share/mime |
393 | 404 | ||
405 | # Configuration files that do not allow arbitrary command execution but that | ||
406 | # are intended to be modified manually (in a text editor and/or by a program | ||
407 | # dedicated to managing them) | ||
408 | read-only ${HOME}/.config/MangoHud | ||
409 | |||
394 | # Write-protection for thumbnailer dir | 410 | # Write-protection for thumbnailer dir |
395 | read-only ${HOME}/.local/share/thumbnailers | 411 | read-only ${HOME}/.local/share/thumbnailers |
396 | 412 | ||
@@ -556,6 +572,7 @@ blacklist ${PATH}/ss | |||
556 | blacklist ${PATH}/traceroute | 572 | blacklist ${PATH}/traceroute |
557 | 573 | ||
558 | # other SUID binaries | 574 | # other SUID binaries |
575 | blacklist /opt/microsoft/msedge*/msedge-sandbox | ||
559 | blacklist /usr/lib/virtualbox | 576 | blacklist /usr/lib/virtualbox |
560 | blacklist /usr/lib64/virtualbox | 577 | blacklist /usr/lib64/virtualbox |
561 | 578 | ||
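Review bot: `blacklist /opt/microsoft/msedge*/msedge-sandbox` (line 575) blocks Edge's SUID sandbox helper for every profile that includes this file. The chromium-common.profile context in this same commit shows that the Chromium equivalent relies on a `noblacklist /usr/lib/chromium/chrome-sandbox` placed before the disable-*.inc includes; check that the Edge profile gets a matching `noblacklist`, or it will lose the SUID sandbox path, and add a comment on this line pointing at that noblacklist so the pairing is visible.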
diff --git a/etc/inc/disable-interpreters.inc b/etc/inc/disable-interpreters.inc index ca43e5ed9..4e3590fed 100644 --- a/etc/inc/disable-interpreters.inc +++ b/etc/inc/disable-interpreters.inc | |||
@@ -61,6 +61,7 @@ blacklist /usr/lib64/ruby | |||
61 | 61 | ||
62 | # Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus | 62 | # Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus |
63 | # Python 2 | 63 | # Python 2 |
64 | blacklist ${HOME}/.local/lib/python2* | ||
64 | blacklist ${PATH}/python2* | 65 | blacklist ${PATH}/python2* |
65 | blacklist /usr/include/python2* | 66 | blacklist /usr/include/python2* |
66 | blacklist /usr/lib/python2* | 67 | blacklist /usr/lib/python2* |
@@ -70,6 +71,7 @@ blacklist /usr/share/python2* | |||
70 | # You will want to add noblacklist for python3 stuff in the firefox and/or chromium profiles if you use the Gnome connector (see Issue #2026) | 71 | # You will want to add noblacklist for python3 stuff in the firefox and/or chromium profiles if you use the Gnome connector (see Issue #2026) |
71 | 72 | ||
72 | # Python 3 | 73 | # Python 3 |
74 | blacklist ${HOME}/.local/lib/python3* | ||
73 | blacklist ${PATH}/python3* | 75 | blacklist ${PATH}/python3* |
74 | blacklist /usr/include/python3* | 76 | blacklist /usr/include/python3* |
75 | blacklist /usr/lib/python3* | 77 | blacklist /usr/lib/python3* |
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 3eb6c03d5..211111aaa 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc | |||
@@ -51,6 +51,7 @@ blacklist ${HOME}/.bibletime | |||
51 | blacklist ${HOME}/.bitcoin | 51 | blacklist ${HOME}/.bitcoin |
52 | blacklist ${HOME}/.blobby | 52 | blacklist ${HOME}/.blobby |
53 | blacklist ${HOME}/.bogofilter | 53 | blacklist ${HOME}/.bogofilter |
54 | blacklist ${HOME}/.bsfilter | ||
54 | blacklist ${HOME}/.bundle | 55 | blacklist ${HOME}/.bundle |
55 | blacklist ${HOME}/.bzf | 56 | blacklist ${HOME}/.bzf |
56 | blacklist ${HOME}/.cache/0ad | 57 | blacklist ${HOME}/.cache/0ad |
@@ -83,6 +84,7 @@ blacklist ${HOME}/.cache/Tox | |||
83 | blacklist ${HOME}/.cache/Zeal | 84 | blacklist ${HOME}/.cache/Zeal |
84 | blacklist ${HOME}/.cache/agenda | 85 | blacklist ${HOME}/.cache/agenda |
85 | blacklist ${HOME}/.cache/akonadi* | 86 | blacklist ${HOME}/.cache/akonadi* |
87 | blacklist ${HOME}/.cache/ani-cli | ||
86 | blacklist ${HOME}/.cache/atril | 88 | blacklist ${HOME}/.cache/atril |
87 | blacklist ${HOME}/.cache/attic | 89 | blacklist ${HOME}/.cache/attic |
88 | blacklist ${HOME}/.cache/audacity | 90 | blacklist ${HOME}/.cache/audacity |
@@ -318,6 +320,7 @@ blacklist ${HOME}/.config/PacmanLogViewer | |||
318 | blacklist ${HOME}/.config/PawelStolowski | 320 | blacklist ${HOME}/.config/PawelStolowski |
319 | blacklist ${HOME}/.config/Philipp Schmieder | 321 | blacklist ${HOME}/.config/Philipp Schmieder |
320 | blacklist ${HOME}/.config/Pinta | 322 | blacklist ${HOME}/.config/Pinta |
323 | blacklist ${HOME}/.config/Postman | ||
321 | blacklist ${HOME}/.config/QGIS | 324 | blacklist ${HOME}/.config/QGIS |
322 | blacklist ${HOME}/.config/QMediathekView | 325 | blacklist ${HOME}/.config/QMediathekView |
323 | blacklist ${HOME}/.config/QQ | 326 | blacklist ${HOME}/.config/QQ |
@@ -399,7 +402,6 @@ blacklist ${HOME}/.config/cmus | |||
399 | blacklist ${HOME}/.config/cointop | 402 | blacklist ${HOME}/.config/cointop |
400 | blacklist ${HOME}/.config/com.github.bleakgrey.tootle | 403 | blacklist ${HOME}/.config/com.github.bleakgrey.tootle |
401 | blacklist ${HOME}/.config/corebird | 404 | blacklist ${HOME}/.config/corebird |
402 | blacklist ${HOME}/.config/cower | ||
403 | blacklist ${HOME}/.config/coyim | 405 | blacklist ${HOME}/.config/coyim |
404 | blacklist ${HOME}/.config/d-feet | 406 | blacklist ${HOME}/.config/d-feet |
405 | blacklist ${HOME}/.config/darktable | 407 | blacklist ${HOME}/.config/darktable |
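Review bot: Dropping `blacklist ${HOME}/.config/cower` here (old line 402) is fine as a move to disable-common.inc, but any profile that includes disable-programs.inc without disable-common.inc now no longer blacklists it. If that combination exists in the tree this is a silent loss of coverage; if it does not, the commit message should still state that the entry moved and why, since the two hunks are in different files.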
@@ -410,6 +412,7 @@ blacklist ${HOME}/.config/digikam | |||
410 | blacklist ${HOME}/.config/digikamrc | 412 | blacklist ${HOME}/.config/digikamrc |
411 | blacklist ${HOME}/.config/discord | 413 | blacklist ${HOME}/.config/discord |
412 | blacklist ${HOME}/.config/discordcanary | 414 | blacklist ${HOME}/.config/discordcanary |
415 | blacklist ${HOME}/.config/discordptb | ||
413 | blacklist ${HOME}/.config/dkl | 416 | blacklist ${HOME}/.config/dkl |
414 | blacklist ${HOME}/.config/dnox | 417 | blacklist ${HOME}/.config/dnox |
415 | blacklist ${HOME}/.config/dolphin-emu | 418 | blacklist ${HOME}/.config/dolphin-emu |
@@ -477,6 +480,7 @@ blacklist ${HOME}/.config/inox | |||
477 | blacklist ${HOME}/.config/iridium | 480 | blacklist ${HOME}/.config/iridium |
478 | blacklist ${HOME}/.config/itch | 481 | blacklist ${HOME}/.config/itch |
479 | blacklist ${HOME}/.config/jami | 482 | blacklist ${HOME}/.config/jami |
483 | blacklist ${HOME}/.config/jami.net | ||
480 | blacklist ${HOME}/.config/jd-gui.cfg | 484 | blacklist ${HOME}/.config/jd-gui.cfg |
481 | blacklist ${HOME}/.config/jgit | 485 | blacklist ${HOME}/.config/jgit |
482 | blacklist ${HOME}/.config/k3brc | 486 | blacklist ${HOME}/.config/k3brc |
@@ -517,6 +521,7 @@ blacklist ${HOME}/.config/leafpad | |||
517 | blacklist ${HOME}/.config/libreoffice | 521 | blacklist ${HOME}/.config/libreoffice |
518 | blacklist ${HOME}/.config/liferea | 522 | blacklist ${HOME}/.config/liferea |
519 | blacklist ${HOME}/.config/linphone | 523 | blacklist ${HOME}/.config/linphone |
524 | blacklist ${HOME}/.config/lobster | ||
520 | blacklist ${HOME}/.config/lugaru | 525 | blacklist ${HOME}/.config/lugaru |
521 | blacklist ${HOME}/.config/lutris | 526 | blacklist ${HOME}/.config/lutris |
522 | blacklist ${HOME}/.config/lximage-qt | 527 | blacklist ${HOME}/.config/lximage-qt |
@@ -952,6 +957,7 @@ blacklist ${HOME}/.local/share/kwrite | |||
952 | blacklist ${HOME}/.local/share/kxmlgui5/* | 957 | blacklist ${HOME}/.local/share/kxmlgui5/* |
953 | blacklist ${HOME}/.local/share/liferea | 958 | blacklist ${HOME}/.local/share/liferea |
954 | blacklist ${HOME}/.local/share/linphone | 959 | blacklist ${HOME}/.local/share/linphone |
960 | blacklist ${HOME}/.local/share/lobster | ||
955 | blacklist ${HOME}/.local/share/local-mail | 961 | blacklist ${HOME}/.local/share/local-mail |
956 | blacklist ${HOME}/.local/share/lollypop | 962 | blacklist ${HOME}/.local/share/lollypop |
957 | blacklist ${HOME}/.local/share/love | 963 | blacklist ${HOME}/.local/share/love |
@@ -1027,6 +1033,7 @@ blacklist ${HOME}/.local/share/wormux | |||
1027 | blacklist ${HOME}/.local/share/xplayer | 1033 | blacklist ${HOME}/.local/share/xplayer |
1028 | blacklist ${HOME}/.local/share/xreader | 1034 | blacklist ${HOME}/.local/share/xreader |
1029 | blacklist ${HOME}/.local/share/zathura | 1035 | blacklist ${HOME}/.local/share/zathura |
1036 | blacklist ${HOME}/.local/state/ani-cli | ||
1030 | blacklist ${HOME}/.local/state/audacity | 1037 | blacklist ${HOME}/.local/state/audacity |
1031 | blacklist ${HOME}/.local/state/pipewire | 1038 | blacklist ${HOME}/.local/state/pipewire |
1032 | blacklist ${HOME}/.lv2 | 1039 | blacklist ${HOME}/.lv2 |
@@ -1177,6 +1184,7 @@ blacklist ${HOME}/Arduino | |||
1177 | blacklist ${HOME}/Monero/wallets | 1184 | blacklist ${HOME}/Monero/wallets |
1178 | blacklist ${HOME}/Nextcloud | 1185 | blacklist ${HOME}/Nextcloud |
1179 | blacklist ${HOME}/Nextcloud/Notes | 1186 | blacklist ${HOME}/Nextcloud/Notes |
1187 | blacklist ${HOME}/Postman | ||
1180 | blacklist ${HOME}/Seafile/.seafile-data | 1188 | blacklist ${HOME}/Seafile/.seafile-data |
1181 | blacklist ${HOME}/SoftMaker | 1189 | blacklist ${HOME}/SoftMaker |
1182 | blacklist ${HOME}/Standard Notes Backups | 1190 | blacklist ${HOME}/Standard Notes Backups |
diff --git a/etc/inc/whitelist-common.inc b/etc/inc/whitelist-common.inc index c9f21b2dc..cae059f89 100644 --- a/etc/inc/whitelist-common.inc +++ b/etc/inc/whitelist-common.inc | |||
@@ -10,16 +10,12 @@ whitelist ${HOME}/.asoundrc | |||
10 | whitelist ${HOME}/.config/ibus | 10 | whitelist ${HOME}/.config/ibus |
11 | whitelist ${HOME}/.config/mimeapps.list | 11 | whitelist ${HOME}/.config/mimeapps.list |
12 | whitelist ${HOME}/.config/pkcs11 | 12 | whitelist ${HOME}/.config/pkcs11 |
13 | read-only ${HOME}/.config/pkcs11 | ||
14 | whitelist ${HOME}/.config/user-dirs.dirs | 13 | whitelist ${HOME}/.config/user-dirs.dirs |
15 | read-only ${HOME}/.config/user-dirs.dirs | ||
16 | whitelist ${HOME}/.config/user-dirs.locale | 14 | whitelist ${HOME}/.config/user-dirs.locale |
17 | read-only ${HOME}/.config/user-dirs.locale | ||
18 | whitelist ${HOME}/.drirc | 15 | whitelist ${HOME}/.drirc |
19 | whitelist ${HOME}/.icons | 16 | whitelist ${HOME}/.icons |
20 | ?HAS_APPIMAGE: whitelist ${HOME}/.local/share/appimagekit | 17 | ?HAS_APPIMAGE: whitelist ${HOME}/.local/share/appimagekit |
21 | whitelist ${HOME}/.local/share/applications | 18 | whitelist ${HOME}/.local/share/applications |
22 | read-only ${HOME}/.local/share/applications | ||
23 | whitelist ${HOME}/.local/share/icons | 19 | whitelist ${HOME}/.local/share/icons |
24 | whitelist ${HOME}/.local/share/mime | 20 | whitelist ${HOME}/.local/share/mime |
25 | whitelist ${HOME}/.mime.types | 21 | whitelist ${HOME}/.mime.types |
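Review bot: The removed `read-only` lines for `.config/pkcs11`, `.config/user-dirs.dirs` and `.config/user-dirs.locale` are covered by disable-common.inc (its context lines appear elsewhere in this commit), but `read-only ${HOME}/.local/share/applications` (old line 22) has no visible counterpart in this diff. Either confirm that disable-common.inc already carries it or keep the line here: a whitelisted and writable `~/.local/share/applications` lets the sandboxed program alter launcher entries that are used outside the sandbox, which is presumably why it was read-only in the first place.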
@@ -68,6 +64,7 @@ whitelist ${HOME}/.config/kdeglobals | |||
68 | whitelist ${HOME}/.config/kio_httprc | 64 | whitelist ${HOME}/.config/kio_httprc |
69 | whitelist ${HOME}/.config/kioslaverc | 65 | whitelist ${HOME}/.config/kioslaverc |
70 | whitelist ${HOME}/.config/ksslcablacklist | 66 | whitelist ${HOME}/.config/ksslcablacklist |
67 | whitelist ${HOME}/.config/lxqt | ||
71 | whitelist ${HOME}/.config/qt5ct | 68 | whitelist ${HOME}/.config/qt5ct |
72 | whitelist ${HOME}/.config/qt6ct | 69 | whitelist ${HOME}/.config/qt6ct |
73 | whitelist ${HOME}/.config/qtcurve | 70 | whitelist ${HOME}/.config/qtcurve |
diff --git a/etc/profile-a-l/DiscordPTB.profile b/etc/profile-a-l/DiscordPTB.profile new file mode 100644 index 000000000..4570f0103 --- /dev/null +++ b/etc/profile-a-l/DiscordPTB.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile for DiscordPTB | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include DiscordPTB.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
8 | |||
9 | # Redirect | ||
10 | include discord-ptb.profile | ||
diff --git a/etc/profile-a-l/agetpkg.profile b/etc/profile-a-l/agetpkg.profile index 7a36302f1..9ebbf1cb0 100644 --- a/etc/profile-a-l/agetpkg.profile +++ b/etc/profile-a-l/agetpkg.profile | |||
@@ -28,7 +28,6 @@ include whitelist-usr-share-common.inc | |||
28 | include whitelist-var-common.inc | 28 | include whitelist-var-common.inc |
29 | 29 | ||
30 | caps.drop all | 30 | caps.drop all |
31 | hostname agetpkg | ||
32 | ipc-namespace | 31 | ipc-namespace |
33 | machine-id | 32 | machine-id |
34 | netfilter | 33 | netfilter |
diff --git a/etc/profile-a-l/ani-cli.profile b/etc/profile-a-l/ani-cli.profile new file mode 100644 index 000000000..f05653719 --- /dev/null +++ b/etc/profile-a-l/ani-cli.profile | |||
@@ -0,0 +1,39 @@ | |||
1 | # Firejail profile for ani-cli | ||
2 | # Description: Shell script to watch Anime from the terminal | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include ani-cli.local | ||
7 | # Persistent global definitions | ||
8 | # added by included profile | ||
9 | #include globals.local | ||
10 | |||
11 | noblacklist ${HOME}/.cache/ani-cli | ||
12 | noblacklist ${HOME}/.local/state/ani-cli | ||
13 | |||
14 | # Allow /bin/sh (blacklisted by disable-shell.inc) | ||
15 | include allow-bin-sh.inc | ||
16 | |||
17 | include disable-proc.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | mkdir ${HOME}/.cache/ani-cli | ||
21 | mkdir ${HOME}/.local/state/ani-cli | ||
22 | whitelist ${HOME}/.cache/ani-cli | ||
23 | whitelist ${HOME}/.local/state/ani-cli | ||
24 | include whitelist-run-common.inc | ||
25 | include whitelist-runuser-common.inc | ||
26 | |||
27 | #machine-id | ||
28 | nodvd | ||
29 | noprinters | ||
30 | notv | ||
31 | |||
32 | disable-mnt | ||
33 | private-bin ani-cli,aria2c,cat,cp,curl,cut,ffmpeg,fzf,grep,head,mkdir,mv,nl,nohup,patch,sed,sh,sort,tail,tput,tr,uname,wc | ||
34 | #private-cache | ||
35 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg | ||
36 | private-tmp | ||
37 | |||
38 | # Redirect | ||
39 | include mpv.profile | ||
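Review bot: `#private-cache` (line 34) is commented out without a reason, although the reason is visible two blocks up: the profile mkdirs and whitelists `${HOME}/.cache/ani-cli`, which private-cache would hide behind an empty tmpfs. Write that down (`#private-cache - breaks ${HOME}/.cache/ani-cli`) so nobody re-enables it later, and do the same for `#machine-id` on line 27. The private-bin list on line 33 also includes `patch` and `nohup`, which are unusual for a media script; a comment on what ani-cli uses them for would make future pruning of the list safer.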
diff --git a/etc/profile-a-l/apostrophe.profile b/etc/profile-a-l/apostrophe.profile index 0655c2e6f..cc9c893de 100644 --- a/etc/profile-a-l/apostrophe.profile +++ b/etc/profile-a-l/apostrophe.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for apostrophe | 1 | # Firejail profile for apostrophe |
2 | # Description: Distraction free Markdown editor for GNU/Linux made with GTK+ | 2 | # Description: Distraction free Markdown editor for GNU/Linux made with GTK |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include apostrophe.local | 5 | include apostrophe.local |
diff --git a/etc/profile-a-l/archiver-common.profile b/etc/profile-a-l/archiver-common.profile index ef875c5b7..487e0c5f8 100644 --- a/etc/profile-a-l/archiver-common.profile +++ b/etc/profile-a-l/archiver-common.profile | |||
@@ -23,7 +23,6 @@ include disable-shell.inc | |||
23 | 23 | ||
24 | apparmor | 24 | apparmor |
25 | caps.drop all | 25 | caps.drop all |
26 | hostname archiver | ||
27 | ipc-namespace | 26 | ipc-namespace |
28 | machine-id | 27 | machine-id |
29 | net none | 28 | net none |
diff --git a/etc/profile-a-l/awesome.profile b/etc/profile-a-l/awesome.profile index d8c073c8d..910dd8a91 100644 --- a/etc/profile-a-l/awesome.profile +++ b/etc/profile-a-l/awesome.profile | |||
@@ -16,5 +16,4 @@ noroot | |||
16 | protocol unix,inet,inet6 | 16 | protocol unix,inet,inet6 |
17 | seccomp !chroot | 17 | seccomp !chroot |
18 | 18 | ||
19 | read-only ${HOME}/.config/awesome/autorun.sh | ||
20 | #restrict-namespaces | 19 | #restrict-namespaces |
diff --git a/etc/profile-a-l/blink-common-hardened.inc.profile b/etc/profile-a-l/blink-common-hardened.inc.profile new file mode 100644 index 000000000..c092a9746 --- /dev/null +++ b/etc/profile-a-l/blink-common-hardened.inc.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include blink-common-hardened.inc.local | ||
4 | |||
5 | caps.drop all | ||
6 | nonewprivs | ||
7 | noroot | ||
8 | protocol unix,inet,inet6,netlink | ||
9 | seccomp !chroot | ||
10 | |||
11 | #restrict-namespaces | ||
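Review bot: The header (lines 1-3) uses the older two-line format, while the alias that now points here (chromium-common-hardened.inc.profile, rewritten in this same commit) and the new blink-common.profile use the current `# Persistent local customizations` / `# Persistent global definitions` / `#include globals.local` header. Use the current format in the new file too, so the two hardened files do not drift apart.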
diff --git a/etc/profile-a-l/blink-common.profile b/etc/profile-a-l/blink-common.profile new file mode 100644 index 000000000..ff17dc479 --- /dev/null +++ b/etc/profile-a-l/blink-common.profile | |||
@@ -0,0 +1,40 @@ | |||
1 | # Firejail profile for blink-common | ||
2 | # Description: Common profile for Blink-based applications | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include blink-common.local | ||
6 | # Persistent global definitions | ||
7 | # added by caller profile | ||
8 | #include globals.local | ||
9 | |||
10 | include disable-common.inc | ||
11 | include disable-devel.inc | ||
12 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | ||
14 | include disable-programs.inc | ||
15 | include disable-xdg.inc | ||
16 | |||
17 | whitelist ${DOWNLOADS} | ||
18 | include whitelist-common.inc | ||
19 | #include whitelist-run-common.inc | ||
20 | include whitelist-runuser-common.inc | ||
21 | include whitelist-usr-share-common.inc | ||
22 | include whitelist-var-common.inc | ||
23 | |||
24 | # If your kernel allows the creation of user namespaces by unprivileged users | ||
25 | # (for example, if running `unshare -U echo enabled` prints "enabled"), you | ||
26 | # can add the next line to your blink-common.local. | ||
27 | #include blink-common-hardened.inc.profile | ||
28 | |||
29 | apparmor | ||
30 | caps.keep sys_admin,sys_chroot | ||
31 | netfilter | ||
32 | nodvd | ||
33 | nogroups | ||
34 | noinput | ||
35 | notv | ||
36 | |||
37 | disable-mnt | ||
38 | private-cache | ||
39 | |||
40 | dbus-system none | ||
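Review bot: `#include whitelist-run-common.inc` (line 19) is commented out without explanation, while chromium-common.profile keeps the live include in its own file; add a comment such as `# added by caller profile` (the phrase already used on line 7) so it is clear that callers opt in rather than that the include is broken. `caps.keep sys_admin,sys_chroot` (line 30) also deserves a one-line comment on why a Blink browser needs those capabilities, since the hardened include mentioned on lines 24-27 replaces them with `caps.drop all` only when unprivileged user namespaces are available.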
diff --git a/etc/profile-a-l/bluefish.profile b/etc/profile-a-l/bluefish.profile index d24f76262..e65f76a60 100644 --- a/etc/profile-a-l/bluefish.profile +++ b/etc/profile-a-l/bluefish.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for bluefish | 1 | # Firejail profile for bluefish |
2 | # Description: Advanced Gtk+ text editor for web and software development | 2 | # Description: Advanced GTK text editor for web and software development |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include bluefish.local | 5 | include bluefish.local |
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile index 7b0f7bdf0..9f83b8232 100644 --- a/etc/profile-a-l/celluloid.profile +++ b/etc/profile-a-l/celluloid.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for celluloid | 1 | # Firejail profile for celluloid |
2 | # Description: Simple GTK+ frontend for mpv | 2 | # Description: Simple GTK frontend for mpv |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include celluloid.local | 5 | include celluloid.local |
diff --git a/etc/profile-a-l/chafa.profile b/etc/profile-a-l/chafa.profile index 72f79681d..f21a34f36 100644 --- a/etc/profile-a-l/chafa.profile +++ b/etc/profile-a-l/chafa.profile | |||
@@ -39,6 +39,7 @@ nosound | |||
39 | notv | 39 | notv |
40 | nou2f | 40 | nou2f |
41 | novideo | 41 | novideo |
42 | # block socket syscall to simulate empty protocol option (see #639) | ||
42 | seccomp socket | 43 | seccomp socket |
43 | seccomp.block-secondary | 44 | seccomp.block-secondary |
44 | tracelog | 45 | tracelog |
diff --git a/etc/profile-a-l/chromium-common-hardened.inc.profile b/etc/profile-a-l/chromium-common-hardened.inc.profile index c3944bd65..0e0416de1 100644 --- a/etc/profile-a-l/chromium-common-hardened.inc.profile +++ b/etc/profile-a-l/chromium-common-hardened.inc.profile | |||
@@ -1,11 +1,10 @@ | |||
1 | # This file is overwritten during software install. | 1 | # Firejail profile alias for blink-common-hardened.inc |
2 | # Persistent customizations should go in a .local file. | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
3 | include chromium-common-hardened.inc.local | 4 | include chromium-common-hardened.inc.local |
5 | # Persistent global definitions | ||
6 | # added by caller profile | ||
7 | #include globals.local | ||
4 | 8 | ||
5 | caps.drop all | 9 | # Redirect |
6 | nonewprivs | 10 | include blink-common-hardened.inc.profile |
7 | noroot | ||
8 | protocol unix,inet,inet6,netlink | ||
9 | seccomp !chroot | ||
10 | |||
11 | #restrict-namespaces | ||
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile index f1f2f5f68..878e0fe1d 100644 --- a/etc/profile-a-l/chromium-common.profile +++ b/etc/profile-a-l/chromium-common.profile | |||
@@ -17,42 +17,21 @@ noblacklist /usr/lib/chromium/chrome-sandbox | |||
17 | # to have access to Gnome extensions (extensions.gnome.org) via browser connector | 17 | # to have access to Gnome extensions (extensions.gnome.org) via browser connector |
18 | #include allow-python3.inc | 18 | #include allow-python3.inc |
19 | 19 | ||
20 | include disable-common.inc | ||
21 | include disable-devel.inc | ||
22 | include disable-exec.inc | ||
23 | include disable-interpreters.inc | ||
24 | include disable-programs.inc | ||
25 | include disable-xdg.inc | ||
26 | |||
27 | mkdir ${HOME}/.local/share/pki | 20 | mkdir ${HOME}/.local/share/pki |
28 | mkdir ${HOME}/.pki | 21 | mkdir ${HOME}/.pki |
29 | whitelist ${DOWNLOADS} | ||
30 | whitelist ${HOME}/.local/share/pki | 22 | whitelist ${HOME}/.local/share/pki |
31 | whitelist ${HOME}/.pki | 23 | whitelist ${HOME}/.pki |
32 | whitelist /usr/share/mozilla/extensions | 24 | whitelist /usr/share/mozilla/extensions |
33 | whitelist /usr/share/webext | 25 | whitelist /usr/share/webext |
34 | include whitelist-common.inc | ||
35 | include whitelist-run-common.inc | 26 | include whitelist-run-common.inc |
36 | include whitelist-runuser-common.inc | ||
37 | include whitelist-usr-share-common.inc | ||
38 | include whitelist-var-common.inc | ||
39 | 27 | ||
40 | # If your kernel allows the creation of user namespaces by unprivileged users | 28 | # If your kernel allows the creation of user namespaces by unprivileged users |
41 | # (for example, if running `unshare -U echo enabled` prints "enabled"), you | 29 | # (for example, if running `unshare -U echo enabled` prints "enabled"), you |
42 | # can add the next line to your chromium-common.local. | 30 | # can add the next line to your chromium-common.local. |
43 | #include chromium-common-hardened.inc.profile | 31 | #include chromium-common-hardened.inc.profile |
44 | 32 | ||
45 | apparmor | ||
46 | caps.keep sys_admin,sys_chroot | ||
47 | netfilter | ||
48 | nodvd | ||
49 | nogroups | ||
50 | noinput | ||
51 | notv | ||
52 | ?BROWSER_DISABLE_U2F: nou2f | 33 | ?BROWSER_DISABLE_U2F: nou2f |
53 | 34 | ||
54 | disable-mnt | ||
55 | private-cache | ||
56 | ?BROWSER_DISABLE_U2F: private-dev | 35 | ?BROWSER_DISABLE_U2F: private-dev |
57 | #private-tmp - issues when using multiple browser sessions | 36 | #private-tmp - issues when using multiple browser sessions |
58 | 37 | ||
@@ -61,7 +40,9 @@ blacklist ${PATH}/wget | |||
61 | blacklist ${PATH}/wget2 | 40 | blacklist ${PATH}/wget2 |
62 | 41 | ||
63 | #dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector. | 42 | #dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector. |
64 | dbus-system none | ||
65 | 43 | ||
66 | # The file dialog needs to work without d-bus. | 44 | # The file dialog needs to work without d-bus. |
67 | ?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1 | 45 | ?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1 |
46 | |||
47 | # Redirect | ||
48 | include blink-common.profile | ||
diff --git a/etc/profile-a-l/claws-mail.profile b/etc/profile-a-l/claws-mail.profile index e0f1bca94..7fefc68b1 100644 --- a/etc/profile-a-l/claws-mail.profile +++ b/etc/profile-a-l/claws-mail.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for claws-mail | 1 | # Firejail profile for claws-mail |
2 | # Description: Fast, lightweight and user-friendly GTK based email client | 2 | # Description: Fast, lightweight and user-friendly GTK-based email client |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include claws-mail.local | 5 | include claws-mail.local |
diff --git a/etc/profile-a-l/clipit.profile b/etc/profile-a-l/clipit.profile index 504bce0b1..321d59783 100644 --- a/etc/profile-a-l/clipit.profile +++ b/etc/profile-a-l/clipit.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for clipit | 1 | # Firejail profile for clipit |
2 | # Description: Lightweight GTK+ clipboard manager | 2 | # Description: Lightweight GTK clipboard manager |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include clipit.local | 5 | include clipit.local |
diff --git a/etc/profile-a-l/com.github.bleakgrey.tootle.profile b/etc/profile-a-l/com.github.bleakgrey.tootle.profile index 8b7d2317c..180282869 100644 --- a/etc/profile-a-l/com.github.bleakgrey.tootle.profile +++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for com.github.bleakgrey.tootle | 1 | # Firejail profile for com.github.bleakgrey.tootle |
2 | # Description: Gtk Mastodon client | 2 | # Description: GTK Mastodon client |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include com.github.bleakgrey.tootle.local | 5 | include com.github.bleakgrey.tootle.local |
diff --git a/etc/profile-a-l/corebird.profile b/etc/profile-a-l/corebird.profile index 1774669f1..09f80d7bb 100644 --- a/etc/profile-a-l/corebird.profile +++ b/etc/profile-a-l/corebird.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for corebird | 1 | # Firejail profile for corebird |
2 | # Description: Native Gtk+ Twitter client for the Linux desktop | 2 | # Description: Native GTK Twitter client for the Linux desktop |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include corebird.local | 5 | include corebird.local |
diff --git a/etc/profile-a-l/cower.profile b/etc/profile-a-l/cower.profile index e896f3537..9b05b4416 100644 --- a/etc/profile-a-l/cower.profile +++ b/etc/profile-a-l/cower.profile | |||
@@ -45,5 +45,4 @@ private-dev | |||
45 | private-tmp | 45 | private-tmp |
46 | 46 | ||
47 | memory-deny-write-execute | 47 | memory-deny-write-execute |
48 | read-only ${HOME}/.config/cower/config | ||
49 | restrict-namespaces | 48 | restrict-namespaces |
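Review bot: dropping `read-only ${HOME}/.config/cower/config` lets the sandboxed process rewrite its own configuration unless the same restriction now arrives from an included file; the hunk gives no hint where it moved, so a short comment or a line in the commit message saying why the read-only is no longer needed would avoid this looking like a silent relaxation.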
diff --git a/etc/profile-a-l/deadbeef.profile b/etc/profile-a-l/deadbeef.profile index 4eb89503a..71afecd7a 100644 --- a/etc/profile-a-l/deadbeef.profile +++ b/etc/profile-a-l/deadbeef.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for deadbeef | 1 | # Firejail profile for deadbeef |
2 | # Description: A GTK+ audio player for GNU/Linux | 2 | # Description: A GTK audio player for GNU/Linux |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include deadbeef.local | 5 | include deadbeef.local |
diff --git a/etc/profile-a-l/dino-im.profile b/etc/profile-a-l/dino-im.profile index ae0549d3e..3f4e3a381 100644 --- a/etc/profile-a-l/dino-im.profile +++ b/etc/profile-a-l/dino-im.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for dino-im | 1 | # Firejail profile for dino-im |
2 | # Description: Modern XMPP Chat Client using GTK+/Vala, Ubuntu specific bin name | 2 | # Description: Modern XMPP Chat Client using GTK/Vala, Ubuntu specific bin name |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include dino-im.local | 5 | include dino-im.local |
diff --git a/etc/profile-a-l/dino.profile b/etc/profile-a-l/dino.profile index 1f7134ff2..fe2b59a1e 100644 --- a/etc/profile-a-l/dino.profile +++ b/etc/profile-a-l/dino.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for dino | 1 | # Firejail profile for dino |
2 | # Description: Modern XMPP Chat Client using GTK+/Vala | 2 | # Description: Modern XMPP Chat Client using GTK/Vala |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include dino.local | 5 | include dino.local |
diff --git a/etc/profile-a-l/discord-ptb.profile b/etc/profile-a-l/discord-ptb.profile new file mode 100644 index 000000000..c39c0d843 --- /dev/null +++ b/etc/profile-a-l/discord-ptb.profile | |||
@@ -0,0 +1,17 @@ | |||
1 | # Firejail profile for discord-ptb | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include discord-ptb.local | ||
5 | # Persistent global definitions | ||
6 | include globals.local | ||
7 | |||
8 | noblacklist ${HOME}/.config/discordptb | ||
9 | |||
10 | mkdir ${HOME}/.config/discordptb | ||
11 | whitelist ${HOME}/.config/discordptb | ||
12 | |||
13 | private-bin discord-ptb,DiscordPTB | ||
14 | private-opt discord-ptb,DiscordPTB | ||
15 | |||
16 | # Redirect | ||
17 | include discord-common.profile | ||
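Review bot: the header is missing the `# Description:` line that every other profile in this series carries (compare jami.profile and claws-mail.profile); add one describing the program. Also, line 6 includes `globals.local` directly even though the profile ends by redirecting to discord-common.profile; the sibling redirect profiles in this commit (gtk-lbry-viewer.profile, lobster.profile) instead write `# added by included profile` over a commented `#include globals.local`, so follow that convention unless discord-common.profile is known not to include it, or globals.local is read twice.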
diff --git a/etc/profile-a-l/electron-common.profile b/etc/profile-a-l/electron-common.profile index 73b6d1067..bb48d6332 100644 --- a/etc/profile-a-l/electron-common.profile +++ b/etc/profile-a-l/electron-common.profile | |||
@@ -7,40 +7,21 @@ include electron-common.local | |||
7 | noblacklist ${HOME}/.config/Electron | 7 | noblacklist ${HOME}/.config/Electron |
8 | noblacklist ${HOME}/.config/electron*-flag*.conf | 8 | noblacklist ${HOME}/.config/electron*-flag*.conf |
9 | 9 | ||
10 | include disable-common.inc | ||
11 | include disable-devel.inc | ||
12 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | ||
14 | include disable-programs.inc | ||
15 | include disable-xdg.inc | ||
16 | |||
17 | whitelist ${DOWNLOADS} | ||
18 | whitelist ${HOME}/.config/Electron | 10 | whitelist ${HOME}/.config/Electron |
19 | whitelist ${HOME}/.config/electron*-flag*.conf | 11 | whitelist ${HOME}/.config/electron*-flag*.conf |
20 | include whitelist-common.inc | ||
21 | include whitelist-runuser-common.inc | ||
22 | include whitelist-usr-share-common.inc | ||
23 | include whitelist-var-common.inc | ||
24 | 12 | ||
25 | # If your kernel allows the creation of user namespaces by unprivileged users | 13 | # If your kernel allows the creation of user namespaces by unprivileged users |
26 | # (for example, if running `unshare -U echo enabled` prints "enabled"), you | 14 | # (for example, if running `unshare -U echo enabled` prints "enabled"), you |
27 | # can add the next line to your electron-common.local. | 15 | # can add the next line to your electron-common.local. |
28 | #include electron-common-hardened.inc.profile | 16 | #include electron-common-hardened.inc.profile |
29 | 17 | ||
30 | apparmor | ||
31 | caps.keep sys_admin,sys_chroot | ||
32 | netfilter | ||
33 | nodvd | ||
34 | nogroups | ||
35 | noinput | ||
36 | notv | ||
37 | nou2f | 18 | nou2f |
38 | novideo | 19 | novideo |
39 | 20 | ||
40 | disable-mnt | ||
41 | private-cache | ||
42 | private-dev | 21 | private-dev |
43 | private-tmp | 22 | private-tmp |
44 | 23 | ||
45 | dbus-user none | 24 | dbus-user none |
46 | dbus-system none | 25 | |
26 | # Redirect | ||
27 | include blink-common.profile | ||
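Review bot: this hunk removes a large amount of hardening in one go (`apparmor`, `caps.keep sys_admin,sys_chroot`, `netfilter`, `nodvd`, `nogroups`, `noinput`, `notv`, `disable-mnt`, `private-cache`, `dbus-system none`, `whitelist ${DOWNLOADS}` and all the disable-*.inc and whitelist-*.inc includes) on the assumption that blink-common.profile now supplies each of them; since blink-common.profile is not in the hunk, a line-by-line check that nothing was lost is warranted, in particular `caps.keep sys_admin,sys_chroot` and `dbus-system none`, where a mismatch would either break the Electron sandbox or open the system bus. The comment at lines 13-16 still points users at electron-common-hardened.inc.profile, which remains correct.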
diff --git a/etc/profile-a-l/electron-mail.profile b/etc/profile-a-l/electron-mail.profile index 9f4fabd68..766fe523b 100644 --- a/etc/profile-a-l/electron-mail.profile +++ b/etc/profile-a-l/electron-mail.profile | |||
@@ -24,7 +24,6 @@ whitelist ${HOME}/.config/electron-mail | |||
24 | # there isn't a Firefox instance running with the default profile; see #5352) | 24 | # there isn't a Firefox instance running with the default profile; see #5352) |
25 | noblacklist ${HOME}/.mozilla | 25 | noblacklist ${HOME}/.mozilla |
26 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | 26 | whitelist ${HOME}/.mozilla/firefox/profiles.ini |
27 | read-only ${HOME}/.mozilla/firefox/profiles.ini | ||
28 | 27 | ||
29 | machine-id | 28 | machine-id |
30 | nosound | 29 | nosound |
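Review bot: removing the explicit `read-only ${HOME}/.mozilla/firefox/profiles.ini` is only a no-op if disable-common.inc now makes that file read-only (the firefox.profile hunk in this commit says it does) and electron-mail.profile includes disable-common.inc; neither is visible here, so worth confirming. The `whitelist` on line 26 keeps the file visible, which is all the comment on line 24 requires.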
diff --git a/etc/profile-a-l/element-desktop.profile b/etc/profile-a-l/element-desktop.profile index 48a826f2e..7b4994a85 100644 --- a/etc/profile-a-l/element-desktop.profile +++ b/etc/profile-a-l/element-desktop.profile | |||
@@ -18,6 +18,7 @@ whitelist /opt/Element | |||
18 | private-opt Element | 18 | private-opt Element |
19 | 19 | ||
20 | dbus-user filter | 20 | dbus-user filter |
21 | dbus-user.talk org.freedesktop.Notifications | ||
21 | dbus-user.talk org.freedesktop.secrets | 22 | dbus-user.talk org.freedesktop.secrets |
22 | 23 | ||
23 | # Redirect | 24 | # Redirect |
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile index bf5b67255..8eee662ad 100644 --- a/etc/profile-a-l/email-common.profile +++ b/etc/profile-a-l/email-common.profile | |||
@@ -8,6 +8,7 @@ include email-common.local | |||
8 | #include globals.local | 8 | #include globals.local |
9 | 9 | ||
10 | noblacklist ${HOME}/.bogofilter | 10 | noblacklist ${HOME}/.bogofilter |
11 | noblacklist ${HOME}/.bsfilter | ||
11 | noblacklist ${HOME}/.gnupg | 12 | noblacklist ${HOME}/.gnupg |
12 | noblacklist ${HOME}/.mozilla | 13 | noblacklist ${HOME}/.mozilla |
13 | noblacklist ${HOME}/.signature | 14 | noblacklist ${HOME}/.signature |
@@ -20,6 +21,9 @@ noblacklist /var/spool/mail | |||
20 | 21 | ||
21 | noblacklist ${DOCUMENTS} | 22 | noblacklist ${DOCUMENTS} |
22 | 23 | ||
24 | # Allow perl (blacklisted by disable-interpreters.inc) | ||
25 | include allow-perl.inc | ||
26 | |||
23 | include disable-common.inc | 27 | include disable-common.inc |
24 | include disable-devel.inc | 28 | include disable-devel.inc |
25 | include disable-exec.inc | 29 | include disable-exec.inc |
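Review bot: `include allow-perl.inc` re-enables an interpreter for every client built on email-common.profile, but the comment only records that disable-interpreters.inc blacklists it, not which program needs perl; name the consumer in the comment (e.g. `# Allow perl (blacklisted by disable-interpreters.inc) - needed by <tool>`) so the exception can be dropped when it no longer applies instead of becoming a permanent widening of the sandbox.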
@@ -30,15 +34,18 @@ include disable-xdg.inc | |||
30 | mkdir ${HOME}/.gnupg | 34 | mkdir ${HOME}/.gnupg |
31 | mkfile ${HOME}/.config/mimeapps.list | 35 | mkfile ${HOME}/.config/mimeapps.list |
32 | mkfile ${HOME}/.signature | 36 | mkfile ${HOME}/.signature |
37 | whitelist ${HOME}/.bogofilter | ||
38 | whitelist ${HOME}/.bsfilter | ||
33 | whitelist ${HOME}/.config/mimeapps.list | 39 | whitelist ${HOME}/.config/mimeapps.list |
34 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | ||
35 | whitelist ${HOME}/.gnupg | 40 | whitelist ${HOME}/.gnupg |
41 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | ||
36 | whitelist ${HOME}/.signature | 42 | whitelist ${HOME}/.signature |
37 | whitelist ${DOCUMENTS} | 43 | whitelist ${DOCUMENTS} |
38 | whitelist ${DOWNLOADS} | 44 | whitelist ${DOWNLOADS} |
39 | # when storing mail outside the default ${HOME}/Mail path, 'whitelist' the custom path in your email-common.local | 45 | # when storing mail outside the default ${HOME}/Mail path, 'whitelist' the custom path in your email-common.local |
40 | whitelist ${HOME}/Mail | 46 | whitelist ${HOME}/Mail |
41 | whitelist ${RUNUSER}/gnupg | 47 | whitelist ${RUNUSER}/gnupg |
48 | whitelist /usr/share/bogofilter | ||
42 | whitelist /usr/share/gnupg | 49 | whitelist /usr/share/gnupg |
43 | whitelist /usr/share/gnupg2 | 50 | whitelist /usr/share/gnupg2 |
44 | whitelist /var/lib/clamav | 51 | whitelist /var/lib/clamav |
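Review bot: `whitelist ${HOME}/.bogofilter` and `whitelist ${HOME}/.bsfilter` have no matching `mkdir` lines, unlike `${HOME}/.gnupg`, which gets `mkdir ${HOME}/.gnupg` at line 34 before its whitelist; if the directory does not exist when the sandbox starts, the whitelist is skipped and the filter cannot persist its database on first run. Consider adding `mkdir ${HOME}/.bogofilter` and `mkdir ${HOME}/.bsfilter` next to the gnupg one. The move of `whitelist ${HOME}/.mozilla/firefox/profiles.ini` below `.gnupg` restores alphabetical order, good.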
@@ -71,7 +78,7 @@ tracelog | |||
71 | # disable-mnt | 78 | # disable-mnt |
72 | private-cache | 79 | private-cache |
73 | private-dev | 80 | private-dev |
74 | private-etc @tls-ca,@x11,clamav,gnupg,hosts.conf,mailname,timezone | 81 | private-etc @tls-ca,@x11,bogofilter,bogofilter.cf,gnupg,hosts.conf,mailname,timezone |
75 | private-tmp | 82 | private-tmp |
76 | # encrypting and signing email | 83 | # encrypting and signing email |
77 | writable-run-user | 84 | writable-run-user |
@@ -86,6 +93,5 @@ dbus-user.talk org.gnome.seahorse.* | |||
86 | dbus-user.talk org.mozilla.* | 93 | dbus-user.talk org.mozilla.* |
87 | dbus-system none | 94 | dbus-system none |
88 | 95 | ||
89 | read-only ${HOME}/.mozilla/firefox/profiles.ini | ||
90 | read-only ${HOME}/.signature | 96 | read-only ${HOME}/.signature |
91 | restrict-namespaces | 97 | restrict-namespaces |
diff --git a/etc/profile-a-l/engrampa.profile b/etc/profile-a-l/engrampa.profile index 1118c3bf0..e1d107dc7 100644 --- a/etc/profile-a-l/engrampa.profile +++ b/etc/profile-a-l/engrampa.profile | |||
@@ -10,18 +10,21 @@ include disable-common.inc | |||
10 | include disable-devel.inc | 10 | include disable-devel.inc |
11 | include disable-exec.inc | 11 | include disable-exec.inc |
12 | include disable-interpreters.inc | 12 | include disable-interpreters.inc |
13 | include disable-proc.inc | ||
13 | include disable-programs.inc | 14 | include disable-programs.inc |
14 | 15 | ||
15 | include whitelist-var-common.inc | 16 | include whitelist-var-common.inc |
16 | 17 | ||
17 | apparmor | 18 | apparmor |
18 | caps.drop all | 19 | caps.drop all |
20 | machine-id | ||
19 | net none | 21 | net none |
20 | no3d | 22 | no3d |
21 | nodvd | 23 | nodvd |
22 | nogroups | 24 | nogroups |
23 | noinput | 25 | noinput |
24 | nonewprivs | 26 | nonewprivs |
27 | noprinters | ||
25 | noroot | 28 | noroot |
26 | nosound | 29 | nosound |
27 | notv | 30 | notv |
@@ -29,6 +32,7 @@ nou2f | |||
29 | novideo | 32 | novideo |
30 | protocol unix | 33 | protocol unix |
31 | seccomp | 34 | seccomp |
35 | seccomp.block-secondary | ||
32 | tracelog | 36 | tracelog |
33 | 37 | ||
34 | # private-bin engrampa | 38 | # private-bin engrampa |
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile index 4f39bec55..78e2751b3 100644 --- a/etc/profile-a-l/file-roller.profile +++ b/etc/profile-a-l/file-roller.profile | |||
@@ -29,6 +29,7 @@ nodvd | |||
29 | nogroups | 29 | nogroups |
30 | noinput | 30 | noinput |
31 | nonewprivs | 31 | nonewprivs |
32 | noprinters | ||
32 | noroot | 33 | noroot |
33 | nosound | 34 | nosound |
34 | notv | 35 | notv |
@@ -45,6 +46,10 @@ private-dev | |||
45 | private-etc @x11 | 46 | private-etc @x11 |
46 | # private-tmp | 47 | # private-tmp |
47 | 48 | ||
49 | dbus-user filter | ||
50 | dbus-user.own org.gnome.ArchiveManager1 | ||
51 | dbus-user.own org.gnome.FileRoller | ||
52 | dbus-user.talk ca.desrt.dconf | ||
48 | dbus-system none | 53 | dbus-system none |
49 | 54 | ||
50 | restrict-namespaces | 55 | restrict-namespaces |
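Review bot: switching to `dbus-user filter` with two owned names plus `ca.desrt.dconf` is a welcome tightening, but the hunk shows no prior `dbus-user` line, so it was presumably unfiltered before; confirm that file-roller's notifications and file chooser still work without a `dbus-user.talk org.freedesktop.Notifications` or portal entry, since those would be the first things to break under a filter this narrow.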
diff --git a/etc/profile-a-l/file.profile b/etc/profile-a-l/file.profile index a5fd05bc7..78f1327c5 100644 --- a/etc/profile-a-l/file.profile +++ b/etc/profile-a-l/file.profile | |||
@@ -15,7 +15,6 @@ include disable-programs.inc | |||
15 | 15 | ||
16 | apparmor | 16 | apparmor |
17 | caps.drop all | 17 | caps.drop all |
18 | hostname file | ||
19 | ipc-namespace | 18 | ipc-namespace |
20 | machine-id | 19 | machine-id |
21 | net none | 20 | net none |
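Review bot: `hostname file` is removed with no comment explaining why; the galculator hunk below shows that `hostname` has been a known breakage on Arch Linux, so if that is the motivation here (and in geekbench.profile), say so in the commit message, otherwise the change reads as a silent loss of isolation.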
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile index 0e1d30958..42d59157c 100644 --- a/etc/profile-a-l/firefox.profile +++ b/etc/profile-a-l/firefox.profile | |||
@@ -14,6 +14,9 @@ include globals.local | |||
14 | # https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-run-two-instances-of-firefox | 14 | # https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-run-two-instances-of-firefox |
15 | # https://github.com/netblue30/firejail/issues/4206#issuecomment-824806968 | 15 | # https://github.com/netblue30/firejail/issues/4206#issuecomment-824806968 |
16 | 16 | ||
17 | # (Ignore entry from disable-common.inc) | ||
18 | ignore read-only ${HOME}/.mozilla/firefox/profiles.ini | ||
19 | |||
17 | noblacklist ${HOME}/.cache/mozilla | 20 | noblacklist ${HOME}/.cache/mozilla |
18 | noblacklist ${HOME}/.mozilla | 21 | noblacklist ${HOME}/.mozilla |
19 | noblacklist ${RUNUSER}/*firefox* | 22 | noblacklist ${RUNUSER}/*firefox* |
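Review bot: the `ignore read-only ${HOME}/.mozilla/firefox/profiles.ini` line is placed ahead of the includes, which is the right position for it to cancel the later disable-common.inc entry; the comment should also state why firefox needs profiles.ini writable, since every other profile in this commit is being made to rely on the new read-only entry, and a future cleanup could otherwise drop this exception.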
diff --git a/etc/profile-a-l/gajim.profile b/etc/profile-a-l/gajim.profile index c8414ad1b..7cef2dbbb 100644 --- a/etc/profile-a-l/gajim.profile +++ b/etc/profile-a-l/gajim.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for gajim | 1 | # Firejail profile for gajim |
2 | # Description: GTK+-based Jabber client | 2 | # Description: GTK-based Jabber client |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include gajim.local | 5 | include gajim.local |
diff --git a/etc/profile-a-l/galculator.profile b/etc/profile-a-l/galculator.profile index 96ded592d..44d62cc86 100644 --- a/etc/profile-a-l/galculator.profile +++ b/etc/profile-a-l/galculator.profile | |||
@@ -23,7 +23,6 @@ include whitelist-var-common.inc | |||
23 | 23 | ||
24 | apparmor | 24 | apparmor |
25 | caps.drop all | 25 | caps.drop all |
26 | #hostname galculator - breaks Arch Linux | ||
27 | #ipc-namespace | 26 | #ipc-namespace |
28 | net none | 27 | net none |
29 | nodvd | 28 | nodvd |
diff --git a/etc/profile-a-l/gallery-dl.profile b/etc/profile-a-l/gallery-dl.profile index 9c8200dc4..9643820e7 100644 --- a/etc/profile-a-l/gallery-dl.profile +++ b/etc/profile-a-l/gallery-dl.profile | |||
@@ -15,4 +15,4 @@ private-bin gallery-dl | |||
15 | private-etc gallery-dl.conf | 15 | private-etc gallery-dl.conf |
16 | 16 | ||
17 | # Redirect | 17 | # Redirect |
18 | include youtube-dl.profile | 18 | include yt-dlp.profile |
diff --git a/etc/profile-a-l/gdu.profile b/etc/profile-a-l/gdu.profile index 4eb94edf4..4066a1ebf 100644 --- a/etc/profile-a-l/gdu.profile +++ b/etc/profile-a-l/gdu.profile | |||
@@ -26,7 +26,7 @@ nosound | |||
26 | notv | 26 | notv |
27 | nou2f | 27 | nou2f |
28 | novideo | 28 | novideo |
29 | # block the socket syscall to simulate an be empty protocol line, see #639 | 29 | # block socket syscall to simulate empty protocol option (see #639) |
30 | seccomp socket | 30 | seccomp socket |
31 | seccomp.block-secondary | 31 | seccomp.block-secondary |
32 | x11 none | 32 | x11 none |
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile index a19a20ba7..ba0837780 100644 --- a/etc/profile-a-l/geary.profile +++ b/etc/profile-a-l/geary.profile | |||
@@ -91,5 +91,4 @@ dbus-user.talk org.gnome.evolution.dataserver.Sources5 | |||
91 | dbus-user.talk org.mozilla.* | 91 | dbus-user.talk org.mozilla.* |
92 | dbus-system none | 92 | dbus-system none |
93 | 93 | ||
94 | read-only ${HOME}/.mozilla/firefox/profiles.ini | ||
95 | restrict-namespaces | 94 | restrict-namespaces |
diff --git a/etc/profile-a-l/geekbench.profile b/etc/profile-a-l/geekbench.profile index 3a929774a..e8d4c013f 100644 --- a/etc/profile-a-l/geekbench.profile +++ b/etc/profile-a-l/geekbench.profile | |||
@@ -25,7 +25,6 @@ include whitelist-var-common.inc | |||
25 | 25 | ||
26 | apparmor | 26 | apparmor |
27 | caps.drop all | 27 | caps.drop all |
28 | hostname geekbench | ||
29 | ipc-namespace | 28 | ipc-namespace |
30 | machine-id | 29 | machine-id |
31 | netfilter | 30 | netfilter |
diff --git a/etc/profile-a-l/geeqie.profile b/etc/profile-a-l/geeqie.profile index 95adc6840..f81a49e4f 100644 --- a/etc/profile-a-l/geeqie.profile +++ b/etc/profile-a-l/geeqie.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for geeqie | 1 | # Firejail profile for geeqie |
2 | # Description: Image viewer using GTK+ | 2 | # Description: Image viewer using GTK |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include geeqie.local | 5 | include geeqie.local |
diff --git a/etc/profile-a-l/gtk-lbry-viewer.profile b/etc/profile-a-l/gtk-lbry-viewer.profile index e1fb53b16..6d143bbe0 100644 --- a/etc/profile-a-l/gtk-lbry-viewer.profile +++ b/etc/profile-a-l/gtk-lbry-viewer.profile | |||
@@ -1,12 +1,14 @@ | |||
1 | # Firejail profile for gtk-lbry-viewer | 1 | # Firejail profile for gtk-lbry-viewer |
2 | # Description: Gtk front-end to lbry-viewer | 2 | # Description: GTK front-end to lbry-viewer |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include gtk-lbry-viewer.local | 5 | include gtk-lbry-viewer.local |
6 | # added by included profile | 6 | # added by included profile |
7 | #include globals.local | 7 | #include globals.local |
8 | 8 | ||
9 | ignore quiet | 9 | private-bin gtk-lbry-viewer |
10 | |||
11 | include gtk-youtube-viewers-common.profile | ||
10 | 12 | ||
11 | # Redirect | 13 | # Redirect |
12 | include lbry-viewer.profile | 14 | include lbry-viewer.profile |
diff --git a/etc/profile-a-l/gtk-pipe-viewer.profile b/etc/profile-a-l/gtk-pipe-viewer.profile index 9c212ff6e..059961742 100644 --- a/etc/profile-a-l/gtk-pipe-viewer.profile +++ b/etc/profile-a-l/gtk-pipe-viewer.profile | |||
@@ -1,12 +1,14 @@ | |||
1 | # Firejail profile for gtk-pipe-viewer | 1 | # Firejail profile for gtk-pipe-viewer |
2 | # Description: Gtk front-end to pipe-viewer | 2 | # Description: GTK front-end to pipe-viewer |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include gtk-pipe-viewer.local | 5 | include gtk-pipe-viewer.local |
6 | # added by included profile | 6 | # added by included profile |
7 | #include globals.local | 7 | #include globals.local |
8 | 8 | ||
9 | ignore quiet | 9 | private-bin gtk-pipe-viewer |
10 | |||
11 | include gtk-youtube-viewers-common.profile | ||
10 | 12 | ||
11 | # Redirect | 13 | # Redirect |
12 | include pipe-viewer.profile | 14 | include pipe-viewer.profile |
diff --git a/etc/profile-a-l/gtk-straw-viewer.profile b/etc/profile-a-l/gtk-straw-viewer.profile index 978b3d896..5f1933258 100644 --- a/etc/profile-a-l/gtk-straw-viewer.profile +++ b/etc/profile-a-l/gtk-straw-viewer.profile | |||
@@ -1,12 +1,14 @@ | |||
1 | # Firejail profile for gtk-straw-viewer | 1 | # Firejail profile for gtk-straw-viewer |
2 | # Description: Gtk front-end to straw-viewer | 2 | # Description: GTK front-end to straw-viewer |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include gtk-straw-viewer.local | 5 | include gtk-straw-viewer.local |
6 | # added by included profile | 6 | # added by included profile |
7 | #include globals.local | 7 | #include globals.local |
8 | 8 | ||
9 | ignore quiet | 9 | private-bin gtk-straw-viewer |
10 | |||
11 | include gtk-youtube-viewers-common.profile | ||
10 | 12 | ||
11 | # Redirect | 13 | # Redirect |
12 | include straw-viewer.profile | 14 | include straw-viewer.profile |
diff --git a/etc/profile-a-l/gtk-youtube-viewer.profile b/etc/profile-a-l/gtk-youtube-viewer.profile index c814f0fef..2bbd8910e 100644 --- a/etc/profile-a-l/gtk-youtube-viewer.profile +++ b/etc/profile-a-l/gtk-youtube-viewer.profile | |||
@@ -1,12 +1,14 @@ | |||
1 | # Firejail profile for gtk-youtube-viewer | 1 | # Firejail profile for gtk-youtube-viewer |
2 | # Description: Gtk front-end to youtube-viewer | 2 | # Description: GTK front-end to youtube-viewer |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include gtk-youtube-viewer.local | 5 | include gtk-youtube-viewer.local |
6 | # added by included profile | 6 | # added by included profile |
7 | #include globals.local | 7 | #include globals.local |
8 | 8 | ||
9 | ignore quiet | 9 | private-bin gtk-youtube-viewer |
10 | |||
11 | include gtk-youtube-viewers-common.profile | ||
10 | 12 | ||
11 | # Redirect | 13 | # Redirect |
12 | include youtube-viewer.profile | 14 | include youtube-viewer.profile |
diff --git a/etc/profile-a-l/gtk-youtube-viewers-common.profile b/etc/profile-a-l/gtk-youtube-viewers-common.profile new file mode 100644 index 000000000..049448a23 --- /dev/null +++ b/etc/profile-a-l/gtk-youtube-viewers-common.profile | |||
@@ -0,0 +1,22 @@ | |||
1 | # Firejail profile for gtk-youtube-viewer clones | ||
2 | # Description: common profile for Trizen's gtk Youtube viewers | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include gtk-youtube-viewers-common.local | ||
6 | # Persistent global definitions | ||
7 | # added by caller profile | ||
8 | #include globals.local | ||
9 | |||
10 | ignore quiet | ||
11 | |||
12 | # The lines below are needed to find the default Firefox profile name, to allow | ||
13 | # opening links in an existing instance of Firefox (note that it still fails if | ||
14 | # there isn't a Firefox instance running with the default profile; see #5352) | ||
15 | noblacklist ${HOME}/.mozilla | ||
16 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | ||
17 | |||
18 | private-bin firefox,xterm | ||
19 | |||
20 | dbus-user filter | ||
21 | # allow D-Bus communication with firefox for opening links | ||
22 | dbus-user.talk org.mozilla.* | ||
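Review bot: the description line reads "Trizen's gtk Youtube viewers" while this same commit normalizes every other description to "GTK"; use `GTK YouTube viewers`. Separately, this file sets `dbus-user filter` but is included by the gtk-*-viewer profiles before their `# Redirect` to the matching text-mode profile (which in turn includes youtube-viewers-common.profile, not shown); if that later chain sets `dbus-user none`, the filter is overridden and the `org.mozilla.*` talk rule never takes effect, in which case an `ignore dbus-user none` here, as linuxqq.profile does, would be needed.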
diff --git a/etc/profile-a-l/gtk2-youtube-viewer.profile b/etc/profile-a-l/gtk2-youtube-viewer.profile index 787c7bd90..8ff09f4d2 100644 --- a/etc/profile-a-l/gtk2-youtube-viewer.profile +++ b/etc/profile-a-l/gtk2-youtube-viewer.profile | |||
@@ -1,17 +1,14 @@ | |||
1 | # Firejail profile for gtk2-youtube-viewer | 1 | # Firejail profile for gtk2-youtube-viewer |
2 | # Description: Gtk front-end to youtube-viewer | 2 | # Description: GTK front-end to youtube-viewer |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include gtk2-youtube-viewer.local | 5 | include gtk2-youtube-viewer.local |
6 | # added by included profile | 6 | # added by included profile |
7 | #include globals.local | 7 | #include globals.local |
8 | 8 | ||
9 | ignore quiet | 9 | private-bin gtk2-youtube-viewer |
10 | 10 | ||
11 | noblacklist /tmp/.X11-unix | 11 | include gtk-youtube-viewers-common.profile |
12 | noblacklist ${RUNUSER} | ||
13 | |||
14 | include whitelist-runuser-common.inc | ||
15 | 12 | ||
16 | # Redirect | 13 | # Redirect |
17 | include youtube-viewer.profile | 14 | include youtube-viewer.profile |
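Review bot: the dropped `noblacklist /tmp/.X11-unix`, `noblacklist ${RUNUSER}` and `include whitelist-runuser-common.inc` do not reappear in the new gtk-youtube-viewers-common.profile (see its hunk above), so either they are no longer needed for the GTK front-end or they have been lost; if the former, the commit message should say so, if the latter, they belong in the common profile.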
diff --git a/etc/profile-a-l/gtk3-youtube-viewer.profile b/etc/profile-a-l/gtk3-youtube-viewer.profile index 988882622..fdcb438de 100644 --- a/etc/profile-a-l/gtk3-youtube-viewer.profile +++ b/etc/profile-a-l/gtk3-youtube-viewer.profile | |||
@@ -1,17 +1,14 @@ | |||
1 | # Firejail profile for gtk3-youtube-viewer | 1 | # Firejail profile for gtk3-youtube-viewer |
2 | # Description: Gtk front-end to youtube-viewer | 2 | # Description: GTK front-end to youtube-viewer |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include gtk3-youtube-viewer.local | 5 | include gtk3-youtube-viewer.local |
6 | # added by included profile | 6 | # added by included profile |
7 | #include globals.local | 7 | #include globals.local |
8 | 8 | ||
9 | ignore quiet | 9 | private-bin gtk3-youtube-viewer |
10 | 10 | ||
11 | noblacklist /tmp/.X11-unix | 11 | include gtk-youtube-viewers-common.profile |
12 | noblacklist ${RUNUSER} | ||
13 | |||
14 | include whitelist-runuser-common.inc | ||
15 | 12 | ||
16 | # Redirect | 13 | # Redirect |
17 | include youtube-viewer.profile | 14 | include youtube-viewer.profile |
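Review bot: as with gtk2-youtube-viewer.profile, the removed `noblacklist /tmp/.X11-unix`, `noblacklist ${RUNUSER}` and `include whitelist-runuser-common.inc` are not carried over into gtk-youtube-viewers-common.profile; confirm the GTK3 front-end still finds its X11 socket and runtime directory under the new common profile.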
diff --git a/etc/profile-a-l/guvcview.profile b/etc/profile-a-l/guvcview.profile index 467bee3a0..0e4125791 100644 --- a/etc/profile-a-l/guvcview.profile +++ b/etc/profile-a-l/guvcview.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for guvcview | 1 | # Firejail profile for guvcview |
2 | # Description: GTK+ base UVC Viewer | 2 | # Description: GTK-based UVC Viewer |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include guvcview.local | 5 | include guvcview.local |
diff --git a/etc/profile-a-l/handbrake.profile b/etc/profile-a-l/handbrake.profile index 488665154..e0ef23cce 100644 --- a/etc/profile-a-l/handbrake.profile +++ b/etc/profile-a-l/handbrake.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for handbrake | 1 | # Firejail profile for handbrake |
2 | # Description: Versatile DVD ripper and video transcoder (GTK+ GUI) | 2 | # Description: Versatile DVD ripper and video transcoder (GTK GUI) |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include handbrake.local | 5 | include handbrake.local |
diff --git a/etc/profile-a-l/jami.profile b/etc/profile-a-l/jami.profile new file mode 100644 index 000000000..deff54bcd --- /dev/null +++ b/etc/profile-a-l/jami.profile | |||
@@ -0,0 +1,18 @@ | |||
1 | # Firejail profile for jami | ||
2 | # Description: An encrypted peer-to-peer messenger | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include jami.local | ||
6 | # Persistent global definitions | ||
7 | # added by caller profile | ||
8 | #include globals.local | ||
9 | |||
10 | noblacklist ${HOME}/.config/jami.net | ||
11 | |||
12 | mkdir ${HOME}/.config/jami.net | ||
13 | mkdir ${HOME}/Videos/Jami | ||
14 | whitelist ${HOME}/.config/jami.net | ||
15 | whitelist ${HOME}/Videos/Jami | ||
16 | |||
17 | # Redirect | ||
18 | include jami-gnome.profile | ||
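Review bot: line 7 says `# added by caller profile`, but this profile is itself a caller (it ends with `include jami-gnome.profile`); in this series that wording is used in common profiles that are included by others (gtk-youtube-viewers-common.profile), while redirecting profiles write `# added by included profile` (gtk-lbry-viewer.profile, lobster.profile). Change the comment to match, so a reader knows jami-gnome.profile is expected to include globals.local.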
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile index f7959ca81..4e8c8e449 100644 --- a/etc/profile-a-l/keepassxc.profile +++ b/etc/profile-a-l/keepassxc.profile | |||
@@ -93,6 +93,7 @@ private-etc | |||
93 | private-tmp | 93 | private-tmp |
94 | 94 | ||
95 | dbus-user filter | 95 | dbus-user filter |
96 | dbus-user.own org.freedesktop.secrets | ||
96 | dbus-user.own org.keepassxc.KeePassXC.* | 97 | dbus-user.own org.keepassxc.KeePassXC.* |
97 | dbus-user.talk com.canonical.Unity | 98 | dbus-user.talk com.canonical.Unity |
98 | dbus-user.talk org.freedesktop.ScreenSaver | 99 | dbus-user.talk org.freedesktop.ScreenSaver |
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile index 5183a9327..5cf30ed40 100644 --- a/etc/profile-a-l/kube.profile +++ b/etc/profile-a-l/kube.profile | |||
@@ -77,5 +77,4 @@ dbus-user.talk org.freedesktop.secrets | |||
77 | dbus-user.talk org.freedesktop.Notifications | 77 | dbus-user.talk org.freedesktop.Notifications |
78 | dbus-system none | 78 | dbus-system none |
79 | 79 | ||
80 | read-only ${HOME}/.mozilla/firefox/profiles.ini | ||
81 | restrict-namespaces | 80 | restrict-namespaces |
diff --git a/etc/profile-a-l/lbry-viewer.profile b/etc/profile-a-l/lbry-viewer.profile index f6a02ac83..aad1330e0 100644 --- a/etc/profile-a-l/lbry-viewer.profile +++ b/etc/profile-a-l/lbry-viewer.profile | |||
@@ -15,7 +15,7 @@ mkdir ${HOME}/.cache/lbry-viewer | |||
15 | whitelist ${HOME}/.cache/lbry-viewer | 15 | whitelist ${HOME}/.cache/lbry-viewer |
16 | whitelist ${HOME}/.config/lbry-viewer | 16 | whitelist ${HOME}/.config/lbry-viewer |
17 | 17 | ||
18 | private-bin gtk-lbry-viewer,lbry-viewer | 18 | private-bin lbry-viewer |
19 | 19 | ||
20 | # Redirect | 20 | # Redirect |
21 | include youtube-viewers-common.profile | 21 | include youtube-viewers-common.profile |
diff --git a/etc/profile-a-l/leafpad.profile b/etc/profile-a-l/leafpad.profile index 27b27a20b..ef0029c73 100644 --- a/etc/profile-a-l/leafpad.profile +++ b/etc/profile-a-l/leafpad.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for leafpad | 1 | # Firejail profile for leafpad |
2 | # Description: GTK+ based simple text editor | 2 | # Description: GTK-based simple text editor |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include leafpad.local | 5 | include leafpad.local |
diff --git a/etc/profile-a-l/linuxqq.profile b/etc/profile-a-l/linuxqq.profile index 9157d910b..6ca8b8103 100644 --- a/etc/profile-a-l/linuxqq.profile +++ b/etc/profile-a-l/linuxqq.profile | |||
@@ -37,7 +37,5 @@ dbus-user.talk org.gnome.Mutter.IdleMonitor | |||
37 | dbus-user.talk org.mozilla.* | 37 | dbus-user.talk org.mozilla.* |
38 | ignore dbus-user none | 38 | ignore dbus-user none |
39 | 39 | ||
40 | read-only ${HOME}/.mozilla/firefox/profiles.ini | ||
41 | |||
42 | # Redirect | 40 | # Redirect |
43 | include electron-common.profile | 41 | include electron-common.profile |
diff --git a/etc/profile-a-l/lobster.profile b/etc/profile-a-l/lobster.profile new file mode 100644 index 000000000..2b0fc5275 --- /dev/null +++ b/etc/profile-a-l/lobster.profile | |||
@@ -0,0 +1,39 @@ | |||
1 | # Firejail profile for lobster | ||
2 | # Description: Shell script to watch Movies/Webseries/Shows from the terminal | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include lobster.local | ||
7 | # Persistent global definitions | ||
8 | # added by included profile | ||
9 | #include globals.local | ||
10 | |||
11 | noblacklist ${HOME}/.config/lobster | ||
12 | noblacklist ${HOME}/.local/share/lobster | ||
13 | |||
14 | # Allow /bin/sh (blacklisted by disable-shell.inc) | ||
15 | include allow-bin-sh.inc | ||
16 | |||
17 | include disable-proc.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | mkdir ${HOME}/.config/lobster | ||
21 | mkdir ${HOME}/.local/share/lobster | ||
22 | whitelist ${HOME}/.config/lobster | ||
23 | whitelist ${HOME}/.local/share/lobster | ||
24 | include whitelist-run-common.inc | ||
25 | include whitelist-runuser-common.inc | ||
26 | |||
27 | #machine-id | ||
28 | nodvd | ||
29 | noprinters | ||
30 | notv | ||
31 | |||
32 | disable-mnt | ||
33 | private-bin curl,cut,fzf,grep,head,lobster,mv,patch,rm,sed,sh,tail,tput,tr,uname | ||
34 | #private-cache | ||
35 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg | ||
36 | private-tmp | ||
37 | |||
38 | # Redirect | ||
39 | include mpv.profile | ||
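Review bot: the two disabled options on lines 27 and 34 (`#machine-id`, `#private-cache`) carry no reason, so the next person touching this profile cannot tell whether they were tried and broke something or were simply left as placeholders. mpv.profile in this same commit shows the house convention (`# private-cache causes slow OSD, see #2838`); add a one-line comment above each, or drop the commented lines if they were never tested. Note also that `machine-id` appears in the `private-etc` list on line 35, so the sandbox does see the host machine-id as long as line 27 stays disabled.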
diff --git a/etc/profile-m-z/Postman.profile b/etc/profile-m-z/Postman.profile new file mode 100644 index 000000000..d08acf60b --- /dev/null +++ b/etc/profile-m-z/Postman.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile for Postman | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include Postman.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
8 | |||
9 | # Redirect | ||
10 | include postman.profile | ||
diff --git a/etc/profile-m-z/makepkg.profile b/etc/profile-m-z/makepkg.profile index e9d245a6d..266d00395 100644 --- a/etc/profile-m-z/makepkg.profile +++ b/etc/profile-m-z/makepkg.profile | |||
@@ -19,7 +19,6 @@ blacklist ${RUNUSER}/wayland-* | |||
19 | 19 | ||
20 | # Enable severely restricted access to ${HOME}/.gnupg | 20 | # Enable severely restricted access to ${HOME}/.gnupg |
21 | noblacklist ${HOME}/.gnupg | 21 | noblacklist ${HOME}/.gnupg |
22 | read-only ${HOME}/.gnupg/gpg.conf | ||
23 | read-only ${HOME}/.gnupg/trustdb.gpg | 22 | read-only ${HOME}/.gnupg/trustdb.gpg |
24 | read-only ${HOME}/.gnupg/pubring.kbx | 23 | read-only ${HOME}/.gnupg/pubring.kbx |
25 | blacklist ${HOME}/.gnupg/random_seed | 24 | blacklist ${HOME}/.gnupg/random_seed |
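Review bot: removing `read-only ${HOME}/.gnupg/gpg.conf` leaves gpg.conf writable while trustdb.gpg and pubring.kbx on the next two lines stay read-only, which contradicts the heading "Enable severely restricted access to ${HOME}/.gnupg" on line 20. A writable gpg.conf lets a misbehaving build step change the user's GnuPG options (keyservers, default keys, trust model) for every later invocation outside the sandbox. If the line was dropped because read-only does not take effect for this path, say so in a comment above line 21; otherwise keep it.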
diff --git a/etc/profile-m-z/marker.profile b/etc/profile-m-z/marker.profile index 2fb527ad5..e7daedea5 100644 --- a/etc/profile-m-z/marker.profile +++ b/etc/profile-m-z/marker.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for marker | 1 | # Firejail profile for marker |
2 | # Description: Marker is a markdown editor for Linux made with Gtk+-3.0 | 2 | # Description: Marker is a markdown editor for Linux made with GTK |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include marker.local | 5 | include marker.local |
diff --git a/etc/profile-m-z/mdr.profile b/etc/profile-m-z/mdr.profile index d3b3c6d48..7b83d61e1 100644 --- a/etc/profile-m-z/mdr.profile +++ b/etc/profile-m-z/mdr.profile | |||
@@ -21,7 +21,6 @@ include whitelist-var-common.inc | |||
21 | 21 | ||
22 | apparmor | 22 | apparmor |
23 | caps.drop all | 23 | caps.drop all |
24 | hostname mdr | ||
25 | ipc-namespace | 24 | ipc-namespace |
26 | machine-id | 25 | machine-id |
27 | net none | 26 | net none |
diff --git a/etc/profile-m-z/microsoft-edge-beta.profile b/etc/profile-m-z/microsoft-edge-beta.profile index 63844ad70..6843c11c7 100644 --- a/etc/profile-m-z/microsoft-edge-beta.profile +++ b/etc/profile-m-z/microsoft-edge-beta.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for Microsoft Edge Beta | 1 | # Firejail profile for Microsoft Edge Beta |
2 | # Description: Web browser from Microsoft,beta channel | 2 | # Description: Web browser from Microsoft, beta channel |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include microsoft-edge-beta.local | 5 | include microsoft-edge-beta.local |
@@ -8,6 +8,7 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.cache/microsoft-edge-beta | 9 | noblacklist ${HOME}/.cache/microsoft-edge-beta |
10 | noblacklist ${HOME}/.config/microsoft-edge-beta | 10 | noblacklist ${HOME}/.config/microsoft-edge-beta |
11 | noblacklist /opt/microsoft/msedge-beta/msedge-sandbox | ||
11 | 12 | ||
12 | mkdir ${HOME}/.cache/microsoft-edge-beta | 13 | mkdir ${HOME}/.cache/microsoft-edge-beta |
13 | mkdir ${HOME}/.config/microsoft-edge-beta | 14 | mkdir ${HOME}/.config/microsoft-edge-beta |
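Review bot: the new `noblacklist /opt/microsoft/msedge-beta/msedge-sandbox` re-exposes the browser's own sandbox helper, but nothing in the hunk says which include blacklists it or what breaks without the exception. Add a short comment above line 11 naming the cause (and the issue number if there is one), as was done for `#private-opt` further down; the same applies to the identical lines added to microsoft-edge-dev.profile and microsoft-edge.profile in this commit.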
@@ -15,6 +16,8 @@ whitelist ${HOME}/.cache/microsoft-edge-beta | |||
15 | whitelist ${HOME}/.config/microsoft-edge-beta | 16 | whitelist ${HOME}/.config/microsoft-edge-beta |
16 | 17 | ||
17 | whitelist /opt/microsoft/msedge-beta | 18 | whitelist /opt/microsoft/msedge-beta |
19 | # private-opt might break the file-copy-limit, see #5307 | ||
20 | #private-opt microsoft | ||
18 | 21 | ||
19 | # Redirect | 22 | # Redirect |
20 | include chromium-common.profile | 23 | include chromium-common.profile |
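Review bot: the comment on line 19 is worded three different ways across the three Edge profiles in this commit ("might break the file-copy-limit", "might break file-copy-limit", "might break default file-copy-limit"). Pick one wording and, as postman.profile does, give the full link (`# https://github.com/netblue30/firejail/discussions/5307`) so the reader does not have to guess whether #5307 is an issue, a PR or a discussion. `whitelist /opt/microsoft/msedge-beta` on line 18 is the replacement for the disabled `private-opt`, so the comment could also say that explicitly.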
diff --git a/etc/profile-m-z/microsoft-edge-dev.profile b/etc/profile-m-z/microsoft-edge-dev.profile index b01fd7c25..b9cdaf98b 100644 --- a/etc/profile-m-z/microsoft-edge-dev.profile +++ b/etc/profile-m-z/microsoft-edge-dev.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for Microsoft Edge Dev | 1 | # Firejail profile for Microsoft Edge Dev |
2 | # Description: Web browser from Microsoft,dev channel | 2 | # Description: Web browser from Microsoft, dev channel |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include microsoft-edge-dev.local | 5 | include microsoft-edge-dev.local |
@@ -8,6 +8,7 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.cache/microsoft-edge-dev | 9 | noblacklist ${HOME}/.cache/microsoft-edge-dev |
10 | noblacklist ${HOME}/.config/microsoft-edge-dev | 10 | noblacklist ${HOME}/.config/microsoft-edge-dev |
11 | noblacklist /opt/microsoft/msedge-dev/msedge-sandbox | ||
11 | 12 | ||
12 | mkdir ${HOME}/.cache/microsoft-edge-dev | 13 | mkdir ${HOME}/.cache/microsoft-edge-dev |
13 | mkdir ${HOME}/.config/microsoft-edge-dev | 14 | mkdir ${HOME}/.config/microsoft-edge-dev |
@@ -15,6 +16,8 @@ whitelist ${HOME}/.cache/microsoft-edge-dev | |||
15 | whitelist ${HOME}/.config/microsoft-edge-dev | 16 | whitelist ${HOME}/.config/microsoft-edge-dev |
16 | 17 | ||
17 | whitelist /opt/microsoft/msedge-dev | 18 | whitelist /opt/microsoft/msedge-dev |
19 | # private-opt might break file-copy-limit, see #5307 | ||
20 | #private-opt microsoft | ||
18 | 21 | ||
19 | # Redirect | 22 | # Redirect |
20 | include chromium-common.profile | 23 | include chromium-common.profile |
diff --git a/etc/profile-m-z/microsoft-edge-stable.profile b/etc/profile-m-z/microsoft-edge-stable.profile new file mode 100644 index 000000000..c5b2b4301 --- /dev/null +++ b/etc/profile-m-z/microsoft-edge-stable.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for Microsoft Edge Stable | ||
2 | # Description: Web browser from Microsoft, stable channel | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include microsoft-edge-stable.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include microsoft-edge.profile | ||
diff --git a/etc/profile-m-z/microsoft-edge.profile b/etc/profile-m-z/microsoft-edge.profile index 4cd8c85a5..ededb9cbd 100644 --- a/etc/profile-m-z/microsoft-edge.profile +++ b/etc/profile-m-z/microsoft-edge.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for Microsoft Edge | 1 | # Firejail profile for Microsoft Edge |
2 | # Description: Web browser from Microsoft,stable channel | 2 | # Description: Web browser from Microsoft, stable channel |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include microsoft-edge.local | 5 | include microsoft-edge.local |
@@ -8,6 +8,7 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.cache/microsoft-edge | 9 | noblacklist ${HOME}/.cache/microsoft-edge |
10 | noblacklist ${HOME}/.config/microsoft-edge | 10 | noblacklist ${HOME}/.config/microsoft-edge |
11 | noblacklist /opt/microsoft/msedge/msedge-sandbox | ||
11 | 12 | ||
12 | mkdir ${HOME}/.cache/microsoft-edge | 13 | mkdir ${HOME}/.cache/microsoft-edge |
13 | mkdir ${HOME}/.config/microsoft-edge | 14 | mkdir ${HOME}/.config/microsoft-edge |
@@ -15,6 +16,8 @@ whitelist ${HOME}/.cache/microsoft-edge | |||
15 | whitelist ${HOME}/.config/microsoft-edge | 16 | whitelist ${HOME}/.config/microsoft-edge |
16 | 17 | ||
17 | whitelist /opt/microsoft/msedge | 18 | whitelist /opt/microsoft/msedge |
19 | # private-opt might break default file-copy-limit, see #5307 | ||
20 | #private-opt microsoft | ||
18 | 21 | ||
19 | # Redirect | 22 | # Redirect |
20 | include chromium-common.profile | 23 | include chromium-common.profile |
diff --git a/etc/profile-m-z/mov-cli.profile b/etc/profile-m-z/mov-cli.profile new file mode 100644 index 000000000..74d630e24 --- /dev/null +++ b/etc/profile-m-z/mov-cli.profile | |||
@@ -0,0 +1,29 @@ | |||
1 | # Firejail profile for mov-cli | ||
2 | # Description: Python script for watching movies and TV shows via the terminal | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include mov-cli.local | ||
7 | # Persistent global definitions | ||
8 | # added by included profile | ||
9 | #include globals.local | ||
10 | |||
11 | include disable-proc.inc | ||
12 | include disable-xdg.inc | ||
13 | |||
14 | include whitelist-run-common.inc | ||
15 | include whitelist-runuser-common.inc | ||
16 | |||
17 | #machine-id | ||
18 | nodvd | ||
19 | noprinters | ||
20 | notv | ||
21 | |||
22 | disable-mnt | ||
23 | private-bin ffmpeg,fzf,mov-cli | ||
24 | #private-cache | ||
25 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg | ||
26 | private-tmp | ||
27 | |||
28 | # Redirect | ||
29 | include mpv.profile | ||
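Review bot: unlike lobster.profile added in the same commit, this profile has no `noblacklist`/`mkdir`/`whitelist` lines for any directory under `${HOME}`, and it does not include whitelist-common.inc, so the whole home directory stays visible to the sandbox apart from whatever mpv.profile blacklists. If mov-cli keeps configuration or history under `${HOME}`, add the matching `mkdir` and `whitelist` lines as lobster.profile does (lines 20 to 23 there); if it is stateless, a comment saying so would stop the next reviewer asking the same question. The disabled `#machine-id` and `#private-cache` on lines 17 and 24 also lack a reason.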
diff --git a/etc/profile-m-z/mp3splt-gtk.profile b/etc/profile-m-z/mp3splt-gtk.profile index ed344ba3f..682b0173d 100644 --- a/etc/profile-m-z/mp3splt-gtk.profile +++ b/etc/profile-m-z/mp3splt-gtk.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for mp3splt-gtk | 1 | # Firejail profile for mp3splt-gtk |
2 | # Description: Gtk utility for mp3/ogg splitting without decoding | 2 | # Description: GTK utility for mp3/ogg splitting without decoding |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include mp3splt-gtk.local | 5 | include mp3splt-gtk.local |
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile index c9706999a..85f414562 100644 --- a/etc/profile-m-z/mpv.profile +++ b/etc/profile-m-z/mpv.profile | |||
@@ -11,13 +11,13 @@ include globals.local | |||
11 | # edit ~/.config/mpv/foobar.conf: | 11 | # edit ~/.config/mpv/foobar.conf: |
12 | # screenshot-directory=~/Pictures | 12 | # screenshot-directory=~/Pictures |
13 | 13 | ||
14 | # Mpv has a powerful lua-API, some off these lua-scripts interact | 14 | # mpv has a powerful Lua API and some of the Lua scripts interact with |
15 | # with external resources which are blocked by firejail. In such cases | 15 | # external resources which are blocked by firejail. In such cases you need to |
16 | # you need to allow these resources by | 16 | # allow these resources by: |
17 | # - adding additional binaries to private-bin | 17 | # - noblacklisting additional paths |
18 | # - whitelisting additional paths | 18 | # - whitelisting additional paths |
19 | # - noblacklisting paths | 19 | # - adding additional binaries to private-bin |
20 | # - weaking the dbus-policy | 20 | # - changing/weakening the D-Bus policy |
21 | # - ... | 21 | # - ... |
22 | # | 22 | # |
23 | # Often these scripts require a shell: | 23 | # Often these scripts require a shell: |
@@ -75,10 +75,12 @@ nonewprivs | |||
75 | noroot | 75 | noroot |
76 | nou2f | 76 | nou2f |
77 | protocol unix,inet,inet6,netlink | 77 | protocol unix,inet,inet6,netlink |
78 | seccomp | 78 | seccomp !set_mempolicy |
79 | seccomp.block-secondary | 79 | seccomp.block-secondary |
80 | tracelog | 80 | tracelog |
81 | 81 | ||
82 | # mpv links to libluajit, so no need to reference "lua*" in private-bin: | ||
83 | # https://github.com/netblue30/firejail/pull/5711#discussion_r1125622615 | ||
82 | private-bin env,mpv,python*,waf,youtube-dl,yt-dlp | 84 | private-bin env,mpv,python*,waf,youtube-dl,yt-dlp |
83 | # private-cache causes slow OSD, see #2838 | 85 | # private-cache causes slow OSD, see #2838 |
84 | #private-cache | 86 | #private-cache |
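Review bot: `seccomp !set_mempolicy` on line 78 punches a hole in the default seccomp filter without a comment, while the neighbouring `private-bin` line (83 and 84) got a full justification with a link. Add a line above it stating what needs set_mempolicy (presumably one of the Lua scripts or a library mpv links) and where it was reported, so the exception can be revisited if the cause goes away; profiles that include mpv.profile (lobster, mov-cli and porn-cli in this commit) inherit this exception too.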
diff --git a/etc/profile-m-z/openbox.profile b/etc/profile-m-z/openbox.profile index 2da867dec..9b566a42b 100644 --- a/etc/profile-m-z/openbox.profile +++ b/etc/profile-m-z/openbox.profile | |||
@@ -16,6 +16,4 @@ noroot | |||
16 | protocol unix,inet,inet6 | 16 | protocol unix,inet,inet6 |
17 | seccomp !chroot | 17 | seccomp !chroot |
18 | 18 | ||
19 | read-only ${HOME}/.config/openbox/autostart | ||
20 | read-only ${HOME}/.config/openbox/environment | ||
21 | #restrict-namespaces | 19 | #restrict-namespaces |
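Review bot: dropping `read-only` on `${HOME}/.config/openbox/autostart` and `${HOME}/.config/openbox/environment` removes the only protection this profile had for the scripts openbox runs at session start, so a compromised openbox process can now rewrite its own startup hooks. If the lines were removed because the profile never whitelists these paths and the directive was ineffective, a one-line comment saying so would make the change reviewable; otherwise keep them.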
diff --git a/etc/profile-m-z/pidgin.profile b/etc/profile-m-z/pidgin.profile index 2dc49a28d..d78478687 100644 --- a/etc/profile-m-z/pidgin.profile +++ b/etc/profile-m-z/pidgin.profile | |||
@@ -36,7 +36,7 @@ nonewprivs | |||
36 | noroot | 36 | noroot |
37 | notv | 37 | notv |
38 | nou2f | 38 | nou2f |
39 | protocol unix,inet,inet6 | 39 | protocol unix,inet,inet6,netlink |
40 | seccomp | 40 | seccomp |
41 | # shell none | 41 | # shell none |
42 | tracelog | 42 | tracelog |
diff --git a/etc/profile-m-z/pipe-viewer.profile b/etc/profile-m-z/pipe-viewer.profile index 3de064311..77393274e 100644 --- a/etc/profile-m-z/pipe-viewer.profile +++ b/etc/profile-m-z/pipe-viewer.profile | |||
@@ -15,7 +15,7 @@ mkdir ${HOME}/.cache/pipe-viewer | |||
15 | whitelist ${HOME}/.cache/pipe-viewer | 15 | whitelist ${HOME}/.cache/pipe-viewer |
16 | whitelist ${HOME}/.config/pipe-viewer | 16 | whitelist ${HOME}/.config/pipe-viewer |
17 | 17 | ||
18 | private-bin gtk-pipe-viewer,pipe-viewer | 18 | private-bin pipe-viewer |
19 | 19 | ||
20 | # Redirect | 20 | # Redirect |
21 | include youtube-viewers-common.profile | 21 | include youtube-viewers-common.profile |
diff --git a/etc/profile-m-z/pngquant.profile b/etc/profile-m-z/pngquant.profile index 34199a08d..481bade92 100644 --- a/etc/profile-m-z/pngquant.profile +++ b/etc/profile-m-z/pngquant.profile | |||
@@ -38,7 +38,7 @@ nosound | |||
38 | notv | 38 | notv |
39 | nou2f | 39 | nou2f |
40 | novideo | 40 | novideo |
41 | # block the socket syscall to simulate an be empty protocol line, see #639 | 41 | # block socket syscall to simulate empty protocol option (see #639) |
42 | seccomp socket | 42 | seccomp socket |
43 | tracelog | 43 | tracelog |
44 | x11 none | 44 | x11 none |
diff --git a/etc/profile-m-z/porn-cli.profile b/etc/profile-m-z/porn-cli.profile new file mode 100644 index 000000000..f33ff439c --- /dev/null +++ b/etc/profile-m-z/porn-cli.profile | |||
@@ -0,0 +1,14 @@ | |||
1 | # Firejail profile for porn-cli | ||
2 | # Description: Python script for watching porn via the terminal | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include porn-cli.local | ||
7 | # Persistent global definitions | ||
8 | # added by included profile | ||
9 | #include globals.local | ||
10 | |||
11 | private-bin porn-cli | ||
12 | |||
13 | # Redirect | ||
14 | include mov-cli.profile | ||
diff --git a/etc/profile-m-z/postman.profile b/etc/profile-m-z/postman.profile new file mode 100644 index 000000000..c8f00584d --- /dev/null +++ b/etc/profile-m-z/postman.profile | |||
@@ -0,0 +1,28 @@ | |||
1 | # Firejail profile for postman | ||
2 | # Description: API testing platform | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include postman.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/Postman | ||
10 | noblacklist ${HOME}/Postman | ||
11 | |||
12 | mkdir ${HOME}/.config/Postman | ||
13 | mkdir ${HOME}/Postman | ||
14 | whitelist ${HOME}/.config/Postman | ||
15 | whitelist ${HOME}/Postman | ||
16 | include whitelist-run-common.inc | ||
17 | |||
18 | protocol unix,inet,inet6,netlink | ||
19 | |||
20 | private-bin electron,electron[0-9],electron[0-9][0-9],locale,node,Postman,postman,sh | ||
21 | private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl | ||
22 | # private-opt breaks file-copy-limit, use a whitelist instead of draining RAM | ||
23 | # https://github.com/netblue30/firejail/discussions/5307 | ||
24 | #private-opt postman | ||
25 | whitelist /opt/postman | ||
26 | |||
27 | # Redirect | ||
28 | include electron-common.profile | ||
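Review bot: `sh` is listed in `private-bin` on line 20, but the profile does not include allow-bin-sh.inc, so if the electron-common.profile redirect pulls in disable-shell.inc the copied /bin/sh is blacklisted again and link opening silently fails. lobster.profile and tutanota-desktop.profile in this same commit pair the two (`# Allow /bin/sh (blacklisted by disable-shell.inc)` followed by `include allow-bin-sh.inc`); do the same here or drop `sh` from the list. Separately, line 7 has `include globals.local` active while the Postman.profile alias comments it out with `# added by included profile`, which is the right split, but a reader comparing the two files may think one is wrong; a matching comment here would help.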
diff --git a/etc/profile-m-z/pycharm-professional.profile b/etc/profile-m-z/pycharm-professional.profile index 126f5cec8..b61089d36 100644 --- a/etc/profile-m-z/pycharm-professional.profile +++ b/etc/profile-m-z/pycharm-professional.profile | |||
@@ -1,7 +1,7 @@ | |||
1 | # Firejail profilen alias for pycharm-professional | 1 | # Firejail profilen alias for pycharm-professional |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include pyucharm-professional.local | 4 | include pycharm-professional.local |
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | # added by included profile | 6 | # added by included profile |
7 | #include globals.local | 7 | #include globals.local |
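Review bot: the include path on line 4 is corrected from `pyucharm-professional.local` to `pycharm-professional.local`, but line 1 still reads "Firejail profilen alias for pycharm-professional" in both the old and new versions. Fix "profilen" to "profile" in the same commit, since the hunk already touches this header block.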
diff --git a/etc/profile-m-z/qpdf.profile b/etc/profile-m-z/qpdf.profile index 0c1e09e92..edec7cf0a 100644 --- a/etc/profile-m-z/qpdf.profile +++ b/etc/profile-m-z/qpdf.profile | |||
@@ -31,7 +31,6 @@ include whitelist-var-common.inc | |||
31 | 31 | ||
32 | apparmor | 32 | apparmor |
33 | caps.drop all | 33 | caps.drop all |
34 | hostname qpdf | ||
35 | ipc-namespace | 34 | ipc-namespace |
36 | machine-id | 35 | machine-id |
37 | net none | 36 | net none |
@@ -46,7 +45,7 @@ nosound | |||
46 | notv | 45 | notv |
47 | nou2f | 46 | nou2f |
48 | novideo | 47 | novideo |
49 | # block the socket syscall to simulate an be empty protocol line, see #639 | 48 | # block socket syscall to simulate empty protocol option (see #639) |
50 | seccomp socket | 49 | seccomp socket |
51 | tracelog | 50 | tracelog |
52 | x11 none | 51 | x11 none |
diff --git a/etc/profile-m-z/qutebrowser.profile b/etc/profile-m-z/qutebrowser.profile index 0d35dbbad..9062c8c18 100644 --- a/etc/profile-m-z/qutebrowser.profile +++ b/etc/profile-m-z/qutebrowser.profile | |||
@@ -62,6 +62,9 @@ private-etc @tls-ca | |||
62 | private-tmp | 62 | private-tmp |
63 | 63 | ||
64 | dbus-user filter | 64 | dbus-user filter |
65 | # qutebrowser-qt6 uses a newer chrome version which uses the name 'chromium' | ||
66 | # see https://github.com/qutebrowser/qutebrowser/issues/7431 | ||
67 | dbus-user.own org.mpris.MediaPlayer2.chromium.* | ||
65 | dbus-user.own org.mpris.MediaPlayer2.qutebrowser.* | 68 | dbus-user.own org.mpris.MediaPlayer2.qutebrowser.* |
66 | dbus-user.talk org.freedesktop.Notifications | 69 | dbus-user.talk org.freedesktop.Notifications |
67 | # Add the next line to your qutebrowser.local to allow screen sharing under wayland. | 70 | # Add the next line to your qutebrowser.local to allow screen sharing under wayland. |
diff --git a/etc/profile-m-z/remmina.profile b/etc/profile-m-z/remmina.profile index 208f57710..1fb0c0626 100644 --- a/etc/profile-m-z/remmina.profile +++ b/etc/profile-m-z/remmina.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for remmina | 1 | # Firejail profile for remmina |
2 | # Description: GTK+ Remote Desktop Client | 2 | # Description: GTK Remote Desktop Client |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include remmina.local | 5 | include remmina.local |
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile index a26b41524..3e1899ef3 100644 --- a/etc/profile-m-z/signal-desktop.profile +++ b/etc/profile-m-z/signal-desktop.profile | |||
@@ -14,7 +14,6 @@ noblacklist ${HOME}/.config/Signal | |||
14 | # These lines are needed to allow Firefox to open links | 14 | # These lines are needed to allow Firefox to open links |
15 | noblacklist ${HOME}/.mozilla | 15 | noblacklist ${HOME}/.mozilla |
16 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | 16 | whitelist ${HOME}/.mozilla/firefox/profiles.ini |
17 | read-only ${HOME}/.mozilla/firefox/profiles.ini | ||
18 | 17 | ||
19 | mkdir ${HOME}/.config/Signal | 18 | mkdir ${HOME}/.config/Signal |
20 | whitelist ${HOME}/.config/Signal | 19 | whitelist ${HOME}/.config/Signal |
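Review bot: `whitelist ${HOME}/.mozilla/firefox/profiles.ini` on line 16 is kept while the `read-only` for the same file is removed, so the Firefox profile list becomes writable from inside the Signal sandbox; the comment on line 14 only explains why the file must be readable. The same read-only removal recurs in thunderbird.profile, trojita.profile, linuxqq.profile and tutanota-desktop.profile in this commit, so the commit message or a comment above line 15 should record why it is no longer wanted (for example if read-only on a whitelisted file has no effect), rather than leaving it to be rediscovered.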
diff --git a/etc/profile-m-z/softmaker-common.profile b/etc/profile-m-z/softmaker-common.profile index f130176c1..7ce6748d1 100644 --- a/etc/profile-m-z/softmaker-common.profile +++ b/etc/profile-m-z/softmaker-common.profile | |||
@@ -42,7 +42,7 @@ tracelog | |||
42 | private-bin freeoffice-planmaker,freeoffice-presentations,freeoffice-textmaker,planmaker18,planmaker18free,presentations18,presentations18free,sh,textmaker18,textmaker18free | 42 | private-bin freeoffice-planmaker,freeoffice-presentations,freeoffice-textmaker,planmaker18,planmaker18free,presentations18,presentations18free,sh,textmaker18,textmaker18free |
43 | private-cache | 43 | private-cache |
44 | private-dev | 44 | private-dev |
45 | private-etc @tls-ca,SoftMaker | 45 | private-etc @tls-ca,fstab,SoftMaker |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | dbus-user none | 48 | dbus-user none |
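Review bot: `fstab` is added to `private-etc` on line 45 without a comment; /etc/fstab exposes the host's mount layout and device names to the sandbox, which is minor but is exactly the kind of addition that later gets copied into other profiles by analogy. A short note stating which SoftMaker component reads it would justify the exposure.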
diff --git a/etc/profile-m-z/standard-notes.profile b/etc/profile-m-z/standard-notes.profile new file mode 100644 index 000000000..db96cc80f --- /dev/null +++ b/etc/profile-m-z/standard-notes.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile for standard-notes | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include standard-notes.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
8 | |||
9 | # Redirect | ||
10 | include standardnotes-desktop.profile | ||
diff --git a/etc/profile-m-z/standardnotes-desktop.profile b/etc/profile-m-z/standardnotes-desktop.profile index 95dc35741..3fe0963a9 100644 --- a/etc/profile-m-z/standardnotes-desktop.profile +++ b/etc/profile-m-z/standardnotes-desktop.profile | |||
@@ -18,6 +18,10 @@ mkdir ${HOME}/Standard Notes Backups | |||
18 | mkdir ${HOME}/.config/Standard Notes | 18 | mkdir ${HOME}/.config/Standard Notes |
19 | whitelist ${HOME}/Standard Notes Backups | 19 | whitelist ${HOME}/Standard Notes Backups |
20 | whitelist ${HOME}/.config/Standard Notes | 20 | whitelist ${HOME}/.config/Standard Notes |
21 | include whitelist-common.inc | ||
22 | include whitelist-run-common.inc | ||
23 | include whitelist-runuser-common.inc | ||
24 | include whitelist-usr-share-common.inc | ||
21 | include whitelist-var-common.inc | 25 | include whitelist-var-common.inc |
22 | 26 | ||
23 | apparmor | 27 | apparmor |
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile index a5b4d5d87..63d629a32 100644 --- a/etc/profile-m-z/steam.profile +++ b/etc/profile-m-z/steam.profile | |||
@@ -181,5 +181,4 @@ private-tmp | |||
181 | #dbus-user none | 181 | #dbus-user none |
182 | #dbus-system none | 182 | #dbus-system none |
183 | 183 | ||
184 | read-only ${HOME}/.config/MangoHud | ||
185 | #restrict-namespaces | 184 | #restrict-namespaces |
diff --git a/etc/profile-m-z/straw-viewer.profile b/etc/profile-m-z/straw-viewer.profile index 513abc21b..48f83fabc 100644 --- a/etc/profile-m-z/straw-viewer.profile +++ b/etc/profile-m-z/straw-viewer.profile | |||
@@ -15,7 +15,7 @@ mkdir ${HOME}/.cache/straw-viewer | |||
15 | whitelist ${HOME}/.cache/straw-viewer | 15 | whitelist ${HOME}/.cache/straw-viewer |
16 | whitelist ${HOME}/.config/straw-viewer | 16 | whitelist ${HOME}/.config/straw-viewer |
17 | 17 | ||
18 | private-bin gtk-straw-viewer,straw-viewer | 18 | private-bin straw-viewer |
19 | 19 | ||
20 | # Redirect | 20 | # Redirect |
21 | include youtube-viewers-common.profile | 21 | include youtube-viewers-common.profile |
diff --git a/etc/profile-m-z/sylpheed.profile b/etc/profile-m-z/sylpheed.profile index 6abef85f0..5fb35aa04 100644 --- a/etc/profile-m-z/sylpheed.profile +++ b/etc/profile-m-z/sylpheed.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for sylpheed | 1 | # Firejail profile for sylpheed |
2 | # Description: Light weight e-mail client with GTK+ | 2 | # Description: Lightweight e-mail client made with GTK |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include sylpheed.local | 5 | include sylpheed.local |
diff --git a/etc/profile-m-z/tesseract.profile b/etc/profile-m-z/tesseract.profile index 54568b7d3..5babfb8d2 100644 --- a/etc/profile-m-z/tesseract.profile +++ b/etc/profile-m-z/tesseract.profile | |||
@@ -31,7 +31,6 @@ include whitelist-var-common.inc | |||
31 | 31 | ||
32 | apparmor | 32 | apparmor |
33 | caps.drop all | 33 | caps.drop all |
34 | hostname tesseract | ||
35 | ipc-namespace | 34 | ipc-namespace |
36 | machine-id | 35 | machine-id |
37 | net none | 36 | net none |
diff --git a/etc/profile-m-z/thunderbird.profile b/etc/profile-m-z/thunderbird.profile index 1ac80bc9a..5df207e25 100644 --- a/etc/profile-m-z/thunderbird.profile +++ b/etc/profile-m-z/thunderbird.profile | |||
@@ -24,7 +24,6 @@ writable-run-user | |||
24 | # These lines are needed to allow Firefox to load your profile when clicking a link in an email | 24 | # These lines are needed to allow Firefox to load your profile when clicking a link in an email |
25 | noblacklist ${HOME}/.mozilla | 25 | noblacklist ${HOME}/.mozilla |
26 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | 26 | whitelist ${HOME}/.mozilla/firefox/profiles.ini |
27 | read-only ${HOME}/.mozilla/firefox/profiles.ini | ||
28 | 27 | ||
29 | noblacklist ${HOME}/.cache/thunderbird | 28 | noblacklist ${HOME}/.cache/thunderbird |
30 | noblacklist ${HOME}/.gnupg | 29 | noblacklist ${HOME}/.gnupg |
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile index 378c8a1b7..ba68ccb53 100644 --- a/etc/profile-m-z/trojita.profile +++ b/etc/profile-m-z/trojita.profile | |||
@@ -60,5 +60,4 @@ dbus-user filter | |||
60 | dbus-user.talk org.freedesktop.secrets | 60 | dbus-user.talk org.freedesktop.secrets |
61 | dbus-system none | 61 | dbus-system none |
62 | 62 | ||
63 | read-only ${HOME}/.mozilla/firefox/profiles.ini | ||
64 | restrict-namespaces | 63 | restrict-namespaces |
diff --git a/etc/profile-m-z/tutanota-desktop.profile b/etc/profile-m-z/tutanota-desktop.profile index 4af8b9292..55e4a4392 100644 --- a/etc/profile-m-z/tutanota-desktop.profile +++ b/etc/profile-m-z/tutanota-desktop.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for tutanota-desktop | 1 | # Firejail profile for tutanota-desktop |
2 | # Description: Encrypted email client | 2 | # Description: Official desktop client for the Tutanota E2E encrypted email provider |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include tutanota-desktop.local | 5 | include tutanota-desktop.local |
@@ -9,8 +9,13 @@ include globals.local | |||
9 | noblacklist ${HOME}/.config/tuta_integration | 9 | noblacklist ${HOME}/.config/tuta_integration |
10 | noblacklist ${HOME}/.config/tutanota-desktop | 10 | noblacklist ${HOME}/.config/tutanota-desktop |
11 | 11 | ||
12 | ignore dbus-user none | ||
13 | ignore disable-mnt | ||
12 | ignore noexec /tmp | 14 | ignore noexec /tmp |
13 | 15 | ||
16 | # sh is needed to allow Firefox to open links | ||
17 | include allow-bin-sh.inc | ||
18 | |||
14 | include disable-shell.inc | 19 | include disable-shell.inc |
15 | 20 | ||
16 | mkdir ${HOME}/.config/tuta_integration | 21 | mkdir ${HOME}/.config/tuta_integration |
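Review bot: `ignore disable-mnt` on line 13 re-exposes /mnt, /media, /run/mount and /run/media to an e-mail client without a comment, whereas the neighbouring `include allow-bin-sh.inc` on lines 16 and 17 does say why it is there. Document the use case (attachment saving to removable media, presumably) or drop it, since a mail client is a common target for malicious attachments and removable media are a natural place for them to land. The `ignore dbus-user none` on line 12 is fine as it is paired with the `dbus-user filter` block in the next hunk.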
@@ -18,14 +23,25 @@ mkdir ${HOME}/.config/tutanota-desktop | |||
18 | whitelist ${HOME}/.config/tuta_integration | 23 | whitelist ${HOME}/.config/tuta_integration |
19 | whitelist ${HOME}/.config/tutanota-desktop | 24 | whitelist ${HOME}/.config/tutanota-desktop |
20 | 25 | ||
21 | # These lines are needed to allow Firefox to open links | 26 | # The lines below are needed to find the default Firefox profile name, to allow |
27 | # opening links in an existing instance of Firefox (note that it still fails if | ||
28 | # there isn't a Firefox instance running with the default profile; see #5352) | ||
22 | noblacklist ${HOME}/.mozilla | 29 | noblacklist ${HOME}/.mozilla |
23 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | 30 | whitelist ${HOME}/.mozilla/firefox/profiles.ini |
24 | read-only ${HOME}/.mozilla/firefox/profiles.ini | 31 | |
32 | machine-id | ||
33 | nosound | ||
25 | 34 | ||
26 | ?HAS_APPIMAGE: ignore private-dev | 35 | ?HAS_APPIMAGE: ignore private-dev |
27 | private-etc @tls-ca | 36 | private-etc @tls-ca |
28 | private-opt tutanota-desktop | 37 | private-opt tutanota-desktop |
29 | 38 | ||
39 | dbus-user filter | ||
40 | dbus-user.talk org.freedesktop.Notifications | ||
41 | dbus-user.talk org.freedesktop.secrets | ||
42 | dbus-user.talk org.gnome.keyring.SystemPrompter | ||
43 | # allow D-Bus communication with firefox for opening links | ||
44 | dbus-user.talk org.mozilla.* | ||
45 | |||
30 | # Redirect | 46 | # Redirect |
31 | include electron-common.profile | 47 | include electron-common.profile |
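Review bot: removing `read-only ${HOME}/.mozilla/firefox/profiles.ini` while keeping `whitelist ${HOME}/.mozilla/firefox/profiles.ini` leaves that file writable from inside the sandbox unless the read-only is now applied elsewhere. The profile.template hunk in this commit says such entries belong in disable-common.inc, but no disable-common.inc hunk appears on this page; confirm the entry moved there and say so in the commit message. The same applies to the identical removals in the youtube-viewers-common and zeal hunks below, which only make sense if the global entry exists.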
diff --git a/etc/profile-m-z/unf.profile b/etc/profile-m-z/unf.profile index aac99aed5..cdfd72a5b 100644 --- a/etc/profile-m-z/unf.profile +++ b/etc/profile-m-z/unf.profile | |||
@@ -24,7 +24,6 @@ include whitelist-var-common.inc | |||
24 | 24 | ||
25 | apparmor | 25 | apparmor |
26 | caps.drop all | 26 | caps.drop all |
27 | hostname unf | ||
28 | ipc-namespace | 27 | ipc-namespace |
29 | machine-id | 28 | machine-id |
30 | net none | 29 | net none |
diff --git a/etc/profile-m-z/url-eater.profile b/etc/profile-m-z/url-eater.profile new file mode 100644 index 000000000..a894ff0f6 --- /dev/null +++ b/etc/profile-m-z/url-eater.profile | |||
@@ -0,0 +1,58 @@ | |||
1 | # Firejail profile for url-eater | ||
2 | # Description: Clean unnecessary parameters from URLs copied to clipboard | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include url-eater.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | include disable-common.inc | ||
10 | include disable-devel.inc | ||
11 | include disable-exec.inc | ||
12 | include disable-interpreters.inc | ||
13 | include disable-proc.inc | ||
14 | include disable-programs.inc | ||
15 | include disable-shell.inc | ||
16 | include disable-xdg.inc | ||
17 | |||
18 | include whitelist-common.inc | ||
19 | include whitelist-run-common.inc | ||
20 | include whitelist-runuser-common.inc | ||
21 | include whitelist-usr-share-common.inc | ||
22 | include whitelist-var-common.inc | ||
23 | |||
24 | apparmor | ||
25 | caps.drop all | ||
26 | ipc-namespace | ||
27 | machine-id | ||
28 | net none | ||
29 | no3d | ||
30 | nodvd | ||
31 | nogroups | ||
32 | noinput | ||
33 | nonewprivs | ||
34 | noprinters | ||
35 | noroot | ||
36 | nosound | ||
37 | notv | ||
38 | nou2f | ||
39 | novideo | ||
40 | protocol unix | ||
41 | seccomp | ||
42 | seccomp.block-secondary | ||
43 | tracelog | ||
44 | |||
45 | disable-mnt | ||
46 | private-bin url-eater | ||
47 | private-cache | ||
48 | private-dev | ||
49 | private-etc url-eater.kdl | ||
50 | private-lib | ||
51 | #private-tmp # breaks on Arch | ||
52 | |||
53 | dbus-user none | ||
54 | dbus-system none | ||
55 | |||
56 | memory-deny-write-execute | ||
57 | read-only ${HOME} | ||
58 | restrict-namespaces | ||
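Review bot: `#private-tmp # breaks on Arch` (line 51 of the new file) gives no issue reference, so the next person cannot tell whether the breakage is still current. The youtube-dl profile in this same commit uses the form `#memory-deny-write-execute - breaks on Arch (see issue #1803)`; use the same form here with the relevant issue number, or a short note of what fails, so the commented-out hardening can be revisited.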
diff --git a/etc/profile-m-z/uudeview.profile b/etc/profile-m-z/uudeview.profile index a6d2a65e9..9a9915669 100644 --- a/etc/profile-m-z/uudeview.profile +++ b/etc/profile-m-z/uudeview.profile | |||
@@ -19,7 +19,6 @@ include disable-shell.inc | |||
19 | include whitelist-usr-share-common.inc | 19 | include whitelist-usr-share-common.inc |
20 | 20 | ||
21 | caps.drop all | 21 | caps.drop all |
22 | hostname uudeview | ||
23 | ipc-namespace | 22 | ipc-namespace |
24 | machine-id | 23 | machine-id |
25 | net none | 24 | net none |
diff --git a/etc/profile-m-z/whois.profile b/etc/profile-m-z/whois.profile index 8958564ef..8265e1ff8 100644 --- a/etc/profile-m-z/whois.profile +++ b/etc/profile-m-z/whois.profile | |||
@@ -22,7 +22,6 @@ include whitelist-var-common.inc | |||
22 | 22 | ||
23 | apparmor | 23 | apparmor |
24 | caps.drop all | 24 | caps.drop all |
25 | hostname whois | ||
26 | ipc-namespace | 25 | ipc-namespace |
27 | machine-id | 26 | machine-id |
28 | netfilter | 27 | netfilter |
diff --git a/etc/profile-m-z/youtube-dl.profile b/etc/profile-m-z/youtube-dl.profile index 8376b4989..9e81d745d 100644 --- a/etc/profile-m-z/youtube-dl.profile +++ b/etc/profile-m-z/youtube-dl.profile | |||
@@ -5,63 +5,17 @@ quiet | |||
5 | # Persistent local customizations | 5 | # Persistent local customizations |
6 | include youtube-dl.local | 6 | include youtube-dl.local |
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | # added by included profile |
9 | 9 | #include globals.local | |
10 | # breaks when installed under ${HOME} via `pip install --user` (see #2833) | ||
11 | ignore noexec ${HOME} | ||
12 | 10 | ||
13 | noblacklist ${HOME}/.cache/youtube-dl | 11 | noblacklist ${HOME}/.cache/youtube-dl |
14 | noblacklist ${HOME}/.config/youtube-dl | 12 | noblacklist ${HOME}/.config/youtube-dl |
15 | noblacklist ${HOME}/.netrc | ||
16 | noblacklist ${MUSIC} | ||
17 | noblacklist ${VIDEOS} | ||
18 | 13 | ||
19 | # Allow python (blacklisted by disable-interpreters.inc) | 14 | # Allow python (blacklisted by disable-interpreters.inc) |
20 | include allow-python2.inc | 15 | include allow-python2.inc |
21 | include allow-python3.inc | ||
22 | |||
23 | blacklist /tmp/.X11-unix | ||
24 | blacklist ${RUNUSER} | ||
25 | |||
26 | include disable-common.inc | ||
27 | include disable-devel.inc | ||
28 | include disable-exec.inc | ||
29 | include disable-interpreters.inc | ||
30 | include disable-programs.inc | ||
31 | include disable-shell.inc | ||
32 | include disable-xdg.inc | ||
33 | |||
34 | include whitelist-usr-share-common.inc | ||
35 | include whitelist-var-common.inc | ||
36 | |||
37 | apparmor | ||
38 | caps.drop all | ||
39 | ipc-namespace | ||
40 | machine-id | ||
41 | netfilter | ||
42 | no3d | ||
43 | nodvd | ||
44 | nogroups | ||
45 | noinput | ||
46 | nonewprivs | ||
47 | noroot | ||
48 | nosound | ||
49 | notv | ||
50 | nou2f | ||
51 | novideo | ||
52 | protocol unix,inet,inet6 | ||
53 | seccomp | ||
54 | seccomp.block-secondary | ||
55 | tracelog | ||
56 | |||
57 | private-bin env,ffmpeg,python*,youtube-dl | ||
58 | private-cache | ||
59 | private-dev | ||
60 | private-etc @tls-ca,mime.types,youtube-dl.conf | ||
61 | private-tmp | ||
62 | 16 | ||
63 | dbus-user none | 17 | private-bin youtube-dl |
64 | dbus-system none | 18 | private-etc youtube-dl.conf |
65 | 19 | ||
66 | #memory-deny-write-execute - breaks on Arch (see issue #1803) | 20 | # Redirect |
67 | restrict-namespaces | 21 | include yt-dlp.profile |
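Review bot: the `pip install --user` workaround (`ignore noexec ${HOME}`, see #2833) is removed from youtube-dl.profile without a replacement pointer, and the profile now redirects to yt-dlp.profile. A user who reads youtube-dl.profile has no hint that the workaround moved; add a one-line comment mirroring the yt-dlp.profile block ("If you installed via pip under ${HOME} add 'ignore noexec ${HOME}' in ...local"), stating which .local file the ignore belongs in under the redirect.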
diff --git a/etc/profile-m-z/youtube-viewer.profile b/etc/profile-m-z/youtube-viewer.profile index 825599fcc..4a0e26540 100644 --- a/etc/profile-m-z/youtube-viewer.profile +++ b/etc/profile-m-z/youtube-viewer.profile | |||
@@ -15,7 +15,7 @@ mkdir ${HOME}/.config/youtube-viewer | |||
15 | whitelist ${HOME}/.cache/youtube-viewer | 15 | whitelist ${HOME}/.cache/youtube-viewer |
16 | whitelist ${HOME}/.config/youtube-viewer | 16 | whitelist ${HOME}/.config/youtube-viewer |
17 | 17 | ||
18 | private-bin gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,youtube-viewer | 18 | private-bin youtube-viewer |
19 | 19 | ||
20 | # Redirect | 20 | # Redirect |
21 | include youtube-viewers-common.profile | 21 | include youtube-viewers-common.profile |
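Review bot: dropping `gtk-youtube-viewer`, `gtk2-youtube-viewer` and `gtk3-youtube-viewer` from `private-bin` means those binaries no longer exist inside a sandbox started with this profile. Nothing on this page shows them getting profiles of their own, so either the commit message should say where they moved or the entries should stay until the split is in place.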
diff --git a/etc/profile-m-z/youtube-viewers-common.profile b/etc/profile-m-z/youtube-viewers-common.profile index 9ef90eb92..c9d2ea53b 100644 --- a/etc/profile-m-z/youtube-viewers-common.profile +++ b/etc/profile-m-z/youtube-viewers-common.profile | |||
@@ -8,6 +8,7 @@ include youtube-viewers-common.local | |||
8 | #include globals.local | 8 | #include globals.local |
9 | 9 | ||
10 | noblacklist ${HOME}/.cache/youtube-dl | 10 | noblacklist ${HOME}/.cache/youtube-dl |
11 | noblacklist ${HOME}/.config/mpv | ||
11 | 12 | ||
12 | # Allow lua (blacklisted by disable-interpreters.inc) | 13 | # Allow lua (blacklisted by disable-interpreters.inc) |
13 | include allow-lua.inc | 14 | include allow-lua.inc |
@@ -19,13 +20,6 @@ include allow-perl.inc | |||
19 | include allow-python2.inc | 20 | include allow-python2.inc |
20 | include allow-python3.inc | 21 | include allow-python3.inc |
21 | 22 | ||
22 | # The lines below are needed to find the default Firefox profile name, to allow | ||
23 | # opening links in an existing instance of Firefox (note that it still fails if | ||
24 | # there isn't a Firefox instance running with the default profile; see #5352) | ||
25 | noblacklist ${HOME}/.mozilla | ||
26 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | ||
27 | read-only ${HOME}/.mozilla/firefox/profiles.ini | ||
28 | |||
29 | include disable-common.inc | 23 | include disable-common.inc |
30 | include disable-devel.inc | 24 | include disable-devel.inc |
31 | include disable-exec.inc | 25 | include disable-exec.inc |
@@ -35,7 +29,9 @@ include disable-xdg.inc | |||
35 | 29 | ||
36 | whitelist ${DOWNLOADS} | 30 | whitelist ${DOWNLOADS} |
37 | whitelist ${HOME}/.cache/youtube-dl/youtube-sigfuncs | 31 | whitelist ${HOME}/.cache/youtube-dl/youtube-sigfuncs |
32 | whitelist ${HOME}/.config/mpv | ||
38 | include whitelist-common.inc | 33 | include whitelist-common.inc |
34 | include whitelist-run-common.inc | ||
39 | include whitelist-runuser-common.inc | 35 | include whitelist-runuser-common.inc |
40 | include whitelist-usr-share-common.inc | 36 | include whitelist-usr-share-common.inc |
41 | include whitelist-var-common.inc | 37 | include whitelist-var-common.inc |
@@ -56,16 +52,12 @@ seccomp | |||
56 | tracelog | 52 | tracelog |
57 | 53 | ||
58 | disable-mnt | 54 | disable-mnt |
59 | private-bin bash,ffmpeg,ffprobe,firefox,mpv,perl,python*,sh,smplayer,stty,wget,wget2,which,xterm,youtube-dl,yt-dlp | 55 | private-bin bash,ffmpeg,ffprobe,mpv,perl,python*,sh,smplayer,stty,wget,wget2,which,youtube-dl,yt-dlp |
60 | private-cache | 56 | private-cache |
61 | private-dev | 57 | private-dev |
62 | private-etc @tls-ca,@x11,host.conf,mime.types | 58 | private-etc @tls-ca,@x11,host.conf,mime.types |
63 | private-tmp | 59 | private-tmp |
64 | 60 | ||
65 | dbus-user filter | ||
66 | # allow D-Bus communication with firefox for opening links | ||
67 | dbus-user.talk org.mozilla.* | ||
68 | |||
69 | dbus-system none | 61 | dbus-system none |
70 | 62 | ||
71 | restrict-namespaces | 63 | restrict-namespaces |
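Review bot: after `dbus-user filter` and `dbus-user.talk org.mozilla.*` are removed, no `dbus-user` directive remains in the shown context, only `dbus-system none`. Unless one exists elsewhere in the file, the session bus is now unrestricted rather than filtered, which is a weaker setting than before the change. Since the Firefox link-opening path this filter served is gone from this profile, replace the removed filter with `dbus-user none` next to `dbus-system none`.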
diff --git a/etc/profile-m-z/yt-dlp.profile b/etc/profile-m-z/yt-dlp.profile index 49d4b3b56..97f9e620a 100644 --- a/etc/profile-m-z/yt-dlp.profile +++ b/etc/profile-m-z/yt-dlp.profile | |||
@@ -5,17 +5,73 @@ quiet | |||
5 | # Persistent local customizations | 5 | # Persistent local customizations |
6 | include yt-dlp.local | 6 | include yt-dlp.local |
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | # added by included profile | 8 | include globals.local |
9 | #include globals.local | 9 | |
10 | # If you installed via pip under ${HOME} | ||
11 | # add 'ignore noexec ${HOME}' in yt-dlp.local. | ||
12 | # AppArmor needs to allow it too, | ||
13 | # add 'ignore apparmor' in yt-dlp.local | ||
14 | # OR in /etc/apparmor.d/local/firejail-default add: | ||
15 | # 'owner @HOME/.local/bin/** ix,' | ||
16 | # 'owner @HOME/.local/lib/python*/** ix,' | ||
17 | # then run the command | ||
18 | # 'sudo apparmor_parser -r /etc/apparmor.d/firejail-default' | ||
10 | 19 | ||
11 | noblacklist ${HOME}/.cache/yt-dlp | 20 | noblacklist ${HOME}/.cache/yt-dlp |
12 | noblacklist ${HOME}/.config/yt-dlp | 21 | noblacklist ${HOME}/.config/yt-dlp |
13 | noblacklist ${HOME}/.config/yt-dlp.conf | 22 | noblacklist ${HOME}/.config/yt-dlp.conf |
14 | noblacklist ${HOME}/yt-dlp.conf | 23 | noblacklist ${HOME}/yt-dlp.conf |
15 | noblacklist ${HOME}/yt-dlp.conf.txt | 24 | noblacklist ${HOME}/yt-dlp.conf.txt |
25 | noblacklist ${HOME}/.netrc | ||
26 | noblacklist ${MUSIC} | ||
27 | noblacklist ${VIDEOS} | ||
28 | |||
29 | # Allow python (blacklisted by disable-interpreters.inc) | ||
30 | include allow-python3.inc | ||
31 | |||
32 | blacklist /tmp/.X11-unix | ||
33 | blacklist ${RUNUSER} | ||
34 | |||
35 | include disable-common.inc | ||
36 | include disable-devel.inc | ||
37 | include disable-exec.inc | ||
38 | include disable-interpreters.inc | ||
39 | include disable-programs.inc | ||
40 | include disable-shell.inc | ||
41 | include disable-xdg.inc | ||
42 | |||
43 | include whitelist-usr-share-common.inc | ||
44 | include whitelist-var-common.inc | ||
45 | |||
46 | apparmor | ||
47 | caps.drop all | ||
48 | ipc-namespace | ||
49 | machine-id | ||
50 | netfilter | ||
51 | no3d | ||
52 | nodvd | ||
53 | nogroups | ||
54 | noinput | ||
55 | nonewprivs | ||
56 | noroot | ||
57 | nosound | ||
58 | notv | ||
59 | nou2f | ||
60 | novideo | ||
61 | protocol unix,inet,inet6 | ||
62 | seccomp | ||
63 | seccomp.block-secondary | ||
64 | tracelog | ||
65 | |||
66 | private-bin env,ffmpeg,ffprobe,python*,yt-dlp | ||
67 | private-cache | ||
68 | private-dev | ||
69 | private-etc @tls-ca,mime.types,yt-dlp.conf | ||
70 | private-tmp | ||
71 | |||
72 | dbus-user none | ||
73 | dbus-system none | ||
16 | 74 | ||
17 | private-bin ffprobe,yt-dlp | 75 | memory-deny-write-execute |
18 | private-etc yt-dlp.conf | ||
19 | 76 | ||
20 | # Redirect | 77 | restrict-namespaces |
21 | include youtube-dl.profile | ||
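Review bot: `memory-deny-write-execute` (new line 75) is enabled unconditionally, whereas the youtube-dl profile this file replaces had it commented out with "breaks on Arch (see issue #1803)". Either confirm in the commit message that #1803 no longer applies to yt-dlp, or keep the line commented with the same reference so Arch users are not broken by the redirect. Separately, `noblacklist ${HOME}/.netrc` (new line 25) exposes a plaintext credentials file to the sandbox; a short comment naming the feature that needs it (the yt-dlp `--netrc` option) would make the exposure deliberate rather than inherited.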
diff --git a/etc/profile-m-z/zeal.profile b/etc/profile-m-z/zeal.profile index caf9eab63..09a1d37a3 100644 --- a/etc/profile-m-z/zeal.profile +++ b/etc/profile-m-z/zeal.profile | |||
@@ -23,7 +23,6 @@ include disable-xdg.inc | |||
23 | # This also requires dbus-user filtering (see below). | 23 | # This also requires dbus-user filtering (see below). |
24 | noblacklist ${HOME}/.mozilla | 24 | noblacklist ${HOME}/.mozilla |
25 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | 25 | whitelist ${HOME}/.mozilla/firefox/profiles.ini |
26 | read-only ${HOME}/.mozilla/firefox/profiles.ini | ||
27 | 26 | ||
28 | mkdir ${HOME}/.cache/Zeal | 27 | mkdir ${HOME}/.cache/Zeal |
29 | mkdir ${HOME}/.config/Zeal | 28 | mkdir ${HOME}/.config/Zeal |
diff --git a/etc/templates/profile.template b/etc/templates/profile.template index fd328f36c..b88566f54 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template | |||
@@ -221,6 +221,8 @@ include globals.local | |||
221 | #dbus-user.talk org.freedesktop.Notifications | 221 | #dbus-user.talk org.freedesktop.Notifications |
222 | #dbus-system none | 222 | #dbus-system none |
223 | 223 | ||
224 | # Note: read-only entries should usually go in disable-common.inc (especially | ||
225 | # entries for configuration files that allow arbitrary command execution). | ||
224 | ##deterministic-shutdown | 226 | ##deterministic-shutdown |
225 | ##env VAR=VALUE | 227 | ##env VAR=VALUE |
226 | ##join-or-start NAME | 228 | ##join-or-start NAME |
@@ -5,7 +5,7 @@ | |||
5 | 5 | ||
6 | # GCOV test setup | 6 | # GCOV test setup |
7 | # required: sudo, lcov (apt-get install lcov) | 7 | # required: sudo, lcov (apt-get install lcov) |
8 | # setup: make distclean && ./configure --prefix=/usr --enable-apparmor --enable-gcov && make -j4 && sudo make install | 8 | # setup: modify ./configure line below if necessary |
9 | # run as regular user: ./gcov.sh | 9 | # run as regular user: ./gcov.sh |
10 | # result in gcov-dir/index.html | 10 | # result in gcov-dir/index.html |
11 | 11 | ||
@@ -13,37 +13,42 @@ gcov_generate() { | |||
13 | USER="$(whoami)" | 13 | USER="$(whoami)" |
14 | find . -exec sudo chown "$USER:$USER" '{}' + | 14 | find . -exec sudo chown "$USER:$USER" '{}' + |
15 | lcov -q --capture -d src/firejail -d src/lib -d src/firecfg -d src/firemon \ | 15 | lcov -q --capture -d src/firejail -d src/lib -d src/firecfg -d src/firemon \ |
16 | -d src/fnet -d src/fnetfilter --output-file gcov-file | 16 | -d src/fnet -d src/fnetfilter -d src/fcopy -d src/fseccomp --output-file gcov-file |
17 | genhtml -q gcov-file --output-directory gcov-dir | 17 | genhtml -q gcov-file --output-directory gcov-dir |
18 | } | 18 | } |
19 | 19 | ||
20 | make distclean && ./configure --prefix=/usr --enable-apparmor --enable-gcov --enable-fatal-warnings && make -j4 && sudo make install | ||
20 | rm -fr gcov-dir gcov-file | 21 | rm -fr gcov-dir gcov-file |
21 | firejail --version | 22 | firejail --version |
22 | gcov_generate | 23 | gcov_generate |
23 | 24 | ||
24 | #make test-firecfg | grep TESTING | 25 | make test-firecfg | grep TESTING |
25 | #gcov_generate | 26 | gcov_generate |
26 | #make test-apparmor | grep TESTING | 27 | make test-capabilities | grep TESTING |
27 | #gcov_generate | 28 | gcov_generate |
29 | make test-seccomp-extra | grep TESTING | ||
30 | gcov_generate | ||
31 | make test-apparmor | grep TESTING | ||
32 | gcov_generate | ||
28 | make test-network | grep TESTING | 33 | make test-network | grep TESTING |
29 | gcov_generate | 34 | gcov_generate |
30 | #make test-appimage | grep TESTING | 35 | make test-appimage | grep TESTING |
31 | #gcov_generate | 36 | gcov_generate |
32 | #make test-chroot | grep TESTING | 37 | make test-chroot | grep TESTING |
33 | #gcov_generate | 38 | gcov_generate |
34 | #make test-sysutils | grep TESTING | 39 | make test-sysutils | grep TESTING |
35 | #gcov_generate | 40 | gcov_generate |
36 | #make test-private-etc | grep TESTING | 41 | make test-private-etc | grep TESTING |
37 | #gcov_generate | 42 | gcov_generate |
38 | #make test-profiles | grep TESTING | 43 | make test-profiles | grep TESTING |
39 | #gcov_generate | 44 | gcov_generate |
40 | #make test-fcopy | grep TESTING | 45 | make test-fcopy | grep TESTING |
41 | #gcov_generate | 46 | gcov_generate |
42 | make test-fnetfilter | grep TESTING | 47 | make test-fnetfilter | grep TESTING |
43 | gcov_generate | 48 | gcov_generate |
44 | #make test-fs | grep TESTING | 49 | make test-fs | grep TESTING |
45 | #gcov_generate | 50 | gcov_generate |
46 | #make test-utils | grep TESTING | 51 | make test-utils | grep TESTING |
47 | #gcov_generate | 52 | gcov_generate |
48 | #make test-environment | grep TESTING | 53 | make test-environment | grep TESTING |
49 | #gcov_generate | 54 | gcov_generate |
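Review bot: the new top-level line `make distclean && ./configure ... && make -j4 && sudo make install` has no failure handling; if `./configure` or `make` fails, the script continues into `rm -fr gcov-dir gcov-file`, `firejail --version` and the whole test series against whatever firejail was previously installed, producing coverage for the wrong build. Append `|| exit 1` to that line (or `set -e` at the top of the script). Also, the header comment still says "run as regular user" while the script now runs `sudo make install` itself; worth stating that sudo will prompt.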
diff --git a/src/etc-cleanup/Makefile b/src/etc-cleanup/Makefile index 349da8821..10c28cd76 100644 --- a/src/etc-cleanup/Makefile +++ b/src/etc-cleanup/Makefile | |||
@@ -4,6 +4,6 @@ ROOT = ../.. | |||
4 | PROG = etc-cleanup | 4 | PROG = etc-cleanup |
5 | TARGET = $(PROG) | 5 | TARGET = $(PROG) |
6 | 6 | ||
7 | MOD_HDRS = ../include/etc-groups.h | 7 | MOD_HDRS = ../include/etc_groups.h |
8 | 8 | ||
9 | include $(ROOT)/src/prog.mk | 9 | include $(ROOT)/src/prog.mk |
diff --git a/src/etc-cleanup/main.c b/src/etc-cleanup/main.c index 6c7bea6d6..f15ba53cd 100644 --- a/src/etc-cleanup/main.c +++ b/src/etc-cleanup/main.c | |||
@@ -212,13 +212,16 @@ static void process_file(const char *fname) { | |||
212 | } | 212 | } |
213 | } | 213 | } |
214 | 214 | ||
215 | static const char *const usage_str = | ||
216 | "usage: cleanup-etc [options] file.profile [file.profile]\n" | ||
217 | "Group and clean private-etc entries in one or more profile files.\n" | ||
218 | "Options:\n" | ||
219 | " --debug - print debug messages\n" | ||
220 | " -h, -?, --help - this help screen\n" | ||
221 | " --replace - replace profile file\n"; | ||
222 | |||
215 | static void usage(void) { | 223 | static void usage(void) { |
216 | printf("usage: cleanup-etc [options] file.profile [file.profile]\n"); | 224 | puts(usage_str); |
217 | printf("Group and clean private-etc entries in one or more profile files.\n"); | ||
218 | printf("Options:\n"); | ||
219 | printf(" --debug - print debug messages\n"); | ||
220 | printf(" -h, -?, --help - this help screen\n"); | ||
221 | printf(" --replace - replace profile file\n"); | ||
222 | } | 225 | } |
223 | 226 | ||
224 | int main(int argc, char **argv) { | 227 | int main(int argc, char **argv) { |
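Review bot: `puts(usage_str)` emits one more trailing newline than the printf sequence it replaces, because `usage_str` already ends in `\n` and `puts` appends another. The fcopy hunk below keeps its output identical with `fputs(usage_str, stderr)`, and the firecfg hunk compensates by trimming its literal from `\n\n` to `\n`. Use `fputs(usage_str, stdout)` here, and in the fbuilder and fids hunks that make the same change, or drop the final `\n` from the literal; whichever is chosen, all four should be consistent.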
diff --git a/src/fbuilder/main.c b/src/fbuilder/main.c index 7fdf9af68..a85d4a931 100644 --- a/src/fbuilder/main.c +++ b/src/fbuilder/main.c | |||
@@ -21,9 +21,12 @@ | |||
21 | int arg_debug = 0; | 21 | int arg_debug = 0; |
22 | int arg_appimage = 0; | 22 | int arg_appimage = 0; |
23 | 23 | ||
24 | static const char *const usage_str = | ||
25 | "Firejail profile builder\n" | ||
26 | "Usage: firejail [--debug] --build[=profile-file] program-and-arguments\n"; | ||
27 | |||
24 | static void usage(void) { | 28 | static void usage(void) { |
25 | printf("Firejail profile builder\n"); | 29 | puts(usage_str); |
26 | printf("Usage: firejail [--debug] --build[=profile-file] program-and-arguments\n"); | ||
27 | } | 30 | } |
28 | 31 | ||
29 | int main(int argc, char **argv) { | 32 | int main(int argc, char **argv) { |
diff --git a/src/fcopy/main.c b/src/fcopy/main.c index ce2efb295..a56e8a91b 100644 --- a/src/fcopy/main.c +++ b/src/fcopy/main.c | |||
@@ -416,18 +416,19 @@ static void duplicate_link(const char *src, const char *dest, struct stat *s) { | |||
416 | free(rdest); | 416 | free(rdest); |
417 | } | 417 | } |
418 | 418 | ||
419 | static const char *const usage_str = | ||
420 | "Usage: fcopy [--follow-link] src dest\n" | ||
421 | "\n" | ||
422 | "Copy SRC to DEST/SRC. SRC may be a file, directory, or symbolic link.\n" | ||
423 | "If SRC is a directory it is copied recursively. If it is a symlink,\n" | ||
424 | "the link itself is duplicated, unless --follow-link is given,\n" | ||
425 | "in which case the destination of the link is copied.\n" | ||
426 | "DEST must already exist and must be a directory.\n"; | ||
419 | 427 | ||
420 | static void usage(void) { | 428 | static void usage(void) { |
421 | fputs("Usage: fcopy [--follow-link] src dest\n" | 429 | fputs(usage_str, stderr); |
422 | "\n" | ||
423 | "Copy SRC to DEST/SRC. SRC may be a file, directory, or symbolic link.\n" | ||
424 | "If SRC is a directory it is copied recursively. If it is a symlink,\n" | ||
425 | "the link itself is duplicated, unless --follow-link is given,\n" | ||
426 | "in which case the destination of the link is copied.\n" | ||
427 | "DEST must already exist and must be a directory.\n", stderr); | ||
428 | } | 430 | } |
429 | 431 | ||
430 | |||
431 | int main(int argc, char **argv) { | 432 | int main(int argc, char **argv) { |
432 | #if 0 | 433 | #if 0 |
433 | { | 434 | { |
diff --git a/src/fids/main.c b/src/fids/main.c index f1dfdac8e..915edb6ca 100644 --- a/src/fids/main.c +++ b/src/fids/main.c | |||
@@ -318,10 +318,11 @@ static void process_config(const char *fname) { | |||
318 | include_level--; | 318 | include_level--; |
319 | } | 319 | } |
320 | 320 | ||
321 | 321 | static const char *const usage_str = | |
322 | "Usage: fids [--help|-h|-?] --init|--check homedir\n"; | ||
322 | 323 | ||
323 | void usage(void) { | 324 | void usage(void) { |
324 | printf("Usage: fids [--help|-h|-?] --init|--check homedir\n"); | 325 | puts(usage_str); |
325 | } | 326 | } |
326 | 327 | ||
327 | int main(int argc, char **argv) { | 328 | int main(int argc, char **argv) { |
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 45457fb47..1e996ef72 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -11,6 +11,7 @@ Cryptocat | |||
11 | Cyberfox | 11 | Cyberfox |
12 | Discord | 12 | Discord |
13 | DiscordCanary | 13 | DiscordCanary |
14 | DiscordPTB | ||
14 | Documents | 15 | Documents |
15 | FossaMail | 16 | FossaMail |
16 | Fritzing | 17 | Fritzing |
@@ -24,6 +25,7 @@ Natron | |||
24 | PCSX2 | 25 | PCSX2 |
25 | PPSSPPQt | 26 | PPSSPPQt |
26 | PPSSPPSDL | 27 | PPSSPPSDL |
28 | Postman | ||
27 | QMediathekView | 29 | QMediathekView |
28 | QOwnNotes | 30 | QOwnNotes |
29 | Screenshot | 31 | Screenshot |
@@ -44,6 +46,7 @@ amarok | |||
44 | amule | 46 | amule |
45 | amuled | 47 | amuled |
46 | android-studio | 48 | android-studio |
49 | ani-cli | ||
47 | anydesk | 50 | anydesk |
48 | apktool | 51 | apktool |
49 | apostrophe | 52 | apostrophe |
@@ -196,6 +199,7 @@ dino | |||
196 | dino-im | 199 | dino-im |
197 | discord | 200 | discord |
198 | discord-canary | 201 | discord-canary |
202 | discord-ptb | ||
199 | display | 203 | display |
200 | display-im6.q16 | 204 | display-im6.q16 |
201 | dnox | 205 | dnox |
@@ -418,6 +422,7 @@ ipcalc | |||
418 | ipcalc-ng | 422 | ipcalc-ng |
419 | iridium | 423 | iridium |
420 | iridium-browser | 424 | iridium-browser |
425 | jami | ||
421 | jd-gui | 426 | jd-gui |
422 | jdownloader | 427 | jdownloader |
423 | jerry | 428 | jerry |
@@ -483,6 +488,7 @@ linphone | |||
483 | linuxqq | 488 | linuxqq |
484 | lmms | 489 | lmms |
485 | lobase | 490 | lobase |
491 | lobster | ||
486 | localc | 492 | localc |
487 | lodraw | 493 | lodraw |
488 | loffice | 494 | loffice |
@@ -533,6 +539,7 @@ meteo-qt | |||
533 | microsoft-edge | 539 | microsoft-edge |
534 | microsoft-edge-beta | 540 | microsoft-edge-beta |
535 | microsoft-edge-dev | 541 | microsoft-edge-dev |
542 | microsoft-edge-stable | ||
536 | midori | 543 | midori |
537 | min | 544 | min |
538 | mindless | 545 | mindless |
@@ -543,6 +550,7 @@ mirage | |||
543 | mirrormagic | 550 | mirrormagic |
544 | mocp | 551 | mocp |
545 | mousepad | 552 | mousepad |
553 | mov-cli | ||
546 | mp3splt | 554 | mp3splt |
547 | mp3splt-gtk | 555 | mp3splt-gtk |
548 | mp3wrap | 556 | mp3wrap |
@@ -676,6 +684,8 @@ pluma | |||
676 | plv | 684 | plv |
677 | pngquant | 685 | pngquant |
678 | polari | 686 | polari |
687 | porn-cli | ||
688 | postman | ||
679 | ppsspp | 689 | ppsspp |
680 | pragha | 690 | pragha |
681 | presentations18 | 691 | presentations18 |
@@ -873,6 +883,7 @@ unbound | |||
873 | unf | 883 | unf |
874 | unknown-horizons | 884 | unknown-horizons |
875 | # unzstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) | 885 | # unzstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) |
886 | url-eater | ||
876 | utox | 887 | utox |
877 | uudeview | 888 | uudeview |
878 | uzbl-browser | 889 | uzbl-browser |
diff --git a/src/firecfg/main.c b/src/firecfg/main.c index e1ff7e17a..da962c35d 100644 --- a/src/firecfg/main.c +++ b/src/firecfg/main.c | |||
@@ -24,7 +24,7 @@ int arg_debug = 0; | |||
24 | char *arg_bindir = "/usr/local/bin"; | 24 | char *arg_bindir = "/usr/local/bin"; |
25 | int arg_guide = 0; | 25 | int arg_guide = 0; |
26 | 26 | ||
27 | static char *usage_str = | 27 | static const char *const usage_str = |
28 | "Firecfg is the desktop configuration utility for Firejail software. The utility\n" | 28 | "Firecfg is the desktop configuration utility for Firejail software. The utility\n" |
29 | "creates several symbolic links to firejail executable. This allows the user to\n" | 29 | "creates several symbolic links to firejail executable. This allows the user to\n" |
30 | "sandbox applications automatically, just by clicking on a regular desktop\n" | 30 | "sandbox applications automatically, just by clicking on a regular desktop\n" |
@@ -57,14 +57,17 @@ static char *usage_str = | |||
57 | " [...]\n" | 57 | " [...]\n" |
58 | "\n" | 58 | "\n" |
59 | "License GPL version 2 or later\n" | 59 | "License GPL version 2 or later\n" |
60 | "Homepage: https://firejail.wordpress.com\n\n"; | 60 | "Homepage: https://firejail.wordpress.com\n"; |
61 | |||
62 | static void print_version(void) { | ||
63 | printf("firecfg version %s\n\n", VERSION); | ||
64 | } | ||
61 | 65 | ||
62 | static void usage(void) { | 66 | static void usage(void) { |
63 | printf("firecfg - version %s\n\n", VERSION); | 67 | print_version(); |
64 | puts(usage_str); | 68 | puts(usage_str); |
65 | } | 69 | } |
66 | 70 | ||
67 | |||
68 | static void list(void) { | 71 | static void list(void) { |
69 | DIR *dir = opendir(arg_bindir); | 72 | DIR *dir = opendir(arg_bindir); |
70 | if (!dir) { | 73 | if (!dir) { |
@@ -364,7 +367,7 @@ int main(int argc, char **argv) { | |||
364 | else if (strcmp(argv[i], "--debug") == 0) | 367 | else if (strcmp(argv[i], "--debug") == 0) |
365 | arg_debug = 1; | 368 | arg_debug = 1; |
366 | else if (strcmp(argv[i], "--version") == 0) { | 369 | else if (strcmp(argv[i], "--version") == 0) { |
367 | printf("firecfg version %s\n\n", VERSION); | 370 | print_version(); |
368 | return 0; | 371 | return 0; |
369 | } | 372 | } |
370 | else if (strcmp(argv[i], "--clean") == 0) { | 373 | else if (strcmp(argv[i], "--clean") == 0) { |
@@ -410,6 +413,7 @@ int main(int argc, char **argv) { | |||
410 | } | 413 | } |
411 | } | 414 | } |
412 | 415 | ||
416 | print_version(); | ||
413 | if (arg_debug) | 417 | if (arg_debug) |
414 | printf("%s %d %d %d %d\n", user, getuid(), getgid(), geteuid(), getegid()); | 418 | printf("%s %d %d %d %d\n", user, getuid(), getgid(), geteuid(), getegid()); |
415 | 419 | ||
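Review bot: the unconditional `print_version();` inserted before `if (arg_debug)` changes the stdout of every firecfg invocation, not just `--version` and `--debug`, which can surprise scripts that consume firecfg output. If the banner is intended for all runs, say so in the commit message; if it is a debugging aid, move it under the `if (arg_debug)` branch that follows.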
diff --git a/src/firejail/arp.c b/src/firejail/arp.c index d4288b29e..ed14eb171 100644 --- a/src/firejail/arp.c +++ b/src/firejail/arp.c | |||
@@ -197,7 +197,11 @@ int arp_check(const char *dev, uint32_t destaddr) { | |||
197 | double timeout = timerend - now; | 197 | double timeout = timerend - now; |
198 | ts.tv_sec = timeout; | 198 | ts.tv_sec = timeout; |
199 | ts.tv_usec = (timeout - ts.tv_sec) * 1000000; | 199 | ts.tv_usec = (timeout - ts.tv_sec) * 1000000; |
200 | int nready = select(maxfd + 1, &fds, (fd_set *) 0, (fd_set *) 0, &ts); | 200 | if (ts.tv_sec < 0) |
201 | ts.tv_sec = 0; | ||
202 | if (ts.tv_usec < 0) | ||
203 | ts.tv_usec = 0; | ||
204 | int nready = select(maxfd + 1, &fds, (fd_set *) 0, (fd_set *) 0, &ts); | ||
201 | if (nready < 0) | 205 | if (nready < 0) |
202 | errExit("select"); | 206 | errExit("select"); |
203 | else if (nready == 0) { // timeout | 207 | else if (nready == 0) { // timeout |
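Review bot: the two clamps are applied after a possibly negative `timeout` has already been converted through `ts.tv_sec = timeout;` and used to compute `ts.tv_usec`. Clamping the double once before both assignments (`if (timeout < 0) timeout = 0;`) is simpler, avoids converting a negative double to `time_t`, and cannot leave the two fields inconsistent.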
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 56f983854..d2289bb40 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -305,139 +305,128 @@ errout: | |||
305 | exit(1); | 305 | exit(1); |
306 | } | 306 | } |
307 | 307 | ||
308 | void print_version(void) { | 308 | static const char *const compiletime_support = |
309 | printf("firejail version %s\n", VERSION); | 309 | "Compile time support:" |
310 | printf("\n"); | 310 | "\n\t- always force nonewprivs support is " |
311 | print_compiletime_support(); | ||
312 | printf("\n"); | ||
313 | } | ||
314 | |||
315 | void print_compiletime_support(void) { | ||
316 | printf("Compile time support:\n"); | ||
317 | printf("\t- always force nonewprivs support is %s\n", | ||
318 | #ifdef HAVE_FORCE_NONEWPRIVS | 311 | #ifdef HAVE_FORCE_NONEWPRIVS |
319 | "enabled" | 312 | "enabled" |
320 | #else | 313 | #else |
321 | "disabled" | 314 | "disabled" |
322 | #endif | 315 | #endif |
323 | ); | ||
324 | 316 | ||
325 | printf("\t- AppArmor support is %s\n", | 317 | "\n\t- AppArmor support is " |
326 | #ifdef HAVE_APPARMOR | 318 | #ifdef HAVE_APPARMOR |
327 | "enabled" | 319 | "enabled" |
328 | #else | 320 | #else |
329 | "disabled" | 321 | "disabled" |
330 | #endif | 322 | #endif |
331 | ); | ||
332 | 323 | ||
333 | printf("\t- AppImage support is %s\n", | 324 | "\n\t- AppImage support is " |
334 | #ifdef LOOP_CTL_GET_FREE // test for older kernels; this definition is found in /usr/include/linux/loop.h | 325 | #ifdef LOOP_CTL_GET_FREE // test for older kernels; this definition is found in /usr/include/linux/loop.h |
335 | "enabled" | 326 | "enabled" |
336 | #else | 327 | #else |
337 | "disabled" | 328 | "disabled" |
338 | #endif | 329 | #endif |
339 | ); | ||
340 | 330 | ||
341 | printf("\t- chroot support is %s\n", | 331 | "\n\t- chroot support is " |
342 | #ifdef HAVE_CHROOT | 332 | #ifdef HAVE_CHROOT |
343 | "enabled" | 333 | "enabled" |
344 | #else | 334 | #else |
345 | "disabled" | 335 | "disabled" |
346 | #endif | 336 | #endif |
347 | ); | ||
348 | 337 | ||
349 | printf("\t- D-BUS proxy support is %s\n", | 338 | "\n\t- D-BUS proxy support is " |
350 | #ifdef HAVE_DBUSPROXY | 339 | #ifdef HAVE_DBUSPROXY |
351 | "enabled" | 340 | "enabled" |
352 | #else | 341 | #else |
353 | "disabled" | 342 | "disabled" |
354 | #endif | 343 | #endif |
355 | ); | ||
356 | 344 | ||
357 | printf("\t- file transfer support is %s\n", | 345 | "\n\t- file transfer support is " |
358 | #ifdef HAVE_FILE_TRANSFER | 346 | #ifdef HAVE_FILE_TRANSFER |
359 | "enabled" | 347 | "enabled" |
360 | #else | 348 | #else |
361 | "disabled" | 349 | "disabled" |
362 | #endif | 350 | #endif |
363 | ); | ||
364 | 351 | ||
365 | printf("\t- firetunnel support is %s\n", | 352 | "\n\t- firetunnel support is " |
366 | #ifdef HAVE_FIRETUNNEL | 353 | #ifdef HAVE_FIRETUNNEL |
367 | "enabled" | 354 | "enabled" |
368 | #else | 355 | #else |
369 | "disabled" | 356 | "disabled" |
370 | #endif | 357 | #endif |
371 | ); | ||
372 | 358 | ||
373 | printf("\t- IDS support is %s\n", | 359 | "\n\t- IDS support is " |
374 | #ifdef HAVE_IDS | 360 | #ifdef HAVE_IDS |
375 | "enabled" | 361 | "enabled" |
376 | #else | 362 | #else |
377 | "disabled" | 363 | "disabled" |
378 | #endif | 364 | #endif |
379 | ); | ||
380 | 365 | ||
381 | printf("\t- networking support is %s\n", | 366 | "\n\t- networking support is " |
382 | #ifdef HAVE_NETWORK | 367 | #ifdef HAVE_NETWORK |
383 | "enabled" | 368 | "enabled" |
384 | #else | 369 | #else |
385 | "disabled" | 370 | "disabled" |
386 | #endif | 371 | #endif |
387 | ); | ||
388 | 372 | ||
389 | printf("\t- output logging is %s\n", | 373 | "\n\t- output logging is " |
390 | #ifdef HAVE_OUTPUT | 374 | #ifdef HAVE_OUTPUT |
391 | "enabled" | 375 | "enabled" |
392 | #else | 376 | #else |
393 | "disabled" | 377 | "disabled" |
394 | #endif | 378 | #endif |
395 | ); | 379 | |
396 | printf("\t- overlayfs support is %s\n", | 380 | "\n\t- overlayfs support is " |
397 | #ifdef HAVE_OVERLAYFS | 381 | #ifdef HAVE_OVERLAYFS |
398 | "enabled" | 382 | "enabled" |
399 | #else | 383 | #else |
400 | "disabled" | 384 | "disabled" |
401 | #endif | 385 | #endif |
402 | ); | ||
403 | 386 | ||
404 | printf("\t- private-home support is %s\n", | 387 | "\n\t- private-home support is " |
405 | #ifdef HAVE_PRIVATE_HOME | 388 | #ifdef HAVE_PRIVATE_HOME |
406 | "enabled" | 389 | "enabled" |
407 | #else | 390 | #else |
408 | "disabled" | 391 | "disabled" |
409 | #endif | 392 | #endif |
410 | ); | ||
411 | 393 | ||
412 | printf("\t- private-cache and tmpfs as user %s\n", | 394 | "\n\t- private-lib support is " |
395 | #ifdef HAVE_PRIVATE_LIB | ||
396 | "enabled" | ||
397 | #else | ||
398 | "disabled" | ||
399 | #endif | ||
400 | |||
401 | "\n\t- private-cache and tmpfs as user " | ||
413 | #ifdef HAVE_USERTMPFS | 402 | #ifdef HAVE_USERTMPFS |
414 | "enabled" | 403 | "enabled" |
415 | #else | 404 | #else |
416 | "disabled" | 405 | "disabled" |
417 | #endif | 406 | #endif |
418 | ); | ||
419 | 407 | ||
420 | printf("\t- SELinux support is %s\n", | 408 | "\n\t- SELinux support is " |
421 | #ifdef HAVE_SELINUX | 409 | #ifdef HAVE_SELINUX |
422 | "enabled" | 410 | "enabled" |
423 | #else | 411 | #else |
424 | "disabled" | 412 | "disabled" |
425 | #endif | 413 | #endif |
426 | ); | ||
427 | 414 | ||
428 | printf("\t- user namespace support is %s\n", | 415 | "\n\t- user namespace support is " |
429 | #ifdef HAVE_USERNS | 416 | #ifdef HAVE_USERNS |
430 | "enabled" | 417 | "enabled" |
431 | #else | 418 | #else |
432 | "disabled" | 419 | "disabled" |
433 | #endif | 420 | #endif |
434 | ); | ||
435 | 421 | ||
436 | printf("\t- X11 sandboxing support is %s\n", | 422 | "\n\t- X11 sandboxing support is " |
437 | #ifdef HAVE_X11 | 423 | #ifdef HAVE_X11 |
438 | "enabled" | 424 | "enabled" |
439 | #else | 425 | #else |
440 | "disabled" | 426 | "disabled" |
441 | #endif | 427 | #endif |
442 | ); | 428 | "\n"; |
429 | |||
430 | void print_compiletime_support(void) { | ||
431 | puts(compiletime_support); | ||
443 | } | 432 | } |
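Review bot: the new `compiletime_support` string ends in `"\n"` (new line 428) and `print_compiletime_support()` prints it with `puts()` (new line 431), which appends a newline of its own, so the feature list is now followed by a blank line; if that is not intended, drop the final `"\n"` or print with `fputs()`. Also, the new `private-lib support` entry is inserted between `private-home` and `private-cache`, so the list is not in alphabetical order; since the whole block is being rewritten, this is a good moment to order it `private-cache`, `private-home`, `private-lib`.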
diff --git a/src/firejail/env.c b/src/firejail/env.c index ede5f812d..da3c3ac53 100644 --- a/src/firejail/env.c +++ b/src/firejail/env.c | |||
@@ -279,7 +279,8 @@ static void env_apply_list(const char * const *list, unsigned int num_items) { | |||
279 | 279 | ||
280 | while (env) { | 280 | while (env) { |
281 | if (env->op == SETENV) { | 281 | if (env->op == SETENV) { |
282 | for (unsigned int i = 0; i < num_items; i++) | 282 | unsigned int i; |
283 | for (i = 0; i < num_items; i++) | ||
283 | if (strcmp(env->name, list[i]) == 0) { | 284 | if (strcmp(env->name, list[i]) == 0) { |
284 | // sanity check for whitelisted environment variables | 285 | // sanity check for whitelisted environment variables |
285 | if (strlen(env->name) + strlen(env->value) >= MAX_ENV_LEN) { | 286 | if (strlen(env->name) + strlen(env->value) >= MAX_ENV_LEN) { |
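Review bot: moving `i` out of the `for` header (new lines 282-283) widens its scope to the rest of the `SETENV` branch without any functional gain; if this is done for compatibility with a stricter `-std=` setting, say so in the commit message, otherwise the original C99 form is the clearer one. The same pattern appears in the `parse_arg_size()` hunk of `src/firejail/util.c`.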
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 5295393f0..d85b470e6 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -477,6 +477,8 @@ void tree(void); | |||
477 | void top(void); | 477 | void top(void); |
478 | 478 | ||
479 | // usage.c | 479 | // usage.c |
480 | void print_version(void); | ||
481 | void print_version_full(void); | ||
480 | void usage(void); | 482 | void usage(void); |
481 | 483 | ||
482 | // process.c | 484 | // process.c |
@@ -525,7 +527,6 @@ int macro_id(const char *name); | |||
525 | 527 | ||
526 | 528 | ||
527 | // util.c | 529 | // util.c |
528 | int invalid_name(const char *name); | ||
529 | void errLogExit(char* fmt, ...) __attribute__((noreturn)); | 530 | void errLogExit(char* fmt, ...) __attribute__((noreturn)); |
530 | void fwarning(char* fmt, ...); | 531 | void fwarning(char* fmt, ...); |
531 | void fmessage(char* fmt, ...); | 532 | void fmessage(char* fmt, ...); |
@@ -581,6 +582,13 @@ int has_handler(pid_t pid, int signal); | |||
581 | void enter_network_namespace(pid_t pid); | 582 | void enter_network_namespace(pid_t pid); |
582 | int read_pid(const char *name, pid_t *pid); | 583 | int read_pid(const char *name, pid_t *pid); |
583 | pid_t require_pid(const char *name); | 584 | pid_t require_pid(const char *name); |
585 | int ascii_isalnum(unsigned char c); | ||
586 | int ascii_isalpha(unsigned char c); | ||
587 | int ascii_isdigit(unsigned char c); | ||
588 | int ascii_islower(unsigned char c); | ||
589 | int ascii_isupper(unsigned char c); | ||
590 | int ascii_isxdigit(unsigned char c); | ||
591 | int invalid_name(const char *name); | ||
584 | void check_homedir(const char *dir); | 592 | void check_homedir(const char *dir); |
585 | 593 | ||
586 | // Get info regarding the last kernel mount operation from /proc/self/mountinfo | 594 | // Get info regarding the last kernel mount operation from /proc/self/mountinfo |
@@ -606,7 +614,6 @@ void fs_var_run(void); | |||
606 | void fs_var_lock(void); | 614 | void fs_var_lock(void); |
607 | void fs_var_tmp(void); | 615 | void fs_var_tmp(void); |
608 | void fs_var_utmp(void); | 616 | void fs_var_utmp(void); |
609 | void dbg_test_dir(const char *dir); | ||
610 | 617 | ||
611 | // fs_dev.c | 618 | // fs_dev.c |
612 | void fs_dev_shm(void); | 619 | void fs_dev_shm(void); |
@@ -851,7 +858,6 @@ extern char *config_seccomp_filter_add; | |||
851 | extern char **whitelist_reject_topdirs; | 858 | extern char **whitelist_reject_topdirs; |
852 | 859 | ||
853 | int checkcfg(int val); | 860 | int checkcfg(int val); |
854 | void print_version(void); | ||
855 | void print_compiletime_support(void); | 861 | void print_compiletime_support(void); |
856 | 862 | ||
857 | // appimage.c | 863 | // appimage.c |
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index 51a58013d..9ca73eb35 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c | |||
@@ -177,7 +177,6 @@ static void mount_dev_shm(void) { | |||
177 | int rv = mount(RUN_DEV_DIR "/shm", "/dev/shm", "none", MS_BIND, "mode=01777,gid=0"); | 177 | int rv = mount(RUN_DEV_DIR "/shm", "/dev/shm", "none", MS_BIND, "mode=01777,gid=0"); |
178 | if (rv == -1) { | 178 | if (rv == -1) { |
179 | fwarning("cannot mount the old /dev/shm in private-dev\n"); | 179 | fwarning("cannot mount the old /dev/shm in private-dev\n"); |
180 | dbg_test_dir(RUN_DEV_DIR "/shm"); | ||
181 | empty_dev_shm(); | 180 | empty_dev_shm(); |
182 | return; | 181 | return; |
183 | } | 182 | } |
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index 3b7369ea8..dc4e5c228 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c | |||
@@ -111,6 +111,11 @@ char *fs_etc_build(char *str) { | |||
111 | } | 111 | } |
112 | 112 | ||
113 | void fs_resolvconf(void) { | 113 | void fs_resolvconf(void) { |
114 | if (arg_nonetwork) { | ||
115 | if (arg_debug) | ||
116 | printf("arg_nonetwork found (--net=none). Skip creating /etc/resolv.conf file\n"); | ||
117 | return; | ||
118 | } | ||
114 | if (arg_debug) | 119 | if (arg_debug) |
115 | printf("Creating a new /etc/resolv.conf file\n"); | 120 | printf("Creating a new /etc/resolv.conf file\n"); |
116 | FILE *fp = fopen(RUN_RESOLVCONF_FILE, "wxe"); | 121 | FILE *fp = fopen(RUN_RESOLVCONF_FILE, "wxe"); |
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 624e74fe4..fd2441832 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -185,20 +185,10 @@ static int store_asoundrc(void) { | |||
185 | errExit("asprintf"); | 185 | errExit("asprintf"); |
186 | 186 | ||
187 | struct stat s; | 187 | struct stat s; |
188 | if (lstat(src, &s) == 0) { | 188 | if (stat(src, &s) == 0) { |
189 | if (S_ISLNK(s.st_mode)) { | 189 | if (s.st_uid != getuid()) { |
190 | // make sure the real path of the file is inside the home directory | 190 | fwarning(".asoundrc is not owned by the current user, skipping...\n"); |
191 | /* coverity[toctou] */ | 191 | return 0; |
192 | char *rp = realpath(src, NULL); | ||
193 | if (!rp) { | ||
194 | fprintf(stderr, "Error: Cannot access %s\n", src); | ||
195 | exit(1); | ||
196 | } | ||
197 | if (strncmp(rp, cfg.homedir, strlen(cfg.homedir)) != 0 || rp[strlen(cfg.homedir)] != '/') { | ||
198 | fprintf(stderr, "Error: .asoundrc is a symbolic link pointing to a file outside home directory\n"); | ||
199 | exit(1); | ||
200 | } | ||
201 | free(rp); | ||
202 | } | 192 | } |
203 | 193 | ||
204 | // create an empty file as root, and change ownership to user | 194 | // create an empty file as root, and change ownership to user |
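Review bot: the replacement check in `store_asoundrc()` is weaker than the one it removes: `stat()` follows symlinks, so a `.asoundrc` that is a symlink to a user-owned file outside the home directory (previously rejected by the `realpath()` prefix check against `cfg.homedir`) is now accepted, and the ownership test on the target is still separated from the subsequent copy by a TOCTOU window (the removed code carried a `coverity[toctou]` marker for exactly this reason). Since the comment below this hunk says the copy is performed as root, consider keeping the inside-home check or, better, opening the file with `O_NOFOLLOW` and doing the owner check with `fstat()` on the descriptor that is then copied, so the checked object and the copied object are the same. The failure mode also changes from `exit(1)` to `fwarning()` plus `return 0`; that is defensible, but it is a behaviour change that should be called out in the commit message.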
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c index e349941fa..ba7a291ee 100644 --- a/src/firejail/fs_lib.c +++ b/src/firejail/fs_lib.c | |||
@@ -32,35 +32,6 @@ extern void fslib_install_stdc(void); | |||
32 | extern void fslib_install_firejail(void); | 32 | extern void fslib_install_firejail(void); |
33 | extern void fslib_install_system(void); | 33 | extern void fslib_install_system(void); |
34 | 34 | ||
35 | static int lib_cnt = 0; | ||
36 | static int dir_cnt = 0; | ||
37 | |||
38 | static const char *masked_lib_dirs[] = { | ||
39 | "/usr/lib64", | ||
40 | "/lib64", | ||
41 | "/usr/lib", | ||
42 | "/lib", | ||
43 | "/usr/local/lib64", | ||
44 | "/usr/local/lib", | ||
45 | NULL, | ||
46 | }; | ||
47 | |||
48 | // return 1 if the file is in masked_lib_dirs[] | ||
49 | static int valid_full_path(const char *full_path) { | ||
50 | if (strstr(full_path, "..")) | ||
51 | return 0; | ||
52 | |||
53 | int i = 0; | ||
54 | while (masked_lib_dirs[i]) { | ||
55 | size_t len = strlen(masked_lib_dirs[i]); | ||
56 | if (strncmp(full_path, masked_lib_dirs[i], len) == 0 && | ||
57 | full_path[len] == '/') | ||
58 | return 1; | ||
59 | i++; | ||
60 | } | ||
61 | return 0; | ||
62 | } | ||
63 | |||
64 | // return 1 if symlink to firejail executable | 35 | // return 1 if symlink to firejail executable |
65 | int is_firejail_link(const char *fname) { | 36 | int is_firejail_link(const char *fname) { |
66 | EUID_ASSERT(); | 37 | EUID_ASSERT(); |
@@ -116,6 +87,36 @@ char *find_in_path(const char *program) { | |||
116 | return NULL; | 87 | return NULL; |
117 | } | 88 | } |
118 | 89 | ||
90 | #ifdef HAVE_PRIVATE_LIB | ||
91 | static int lib_cnt = 0; | ||
92 | static int dir_cnt = 0; | ||
93 | |||
94 | static const char *masked_lib_dirs[] = { | ||
95 | "/usr/lib64", | ||
96 | "/lib64", | ||
97 | "/usr/lib", | ||
98 | "/lib", | ||
99 | "/usr/local/lib64", | ||
100 | "/usr/local/lib", | ||
101 | NULL, | ||
102 | }; | ||
103 | |||
104 | // return 1 if the file is in masked_lib_dirs[] | ||
105 | static int valid_full_path(const char *full_path) { | ||
106 | if (strstr(full_path, "..")) | ||
107 | return 0; | ||
108 | |||
109 | int i = 0; | ||
110 | while (masked_lib_dirs[i]) { | ||
111 | size_t len = strlen(masked_lib_dirs[i]); | ||
112 | if (strncmp(full_path, masked_lib_dirs[i], len) == 0 && | ||
113 | full_path[len] == '/') | ||
114 | return 1; | ||
115 | i++; | ||
116 | } | ||
117 | return 0; | ||
118 | } | ||
119 | |||
119 | static char *build_dest_dir(const char *full_path) { | 120 | static char *build_dest_dir(const char *full_path) { |
120 | assert(full_path); | 121 | assert(full_path); |
121 | if (strstr(full_path, "/x86_64-linux-gnu/")) | 122 | if (strstr(full_path, "/x86_64-linux-gnu/")) |
@@ -465,3 +466,4 @@ void fs_private_lib(void) { | |||
465 | // mount lib filesystem | 466 | // mount lib filesystem |
466 | mount_directories(); | 467 | mount_directories(); |
467 | } | 468 | } |
469 | #endif \ No newline at end of file | ||
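Review bot: the file now ends without a trailing newline (`\ No newline at end of file` on the new `#endif`); add one. Since the `#ifdef HAVE_PRIVATE_LIB` opened at new line 90 now spans the rest of the file, annotate the close as `#endif // HAVE_PRIVATE_LIB` so the pairing is visible; the same applies to the matching `#endif` added at the end of `src/firejail/fs_lib2.c`.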
diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c index 540c3286f..583888e0e 100644 --- a/src/firejail/fs_lib2.c +++ b/src/firejail/fs_lib2.c | |||
@@ -36,6 +36,7 @@ typedef struct liblist_t { | |||
36 | int len; | 36 | int len; |
37 | } LibList; | 37 | } LibList; |
38 | 38 | ||
39 | #ifdef HAVE_PRIVATE_LIB | ||
39 | static LibList libc_list[] = { | 40 | static LibList libc_list[] = { |
40 | { "libselinux.so.", 0 }, | 41 | { "libselinux.so.", 0 }, |
41 | { "libpcre2-8.so.", 0 }, | 42 | { "libpcre2-8.so.", 0 }, |
@@ -356,3 +357,4 @@ void fslib_install_system(void) { | |||
356 | ptr++; | 357 | ptr++; |
357 | } | 358 | } |
358 | } | 359 | } |
360 | #endif | ||
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c index 690780a0e..4787df21e 100644 --- a/src/firejail/fs_var.c +++ b/src/firejail/fs_var.c | |||
@@ -230,21 +230,6 @@ void fs_var_cache(void) { | |||
230 | } | 230 | } |
231 | } | 231 | } |
232 | 232 | ||
233 | void dbg_test_dir(const char *dir) { | ||
234 | if (arg_debug) { | ||
235 | if (is_dir(dir)) | ||
236 | printf("%s is a directory\n", dir); | ||
237 | if (is_link(dir)) { | ||
238 | char *lnk = realpath(dir, NULL); | ||
239 | if (lnk) { | ||
240 | printf("%s is a symbolic link to %s\n", dir, lnk); | ||
241 | free(lnk); | ||
242 | } | ||
243 | } | ||
244 | } | ||
245 | } | ||
246 | |||
247 | |||
248 | void fs_var_lock(void) { | 233 | void fs_var_lock(void) { |
249 | 234 | ||
250 | if (is_dir("/var/lock")) { | 235 | if (is_dir("/var/lock")) { |
@@ -254,10 +239,8 @@ void fs_var_lock(void) { | |||
254 | errExit("mounting /lock"); | 239 | errExit("mounting /lock"); |
255 | fs_logger("tmpfs /var/lock"); | 240 | fs_logger("tmpfs /var/lock"); |
256 | } | 241 | } |
257 | else { | 242 | else |
258 | fwarning("/var/lock not mounted\n"); | 243 | fwarning("/var/lock not mounted\n"); |
259 | dbg_test_dir("/var/lock"); | ||
260 | } | ||
261 | } | 244 | } |
262 | 245 | ||
263 | void fs_var_tmp(void) { | 246 | void fs_var_tmp(void) { |
@@ -271,10 +254,8 @@ void fs_var_tmp(void) { | |||
271 | fs_logger("tmpfs /var/tmp"); | 254 | fs_logger("tmpfs /var/tmp"); |
272 | } | 255 | } |
273 | } | 256 | } |
274 | else { | 257 | else |
275 | fwarning("/var/tmp not mounted\n"); | 258 | fwarning("/var/tmp not mounted\n"); |
276 | dbg_test_dir("/var/tmp"); | ||
277 | } | ||
278 | } | 259 | } |
279 | 260 | ||
280 | void fs_var_utmp(void) { | 261 | void fs_var_utmp(void) { |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 62035ff04..1835d8de2 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -369,7 +369,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
369 | exit(0); | 369 | exit(0); |
370 | } | 370 | } |
371 | else if (strcmp(argv[i], "--version") == 0) { | 371 | else if (strcmp(argv[i], "--version") == 0) { |
372 | print_version(); | 372 | print_version_full(); |
373 | exit(0); | 373 | exit(0); |
374 | } | 374 | } |
375 | #ifdef HAVE_OVERLAYFS | 375 | #ifdef HAVE_OVERLAYFS |
@@ -1128,7 +1128,7 @@ int main(int argc, char **argv, char **envp) { | |||
1128 | EUID_USER(); | 1128 | EUID_USER(); |
1129 | if (rv == 0) { | 1129 | if (rv == 0) { |
1130 | if (check_arg(argc, argv, "--version", 1)) { | 1130 | if (check_arg(argc, argv, "--version", 1)) { |
1131 | print_version(); | 1131 | print_version_full(); |
1132 | exit(0); | 1132 | exit(0); |
1133 | } | 1133 | } |
1134 | 1134 | ||
@@ -1355,8 +1355,10 @@ int main(int argc, char **argv, char **envp) { | |||
1355 | arg_debug_blacklists = 1; | 1355 | arg_debug_blacklists = 1; |
1356 | else if (strcmp(argv[i], "--debug-whitelists") == 0) | 1356 | else if (strcmp(argv[i], "--debug-whitelists") == 0) |
1357 | arg_debug_whitelists = 1; | 1357 | arg_debug_whitelists = 1; |
1358 | #ifdef HAVE_PRIVATE_LIB | ||
1358 | else if (strcmp(argv[i], "--debug-private-lib") == 0) | 1359 | else if (strcmp(argv[i], "--debug-private-lib") == 0) |
1359 | arg_debug_private_lib = 1; | 1360 | arg_debug_private_lib = 1; |
1361 | #endif | ||
1360 | else if (strcmp(argv[i], "--quiet") == 0) { | 1362 | else if (strcmp(argv[i], "--quiet") == 0) { |
1361 | if (!arg_debug) | 1363 | if (!arg_debug) |
1362 | arg_quiet = 1; | 1364 | arg_quiet = 1; |
@@ -2137,6 +2139,7 @@ int main(int argc, char **argv, char **envp) { | |||
2137 | else | 2139 | else |
2138 | exit_err_feature("private-bin"); | 2140 | exit_err_feature("private-bin"); |
2139 | } | 2141 | } |
2142 | #ifdef HAVE_PRIVATE_LIB | ||
2140 | else if (strncmp(argv[i], "--private-lib", 13) == 0) { | 2143 | else if (strncmp(argv[i], "--private-lib", 13) == 0) { |
2141 | if (checkcfg(CFG_PRIVATE_LIB)) { | 2144 | if (checkcfg(CFG_PRIVATE_LIB)) { |
2142 | // extract private lib list (if any) | 2145 | // extract private lib list (if any) |
@@ -2152,6 +2155,7 @@ int main(int argc, char **argv, char **envp) { | |||
2152 | else | 2155 | else |
2153 | exit_err_feature("private-lib"); | 2156 | exit_err_feature("private-lib"); |
2154 | } | 2157 | } |
2158 | #endif | ||
2155 | else if (strcmp(argv[i], "--private-tmp") == 0) { | 2159 | else if (strcmp(argv[i], "--private-tmp") == 0) { |
2156 | arg_private_tmp = 1; | 2160 | arg_private_tmp = 1; |
2157 | } | 2161 | } |
@@ -3006,6 +3010,11 @@ int main(int argc, char **argv, char **envp) { | |||
3006 | } | 3010 | } |
3007 | EUID_ASSERT(); | 3011 | EUID_ASSERT(); |
3008 | 3012 | ||
3013 | // Note: Only attempt to print non-debug information to stdout after | ||
3014 | // all profiles have been loaded (because a profile may set arg_quiet) | ||
3015 | if (!arg_quiet) | ||
3016 | print_version(); | ||
3017 | |||
3009 | // block X11 sockets | 3018 | // block X11 sockets |
3010 | if (arg_x11_block) | 3019 | if (arg_x11_block) |
3011 | x11_block(); | 3020 | x11_block(); |
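Review bot: the new `print_version()` call writes `firejail version …` plus a blank line to stdout at every sandbox start unless `arg_quiet` is set. The comment explains why it has to sit after profile loading, but this is a user-visible change to what `firejail` emits on stdout, so anything that captures the sandboxed program's output through `firejail` sees two extra lines; check the `--quiet` path and profiles that set `quiet`, and mention the change in the release notes.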
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c index b4deda562..32fdd6218 100644 --- a/src/firejail/netfilter.c +++ b/src/firejail/netfilter.c | |||
@@ -248,5 +248,5 @@ void netfilter_print(pid_t pid, int ipv6) { | |||
248 | exit(1); | 248 | exit(1); |
249 | } | 249 | } |
250 | 250 | ||
251 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, iptables, "-vL"); | 251 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, iptables, "-nvL"); |
252 | } | 252 | } |
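Review bot: adding `-n` makes `iptables -L` print addresses and ports numerically instead of resolving them, so the listing no longer triggers reverse DNS or service-name lookups from inside the `sbox_run()` helper, where they can hang or fail when no resolver is reachable; good change, and it removes a source of outbound queries from a diagnostic command.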
diff --git a/src/firejail/network.c b/src/firejail/network.c index 0d2d53fca..3da51e195 100644 --- a/src/firejail/network.c +++ b/src/firejail/network.c | |||
@@ -89,30 +89,6 @@ int net_get_mtu(const char *ifname) { | |||
89 | return mtu; | 89 | return mtu; |
90 | } | 90 | } |
91 | 91 | ||
92 | //void net_set_mtu(const char *ifname, int mtu) { | ||
93 | // if (strlen(ifname) > IFNAMSIZ) { | ||
94 | // fprintf(stderr, "Error: invalid network device name %s\n", ifname); | ||
95 | // exit(1); | ||
96 | // } | ||
97 | // | ||
98 | // if (arg_debug) | ||
99 | // printf("set interface %s MTU %d.\n", ifname, mtu); | ||
100 | // | ||
101 | // int s; | ||
102 | // struct ifreq ifr; | ||
103 | // | ||
104 | // if ((s = socket(AF_INET, SOCK_DGRAM, 0)) < 0) | ||
105 | // errExit("socket"); | ||
106 | // | ||
107 | // memset(&ifr, 0, sizeof(ifr)); | ||
108 | // ifr.ifr_addr.sa_family = AF_INET; | ||
109 | // strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); | ||
110 | // ifr.ifr_mtu = mtu; | ||
111 | // if (ioctl(s, SIOCSIFMTU, (caddr_t)&ifr) != 0) | ||
112 | // fwarning("cannot set mtu for interface %s\n", ifname); | ||
113 | // close(s); | ||
114 | //} | ||
115 | |||
116 | // return -1 if the interface was not found; if the interface was found return 0 and fill in IP address and mask | 92 | // return -1 if the interface was not found; if the interface was found return 0 and fill in IP address and mask |
117 | int net_get_if_addr(const char *bridge, uint32_t *ip, uint32_t *mask, uint8_t mac[6], int *mtu) { | 93 | int net_get_if_addr(const char *bridge, uint32_t *ip, uint32_t *mask, uint8_t mac[6], int *mtu) { |
118 | assert(bridge); | 94 | assert(bridge); |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 648fc2248..19ac8d9ec 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -949,6 +949,7 @@ int sandbox(void* sandbox_arg) { | |||
949 | } | 949 | } |
950 | } | 950 | } |
951 | 951 | ||
952 | #ifdef HAVE_PRIVATE_LIB | ||
952 | // private-lib is disabled for appimages | 953 | // private-lib is disabled for appimages |
953 | if (arg_private_lib && !arg_appimage) { | 954 | if (arg_private_lib && !arg_appimage) { |
954 | if (cfg.chrootdir) | 955 | if (cfg.chrootdir) |
@@ -959,6 +960,7 @@ int sandbox(void* sandbox_arg) { | |||
959 | fs_private_lib(); | 960 | fs_private_lib(); |
960 | } | 961 | } |
961 | } | 962 | } |
963 | #endif | ||
962 | 964 | ||
963 | #ifdef HAVE_USERTMPFS | 965 | #ifdef HAVE_USERTMPFS |
964 | if (arg_private_cache) { | 966 | if (arg_private_cache) { |
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index 11ea5b036..59b74ec5c 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c | |||
@@ -26,6 +26,7 @@ | |||
26 | #include <sys/resource.h> | 26 | #include <sys/resource.h> |
27 | #include <sys/wait.h> | 27 | #include <sys/wait.h> |
28 | #include "../include/seccomp.h" | 28 | #include "../include/seccomp.h" |
29 | #include "../include/gcov_wrapper.h" | ||
29 | 30 | ||
30 | #include <fcntl.h> | 31 | #include <fcntl.h> |
31 | #ifndef O_PATH | 32 | #ifndef O_PATH |
@@ -131,6 +132,24 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char * | |||
131 | #ifdef SYS_umount2 | 132 | #ifdef SYS_umount2 |
132 | BLACKLIST(SYS_umount2), | 133 | BLACKLIST(SYS_umount2), |
133 | #endif | 134 | #endif |
135 | #ifdef SYS_fsopen | ||
136 | BLACKLIST(SYS_fsopen), // mount syscalls introduced 2019 | ||
137 | #endif | ||
138 | #ifdef SYS_fsconfig | ||
139 | BLACKLIST(SYS_fsconfig), | ||
140 | #endif | ||
141 | #ifdef SYS_fsmount | ||
142 | BLACKLIST(SYS_fsmount), | ||
143 | #endif | ||
144 | #ifdef SYS_move_mount | ||
145 | BLACKLIST(SYS_move_mount), | ||
146 | #endif | ||
147 | #ifdef SYS_fspick | ||
148 | BLACKLIST(SYS_fspick), | ||
149 | #endif | ||
150 | #ifdef SYS_open_tree | ||
151 | BLACKLIST(SYS_open_tree), | ||
152 | #endif | ||
134 | #ifdef SYS_ptrace | 153 | #ifdef SYS_ptrace |
135 | BLACKLIST(SYS_ptrace), // trace processes | 154 | BLACKLIST(SYS_ptrace), // trace processes |
136 | #endif | 155 | #endif |
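Review bot: the six new `BLACKLIST()` entries close a real gap: the helper sandbox already blocked `umount2` (visible context above), but the newer mount API (`fsopen`, `fsconfig`, `fsmount`, `move_mount`, `fspick`, `open_tree`) reaches the same functionality and was not filtered. Two caveats worth a comment in the code: each entry is wrapped in `#ifdef SYS_…`, so a binary built against headers that predate these syscalls silently omits them even when run on a kernel that supports them, which is an inherent limitation of a deny-list filter; and the explanatory comment `// mount syscalls introduced 2019` is attached only to `SYS_fsopen`, so it reads as if it covered one entry rather than the whole group; put it on its own line above the block.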
@@ -185,6 +204,9 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char * | |||
185 | #ifdef SYS_syslog | 204 | #ifdef SYS_syslog |
186 | BLACKLIST(SYS_syslog), // kernel printk control | 205 | BLACKLIST(SYS_syslog), // kernel printk control |
187 | #endif | 206 | #endif |
207 | #ifdef SYS_personality | ||
208 | BLACKLIST(SYS_personality), // execution domain | ||
209 | #endif | ||
188 | RETURN_ALLOW | 210 | RETURN_ALLOW |
189 | }; | 211 | }; |
190 | 212 | ||
@@ -238,6 +260,7 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char * | |||
238 | fprintf(stderr, "Error: %s is world writable, refusing to execute\n", arg[0]); | 260 | fprintf(stderr, "Error: %s is world writable, refusing to execute\n", arg[0]); |
239 | exit(1); | 261 | exit(1); |
240 | } | 262 | } |
263 | __gcov_dump(); | ||
241 | fexecve(fd, arg, new_environment); | 264 | fexecve(fd, arg, new_environment); |
242 | } else { | 265 | } else { |
243 | assert(0); | 266 | assert(0); |
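Review bot: calling `__gcov_dump()` immediately before `fexecve()` is the right place, since the exec discards the in-process coverage counters; make sure `../include/gcov_wrapper.h` (included in the first hunk of this file) provides a no-op definition of `__gcov_dump` when coverage is not enabled, otherwise non-gcov builds fail to link.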
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 965d09992..e8758c807 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -19,7 +19,7 @@ | |||
19 | */ | 19 | */ |
20 | #include "firejail.h" | 20 | #include "firejail.h" |
21 | 21 | ||
22 | static char *usage_str = | 22 | static const char *const usage_str = |
23 | "Firejail is a SUID sandbox program that reduces the risk of security breaches by\n" | 23 | "Firejail is a SUID sandbox program that reduces the risk of security breaches by\n" |
24 | "restricting the running environment of untrusted applications using Linux\n" | 24 | "restricting the running environment of untrusted applications using Linux\n" |
25 | "namespaces.\n" | 25 | "namespaces.\n" |
@@ -81,7 +81,9 @@ static char *usage_str = | |||
81 | " --debug-blacklists - debug blacklisting.\n" | 81 | " --debug-blacklists - debug blacklisting.\n" |
82 | " --debug-caps - print all recognized capabilities.\n" | 82 | " --debug-caps - print all recognized capabilities.\n" |
83 | " --debug-errnos - print all recognized error numbers.\n" | 83 | " --debug-errnos - print all recognized error numbers.\n" |
84 | #ifdef HAVE_PRIVATE_LIB | ||
84 | " --debug-private-lib - debug for --private-lib option.\n" | 85 | " --debug-private-lib - debug for --private-lib option.\n" |
86 | #endif | ||
85 | " --debug-protocols - print all recognized protocols.\n" | 87 | " --debug-protocols - print all recognized protocols.\n" |
86 | " --debug-syscalls - print all recognized system calls.\n" | 88 | " --debug-syscalls - print all recognized system calls.\n" |
87 | " --debug-syscalls32 - print all recognized 32 bit system calls.\n" | 89 | " --debug-syscalls32 - print all recognized 32 bit system calls.\n" |
@@ -208,6 +210,9 @@ static char *usage_str = | |||
208 | "\tcommon device files.\n" | 210 | "\tcommon device files.\n" |
209 | " --private-etc=file,directory - build a new /etc in a temporary\n" | 211 | " --private-etc=file,directory - build a new /etc in a temporary\n" |
210 | "\tfilesystem, and copy the files and directories in the list.\n" | 212 | "\tfilesystem, and copy the files and directories in the list.\n" |
213 | #ifdef HAVE_PRIVATE_LIB | ||
214 | " --private-lib - create a private /lib directory\n" | ||
215 | #endif | ||
211 | " --private-tmp - mount a tmpfs on top of /tmp directory.\n" | 216 | " --private-tmp - mount a tmpfs on top of /tmp directory.\n" |
212 | " --private-cwd - do not inherit working directory inside jail.\n" | 217 | " --private-cwd - do not inherit working directory inside jail.\n" |
213 | " --private-cwd=directory - set working directory inside jail.\n" | 218 | " --private-cwd=directory - set working directory inside jail.\n" |
@@ -306,11 +311,18 @@ static char *usage_str = | |||
306 | "\tlist all running sandboxes\n" | 311 | "\tlist all running sandboxes\n" |
307 | "\n" | 312 | "\n" |
308 | "License GPL version 2 or later\n" | 313 | "License GPL version 2 or later\n" |
309 | "Homepage: https://firejail.wordpress.com\n" | 314 | "Homepage: https://firejail.wordpress.com\n"; |
310 | "\n"; | ||
311 | 315 | ||
316 | void print_version(void) { | ||
317 | printf("firejail version %s\n\n", VERSION); | ||
318 | } | ||
319 | |||
320 | void print_version_full(void) { | ||
321 | print_version(); | ||
322 | print_compiletime_support(); | ||
323 | } | ||
312 | 324 | ||
313 | void usage(void) { | 325 | void usage(void) { |
314 | printf("firejail - version %s\n\n", VERSION); | 326 | print_version(); |
315 | puts(usage_str); | 327 | puts(usage_str); |
316 | } | 328 | } |
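Review bot: `usage()` now prints `firejail version X` (via `print_version()`) where it printed `firejail - version X` before, and `--version` goes through `print_version_full()`; that is a small user-visible format change that can break scripts grepping for the old string, so note it in the changelog. Also, `print_version()` ends with `\n\n`, which is what `usage()` wants before `usage_str`, but in `print_version_full()` it leaves a blank line between the version and the compile-time support list; check the combined `--version` output once and decide whether that blank line is wanted.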
diff --git a/src/firejail/util.c b/src/firejail/util.c index cda99e432..a0af3d4bf 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -56,7 +56,8 @@ long long unsigned parse_arg_size(char *str) { | |||
56 | } | 56 | } |
57 | 57 | ||
58 | /* checks for is value valid positive number */ | 58 | /* checks for is value valid positive number */ |
59 | for (int i = 0; i < len; i++) { | 59 | int i; |
60 | for (i = 0; i < len; i++) { | ||
60 | if (!isdigit(*(str+i))) { | 61 | if (!isdigit(*(str+i))) { |
61 | return 0; | 62 | return 0; |
62 | } | 63 | } |
@@ -1448,15 +1449,42 @@ static int has_link(const char *dir) { | |||
1448 | return 0; | 1449 | return 0; |
1449 | } | 1450 | } |
1450 | 1451 | ||
1452 | int ascii_isalnum(unsigned char c) { | ||
1453 | return (ascii_isalpha(c) || ascii_isdigit(c)); | ||
1454 | } | ||
1455 | |||
1456 | int ascii_isalpha(unsigned char c) { | ||
1457 | return (ascii_islower(c) || ascii_isupper(c)); | ||
1458 | } | ||
1459 | |||
1460 | int ascii_isdigit(unsigned char c) { | ||
1461 | return (c >= '0' && c <= '9'); | ||
1462 | } | ||
1463 | |||
1464 | int ascii_islower(unsigned char c) { | ||
1465 | return (c >= 'a' && c <= 'z'); | ||
1466 | } | ||
1467 | |||
1468 | int ascii_isupper(unsigned char c) { | ||
1469 | return (c >= 'A' && c <= 'Z'); | ||
1470 | } | ||
1471 | |||
1472 | int ascii_isxdigit(unsigned char c) { | ||
1473 | int ret = (ascii_isdigit(c) || | ||
1474 | (c >= 'a' && c <= 'f') || | ||
1475 | (c >= 'A' && c <= 'F')); | ||
1476 | return ret; | ||
1477 | } | ||
1478 | |||
1451 | // allow strict ASCII letters and numbers; names with only numbers are rejected; spaces are rejected | 1479 | // allow strict ASCII letters and numbers; names with only numbers are rejected; spaces are rejected |
1452 | int invalid_name(const char *name) { | 1480 | int invalid_name(const char *name) { |
1453 | const char *c = name; | 1481 | const char *c = name; |
1454 | 1482 | ||
1455 | int only_numbers = 1; | 1483 | int only_numbers = 1; |
1456 | while (*c) { | 1484 | while (*c) { |
1457 | if (!isalnum(*c)) | 1485 | if (!ascii_isalnum(*c)) |
1458 | return 1; | 1486 | return 1; |
1459 | if (!isdigit(*c)) | 1487 | if (!ascii_isdigit(*c)) |
1460 | only_numbers = 0; | 1488 | only_numbers = 0; |
1461 | ++c; | 1489 | ++c; |
1462 | } | 1490 | } |
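Review bot: replacing `isalnum()`/`isdigit()` with the `ascii_*` helpers in `invalid_name()` fixes two real problems: `*c` is a plain `char`, so bytes above 0x7F were passed to the `<ctype.h>` functions as negative values, which is undefined behaviour, and in a single-byte non-C locale such as ISO-8859-1 `isalnum()` accepts non-ASCII letters, so the "strict ASCII" rule stated in the comment above `invalid_name()` was not actually enforced. The `unsigned char` parameter on the new helpers makes the conversion well-defined, so this is an improvement for a function that validates externally supplied names. Minor style point: `ascii_isxdigit()` can return the expression directly instead of going through `ret`, matching the other helpers.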
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c index 01167e555..958fa1b03 100644 --- a/src/firemon/firemon.c +++ b/src/firemon/firemon.c | |||
@@ -30,7 +30,6 @@ int arg_debug = 0; | |||
30 | static int arg_route = 0; | 30 | static int arg_route = 0; |
31 | static int arg_arp = 0; | 31 | static int arg_arp = 0; |
32 | static int arg_tree = 0; | 32 | static int arg_tree = 0; |
33 | static int arg_interface = 0; | ||
34 | static int arg_seccomp = 0; | 33 | static int arg_seccomp = 0; |
35 | static int arg_caps = 0; | 34 | static int arg_caps = 0; |
36 | static int arg_cpu = 0; | 35 | static int arg_cpu = 0; |
@@ -146,7 +145,7 @@ int main(int argc, char **argv) { | |||
146 | return 0; | 145 | return 0; |
147 | } | 146 | } |
148 | else if (strcmp(argv[i], "--version") == 0) { | 147 | else if (strcmp(argv[i], "--version") == 0) { |
149 | printf("firemon version %s\n\n", VERSION); | 148 | print_version(); |
150 | return 0; | 149 | return 0; |
151 | } | 150 | } |
152 | else if (strcmp(argv[i], "--debug") == 0) | 151 | else if (strcmp(argv[i], "--debug") == 0) |
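Review bot: `print_version()` replaces the inline `printf("firemon version %s\n\n", VERSION)`, but the firemon definition of `print_version()` is not in this part of the diff (only its declaration in `firemon.h`, while the firejail version in `src/firejail/usage.c` prints `firejail version`); confirm the firemon implementation keeps the `firemon` program name so that `firemon --version` does not report itself as firejail.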
@@ -178,13 +177,6 @@ int main(int argc, char **argv) { | |||
178 | arg_seccomp = 1; | 177 | arg_seccomp = 1; |
179 | else if (strcmp(argv[i], "--caps") == 0) | 178 | else if (strcmp(argv[i], "--caps") == 0) |
180 | arg_caps = 1; | 179 | arg_caps = 1; |
181 | else if (strcmp(argv[i], "--interface") == 0) { | ||
182 | if (getuid() != 0) { | ||
183 | fprintf(stderr, "Error: you need to be root to run this command\n"); | ||
184 | exit(1); | ||
185 | } | ||
186 | arg_interface = 1; | ||
187 | } | ||
188 | #ifdef HAVE_NETWORK | 180 | #ifdef HAVE_NETWORK |
189 | else if (strcmp(argv[i], "--route") == 0) | 181 | else if (strcmp(argv[i], "--route") == 0) |
190 | arg_route = 1; | 182 | arg_route = 1; |
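Review bot: this drops the `--interface` option parsing, together with the root check that guarded it and the deleted `src/firemon/interface.c`; the firemon usage text and man page are not touched in this part of the diff, so check that they no longer advertise `--interface`, and mention the removal in the changelog since anyone running `firemon --interface` as root will now fall into whatever handling follows for unrecognized options.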
@@ -261,13 +253,12 @@ int main(int argc, char **argv) { | |||
261 | 253 | ||
262 | // if --name requested without other options, print all data | 254 | // if --name requested without other options, print all data |
263 | if (pid && !arg_cpu && !arg_seccomp && !arg_caps && !arg_apparmor && | 255 | if (pid && !arg_cpu && !arg_seccomp && !arg_caps && !arg_apparmor && |
264 | !arg_x11 && !arg_interface && !arg_route && !arg_arp) { | 256 | !arg_x11 && !arg_route && !arg_arp) { |
265 | arg_tree = 1; | 257 | arg_tree = 1; |
266 | arg_cpu = 1; | 258 | arg_cpu = 1; |
267 | arg_seccomp = 1; | 259 | arg_seccomp = 1; |
268 | arg_caps = 1; | 260 | arg_caps = 1; |
269 | arg_x11 = 1; | 261 | arg_x11 = 1; |
270 | arg_interface = 1; | ||
271 | arg_route = 1; | 262 | arg_route = 1; |
272 | arg_arp = 1; | 263 | arg_arp = 1; |
273 | arg_apparmor = 1; | 264 | arg_apparmor = 1; |
@@ -295,10 +286,6 @@ int main(int argc, char **argv) { | |||
295 | x11((pid_t) pid, print_procs); | 286 | x11((pid_t) pid, print_procs); |
296 | print_procs = 0; | 287 | print_procs = 0; |
297 | } | 288 | } |
298 | if (arg_interface && getuid() == 0) { | ||
299 | interface((pid_t) pid, print_procs); | ||
300 | print_procs = 0; | ||
301 | } | ||
302 | if (arg_route) { | 289 | if (arg_route) { |
303 | route((pid_t) pid, print_procs); | 290 | route((pid_t) pid, print_procs); |
304 | print_procs = 0; | 291 | print_procs = 0; |
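Review bot: this block was the only caller of `interface()` in firemon, and it entered the target sandbox's network namespace as root; its removal shrinks the privileged code path in firemon, which is worth stating in the commit message as the motivation rather than leaving the reader to infer it from the deleted file below.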
diff --git a/src/firemon/firemon.h b/src/firemon/firemon.h index dae071e89..be83352bb 100644 --- a/src/firemon/firemon.h +++ b/src/firemon/firemon.h | |||
@@ -49,6 +49,7 @@ void firemon_sleep(int st); | |||
49 | void procevent(pid_t pid) __attribute__((noreturn)); | 49 | void procevent(pid_t pid) __attribute__((noreturn)); |
50 | 50 | ||
51 | // usage.c | 51 | // usage.c |
52 | void print_version(void); | ||
52 | void usage(void); | 53 | void usage(void); |
53 | 54 | ||
54 | // top.c | 55 | // top.c |
@@ -57,9 +58,6 @@ void top(void) __attribute__((noreturn)); | |||
57 | // list.c | 58 | // list.c |
58 | void list(void); | 59 | void list(void); |
59 | 60 | ||
60 | // interface.c | ||
61 | void interface(pid_t pid, int print_procs); | ||
62 | |||
63 | // arp.c | 61 | // arp.c |
64 | void arp(pid_t pid, int print_procs); | 62 | void arp(pid_t pid, int print_procs); |
65 | 63 | ||
diff --git a/src/firemon/interface.c b/src/firemon/interface.c deleted file mode 100644 index a8e78133b..000000000 --- a/src/firemon/interface.c +++ /dev/null | |||
@@ -1,175 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2023 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "firemon.h" | ||
21 | #include "../include/gcov_wrapper.h" | ||
22 | #include <sys/types.h> | ||
23 | #include <sys/wait.h> | ||
24 | #include <netdb.h> | ||
25 | #include <arpa/inet.h> | ||
26 | #include <ifaddrs.h> | ||
27 | #include <net/if.h> | ||
28 | #include <linux/connector.h> | ||
29 | #include <linux/netlink.h> | ||
30 | #include <linux/if_link.h> | ||
31 | #include <linux/sockios.h> | ||
32 | #include <sys/ioctl.h> | ||
33 | |||
34 | //#include <net/route.h> | ||
35 | //#include <linux/if_bridge.h> | ||
36 | |||
37 | // print IP addresses for all interfaces | ||
38 | static void net_ifprint(void) { | ||
39 | uint32_t ip; | ||
40 | uint32_t mask; | ||
41 | struct ifaddrs *ifaddr, *ifa; | ||
42 | |||
43 | int fd; | ||
44 | if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) { | ||
45 | fprintf(stderr, "Error: cannot open AF_INET socket\n"); | ||
46 | exit(1); | ||
47 | } | ||
48 | |||
49 | if (getifaddrs(&ifaddr) == -1) | ||
50 | errExit("getifaddrs"); | ||
51 | |||
52 | // walk through the linked list | ||
53 | printf(" Link status:\n"); | ||
54 | for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) { | ||
55 | if (ifa->ifa_addr == NULL) | ||
56 | continue; | ||
57 | |||
58 | if (ifa->ifa_addr->sa_family == AF_PACKET) { | ||
59 | if (ifa->ifa_flags & IFF_RUNNING && ifa->ifa_flags & IFF_UP) { | ||
60 | if (ifa->ifa_data != NULL) { | ||
61 | struct rtnl_link_stats *stats = ifa->ifa_data; | ||
62 | |||
63 | // extract mac address | ||
64 | struct ifreq ifr; | ||
65 | memset(&ifr, 0, sizeof(ifr)); | ||
66 | strncpy(ifr.ifr_name, ifa->ifa_name, IFNAMSIZ - 1); | ||
67 | int rv = ioctl (fd, SIOCGIFHWADDR, &ifr); | ||
68 | |||
69 | if (rv == 0) | ||
70 | printf(" %s UP, %02x:%02x:%02x:%02x:%02x:%02x\n", | ||
71 | ifa->ifa_name, PRINT_MAC((unsigned char *) &ifr.ifr_hwaddr.sa_data)); | ||
72 | else | ||
73 | printf(" %s UP\n", ifa->ifa_name); | ||
74 | |||
75 | printf(" tx/rx: %u/%u packets, %u/%u bytes\n", | ||
76 | stats->tx_packets, stats->rx_packets, | ||
77 | stats->tx_bytes, stats->rx_bytes); | ||
78 | } | ||
79 | } | ||
80 | else | ||
81 | printf(" %s DOWN\n", ifa->ifa_name); | ||
82 | } | ||
83 | } | ||
84 | |||
85 | |||
86 | // walk through the linked list | ||
87 | printf(" IPv4 status:\n"); | ||
88 | for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) { | ||
89 | if (ifa->ifa_addr == NULL) | ||
90 | continue; | ||
91 | |||
92 | if (ifa->ifa_addr->sa_family == AF_INET) { | ||
93 | struct sockaddr_in *si = (struct sockaddr_in *) ifa->ifa_netmask; | ||
94 | mask = ntohl(si->sin_addr.s_addr); | ||
95 | si = (struct sockaddr_in *) ifa->ifa_addr; | ||
96 | ip = ntohl(si->sin_addr.s_addr); | ||
97 | |||
98 | char *status; | ||
99 | if (ifa->ifa_flags & IFF_RUNNING && ifa->ifa_flags & IFF_UP) | ||
100 | status = "UP"; | ||
101 | else | ||
102 | status = "DOWN"; | ||
103 | |||
104 | printf(" %s %s, %d.%d.%d.%d/%u\n", | ||
105 | ifa->ifa_name, status, PRINT_IP(ip), mask2bits(mask)); | ||
106 | } | ||
107 | } | ||
108 | |||
109 | |||
110 | // walk through the linked list | ||
111 | printf(" IPv6 status:\n"); | ||
112 | for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) { | ||
113 | if (ifa->ifa_addr == NULL) | ||
114 | continue; | ||
115 | |||
116 | if (ifa->ifa_addr->sa_family == AF_INET6) { | ||
117 | char host[NI_MAXHOST]; | ||
118 | int s = getnameinfo(ifa->ifa_addr, sizeof(struct sockaddr_in6), | ||
119 | host, NI_MAXHOST, NULL, 0, NI_NUMERICHOST); | ||
120 | if (s == 0) { | ||
121 | char *ptr; | ||
122 | if ((ptr = strchr(host, '%')) != NULL) | ||
123 | *ptr = '\0'; | ||
124 | char *status; | ||
125 | if (ifa->ifa_flags & IFF_RUNNING && ifa->ifa_flags & IFF_UP) | ||
126 | status = "UP"; | ||
127 | else | ||
128 | status = "DOWN"; | ||
129 | |||
130 | printf(" %s %s, %s\n", ifa->ifa_name, status, host); | ||
131 | } | ||
132 | } | ||
133 | } | ||
134 | |||
135 | freeifaddrs(ifaddr); | ||
136 | close(fd); | ||
137 | } | ||
138 | |||
139 | static void print_sandbox(pid_t pid) { | ||
140 | pid_t child = fork(); | ||
141 | if (child == -1) | ||
142 | return; | ||
143 | |||
144 | if (child == 0) { | ||
145 | int rv = join_namespace(pid, "net"); | ||
146 | if (rv) | ||
147 | return; | ||
148 | net_ifprint(); | ||
149 | |||
150 | __gcov_flush(); | ||
151 | |||
152 | _exit(0); | ||
153 | } | ||
154 | |||
155 | // wait for the child to finish | ||
156 | waitpid(child, NULL, 0); | ||
157 | } | ||
158 | |||
159 | void interface(pid_t pid, int print_procs) { | ||
160 | pid_read(pid); // a pid of 0 will include all processes | ||
161 | |||
162 | // print processes | ||
163 | int i; | ||
164 | for (i = 0; i < max_pids; i++) { | ||
165 | if (pids[i].level == 1) { | ||
166 | if (print_procs || pid == 0) | ||
167 | pid_print_list(i, arg_wrap); | ||
168 | int child = find_child(i); | ||
169 | if (child != -1) { | ||
170 | print_sandbox(child); | ||
171 | } | ||
172 | } | ||
173 | } | ||
174 | printf("\n"); | ||
175 | } | ||
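Review bot: the deletion also retires a latent bug in `print_sandbox()` (left lines 145-147): when `join_namespace()` failed, the forked child did `return` instead of `_exit()`, so it fell back into the parent's loop in `interface()` and kept executing the rest of firemon as a duplicate process. Worth a line in the commit message. Also check whether `mask2bits()`, `PRINT_MAC`/`PRINT_IP` and `join_namespace()` are still referenced elsewhere in firemon; if not, they are now dead code that can go in a follow-up.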
diff --git a/src/firemon/usage.c b/src/firemon/usage.c index 169ec9163..afd2b552a 100644 --- a/src/firemon/usage.c +++ b/src/firemon/usage.c | |||
@@ -19,7 +19,7 @@ | |||
19 | */ | 19 | */ |
20 | #include "firemon.h" | 20 | #include "firemon.h" |
21 | 21 | ||
22 | static char *help_str = | 22 | static const char *const usage_str = |
23 | "Usage: firemon [OPTIONS] [PID]\n\n" | 23 | "Usage: firemon [OPTIONS] [PID]\n\n" |
24 | "Monitor processes started in a Firejail sandbox. Without any PID specified,\n" | 24 | "Monitor processes started in a Firejail sandbox. Without any PID specified,\n" |
25 | "all processes started by Firejail are monitored. Descendants of these processes\n" | 25 | "all processes started by Firejail are monitored. Descendants of these processes\n" |
@@ -75,10 +75,13 @@ static char *help_str = | |||
75 | "\tUser - The owner of the sandbox.\n" | 75 | "\tUser - The owner of the sandbox.\n" |
76 | "\n" | 76 | "\n" |
77 | "License GPL version 2 or later\n" | 77 | "License GPL version 2 or later\n" |
78 | "Homepage: https://firejail.wordpress.com\n" | 78 | "Homepage: https://firejail.wordpress.com\n"; |
79 | "\n"; | 79 | |
80 | void print_version(void) { | ||
81 | printf("firemon version %s\n\n", VERSION); | ||
82 | } | ||
80 | 83 | ||
81 | void usage(void) { | 84 | void usage(void) { |
82 | printf("firemon - version %s\n", VERSION); | 85 | print_version(); |
83 | puts(help_str); | 86 | puts(usage_str); |
84 | } | 87 | } |
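Review bot: the help output changes slightly here: `usage()` used to print `firemon - version X` followed directly by the text, while `print_version()` emits `firemon version X\n\n`, so an extra blank line appears before `Usage:`; the trailing `"\n"` dropped from the string is compensated by `puts()`, so the end of the output is unchanged. If that is intended, fine, but any test that matches the first line of `firemon --help` needs updating.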
diff --git a/src/fldd/main.c b/src/fldd/main.c index 4b645b1b3..c28cad72e 100644 --- a/src/fldd/main.c +++ b/src/fldd/main.c | |||
@@ -20,6 +20,7 @@ | |||
20 | 20 | ||
21 | #include "../include/common.h" | 21 | #include "../include/common.h" |
22 | #include "../include/ldd_utils.h" | 22 | #include "../include/ldd_utils.h" |
23 | #ifdef HAVE_PRIVATE_LIB | ||
23 | 24 | ||
24 | #include <fcntl.h> | 25 | #include <fcntl.h> |
25 | #include <sys/mman.h> | 26 | #include <sys/mman.h> |
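Review bot: the `#ifdef HAVE_PRIVATE_LIB` is opened before the system includes (`<fcntl.h>`, `<sys/mman.h>`) and closed only at the end of the file; placing it after the include block keeps the guarded region limited to code and avoids spurious diffs when includes change. Either way, annotate the matching close as `#endif /* HAVE_PRIVATE_LIB */`, since the guarded span covers several hundred lines.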
@@ -281,12 +282,13 @@ static void walk_directory(const char *dirname) { | |||
281 | } | 282 | } |
282 | } | 283 | } |
283 | 284 | ||
284 | 285 | static const char *const usage_str = | |
286 | "Usage: fldd program_or_directory [file]\n" | ||
287 | "Print a list of libraries used by program or store it in the file.\n" | ||
288 | "Print a list of libraries used by all .so files in a directory or store it in the file.\n"; | ||
285 | 289 | ||
286 | static void usage(void) { | 290 | static void usage(void) { |
287 | printf("Usage: fldd program_or_directory [file]\n"); | 291 | puts(usage_str); |
288 | printf("Print a list of libraries used by program or store it in the file.\n"); | ||
289 | printf("Print a list of libraries used by all .so files in a directory or store it in the file.\n"); | ||
290 | } | 292 | } |
291 | 293 | ||
292 | int main(int argc, char **argv) { | 294 | int main(int argc, char **argv) { |
@@ -357,3 +359,9 @@ printf("\n"); | |||
357 | close(fd); | 359 | close(fd); |
358 | return 0; | 360 | return 0; |
359 | } | 361 | } |
362 | #else | ||
363 | int main(void) { | ||
364 | printf("Sorry, private lib is disabled in this build\n"); | ||
365 | return 0; | ||
366 | } | ||
367 | #endif | ||
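Review bot: the fallback `main()` prints that private-lib is disabled and then returns 0. If firejail invokes fldd to produce the library list for `--private-lib`, a zero exit lets the caller believe the list was produced and proceed with an empty result; print the message to stderr and return 1 so the parent fails closed instead of sandboxing with a missing /lib.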
diff --git a/src/fnet/interface.c b/src/fnet/interface.c index ca7c744ed..50e1beaa0 100644 --- a/src/fnet/interface.c +++ b/src/fnet/interface.c | |||
@@ -213,6 +213,23 @@ void net_ifprint(int scan) { | |||
213 | fmessage("%-17.17s%-19.19s%-17.17s%-17.17s%-6.6s\n", | 213 | fmessage("%-17.17s%-19.19s%-17.17s%-17.17s%-6.6s\n", |
214 | ifa->ifa_name, macstr, ipstr, maskstr, status); | 214 | ifa->ifa_name, macstr, ipstr, maskstr, status); |
215 | 215 | ||
216 | // print ipv6 address | ||
217 | if (!scan) { | ||
218 | struct ifaddrs *ptr = ifa->ifa_next; | ||
219 | while (ptr) { | ||
220 | if (ptr->ifa_addr->sa_family == AF_INET6 && strcmp(ifa->ifa_name, ptr->ifa_name) == 0) { | ||
221 | struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)ptr->ifa_addr; | ||
222 | struct in6_addr *in_addr = &s6->sin6_addr; | ||
223 | char buf[64]; | ||
224 | if(inet_ntop(ptr->ifa_addr->sa_family, in_addr, buf, sizeof(buf))) { | ||
225 | fmessage("%-35.35s %s\n", " ", buf); | ||
226 | break; | ||
227 | } | ||
228 | } | ||
229 | ptr = ptr->ifa_next; | ||
230 | } | ||
231 | } | ||
232 | |||
216 | // network scanning | 233 | // network scanning |
217 | if (!scan) // scanning disabled | 234 | if (!scan) // scanning disabled |
218 | continue; | 235 | continue; |
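Review bot: `ptr->ifa_addr->sa_family` (line 220) is dereferenced without a NULL check; `getifaddrs()` can return entries whose `ifa_addr` is NULL, which would crash fnet, a helper that performs privileged network setup. Guard it: `if (ptr->ifa_addr && ptr->ifa_addr->sa_family == AF_INET6 && strcmp(...) == 0)`. Note also that the `break` prints only the first IPv6 address found for the interface, which may be the link-local address rather than the global one; if the intent is to show every address, drop the `break`, and if the intent is the global address, skip `fe80::/10` entries.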
diff --git a/src/fnet/main.c b/src/fnet/main.c index fc36ae977..d1c8170ca 100644 --- a/src/fnet/main.c +++ b/src/fnet/main.c | |||
@@ -35,19 +35,21 @@ void fmessage(char* fmt, ...) { // TODO: this function is duplicated in src/fire | |||
35 | fflush(0); | 35 | fflush(0); |
36 | } | 36 | } |
37 | 37 | ||
38 | static const char *const usage_str = | ||
39 | "Usage:\n" | ||
40 | "\tfnet create veth dev1 dev2 bridge child\n" | ||
41 | "\tfnet create macvlan dev parent child\n" | ||
42 | "\tfnet moveif dev proc\n" | ||
43 | "\tfnet printif\n" | ||
44 | "\tfnet printif scan\n" | ||
45 | "\tfnet config interface dev ip mask mtu\n" | ||
46 | "\tfnet config mac addr\n" | ||
47 | "\tfnet config ipv6 dev ip\n" | ||
48 | "\tfnet ifup dev\n" | ||
49 | "\tfnet waitll dev\n"; | ||
38 | 50 | ||
39 | static void usage(void) { | 51 | static void usage(void) { |
40 | printf("Usage:\n"); | 52 | puts(usage_str); |
41 | printf("\tfnet create veth dev1 dev2 bridge child\n"); | ||
42 | printf("\tfnet create macvlan dev parent child\n"); | ||
43 | printf("\tfnet moveif dev proc\n"); | ||
44 | printf("\tfnet printif\n"); | ||
45 | printf("\tfnet printif scan\n"); | ||
46 | printf("\tfnet config interface dev ip mask mtu\n"); | ||
47 | printf("\tfnet config mac addr\n"); | ||
48 | printf("\tfnet config ipv6 dev ip\n"); | ||
49 | printf("\tfnet ifup dev\n"); | ||
50 | printf("\tfnet waitll dev\n"); | ||
51 | } | 53 | } |
52 | 54 | ||
53 | int main(int argc, char **argv) { | 55 | int main(int argc, char **argv) { |
diff --git a/src/fnetfilter/main.c b/src/fnetfilter/main.c index 8c0f6c297..1b0335d68 100644 --- a/src/fnetfilter/main.c +++ b/src/fnetfilter/main.c | |||
@@ -45,9 +45,12 @@ static char *default_filter = | |||
45 | "-A OUTPUT -p tcp --dport 3479 -j DROP\n" | 45 | "-A OUTPUT -p tcp --dport 3479 -j DROP\n" |
46 | "COMMIT\n"; | 46 | "COMMIT\n"; |
47 | 47 | ||
48 | static const char *const usage_str = | ||
49 | "Usage:\n" | ||
50 | "\tfnetfilter netfilter-command destination-file\n"; | ||
51 | |||
48 | static void usage(void) { | 52 | static void usage(void) { |
49 | printf("Usage:\n"); | 53 | puts(usage_str); |
50 | printf("\tfnetfilter netfilter-command destination-file\n"); | ||
51 | } | 54 | } |
52 | 55 | ||
53 | static void err_exit_cannot_open_file(const char *fname) { | 56 | static void err_exit_cannot_open_file(const char *fname) { |
diff --git a/src/fnettrace-dns/main.c b/src/fnettrace-dns/main.c index 64feec5fe..1cde1942c 100644 --- a/src/fnettrace-dns/main.c +++ b/src/fnettrace-dns/main.c | |||
@@ -167,13 +167,13 @@ static void run_trace(void) { | |||
167 | 167 | ||
168 | close(s); | 168 | close(s); |
169 | } | 169 | } |
170 | 170 | static const char *const usage_str = | |
171 | "Usage: fnettrace-dns [OPTIONS]\n" | ||
172 | "Options:\n" | ||
173 | " --help, -? - this help screen\n"; | ||
171 | 174 | ||
172 | static void usage(void) { | 175 | static void usage(void) { |
173 | printf("Usage: fnettrace-dns [OPTIONS]\n"); | 176 | puts(usage_str); |
174 | printf("Options:\n"); | ||
175 | printf(" --help, -? - this help screen\n"); | ||
176 | printf("\n"); | ||
177 | } | 177 | } |
178 | 178 | ||
179 | int main(int argc, char **argv) { | 179 | int main(int argc, char **argv) { |
diff --git a/src/fnettrace-icmp/main.c b/src/fnettrace-icmp/main.c index 714917547..516a9fc5b 100644 --- a/src/fnettrace-icmp/main.c +++ b/src/fnettrace-icmp/main.c | |||
@@ -201,11 +201,13 @@ static void run_trace(void) { | |||
201 | close(s); | 201 | close(s); |
202 | } | 202 | } |
203 | 203 | ||
204 | static const char *const usage_str = | ||
205 | "Usage: fnettrace-icmp [OPTIONS]\n" | ||
206 | "Options:\n" | ||
207 | " --help, -? - this help screen\n"; | ||
208 | |||
204 | static void usage(void) { | 209 | static void usage(void) { |
205 | printf("Usage: fnettrace-icmp [OPTIONS]\n"); | 210 | puts(usage_str); |
206 | printf("Options:\n"); | ||
207 | printf(" --help, -? - this help screen\n"); | ||
208 | printf("\n"); | ||
209 | } | 211 | } |
210 | 212 | ||
211 | int main(int argc, char **argv) { | 213 | int main(int argc, char **argv) { |
diff --git a/src/fnettrace-sni/main.c b/src/fnettrace-sni/main.c index b8490b4f7..e7782d656 100644 --- a/src/fnettrace-sni/main.c +++ b/src/fnettrace-sni/main.c | |||
@@ -204,12 +204,13 @@ static void run_trace(void) { | |||
204 | close(s); | 204 | close(s); |
205 | } | 205 | } |
206 | 206 | ||
207 | static const char *const usage_str = | ||
208 | "Usage: fnettrace-sni [OPTIONS]\n" | ||
209 | "Options:\n" | ||
210 | " --help, -? - this help screen\n"; | ||
207 | 211 | ||
208 | static void usage(void) { | 212 | static void usage(void) { |
209 | printf("Usage: fnettrace-sni [OPTIONS]\n"); | 213 | puts(usage_str); |
210 | printf("Options:\n"); | ||
211 | printf(" --help, -? - this help screen\n"); | ||
212 | printf("\n"); | ||
213 | } | 214 | } |
214 | 215 | ||
215 | int main(int argc, char **argv) { | 216 | int main(int argc, char **argv) { |
diff --git a/src/fnettrace/main.c b/src/fnettrace/main.c index 2f421562e..178ac3631 100644 --- a/src/fnettrace/main.c +++ b/src/fnettrace/main.c | |||
@@ -668,18 +668,20 @@ void logprintf(char *fmt, ...) { | |||
668 | va_end(args); | 668 | va_end(args); |
669 | } | 669 | } |
670 | 670 | ||
671 | static const char *const usage_str = | ||
672 | "Usage: fnettrace [OPTIONS]\n" | ||
673 | "Options:\n" | ||
674 | " --help, -? - this help screen\n" | ||
675 | " --log=filename - netlocker logfile\n" | ||
676 | " --netfilter - build the firewall rules and commit them.\n" | ||
677 | " --tail - \"tail -f\" functionality\n" | ||
678 | "Examples:\n" | ||
679 | " # fnettrace - traffic trace\n" | ||
680 | " # fnettrace --netfilter --log=logfile - netlocker, dump output in logfile\n" | ||
681 | " # fnettrace --tail --log=logifile - similar to \"tail -f logfile\"\n"; | ||
682 | |||
671 | static void usage(void) { | 683 | static void usage(void) { |
672 | printf("Usage: fnettrace [OPTIONS]\n"); | 684 | puts(usage_str); |
673 | printf("Options:\n"); | ||
674 | printf(" --help, -? - this help screen\n"); | ||
675 | printf(" --log=filename - netlocker logfile\n"); | ||
676 | printf(" --netfilter - build the firewall rules and commit them.\n"); | ||
677 | printf(" --tail - \"tail -f\" functionality\n"); | ||
678 | printf("Examples:\n"); | ||
679 | printf(" # fnettrace - traffic trace\n"); | ||
680 | printf(" # fnettrace --netfilter --log=logfile - netlocker, dump output in logfile\n"); | ||
681 | printf(" # fnettrace --tail --log=logifile - similar to \"tail -f logfile\"\n"); | ||
682 | printf("\n"); | ||
683 | } | 685 | } |
684 | 686 | ||
685 | int main(int argc, char **argv) { | 687 | int main(int argc, char **argv) { |
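Review bot: the typo `logifile` in the `--tail` example (line 681) is carried over verbatim from the old printf; fix it to `logfile` while this text is being touched.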
diff --git a/src/fsec-optimize/main.c b/src/fsec-optimize/main.c index 0bc521c0d..38ba7c697 100644 --- a/src/fsec-optimize/main.c +++ b/src/fsec-optimize/main.c | |||
@@ -22,9 +22,12 @@ | |||
22 | 22 | ||
23 | int arg_seccomp_error_action = SECCOMP_RET_ERRNO | EPERM; // error action: errno, log or kill | 23 | int arg_seccomp_error_action = SECCOMP_RET_ERRNO | EPERM; // error action: errno, log or kill |
24 | 24 | ||
25 | static const char *const usage_str = | ||
26 | "Usage:\n" | ||
27 | "\tfsec-optimize file - optimize seccomp filter\n"; | ||
28 | |||
25 | static void usage(void) { | 29 | static void usage(void) { |
26 | printf("Usage:\n"); | 30 | puts(usage_str); |
27 | printf("\tfsec-optimize file - optimize seccomp filter\n"); | ||
28 | } | 31 | } |
29 | 32 | ||
30 | int main(int argc, char **argv) { | 33 | int main(int argc, char **argv) { |
diff --git a/src/fsec-print/main.c b/src/fsec-print/main.c index 696c6bc0c..4d3e38648 100644 --- a/src/fsec-print/main.c +++ b/src/fsec-print/main.c | |||
@@ -19,9 +19,12 @@ | |||
19 | */ | 19 | */ |
20 | #include "fsec_print.h" | 20 | #include "fsec_print.h" |
21 | 21 | ||
22 | static const char *const usage_str = | ||
23 | "Usage:\n" | ||
24 | "\tfsec-print file - disassemble seccomp filter\n"; | ||
25 | |||
22 | static void usage(void) { | 26 | static void usage(void) { |
23 | printf("Usage:\n"); | 27 | puts(usage_str); |
24 | printf("\tfsec-print file - disassemble seccomp filter\n"); | ||
25 | } | 28 | } |
26 | 29 | ||
27 | int arg_quiet = 0; | 30 | int arg_quiet = 0; |
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c index 57a5a6d67..e7823d3c5 100644 --- a/src/fseccomp/main.c +++ b/src/fseccomp/main.c | |||
@@ -22,34 +22,37 @@ | |||
22 | int arg_quiet = 0; | 22 | int arg_quiet = 0; |
23 | int arg_seccomp_error_action = SECCOMP_RET_ERRNO | EPERM; // error action: errno, log or kill | 23 | int arg_seccomp_error_action = SECCOMP_RET_ERRNO | EPERM; // error action: errno, log or kill |
24 | 24 | ||
25 | static const char *const usage_str = | ||
26 | "Usage:\n" | ||
27 | "\tfseccomp debug-syscalls\n" | ||
28 | "\tfseccomp debug-syscalls32\n" | ||
29 | "\tfseccomp debug-errnos\n" | ||
30 | "\tfseccomp debug-protocols\n" | ||
31 | "\tfseccomp protocol build list file\n" | ||
32 | "\tfseccomp secondary 64 file\n" | ||
33 | "\tfseccomp secondary 32 file\n" | ||
34 | "\tfseccomp secondary block file\n" | ||
35 | "\tfseccomp default file\n" | ||
36 | "\tfseccomp default file allow-debuggers\n" | ||
37 | "\tfseccomp default32 file\n" | ||
38 | "\tfseccomp default32 file allow-debuggers\n" | ||
39 | "\tfseccomp drop file1 file2 list\n" | ||
40 | "\tfseccomp drop file1 file2 list allow-debuggers\n" | ||
41 | "\tfseccomp drop32 file1 file2 list\n" | ||
42 | "\tfseccomp drop32 file1 file2 list allow-debuggers\n" | ||
43 | "\tfseccomp default drop file1 file2 list\n" | ||
44 | "\tfseccomp default drop file1 file2 list allow-debuggers\n" | ||
45 | "\tfseccomp default32 drop file1 file2 list\n" | ||
46 | "\tfseccomp default32 drop file1 file2 list allow-debuggers\n" | ||
47 | "\tfseccomp keep file1 file2 list\n" | ||
48 | "\tfseccomp keep32 file1 file2 list\n" | ||
49 | "\tfseccomp memory-deny-write-execute file\n" | ||
50 | "\tfseccomp memory-deny-write-execute.32 file\n" | ||
51 | "\tfseccomp restrict-namespaces file list\n" | ||
52 | "\tfseccomp restrict-namespaces.32 file list\n"; | ||
53 | |||
25 | static void usage(void) { | 54 | static void usage(void) { |
26 | printf("Usage:\n"); | 55 | puts(usage_str); |
27 | printf("\tfseccomp debug-syscalls\n"); | ||
28 | printf("\tfseccomp debug-syscalls32\n"); | ||
29 | printf("\tfseccomp debug-errnos\n"); | ||
30 | printf("\tfseccomp debug-protocols\n"); | ||
31 | printf("\tfseccomp protocol build list file\n"); | ||
32 | printf("\tfseccomp secondary 64 file\n"); | ||
33 | printf("\tfseccomp secondary 32 file\n"); | ||
34 | printf("\tfseccomp secondary block file\n"); | ||
35 | printf("\tfseccomp default file\n"); | ||
36 | printf("\tfseccomp default file allow-debuggers\n"); | ||
37 | printf("\tfseccomp default32 file\n"); | ||
38 | printf("\tfseccomp default32 file allow-debuggers\n"); | ||
39 | printf("\tfseccomp drop file1 file2 list\n"); | ||
40 | printf("\tfseccomp drop file1 file2 list allow-debuggers\n"); | ||
41 | printf("\tfseccomp drop32 file1 file2 list\n"); | ||
42 | printf("\tfseccomp drop32 file1 file2 list allow-debuggers\n"); | ||
43 | printf("\tfseccomp default drop file1 file2 list\n"); | ||
44 | printf("\tfseccomp default drop file1 file2 list allow-debuggers\n"); | ||
45 | printf("\tfseccomp default32 drop file1 file2 list\n"); | ||
46 | printf("\tfseccomp default32 drop file1 file2 list allow-debuggers\n"); | ||
47 | printf("\tfseccomp keep file1 file2 list\n"); | ||
48 | printf("\tfseccomp keep32 file1 file2 list\n"); | ||
49 | printf("\tfseccomp memory-deny-write-execute file\n"); | ||
50 | printf("\tfseccomp memory-deny-write-execute.32 file\n"); | ||
51 | printf("\tfseccomp restrict-namespaces file list\n"); | ||
52 | printf("\tfseccomp restrict-namespaces.32 file list\n"); | ||
53 | } | 56 | } |
54 | 57 | ||
55 | int main(int argc, char **argv) { | 58 | int main(int argc, char **argv) { |
diff --git a/src/ftee/main.c b/src/ftee/main.c index 0a492b41e..a34a76b26 100644 --- a/src/ftee/main.c +++ b/src/ftee/main.c | |||
@@ -180,8 +180,11 @@ static int is_link(const char *fname) { | |||
180 | return 0; | 180 | return 0; |
181 | } | 181 | } |
182 | 182 | ||
183 | static const char *const usage_str = | ||
184 | "Usage: ftee filename\n"; | ||
185 | |||
183 | static void usage(void) { | 186 | static void usage(void) { |
184 | printf("Usage: ftee filename\n"); | 187 | puts(usage_str); |
185 | } | 188 | } |
186 | 189 | ||
187 | int main(int argc, char **argv) { | 190 | int main(int argc, char **argv) { |
diff --git a/src/jailcheck/main.c b/src/jailcheck/main.c index 8e0aaa860..27da309ea 100644 --- a/src/jailcheck/main.c +++ b/src/jailcheck/main.c | |||
@@ -29,16 +29,19 @@ char *user_home_dir = NULL; | |||
29 | char *user_run_dir = NULL; | 29 | char *user_run_dir = NULL; |
30 | int arg_debug = 0; | 30 | int arg_debug = 0; |
31 | 31 | ||
32 | static char *usage_str = | 32 | static const char *const usage_str = |
33 | "Usage: jailcheck [options] directory [directory]\n\n" | 33 | "Usage: jailcheck [options] directory [directory]\n\n" |
34 | "Options:\n" | 34 | "Options:\n" |
35 | " --debug - print debug messages.\n" | 35 | " --debug - print debug messages.\n" |
36 | " --help, -? - this help screen.\n" | 36 | " --help, -? - this help screen.\n" |
37 | " --version - print program version and exit.\n"; | 37 | " --version - print program version and exit.\n"; |
38 | 38 | ||
39 | static void print_version(void) { | ||
40 | printf("jailcheck version %s\n\n", VERSION); | ||
41 | } | ||
39 | 42 | ||
40 | static void usage(void) { | 43 | static void usage(void) { |
41 | printf("firetest - version %s\n\n", VERSION); | 44 | print_version(); |
42 | puts(usage_str); | 45 | puts(usage_str); |
43 | } | 46 | } |
44 | 47 | ||
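Review bot: the banner changes from `firetest - version X` to `jailcheck version X`, which is the correct program name; call this out in the release notes, since anyone matching the old string in help output will see the change.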
@@ -62,7 +65,7 @@ int main(int argc, char **argv) { | |||
62 | return 0; | 65 | return 0; |
63 | } | 66 | } |
64 | else if (strcmp(argv[i], "--version") == 0) { | 67 | else if (strcmp(argv[i], "--version") == 0) { |
65 | printf("firetest version %s\n\n", VERSION); | 68 | print_version(); |
66 | return 0; | 69 | return 0; |
67 | } | 70 | } |
68 | else if (strncmp(argv[i], "--hello=", 8) == 0) { // used by noexec test | 71 | else if (strncmp(argv[i], "--hello=", 8) == 0) { // used by noexec test |
diff --git a/src/lib/ldd_utils.c b/src/lib/ldd_utils.c index 39a548887..80e3b92d7 100644 --- a/src/lib/ldd_utils.c +++ b/src/lib/ldd_utils.c | |||
@@ -23,6 +23,7 @@ | |||
23 | #include <sys/stat.h> | 23 | #include <sys/stat.h> |
24 | #include <fcntl.h> | 24 | #include <fcntl.h> |
25 | 25 | ||
26 | #ifdef HAVE_PRIVATE_LIB | ||
26 | // todo: resolve overlap with masked_lib_dirs[] array from fs_lib.c | 27 | // todo: resolve overlap with masked_lib_dirs[] array from fs_lib.c |
27 | const char * const default_lib_paths[] = { | 28 | const char * const default_lib_paths[] = { |
28 | "/usr/lib/x86_64-linux-gnu", // Debian & friends | 29 | "/usr/lib/x86_64-linux-gnu", // Debian & friends |
@@ -63,3 +64,4 @@ doexit: | |||
63 | close(fd); | 64 | close(fd); |
64 | return retval; | 65 | return retval; |
65 | } | 66 | } |
67 | #endif \ No newline at end of file | ||
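Review bot: the new `#endif` has no trailing newline (`\ No newline at end of file`); add one, and label it `#endif /* HAVE_PRIVATE_LIB */` since the guard opened at line 26 spans the rest of the file. Also check that ldd_utils.h guards the corresponding declarations (`default_lib_paths[]` and the function closing at line 66) the same way; otherwise code including the header compiles but fails at link time in a build without the feature.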
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 3fa07d1ee..fa294d888 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -407,12 +407,14 @@ the current user's home directory. | |||
407 | All modifications are discarded when the sandbox is | 407 | All modifications are discarded when the sandbox is |
408 | closed. | 408 | closed. |
409 | #endif | 409 | #endif |
410 | #ifdef HAVE_PRIVATE_LIB | ||
410 | .TP | 411 | .TP |
411 | \fBprivate-lib file,directory | 412 | \fBprivate-lib file,directory |
412 | Build a new /lib directory and bring in the libraries required by the application to run. | 413 | Build a new /lib directory and bring in the libraries required by the application to run. |
413 | The files and directories in the list must be expressed as relative to | 414 | The files and directories in the list must be expressed as relative to |
414 | the /lib directory. | 415 | the /lib directory. |
415 | This feature is still under development, see \fBman 1 firejail\fR for some examples. | 416 | This feature is still under development, see \fBman 1 firejail\fR for some examples. |
417 | #endif | ||
416 | .TP | 418 | .TP |
417 | \fBprivate-opt file,directory | 419 | \fBprivate-opt file,directory |
418 | Build a new /opt in a temporary | 420 | Build a new /opt in a temporary |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 6068c9ff4..586ef9852 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -684,9 +684,11 @@ Print all recognized error numbers in the current Firejail software build and ex | |||
684 | Example: | 684 | Example: |
685 | .br | 685 | .br |
686 | $ firejail \-\-debug-errnos | 686 | $ firejail \-\-debug-errnos |
687 | #ifdef HAVE_PRIVATE_LIB | ||
687 | .TP | 688 | .TP |
688 | \fB\-\-debug-private-lib | 689 | \fB\-\-debug-private-lib |
689 | Debug messages for --private-lib option. | 690 | Debug messages for --private-lib option. |
691 | #endif | ||
690 | .TP | 692 | .TP |
691 | \fB\-\-debug-protocols | 693 | \fB\-\-debug-protocols |
692 | Print all recognized protocols in the current Firejail software build and exit. | 694 | Print all recognized protocols in the current Firejail software build and exit. |
@@ -2179,6 +2181,7 @@ Example: | |||
2179 | .br | 2181 | .br |
2180 | $ firejail \-\-private-home=.mozilla firefox | 2182 | $ firejail \-\-private-home=.mozilla firefox |
2181 | #endif | 2183 | #endif |
2184 | #ifdef HAVE_PRIVATE_LIB | ||
2182 | .TP | 2185 | .TP |
2183 | \fB\-\-private-lib=file,directory | 2186 | \fB\-\-private-lib=file,directory |
2184 | This feature is currently under heavy development. Only amd64 platforms are supported at this moment. | 2187 | This feature is currently under heavy development. Only amd64 platforms are supported at this moment. |
@@ -2234,6 +2237,7 @@ $ | |||
2234 | .br | 2237 | .br |
2235 | Note: Support for this command is controlled in firejail.config with the | 2238 | Note: Support for this command is controlled in firejail.config with the |
2236 | \fBprivate-lib\fR option. | 2239 | \fBprivate-lib\fR option. |
2240 | #endif | ||
2237 | .TP | 2241 | .TP |
2238 | \fB\-\-private-opt=file,directory | 2242 | \fB\-\-private-opt=file,directory |
2239 | Build a new /opt in a temporary | 2243 | Build a new /opt in a temporary |
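Review bot: the note at lines 2238-2239 says support for `--private-lib` is controlled by the `private-lib` option in firejail.config, but now the whole section is also hidden by `HAVE_PRIVATE_LIB`, so on a build without it the user gets no hint why the option is unrecognised. Consider keeping a one-line stub outside the `#ifdef` stating that the feature is a build-time option.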
diff --git a/src/man/firemon.txt b/src/man/firemon.txt index 9d0785a4a..fb0cf1175 100644 --- a/src/man/firemon.txt +++ b/src/man/firemon.txt | |||
@@ -30,9 +30,6 @@ Print debug messages | |||
30 | \fB\-?\fR, \fB\-\-help\fR | 30 | \fB\-?\fR, \fB\-\-help\fR |
31 | Print options end exit. | 31 | Print options end exit. |
32 | .TP | 32 | .TP |
33 | \fB\-\-interface | ||
34 | Print network interface information for each sandbox. | ||
35 | .TP | ||
36 | \fB\-\-list | 33 | \fB\-\-list |
37 | List all sandboxes. | 34 | List all sandboxes. |
38 | .TP | 35 | .TP |
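Review bot: the removal of the `--interface` entry matches the code change; while here, the context line 31 reads `Print options end exit.` and should be `Print options and exit.`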
diff --git a/src/profstats/main.c b/src/profstats/main.c index d5e57e7cc..49ed1637a 100644 --- a/src/profstats/main.c +++ b/src/profstats/main.c | |||
@@ -74,32 +74,34 @@ static int arg_restrict_namespaces = 0; | |||
74 | 74 | ||
75 | static char *profile = NULL; | 75 | static char *profile = NULL; |
76 | 76 | ||
77 | static const char *const usage_str = | ||
78 | "profstats - print profile statistics\n" | ||
79 | "Usage: profstats [options] file[s]\n" | ||
80 | "Options:\n" | ||
81 | " --apparmor - print profiles without apparmor\n" | ||
82 | " --caps - print profiles without caps\n" | ||
83 | " --dbus-system-none - print profiles without \"dbus-system none\"\n" | ||
84 | " --dbus-user-none - print profiles without \"dbus-user none\"\n" | ||
85 | " --ssh - print profiles without \"include disable-common.inc\"\n" | ||
86 | " --noexec - print profiles without \"include disable-exec.inc\"\n" | ||
87 | " --noroot - print profiles without \"noroot\"\n" | ||
88 | " --private-bin - print profiles without private-bin\n" | ||
89 | " --private-dev - print profiles without private-dev\n" | ||
90 | " --private-etc - print profiles without private-etc\n" | ||
91 | " --private-tmp - print profiles without private-tmp\n" | ||
92 | " --print-blacklist - print all --blacklist for a profile\n" | ||
93 | " --print-whitelist - print all --private and --whitelist for a profile\n" | ||
94 | " --seccomp - print profiles without seccomp\n" | ||
95 | " --memory-deny-write-execute - print profiles without \"memory-deny-write-execute\"\n" | ||
96 | " --restrict-namespaces - print profiles without \"restrict-namespaces\"\n" | ||
97 | " --whitelist-home - print profiles whitelisting home directory\n" | ||
98 | " --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n" | ||
99 | " --whitelist-runuser - print profiles without \"include whitelist-runuser-common.inc\" or \"blacklist ${RUNUSER}\"\n" | ||
100 | " --whitelist-usrshare - print profiles without \"include whitelist-usr-share-common.inc\"\n" | ||
101 | " --debug\n"; | ||
102 | |||
77 | static void usage(void) { | 103 | static void usage(void) { |
78 | printf("profstats - print profile statistics\n"); | 104 | puts(usage_str); |
79 | printf("Usage: profstats [options] file[s]\n"); | ||
80 | printf("Options:\n"); | ||
81 | printf(" --apparmor - print profiles without apparmor\n"); | ||
82 | printf(" --caps - print profiles without caps\n"); | ||
83 | printf(" --dbus-system-none - print profiles without \"dbus-system none\"\n"); | ||
84 | printf(" --dbus-user-none - print profiles without \"dbus-user none\"\n"); | ||
85 | printf(" --ssh - print profiles without \"include disable-common.inc\"\n"); | ||
86 | printf(" --noexec - print profiles without \"include disable-exec.inc\"\n"); | ||
87 | printf(" --noroot - print profiles without \"noroot\"\n"); | ||
88 | printf(" --private-bin - print profiles without private-bin\n"); | ||
89 | printf(" --private-dev - print profiles without private-dev\n"); | ||
90 | printf(" --private-etc - print profiles without private-etc\n"); | ||
91 | printf(" --private-tmp - print profiles without private-tmp\n"); | ||
92 | printf(" --print-blacklist - print all --blacklist for a profile\n"); | ||
93 | printf(" --print-whitelist - print all --private and --whitelist for a profile\n"); | ||
94 | printf(" --seccomp - print profiles without seccomp\n"); | ||
95 | printf(" --memory-deny-write-execute - print profiles without \"memory-deny-write-execute\"\n"); | ||
96 | printf(" --restrict-namespaces - print profiles without \"restrict-namespaces\"\n"); | ||
97 | printf(" --whitelist-home - print profiles whitelisting home directory\n"); | ||
98 | printf(" --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n"); | ||
99 | printf(" --whitelist-runuser - print profiles without \"include whitelist-runuser-common.inc\" or \"blacklist ${RUNUSER}\"\n"); | ||
100 | printf(" --whitelist-usrshare - print profiles without \"include whitelist-usr-share-common.inc\"\n"); | ||
101 | printf(" --debug\n"); | ||
102 | printf("\n"); | ||
103 | } | 105 | } |
104 | 106 | ||
105 | static void process_file(char *fname) { | 107 | static void process_file(char *fname) { |
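Review bot: the output stays byte-identical after the move to a single `usage_str`, because `puts()` appends the newline that the removed `printf("\n")` used to print after `--debug\n`, so there is no behaviour change to worry about. The `--ssh` entry (line 85) still describes "profiles without `include disable-common.inc`", which does not match the option name; since the whole text is being rewritten anyway, this is the moment to make that description say what the flag actually checks.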
diff --git a/test/capabilities/capabilities.sh b/test/capabilities/capabilities.sh new file mode 100755 index 000000000..2d345025a --- /dev/null +++ b/test/capabilities/capabilities.sh | |||
@@ -0,0 +1,26 @@ | |||
1 | #!/bin/bash | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2023 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | export MALLOC_CHECK_=3 | ||
7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) | ||
8 | export LC_ALL=C | ||
9 | |||
10 | |||
11 | #if grep -q "^CapBnd:\\s0000003fffffffff" /proc/self/status; then | ||
12 | echo "TESTING: capabilities (test/filters/caps.exp)" | ||
13 | ./caps.exp | ||
14 | #else | ||
15 | # echo "TESTING SKIP: other capabilities than expected (test/filters/caps.exp)" | ||
16 | #fi | ||
17 | |||
18 | echo "TESTING: capabilities print (test/filters/caps-print.exp)" | ||
19 | ./caps-print.exp | ||
20 | |||
21 | echo "TESTING: capabilities join (test/filters/caps-join.exp)" | ||
22 | ./caps-join.exp | ||
23 | |||
24 | echo "TESTING: firemon caps (test/utils/firemon-caps.exp)" | ||
25 | ./firemon-caps.exp | ||
26 | |||
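Review bot: the `CapBnd` guard is commented out (lines 11-16), so `caps.exp` now runs unconditionally even though it hard-codes bounding-set values such as `CapBnd: 0000000000000009` that only hold when the caller starts with the full bounding set; either restore the guard or make `caps.exp` tolerant of a reduced set. The echo messages also still point at the old locations (`test/filters/caps.exp`, `test/utils/firemon-caps.exp`) although the files now live in `test/capabilities/`; update the paths so a failure is reported against the right file.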
diff --git a/test/filters/caps-join.exp b/test/capabilities/caps-join.exp index 1830143fb..ecb43d943 100755 --- a/test/filters/caps-join.exp +++ b/test/capabilities/caps-join.exp | |||
@@ -35,7 +35,7 @@ sleep 1 | |||
35 | 35 | ||
36 | set spawn_id $id1 | 36 | set spawn_id $id1 |
37 | send -- "exit\r" | 37 | send -- "exit\r" |
38 | after 100 | 38 | sleep 1 |
39 | 39 | ||
40 | # | 40 | # |
41 | # no caps | 41 | # no caps |
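Review bot: this hunk replaces `after 100` with `sleep 1`, while the two later hunks in the same file replace the same pattern with `after 500`; pick one delay for all three, or better, expect the shell prompt after `exit\r` instead of sleeping, which removes the timing dependency altogether.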
@@ -67,7 +67,7 @@ sleep 1 | |||
67 | 67 | ||
68 | set spawn_id $id1 | 68 | set spawn_id $id1 |
69 | send -- "exit\r" | 69 | send -- "exit\r" |
70 | after 100 | 70 | after 500 |
71 | 71 | ||
72 | # | 72 | # |
73 | # no caps | 73 | # no caps |
@@ -91,6 +91,6 @@ sleep 1 | |||
91 | 91 | ||
92 | set spawn_id $id1 | 92 | set spawn_id $id1 |
93 | send -- "exit\r" | 93 | send -- "exit\r" |
94 | after 100 | 94 | after 500 |
95 | 95 | ||
96 | puts "all done\n" | 96 | puts "all done\n" |
diff --git a/test/filters/caps-print.exp b/test/capabilities/caps-print.exp index b403f9ffe..66a7e093b 100755 --- a/test/filters/caps-print.exp +++ b/test/capabilities/caps-print.exp | |||
@@ -68,7 +68,7 @@ expect { | |||
68 | timeout {puts "TESTING ERROR 13\n";exit} | 68 | timeout {puts "TESTING ERROR 13\n";exit} |
69 | "syslog - disabled" | 69 | "syslog - disabled" |
70 | } | 70 | } |
71 | after 100 | 71 | after 500 |
72 | 72 | ||
73 | send -- "firejail --debug-caps\r" | 73 | send -- "firejail --debug-caps\r" |
74 | expect { | 74 | expect { |
@@ -87,7 +87,7 @@ expect { | |||
87 | timeout {puts "TESTING ERROR 9\n";exit} | 87 | timeout {puts "TESTING ERROR 9\n";exit} |
88 | "24 - sys_resource" | 88 | "24 - sys_resource" |
89 | } | 89 | } |
90 | after 100 | 90 | after 500 |
91 | 91 | ||
92 | send -- "firejail --caps.keep=\"bla bla bla\"\r" | 92 | send -- "firejail --caps.keep=\"bla bla bla\"\r" |
93 | expect { | 93 | expect { |
@@ -99,5 +99,5 @@ expect { | |||
99 | "not found" | 99 | "not found" |
100 | } | 100 | } |
101 | 101 | ||
102 | after 100 | 102 | after 500 |
103 | puts "\nall done\n" | 103 | puts "\nall done\n" |
diff --git a/test/filters/caps.exp b/test/capabilities/caps.exp index dbd63efda..bd7ab04eb 100755 --- a/test/filters/caps.exp +++ b/test/capabilities/caps.exp | |||
@@ -7,14 +7,11 @@ set timeout 10 | |||
7 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
8 | match_max 100000 | 8 | match_max 100000 |
9 | 9 | ||
10 | send -- "firejail --caps.keep=chown,fowner --noprofile\r" | 10 | send -- "firejail --caps.keep=chown,fowner --noprofile cat /proc/self/status\r" |
11 | expect { | 11 | expect { |
12 | timeout {puts "TESTING ERROR 1\n";exit} | 12 | timeout {puts "TESTING ERROR 1\n";exit} |
13 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | 13 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" |
14 | } | 14 | } |
15 | after 100 | ||
16 | |||
17 | send -- "cat /proc/self/status\r" | ||
18 | expect { | 15 | expect { |
19 | timeout {puts "TESTING ERROR 2\n";exit} | 16 | timeout {puts "TESTING ERROR 2\n";exit} |
20 | "CapBnd: 0000000000000009" | 17 | "CapBnd: 0000000000000009" |
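Review bot: passing `cat /proc/self/status` as the sandboxed command instead of driving an interactive shell is a good simplification, since the sandbox exits on its own and the `exit\r`/`sleep 1` sequence can go. The literal `CapBnd: 0000000000000009` (line 17) still assumes that chown and fowner are in the caller's bounding set, and with the guard in the runner script commented out nothing checks that any more; consider matching the low bits with `-re`, or re-adding the guard in `capabilities.sh`.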
@@ -23,17 +20,13 @@ expect { | |||
23 | timeout {puts "TESTING ERROR 3\n";exit} | 20 | timeout {puts "TESTING ERROR 3\n";exit} |
24 | "Seccomp:" | 21 | "Seccomp:" |
25 | } | 22 | } |
26 | send -- "exit\r" | 23 | after 500 |
27 | sleep 1 | ||
28 | 24 | ||
29 | send -- "firejail --caps.drop=all --noprofile\r" | 25 | send -- "firejail --caps.drop=all --noprofile cat /proc/self/status\r" |
30 | expect { | 26 | expect { |
31 | timeout {puts "TESTING ERROR 4\n";exit} | 27 | timeout {puts "TESTING ERROR 4\n";exit} |
32 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | 28 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" |
33 | } | 29 | } |
34 | after 100 | ||
35 | |||
36 | send -- "cat /proc/self/status\r" | ||
37 | expect { | 30 | expect { |
38 | timeout {puts "TESTING ERROR 5\n";exit} | 31 | timeout {puts "TESTING ERROR 5\n";exit} |
39 | "CapBnd: 0000000000000000" | 32 | "CapBnd: 0000000000000000" |
@@ -42,17 +35,13 @@ expect { | |||
42 | timeout {puts "TESTING ERROR 6\n";exit} | 35 | timeout {puts "TESTING ERROR 6\n";exit} |
43 | "Seccomp:" | 36 | "Seccomp:" |
44 | } | 37 | } |
45 | send -- "exit\r" | 38 | after 500 |
46 | sleep 1 | ||
47 | 39 | ||
48 | send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r" | 40 | send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile cat /proc/self/status\r" |
49 | expect { | 41 | expect { |
50 | timeout {puts "TESTING ERROR 7\n";exit} | 42 | timeout {puts "TESTING ERROR 7\n";exit} |
51 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | 43 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" |
52 | } | 44 | } |
53 | after 100 | ||
54 | |||
55 | send -- "cat /proc/self/status\r" | ||
56 | expect { | 45 | expect { |
57 | timeout {puts "TESTING ERROR 8\n";exit} | 46 | timeout {puts "TESTING ERROR 8\n";exit} |
58 | "CapBnd:" | 47 | "CapBnd:" |
@@ -65,11 +54,9 @@ expect { | |||
65 | timeout {puts "TESTING ERROR 10\n";exit} | 54 | timeout {puts "TESTING ERROR 10\n";exit} |
66 | "Seccomp:" | 55 | "Seccomp:" |
67 | } | 56 | } |
68 | send -- "exit\r" | 57 | after 500 |
69 | sleep 1 | ||
70 | 58 | ||
71 | 59 | send -- "firejail --profile=caps1.profile --debug ls\r" | |
72 | send -- "firejail --profile=caps1.profile --debug\r" | ||
73 | expect { | 60 | expect { |
74 | timeout {puts "TESTING ERROR 11\n";exit} | 61 | timeout {puts "TESTING ERROR 11\n";exit} |
75 | "Drop CAP_SYS_MODULE" | 62 | "Drop CAP_SYS_MODULE" |
@@ -83,10 +70,7 @@ expect { | |||
83 | "Drop CAP_" {puts "TESTING ERROR 14\n";exit} | 70 | "Drop CAP_" {puts "TESTING ERROR 14\n";exit} |
84 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | 71 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" |
85 | } | 72 | } |
86 | after 100 | 73 | after 500 |
87 | send -- "exit\r" | ||
88 | sleep 1 | ||
89 | |||
90 | 74 | ||
91 | ## tofix: possible problem with caps.keep in profile files | 75 | ## tofix: possible problem with caps.keep in profile files |
92 | ##send -- "firejail --caps.keep=chown,fowner --noprofile\r" | 76 | ##send -- "firejail --caps.keep=chown,fowner --noprofile\r" |
@@ -110,14 +94,11 @@ sleep 1 | |||
110 | #sleep 1 | 94 | #sleep 1 |
111 | 95 | ||
112 | #send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r" | 96 | #send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r" |
113 | send -- "firejail --profile=caps3.profile\r" | 97 | send -- "firejail --profile=caps3.profile cat /proc/self/status\r" |
114 | expect { | 98 | expect { |
115 | timeout {puts "TESTING ERROR 18\n";exit} | 99 | timeout {puts "TESTING ERROR 18\n";exit} |
116 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | 100 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" |
117 | } | 101 | } |
118 | after 100 | ||
119 | |||
120 | send -- "cat /proc/self/status\r" | ||
121 | expect { | 102 | expect { |
122 | timeout {puts "TESTING ERROR 19\n";exit} | 103 | timeout {puts "TESTING ERROR 19\n";exit} |
123 | "CapBnd:" | 104 | "CapBnd:" |
@@ -130,10 +111,5 @@ expect { | |||
130 | timeout {puts "TESTING ERROR 21\n";exit} | 111 | timeout {puts "TESTING ERROR 21\n";exit} |
131 | "Seccomp:" | 112 | "Seccomp:" |
132 | } | 113 | } |
133 | send -- "exit\r" | 114 | after 500 |
134 | sleep 1 | ||
135 | |||
136 | |||
137 | |||
138 | after 100 | ||
139 | puts "\nall done\n" | 115 | puts "\nall done\n" |
diff --git a/test/filters/caps1.profile b/test/capabilities/caps1.profile index 8b0c3b340..8b0c3b340 100644 --- a/test/filters/caps1.profile +++ b/test/capabilities/caps1.profile | |||
diff --git a/test/filters/caps2.profile b/test/capabilities/caps2.profile index ad49719f1..ad49719f1 100644 --- a/test/filters/caps2.profile +++ b/test/capabilities/caps2.profile | |||
diff --git a/test/filters/caps3.profile b/test/capabilities/caps3.profile index ad49719f1..ad49719f1 100644 --- a/test/filters/caps3.profile +++ b/test/capabilities/caps3.profile | |||
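Review bot: `caps2.profile` and `caps3.profile` are moved with the same blob id on both sides (`index ad49719f1..ad49719f1`), so the two files are byte-identical; the active part of `caps.exp` only uses `caps1.profile` and `caps3.profile`, so either drop one of the duplicates or document the difference they are meant to exercise.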
diff --git a/test/capabilities/firemon-caps.exp b/test/capabilities/firemon-caps.exp new file mode 100755 index 000000000..905c8cba9 --- /dev/null +++ b/test/capabilities/firemon-caps.exp | |||
@@ -0,0 +1,47 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2023 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "firejail --name=bingo1 --noprofile --caps\r" | ||
11 | expect { | ||
12 | timeout {puts "TESTING ERROR 0\n";exit} | ||
13 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
14 | } | ||
15 | sleep 1 | ||
16 | |||
17 | spawn $env(SHELL) | ||
18 | send -- "firejail --name=bingo2 --noprofile\r" | ||
19 | expect { | ||
20 | timeout {puts "TESTING ERROR 1\n";exit} | ||
21 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
22 | } | ||
23 | sleep 1 | ||
24 | |||
25 | spawn $env(SHELL) | ||
26 | send -- "firemon --caps\r" | ||
27 | expect { | ||
28 | timeout {puts "TESTING ERROR 2\n";exit} | ||
29 | "need to be root" {puts "TESTING SKIP: /proc mounted as hidepid\n"; exit} | ||
30 | "bingo1" | ||
31 | } | ||
32 | expect { | ||
33 | timeout {puts "TESTING ERROR 3\n";exit} | ||
34 | "31cffff" | ||
35 | } | ||
36 | expect { | ||
37 | timeout {puts "TESTING ERROR 4\n";exit} | ||
38 | "bingo2" | ||
39 | } | ||
40 | expect { | ||
41 | timeout {puts "TESTING ERROR 5\n";exit} | ||
42 | "fffffff" | ||
43 | } | ||
44 | |||
45 | after 500 | ||
46 | |||
47 | puts "all done\n" | ||
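Review bot: the sandboxes `bingo1` and `bingo2` are never shut down (no `exit\r` is sent), so they stay up until expect tears down the spawned shells; an explicit `firejail --shutdown=bingo1` and `--shutdown=bingo2` before `all done` would make cleanup deterministic and avoid name clashes in later tests. The expected masks `31cffff` (line 34) and `fffffff` (line 42) are tied to firejail's default `--caps` drop set and to the host kernel's capability count, so a comment stating that would save the next person from chasing a "failure" after a kernel upgrade.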
diff --git a/test/chroot/fs_chroot.exp b/test/chroot/fs_chroot.exp index eb1349112..8bdaa507c 100755 --- a/test/chroot/fs_chroot.exp +++ b/test/chroot/fs_chroot.exp | |||
@@ -60,11 +60,12 @@ expect { | |||
60 | timeout {puts "TESTING ERROR 8\n";exit} | 60 | timeout {puts "TESTING ERROR 8\n";exit} |
61 | "No such file or directory" | 61 | "No such file or directory" |
62 | } | 62 | } |
63 | after 100 | 63 | # FIXME: Sometimes ping works normally |
64 | send -- "/bin/ping 1.1.1.1\r" | 64 | #after 100 |
65 | expect { | 65 | #send -- "/bin/ping 1.1.1.1\r" |
66 | timeout {puts "TESTING ERROR 9\n";exit} | 66 | #expect { |
67 | "Operation not permitted" | 67 | # timeout {puts "TESTING ERROR 9\n";exit} |
68 | } | 68 | # "Operation not permitted" |
69 | #} | ||
69 | 70 | ||
70 | puts "all done\n" | 71 | puts "all done\n" |
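Review bot: commenting out the ping check (lines 63-69) removes the only assertion that the chroot sandbox cannot use raw sockets; if ping "sometimes works normally" because the host ships a setcap or setuid ping, the FIXME should say so, and a check on the `CapBnd` or `NoNewPrivs` lines of `/proc/self/status` would test the same property without depending on the ping binary. Reference an issue in the FIXME so the dead block does not linger.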
diff --git a/test/filters/filters.sh b/test/filters/filters.sh index 2d115db1b..56c97482e 100755 --- a/test/filters/filters.sh +++ b/test/filters/filters.sh | |||
@@ -53,22 +53,19 @@ fi | |||
53 | echo "TESTING: seccomp postexec (test/filters/seccomp-postexec.exp)" | 53 | echo "TESTING: seccomp postexec (test/filters/seccomp-postexec.exp)" |
54 | ./seccomp-postexec.exp | 54 | ./seccomp-postexec.exp |
55 | 55 | ||
56 | echo "TESTING: noroot (test/filters/noroot.exp)" | ||
57 | ./noroot.exp | ||
58 | 56 | ||
59 | 57 | #if grep -q "^CapBnd:\\s0000003fffffffff" /proc/self/status; then | |
60 | if grep -q "^CapBnd:\\s0000003fffffffff" /proc/self/status; then | 58 | # echo "TESTING: capabilities (test/filters/caps.exp)" |
61 | echo "TESTING: capabilities (test/filters/caps.exp)" | 59 | # ./caps.exp |
62 | ./caps.exp | 60 | #else |
63 | else | 61 | # echo "TESTING SKIP: other capabilities than expected (test/filters/caps.exp)" |
64 | echo "TESTING SKIP: other capabilities than expected (test/filters/caps.exp)" | 62 | #fi |
65 | fi | 63 | # |
66 | 64 | #echo "TESTING: capabilities print (test/filters/caps-print.exp)" | |
67 | echo "TESTING: capabilities print (test/filters/caps-print.exp)" | 65 | #./caps-print.exp |
68 | ./caps-print.exp | 66 | # |
69 | 67 | #echo "TESTING: capabilities join (test/filters/caps-join.exp)" | |
70 | echo "TESTING: capabilities join (test/filters/caps-join.exp)" | 68 | #./caps-join.exp |
71 | ./caps-join.exp | ||
72 | 69 | ||
73 | rm -f seccomp-test-file | 70 | rm -f seccomp-test-file |
74 | if [[ $(uname -m) == "x86_64" ]]; then | 71 | if [[ $(uname -m) == "x86_64" ]]; then |
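Review bot: `./noroot.exp` is removed from the runner (lines 56-57) with no replacement visible in this diff; if the test moved elsewhere the commit should say where, otherwise noroot coverage is silently lost. The capabilities block is commented out rather than deleted (lines 57-68), yet those tests now run from `test/capabilities/capabilities.sh`; delete the commented copy so there is a single source of truth and no stale `test/filters/caps.exp` paths.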
diff --git a/test/filters/seccomp-debug.exp b/test/filters/seccomp-debug.exp index dc6befcfe..33a992a93 100755 --- a/test/filters/seccomp-debug.exp +++ b/test/filters/seccomp-debug.exp | |||
@@ -97,61 +97,4 @@ expect { | |||
97 | } | 97 | } |
98 | after 100 | 98 | after 100 |
99 | 99 | ||
100 | # memory-deny-write-execute | ||
101 | send -- "firejail --debug --memory-deny-write-execute sleep 1; echo done\r" | ||
102 | expect { | ||
103 | timeout {puts "TESTING ERROR 24\n";exit} | ||
104 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
105 | } | ||
106 | expect { | ||
107 | timeout {puts "TESTING ERROR 25\n";exit} | ||
108 | "Installing /run/firejail/mnt/seccomp/seccomp.mdwx seccomp filter" | ||
109 | } | ||
110 | expect { | ||
111 | timeout {puts "TESTING ERROR 26\n";exit} | ||
112 | "done" | ||
113 | } | ||
114 | |||
115 | |||
116 | # 64 bit architecture - seccomp.block-secondary | ||
117 | send -- "firejail --debug --seccomp.block-secondary sleep 1; echo done\r" | ||
118 | expect { | ||
119 | timeout {puts "TESTING ERROR 27\n";exit} | ||
120 | "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 28\n";exit} | ||
121 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
122 | } | ||
123 | expect { | ||
124 | timeout {puts "TESTING ERROR 29\n";exit} | ||
125 | "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 30\n";exit} | ||
126 | "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter" | ||
127 | } | ||
128 | expect { | ||
129 | timeout {puts "TESTING ERROR 31\n";exit} | ||
130 | "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 32\n";exit} | ||
131 | "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" | ||
132 | } | ||
133 | expect { | ||
134 | timeout {puts "TESTING ERROR 33\n";exit} | ||
135 | "done" | ||
136 | } | ||
137 | after 100 | ||
138 | |||
139 | # 64 bit architecture - seccomp.block-secondary, profile | ||
140 | send -- "firejail --debug --profile=block-secondary.profile sleep 1; echo done\r" | ||
141 | expect { | ||
142 | timeout {puts "TESTING ERROR 33\n";exit} | ||
143 | "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 34\n";exit} | ||
144 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
145 | } | ||
146 | expect { | ||
147 | timeout {puts "TESTING ERROR 35\n";exit} | ||
148 | "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 35\n";exit} | ||
149 | "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter" | ||
150 | } | ||
151 | expect { | ||
152 | timeout {puts "TESTING ERROR 37\n";exit} | ||
153 | "done" | ||
154 | } | ||
155 | after 100 | ||
156 | |||
157 | puts "all done\n" | 100 | puts "all done\n" |
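Review bot: this hunk deletes the `memory-deny-write-execute` and `seccomp.block-secondary` checks (errors 24-37) outright; they were the only assertions that the `seccomp.mdwx` filter is installed and that no `seccomp.32` filter is loaded with `block-secondary`, and nothing in this diff re-adds them. Unless they were moved, keep them, guarded by an architecture check like the `uname -m` test already used in `filters.sh`. `block-secondary.profile` (line 140) also becomes an orphan if nothing else references it.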
diff --git a/test/firecfg/firecfg.exp b/test/firecfg/firecfg.exp index 0249fb7fa..755eea3a1 100755 --- a/test/firecfg/firecfg.exp +++ b/test/firecfg/firecfg.exp | |||
@@ -12,7 +12,20 @@ expect { | |||
12 | timeout {puts "TESTING ERROR 0\n";exit} | 12 | timeout {puts "TESTING ERROR 0\n";exit} |
13 | "ping: symbolic link to /usr/bin/firejail" | 13 | "ping: symbolic link to /usr/bin/firejail" |
14 | } | 14 | } |
15 | after 100 | ||
15 | 16 | ||
17 | send -- "file /tmp/ttt/ping\r" | ||
18 | expect { | ||
19 | timeout {puts "TESTING ERROR 0\n";exit} | ||
20 | "ping: symbolic link to /usr/bin/firejail" | ||
21 | } | ||
22 | after 100 | ||
23 | |||
24 | send -- "firecfg --list\r" | ||
25 | expect { | ||
26 | timeout {puts "TESTING ERROR 1\n";exit} | ||
27 | "/usr/local/bin/ping" | ||
28 | } | ||
16 | after 100 | 29 | after 100 |
17 | 30 | ||
18 | puts "\nall done\n" | 31 | puts "\nall done\n" |
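Review bot: the new `file /tmp/ttt/ping` check (lines 17-21) reuses `TESTING ERROR 0`, which the first expect already uses, so a failure cannot be told apart; renumber it to 1 and make `firecfg --list` error 2. Note also that the `/usr/local/bin/ping` expectation (line 27) depends on the plain `sudo firecfg` run in `firecfg.sh`, not on the `--bindir=/tmp/ttt` run, so the two setup steps are both required for this script to pass.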
diff --git a/test/firecfg/firecfg.sh b/test/firecfg/firecfg.sh index 6b03cc841..6f2bb5244 100755 --- a/test/firecfg/firecfg.sh +++ b/test/firecfg/firecfg.sh | |||
@@ -7,6 +7,11 @@ export MALLOC_CHECK_=3 | |||
7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) | 7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) |
8 | export LC_ALL=C | 8 | export LC_ALL=C |
9 | 9 | ||
10 | sudo mkdir /tmp/ttt | ||
10 | sudo firecfg | 11 | sudo firecfg |
12 | sudo firecfg --bindir=/tmp/ttt | ||
13 | |||
11 | echo "TESTING: firecfg (test/firecfg/firecfg.exp)" | 14 | echo "TESTING: firecfg (test/firecfg/firecfg.exp)" |
12 | ./firecfg.exp | 15 | ./firecfg.exp |
16 | |||
17 | sudo rm -fr /tmp/ttt | ||
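Review bot: `sudo mkdir /tmp/ttt` (line 10) uses a fixed, predictable path under the world-writable `/tmp` and no `-p`, so a leftover directory from an aborted run makes the script fail, and a symlink planted at that path by another local user would redirect where the root-owned firejail symlinks get created; use `mktemp -d` and pass the result to `--bindir`, or at least create the directory somewhere only root can write. The cleanup at line 17 only runs if `firecfg.exp` returns normally, so a `trap 'sudo rm -fr "$dir"' EXIT` would be more robust.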
diff --git a/test/utils/caps-print.exp b/test/network/firemon-arp.exp index 381f27574..87f0ddf4e 100755 --- a/test/utils/caps-print.exp +++ b/test/network/firemon-arp.exp | |||
@@ -7,26 +7,22 @@ set timeout 10 | |||
7 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
8 | match_max 100000 | 8 | match_max 100000 |
9 | 9 | ||
10 | send -- "firejail --name=test\r" | 10 | send -- "firejail --name=test --net=br0 --ip=10.10.20.50\r" |
11 | expect { | 11 | expect { |
12 | timeout {puts "TESTING ERROR 0\n";exit} | 12 | timeout {puts "TESTING ERROR 1\n";exit} |
13 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | 13 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" |
14 | } | 14 | } |
15 | sleep 2 | 15 | sleep 2 |
16 | 16 | ||
17 | spawn $env(SHELL) | 17 | spawn $env(SHELL) |
18 | send -- "firejail --caps.print=test\r" | 18 | send -- "firemon --arp\r" |
19 | expect { | ||
20 | timeout {puts "TESTING ERROR 1\n";exit} | ||
21 | "setgid - disabled" | ||
22 | } | ||
23 | expect { | 19 | expect { |
24 | timeout {puts "TESTING ERROR 2\n";exit} | 20 | timeout {puts "TESTING ERROR 2\n";exit} |
25 | "setuid - disabled" | 21 | "firejail --name=test --net=br0 --ip=10.10.20.50" |
26 | } | 22 | } |
27 | expect { | 23 | expect { |
28 | timeout {puts "TESTING ERROR 3\n";exit} | 24 | timeout {puts "TESTING ERROR 3\n";exit} |
29 | "net_raw - disabled" | 25 | "ARP Table:" |
30 | } | 26 | } |
31 | after 100 | 27 | after 500 |
32 | puts "\nall done\n" | 28 | puts "\nall done\n" |
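Review bot: git records this as a rename of `test/utils/caps-print.exp`, but the content is a different test: the `--caps.print=test` assertions (`setgid - disabled`, `setuid - disabled`, `net_raw - disabled`) are dropped and not re-added anywhere in this diff, so unless `test/capabilities/caps-print.exp` covers `--caps.print`, that coverage is lost. The `firemon --arp` check only matches the sandbox command line and the `ARP Table:` header and would pass on an empty table; expecting at least one entry would make it meaningful.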
diff --git a/test/network/firemon-route.exp b/test/network/firemon-route.exp new file mode 100755 index 000000000..2ca6f2fca --- /dev/null +++ b/test/network/firemon-route.exp | |||
@@ -0,0 +1,40 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2023 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "firejail --name=test --net=br0 --ip=10.10.20.50\r" | ||
11 | expect { | ||
12 | timeout {puts "TESTING ERROR 1\n";exit} | ||
13 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
14 | } | ||
15 | sleep 2 | ||
16 | |||
17 | spawn $env(SHELL) | ||
18 | send -- "firemon --route\r" | ||
19 | expect { | ||
20 | timeout {puts "TESTING ERROR 2\n";exit} | ||
21 | "firejail --name=test --net=br0 --ip=10.10.20.50" | ||
22 | } | ||
23 | expect { | ||
24 | timeout {puts "TESTING ERROR 3\n";exit} | ||
25 | "Route table:" | ||
26 | } | ||
27 | expect { | ||
28 | timeout {puts "TESTING ERROR 4\n";exit} | ||
29 | "0.0.0.0/0 via 10.10.20.1" | ||
30 | } | ||
31 | expect { | ||
32 | timeout {puts "TESTING ERROR 5\n";exit} | ||
33 | "10.10.20.0/24, dev eth0" | ||
34 | } | ||
35 | expect { | ||
36 | timeout {puts "TESTING ERROR 6\n";exit} | ||
37 | "src 10.10.20.50" | ||
38 | } | ||
39 | after 500 | ||
40 | puts "\nall done\n" | ||
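Review bot: the expected `0.0.0.0/0 via 10.10.20.1` and `dev eth0` lines assume that br0 carries 10.10.20.1 on the host and that firejail picks it as the default gateway when none is given; that setup lives in `network.sh`, so either pass `--defaultgw=10.10.20.1` explicitly here or add a comment stating the dependency, so the test does not fail mysteriously when the bridge address changes.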
diff --git a/test/utils/protocol-print.exp b/test/network/ip6_netfilter.exp index f24afc703..6c478d9e7 100755 --- a/test/utils/protocol-print.exp +++ b/test/network/ip6_netfilter.exp | |||
@@ -7,18 +7,25 @@ set timeout 10 | |||
7 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
8 | match_max 100000 | 8 | match_max 100000 |
9 | 9 | ||
10 | send -- "firejail --name=test\r" | 10 | # check default netfilter on br0 |
11 | send -- "firejail --name=test --net=br0 --netfilter6=ip6_netfilter.profile\r" | ||
11 | expect { | 12 | expect { |
12 | timeout {puts "TESTING ERROR 0\n";exit} | 13 | timeout {puts "TESTING ERROR 0\n";exit} |
13 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | 14 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" |
14 | } | 15 | } |
15 | sleep 2 | 16 | sleep 2 |
16 | |||
17 | spawn $env(SHELL) | 17 | spawn $env(SHELL) |
18 | send -- "firejail --protocol.print=test\r" | 18 | |
19 | # check default netfilter no new network | ||
20 | send -- "firejail --netfilter6.print=test\r" | ||
19 | expect { | 21 | expect { |
20 | timeout {puts "TESTING ERROR 1\n";exit} | 22 | timeout {puts "TESTING ERROR 1\n";exit} |
21 | "unix,inet,inet6" | 23 | "DROP" |
22 | } | 24 | } |
23 | after 100 | 25 | expect { |
24 | puts "\nall done\n" | 26 | timeout {puts "TESTING ERROR 2\n";exit} |
27 | "2001:db8:1f0a:3ec::2" | ||
28 | } | ||
29 | |||
30 | after 500 | ||
31 | puts "all done\n" | ||
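Review bot: the comments do not match the commands: line 10 says "check default netfilter on br0" but line 11 loads a custom file via `--netfilter6=ip6_netfilter.profile`, and line 19 says "no new network" while line 20 prints the filter of the `test` sandbox that was started with `--net=br0`; reword them to say that a custom IPv6 filter is loaded and then read back with `--netfilter6.print`. This file is also recorded as a rename of `test/utils/protocol-print.exp`, so the `--protocol.print=test` check for `unix,inet,inet6` disappears with no replacement visible here.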
diff --git a/test/network/ip6_netfilter.profile b/test/network/ip6_netfilter.profile new file mode 100644 index 000000000..cc8f22943 --- /dev/null +++ b/test/network/ip6_netfilter.profile | |||
@@ -0,0 +1,8 @@ | |||
1 | # Generated by ip6tables-save v1.4.14 on Wed Jan 13 10:53:40 2016 | ||
2 | *filter | ||
3 | :INPUT ACCEPT [0:0] | ||
4 | :FORWARD ACCEPT [0:0] | ||
5 | :OUTPUT ACCEPT [0:0] | ||
6 | -A INPUT -s 2001:db8:1f0a:3ec::2/128 -j DROP | ||
7 | COMMIT | ||
8 | # Completed on Wed Jan 13 10:53:40 2016 | ||
diff --git a/test/network/net_bandwidth.exp b/test/network/net_bandwidth.exp new file mode 100755 index 000000000..0ec3b59ef --- /dev/null +++ b/test/network/net_bandwidth.exp | |||
@@ -0,0 +1,51 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2023 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "firejail --name=test --net=br0\r" | ||
11 | expect { | ||
12 | timeout {puts "TESTING ERROR 1\n";exit} | ||
13 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
14 | } | ||
15 | sleep 2 | ||
16 | |||
17 | spawn $env(SHELL) | ||
18 | send -- "firejail --bandwidth=test set br0 10 20\r" | ||
19 | expect { | ||
20 | timeout {puts "TESTING ERROR 2\n";exit} | ||
21 | "Download speed 80kbps" | ||
22 | } | ||
23 | expect { | ||
24 | timeout {puts "TESTING ERROR 3\n";exit} | ||
25 | "Upload speed 160kbps" | ||
26 | } | ||
27 | expect { | ||
28 | timeout {puts "TESTING ERROR 4\n";exit} | ||
29 | "configuring tc ingress" | ||
30 | } | ||
31 | expect { | ||
32 | timeout {puts "TESTING ERROR 5\n";exit} | ||
33 | "configuring tc egress" | ||
34 | } | ||
35 | after 500 | ||
36 | |||
37 | send -- "firejail --bandwidth=test status\r" | ||
38 | expect { | ||
39 | timeout {puts "TESTING ERROR 6\n";exit} | ||
40 | "rate 160Kbit burst 10Kb" | ||
41 | } | ||
42 | after 500 | ||
43 | |||
44 | send -- "firejail --bandwidth=test clear br0\r" | ||
45 | expect { | ||
46 | timeout {puts "TESTING ERROR 7\n";exit} | ||
47 | "Removing bandwidth limits" | ||
48 | } | ||
49 | sleep 1 | ||
50 | |||
51 | puts "\nall done\n" | ||
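Review bot: the `clear br0` step only expects the `Removing bandwidth limits` message; a follow-up `firejail --bandwidth=test status` checking that the `rate 160Kbit` line is gone would confirm the tc qdisc was actually removed rather than just announced. The numbers themselves are consistent (10 KB/s is 80 kbps download, 20 KB/s is 160 kbps upload), so the `status` expectation `rate 160Kbit burst 10Kb` matches the `set` arguments.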
diff --git a/test/network/net_ip.exp b/test/network/net_ip.exp index 251b55362..0cccf93a0 100755 --- a/test/network/net_ip.exp +++ b/test/network/net_ip.exp | |||
@@ -130,4 +130,44 @@ expect { | |||
130 | } | 130 | } |
131 | 131 | ||
132 | after 500 | 132 | after 500 |
133 | |||
134 | send -- "firejail --profile=net_ip.profile ip addr show\r" | ||
135 | expect { | ||
136 | timeout {puts "TESTING ERROR 26\n";exit} | ||
137 | "eth0" | ||
138 | } | ||
139 | expect { | ||
140 | timeout {puts "TESTING ERROR 27\n";exit} | ||
141 | "00:11:22:33:44:55" | ||
142 | } | ||
143 | expect { | ||
144 | timeout {puts "TESTING ERROR 28\n";exit} | ||
145 | "10.10.20.55" | ||
146 | } | ||
147 | expect { | ||
148 | timeout {puts "TESTING ERROR 29\n";exit} | ||
149 | "Default gateway 10.10.20.9" | ||
150 | } | ||
151 | expect { | ||
152 | timeout {puts "TESTING ERROR 30\n";exit} | ||
153 | "00:11:22:33:44:55" | ||
154 | } | ||
155 | expect { | ||
156 | timeout {puts "TESTING ERROR 31\n";exit} | ||
157 | "10.10.20.55" | ||
158 | } | ||
159 | after 500 | ||
160 | |||
161 | send -- "firejail --profile=net_ip.profile ip route show\r" | ||
162 | expect { | ||
163 | timeout {puts "TESTING ERROR 32\n";exit} | ||
164 | "default via 10.10.20.9" | ||
165 | } | ||
166 | expect { | ||
167 | timeout {puts "TESTING ERROR 33\n";exit} | ||
168 | "10.10.20.0/24 dev eth0 proto kernel scope link src 10.10.20.55" | ||
169 | } | ||
170 | after 500 | ||
171 | |||
172 | |||
133 | puts "\nall done\n" | 173 | puts "\nall done\n" |
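Review bot: `net_ip.profile` sets `mtu 1000`, but nothing in the new block verifies it even though `ip addr show` prints `mtu 1000` for eth0; add an expect for it so the `mtu` directive is actually covered. The first four expects (`eth0`, the MAC, the IP, `Default gateway 10.10.20.9`) match firejail's startup interface summary and the MAC and IP then repeat from the `ip addr show` output; a comment making that order explicit would help whoever renumbers these later.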
diff --git a/test/network/net_ip.profile b/test/network/net_ip.profile new file mode 100644 index 000000000..72910d77e --- /dev/null +++ b/test/network/net_ip.profile | |||
@@ -0,0 +1,6 @@ | |||
1 | net br0 | ||
2 | ip 10.10.20.55 | ||
3 | defaultgw 10.10.20.9 | ||
4 | mac 00:11:22:33:44:55 | ||
5 | mtu 1000 | ||
6 | |||
diff --git a/test/network/net_netfilter.exp b/test/network/net_netfilter.exp index 56480251e..ac144e19d 100755 --- a/test/network/net_netfilter.exp +++ b/test/network/net_netfilter.exp | |||
@@ -20,7 +20,27 @@ spawn $env(SHELL) | |||
20 | send -- "firejail --netfilter.print=test\r" | 20 | send -- "firejail --netfilter.print=test\r" |
21 | expect { | 21 | expect { |
22 | timeout {puts "TESTING ERROR 1\n";exit} | 22 | timeout {puts "TESTING ERROR 1\n";exit} |
23 | "ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED" | 23 | "ACCEPT" |
24 | } | ||
25 | expect { | ||
26 | timeout {puts "TESTING ERROR 1\n";exit} | ||
27 | "lo" | ||
28 | } | ||
29 | expect { | ||
30 | timeout {puts "TESTING ERROR 1\n";exit} | ||
31 | "ACCEPT" | ||
32 | } | ||
33 | expect { | ||
34 | timeout {puts "TESTING ERROR 1\n";exit} | ||
35 | "state RELATED,ESTABLISHED" | ||
36 | } | ||
37 | expect { | ||
38 | timeout {puts "TESTING ERROR 1\n";exit} | ||
39 | "ACCEPT" | ||
40 | } | ||
41 | expect { | ||
42 | timeout {puts "TESTING ERROR 1\n";exit} | ||
43 | "icmptype 8" | ||
24 | } | 44 | } |
25 | 45 | ||
26 | after 500 | 46 | after 500 |
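Review bot: all six expects reuse `TESTING ERROR 1`, so a timeout gives no indication of which rule was missing; number them 1 through 6. The bare `lo` expectation (line 27) matches any `lo` substring in the output, not only the loopback interface column; a single-line `-re` such as `ACCEPT.*lo` would pin the interface to the rule it belongs to, and the same applies to the later `ACCEPT` / `state RELATED,ESTABLISHED` and `ACCEPT` / `icmptype 8` pairs.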
diff --git a/test/network/netfilter-template.exp b/test/network/netfilter-template.exp new file mode 100755 index 000000000..2dc50cef7 --- /dev/null +++ b/test/network/netfilter-template.exp | |||
@@ -0,0 +1,41 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2023 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | |||
11 | send -- "firejail --net=br0 --ip=10.10.30.10 --name=test1 --netfilter=/etc/firejail/blablabla\r" | ||
12 | expect { | ||
13 | timeout {puts "TESTING ERROR 0\n";exit} | ||
14 | "invalid network filter file" | ||
15 | } | ||
16 | after 500 | ||
17 | |||
18 | send -- "firejail --net=br0 --ip=10.10.20.10 --name=test1 --netfilter=/etc/firejail/tcpserver.net,5678\r" | ||
19 | expect { | ||
20 | timeout {puts "TESTING ERROR 1\n";exit} | ||
21 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
22 | } | ||
23 | sleep 2 | ||
24 | |||
25 | spawn $env(SHELL) | ||
26 | send -- "firejail --netfilter.print=test1\r" | ||
27 | expect { | ||
28 | timeout {puts "TESTING ERROR 2\n";exit} | ||
29 | "Chain INPUT" | ||
30 | } | ||
31 | expect { | ||
32 | timeout {puts "TESTING ERROR 3\n";exit} | ||
33 | "ACCEPT" | ||
34 | } | ||
35 | expect { | ||
36 | timeout {puts "TESTING ERROR 4\n";exit} | ||
37 | "tcp dpt:5678 state NEW,ESTABLISHED" | ||
38 | } | ||
39 | sleep 1 | ||
40 | |||
41 | puts "\nall done\n" | ||
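Review bot: the first invocation uses `--ip=10.10.30.10` while every other test on br0 uses the 10.10.20.0/24 range; it works today because the invalid filter file is rejected first, but if firejail ever validates the address before the filter the test would fail for the wrong reason. Use an in-range address so the only thing exercised is the bad `--netfilter` path. The `test1` sandbox is also left running at the end; a `firejail --shutdown=test1` would clean it up deterministically.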
diff --git a/test/network/netstats.exp b/test/network/netstats.exp new file mode 100755 index 000000000..d9da9cb75 --- /dev/null +++ b/test/network/netstats.exp | |||
@@ -0,0 +1,30 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2023 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "firejail --name=test --net=br0\r" | ||
11 | expect { | ||
12 | timeout {puts "TESTING ERROR 1\n";exit} | ||
13 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
14 | } | ||
15 | sleep 4 | ||
16 | |||
17 | spawn $env(SHELL) | ||
18 | send -- "firejail --netstats\r" | ||
19 | expect { | ||
20 | timeout {puts "TESTING ERROR 2\n";exit} | ||
21 | "statistics only for sandboxes using a new network namespace" | ||
22 | } | ||
23 | sleep 4 | ||
24 | |||
25 | expect { | ||
26 | timeout {puts "TESTING ERROR 3\n";exit} | ||
27 | "firejail --name=test --net=br0" | ||
28 | } | ||
29 | after 500 | ||
30 | puts "\nall done\n" | ||
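Review bot: the `test` sandbox started at line 10 is never shut down, and `firejail --netstats` at line 18 is left running under the second spawned shell when the script ends. Add `firejail --shutdown=test` before "all done" so the name is free for the next run, and terminate the netstats display before exiting rather than relying on expect tearing the shell down.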
diff --git a/test/network/network.sh b/test/network/network.sh index 877f16156..6d26e967f 100755 --- a/test/network/network.sh +++ b/test/network/network.sh | |||
@@ -33,8 +33,32 @@ echo "TESTING: print network (net-print.exp)" | |||
33 | echo "TESTING: print dns (dns-print.exp)" | 33 | echo "TESTING: print dns (dns-print.exp)" |
34 | ./dns-print.exp | 34 | ./dns-print.exp |
35 | 35 | ||
36 | echo "TESTING: bandwidth (net_bandwidth.exp)" | ||
37 | ./net_bandwidth.exp | ||
38 | |||
36 | echo "TESTING: ipv6 (ip6.exp)" | 39 | echo "TESTING: ipv6 (ip6.exp)" |
37 | ./ip6.exp | 40 | ./ip6.exp |
38 | 41 | ||
42 | echo "TESTING: ipv6 netfilter (ip6_netfilter.exp)" | ||
43 | ./ip6_netfilter.exp | ||
44 | |||
45 | # this test will fail on github! | ||
46 | USER=`whoami` | ||
47 | if [[ $USER == "runner" ]]; then | ||
48 | echo "TESTING: skip over netstats test" | ||
49 | else | ||
50 | echo "TESTING: netstats (netstats.exp)" | ||
51 | ./netstats.exp | ||
52 | fi | ||
53 | |||
54 | echo "TESTING: firemon arp (firemon-arp.exp)" | ||
55 | ./firemon-arp.exp | ||
56 | |||
57 | echo "TESTING: firemon route (firemon-route.exp)" | ||
58 | ./firemon-route.exp | ||
59 | |||
60 | echo "TESTING: netfilter-template (netfilter-template.exp)" | ||
61 | ./netfilter-template.exp | ||
62 | |||
39 | sudo ip link set br0 down | 63 | sudo ip link set br0 down |
40 | sudo brctl delbr br0 | 64 | sudo brctl delbr br0 |
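Review bot: `USER=\`whoami\`` at line 46 overwrites the login `USER` environment variable for the rest of the script and for every firejail process it spawns; use a private name such as `user=$(whoami)`, or check `$GITHUB_ACTIONS` directly instead of inferring CI from the account name "runner". The comment "this test will fail on github!" should also say why (no network namespace statistics on the hosted runner), so the skip can be revisited.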
diff --git a/test/seccomp-extra/block-secondary.exp b/test/seccomp-extra/block-secondary.exp new file mode 100755 index 000000000..1db512126 --- /dev/null +++ b/test/seccomp-extra/block-secondary.exp | |||
@@ -0,0 +1,43 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2023 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | |||
11 | # 64 bit architecture - seccomp.block-secondary | ||
12 | send -- "firejail --debug --seccomp.block-secondary pwd\r" | ||
13 | expect { | ||
14 | timeout {puts "TESTING ERROR 1\n";exit} | ||
15 | "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 2\n";exit} | ||
16 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
17 | } | ||
18 | expect { | ||
19 | timeout {puts "TESTING ERROR 3\n";exit} | ||
20 | "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 4\n";exit} | ||
21 | "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter" | ||
22 | } | ||
23 | expect { | ||
24 | timeout {puts "TESTING ERROR 5\n";exit} | ||
25 | "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 6\n";exit} | ||
26 | "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" | ||
27 | } | ||
28 | after 500 | ||
29 | |||
30 | # 64 bit architecture - seccomp.block-secondary, profile | ||
31 | send -- "firejail --debug --profile=block-secondary.profile pwd\r" | ||
32 | expect { | ||
33 | timeout {puts "TESTING ERROR 7\n";exit} | ||
34 | "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 8\n";exit} | ||
35 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
36 | } | ||
37 | expect { | ||
38 | timeout {puts "TESTING ERROR 9\n";exit} | ||
39 | "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 10\n";exit} | ||
40 | "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter" | ||
41 | } | ||
42 | after 500 | ||
43 | puts "all done\n" | ||
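Review bot: the negative `seccomp.32` branches at lines 15, 20 and 25 only see output that arrives before each positive pattern matches, so a seccomp.32 filter installed after "seccomp.protocol" in the first case, or after the base "seccomp" filter in the second case (which stops one expect earlier), would pass unnoticed. Add a closing expect on "Parent is shutting down" with the seccomp.32 pattern as its error branch in both halves, and decide whether the profile case at lines 31-41 should also check the protocol filter as the command-line case does.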
diff --git a/test/filters/block-secondary.profile b/test/seccomp-extra/block-secondary.profile index e32056c3d..e32056c3d 100644 --- a/test/filters/block-secondary.profile +++ b/test/seccomp-extra/block-secondary.profile | |||
diff --git a/test/filters/memwrexe b/test/seccomp-extra/memwrexe index 1173cdc07..82ea7631f 100755 --- a/test/filters/memwrexe +++ b/test/seccomp-extra/memwrexe | |||
Binary files differ | |||
diff --git a/test/filters/memwrexe.c b/test/seccomp-extra/memwrexe.c index 548320df9..548320df9 100644 --- a/test/filters/memwrexe.c +++ b/test/seccomp-extra/memwrexe.c | |||
diff --git a/test/seccomp-extra/mrwx.exp b/test/seccomp-extra/mrwx.exp new file mode 100755 index 000000000..403bc852f --- /dev/null +++ b/test/seccomp-extra/mrwx.exp | |||
@@ -0,0 +1,37 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2023 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | |||
11 | |||
12 | # memory-deny-write-execute | ||
13 | send -- "firejail --debug --memory-deny-write-execute pwd\r" | ||
14 | expect { | ||
15 | timeout {puts "TESTING ERROR 1\n";exit} | ||
16 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
17 | } | ||
18 | expect { | ||
19 | timeout {puts "TESTING ERROR 2\n";exit} | ||
20 | "Installing /run/firejail/mnt/seccomp/seccomp.mdwx seccomp filter" | ||
21 | } | ||
22 | after 500 | ||
23 | |||
24 | send -- "firejail --debug --profile=mrwx.profile pwd\r" | ||
25 | expect { | ||
26 | timeout {puts "TESTING ERROR 3\n";exit} | ||
27 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
28 | } | ||
29 | expect { | ||
30 | timeout {puts "TESTING ERROR 4\n";exit} | ||
31 | "Installing /run/firejail/mnt/seccomp/seccomp.mdwx seccomp filter" | ||
32 | } | ||
33 | after 500 | ||
34 | |||
35 | |||
36 | after 500 | ||
37 | puts "all done\n" | ||
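Review bot: lines 33-36 contain two consecutive `after 500` with nothing between them; drop one. The script only verifies that the `seccomp.mdwx` filter is installed and never exercises it, so a comment pointing at mrwx2.exp for the behavioural checks would help the next reader.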
diff --git a/test/seccomp-extra/mrwx.profile b/test/seccomp-extra/mrwx.profile new file mode 100644 index 000000000..46d6cedee --- /dev/null +++ b/test/seccomp-extra/mrwx.profile | |||
@@ -0,0 +1 @@ | |||
memory-deny-write-execute | |||
diff --git a/test/filters/memwrexe.exp b/test/seccomp-extra/mrwx2.exp index e51b3372e..4703a4014 100755 --- a/test/filters/memwrexe.exp +++ b/test/seccomp-extra/mrwx2.exp | |||
@@ -17,7 +17,7 @@ expect { | |||
17 | "mmap successful" {puts "TESTING ERROR 2\n";exit} | 17 | "mmap successful" {puts "TESTING ERROR 2\n";exit} |
18 | "Parent is shutting down" | 18 | "Parent is shutting down" |
19 | } | 19 | } |
20 | after 100 | 20 | after 500 |
21 | 21 | ||
22 | send -- "firejail --memory-deny-write-execute ./memwrexe mprotect\r" | 22 | send -- "firejail --memory-deny-write-execute ./memwrexe mprotect\r" |
23 | expect { | 23 | expect { |
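Review bot: raising the delay from 100 to 500 ms (line 20, and the same change in the two hunks below) papers over a race rather than removing it. The preceding expect already matched "Parent is shutting down", so the only thing the delay waits for is the shell prompt; expect the prompt, or a marker echoed after the command, and the test becomes deterministic and faster. If 500 ms is needed empirically, record the reason in a comment.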
@@ -29,7 +29,7 @@ expect { | |||
29 | "mprotect successful" {puts "TESTING ERROR 12\n";exit} | 29 | "mprotect successful" {puts "TESTING ERROR 12\n";exit} |
30 | "Parent is shutting down" | 30 | "Parent is shutting down" |
31 | } | 31 | } |
32 | after 100 | 32 | after 500 |
33 | 33 | ||
34 | send -- "firejail --memory-deny-write-execute ./memwrexe memfd_create\r" | 34 | send -- "firejail --memory-deny-write-execute ./memwrexe memfd_create\r" |
35 | expect { | 35 | expect { |
@@ -42,5 +42,5 @@ expect { | |||
42 | "Parent is shutting down" | 42 | "Parent is shutting down" |
43 | } | 43 | } |
44 | 44 | ||
45 | after 100 | 45 | after 500 |
46 | puts "\nall done\n" | 46 | puts "\nall done\n" |
diff --git a/test/filters/noroot.exp b/test/seccomp-extra/noroot.exp index 8a8842cd9..eeb82833e 100755 --- a/test/filters/noroot.exp +++ b/test/seccomp-extra/noroot.exp | |||
@@ -132,5 +132,5 @@ expect { | |||
132 | puts "\n" | 132 | puts "\n" |
133 | 133 | ||
134 | 134 | ||
135 | after 100 | 135 | after 500 |
136 | puts "\nall done\n" | 136 | puts "\nall done\n" |
diff --git a/test/seccomp-extra/protocol-print.exp b/test/seccomp-extra/protocol-print.exp new file mode 100755 index 000000000..7e76e6ff6 --- /dev/null +++ b/test/seccomp-extra/protocol-print.exp | |||
@@ -0,0 +1,59 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2023 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "firejail --name=test0\r" | ||
11 | expect { | ||
12 | timeout {puts "TESTING ERROR 0\n";exit} | ||
13 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
14 | } | ||
15 | sleep 2 | ||
16 | |||
17 | |||
18 | spawn $env(SHELL) | ||
19 | send -- "firejail --name=test1 --profile=protocol1.profile\r" | ||
20 | expect { | ||
21 | timeout {puts "TESTING ERROR 1\n";exit} | ||
22 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
23 | } | ||
24 | sleep 2 | ||
25 | |||
26 | spawn $env(SHELL) | ||
27 | send -- "firejail --name=test2 --profile=protocol2.profile\r" | ||
28 | expect { | ||
29 | timeout {puts "TESTING ERROR 2\n";exit} | ||
30 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
31 | } | ||
32 | sleep 2 | ||
33 | |||
34 | spawn $env(SHELL) | ||
35 | send -- "firejail --protocol.print=test0\r" | ||
36 | expect { | ||
37 | timeout {puts "TESTING ERROR 3\n";exit} | ||
38 | "packet" {puts "TESTING ERROR 4\n";exit} | ||
39 | "unix,inet,inet6" | ||
40 | } | ||
41 | after 500 | ||
42 | |||
43 | send -- "firejail --protocol.print=test1\r" | ||
44 | expect { | ||
45 | timeout {puts "TESTING ERROR 5\n";exit} | ||
46 | "inet" {puts "TESTING ERROR 6\n";exit} | ||
47 | "unix" | ||
48 | } | ||
49 | after 500 | ||
50 | |||
51 | send -- "firejail --protocol.print=test2\r" | ||
52 | expect { | ||
53 | timeout {puts "TESTING ERROR 7\n";exit} | ||
54 | "unix" {puts "TESTING ERROR 8\n";exit} | ||
55 | "inet6,packet" | ||
56 | } | ||
57 | after 500 | ||
58 | |||
59 | puts "\nall done\n" | ||
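Review bot: the test0 expectation "unix,inet,inet6" at line 39 is not set by the test itself; `firejail --name=test0` at line 10 runs with whatever profile the host resolves for the shell, so the value comes from the installed profiles and will drift with packaging. Pin it with `--noprofile --protocol=unix,inet,inet6` on the test0 command line. The sandboxes test0, test1 and test2 are also never shut down; add a `firejail --shutdown=` for each before "all done".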
diff --git a/test/filters/protocol.exp b/test/seccomp-extra/protocol.exp index 5320dde6f..5844e1de3 100755 --- a/test/filters/protocol.exp +++ b/test/seccomp-extra/protocol.exp | |||
@@ -7,7 +7,7 @@ set timeout 10 | |||
7 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
8 | match_max 100000 | 8 | match_max 100000 |
9 | 9 | ||
10 | send -- "firejail --noprofile --protocol=unix --debug\r" | 10 | send -- "firejail --noprofile --protocol=unix --debug pwd\r" |
11 | expect { | 11 | expect { |
12 | timeout {puts "TESTING ERROR 1\n";exit} | 12 | timeout {puts "TESTING ERROR 1\n";exit} |
13 | "0009: 20 00 00 00000000" | 13 | "0009: 20 00 00 00000000" |
@@ -29,11 +29,9 @@ expect { | |||
29 | "0012: 06 00 00 0005005f" | 29 | "0012: 06 00 00 0005005f" |
30 | } | 30 | } |
31 | 31 | ||
32 | after 100 | 32 | after 500 |
33 | send -- "exit\r" | ||
34 | sleep 1 | ||
35 | 33 | ||
36 | send -- "firejail --noprofile --protocol=bluetooth --debug\r" | 34 | send -- "firejail --noprofile --protocol=bluetooth --debug pwd\r" |
37 | expect { | 35 | expect { |
38 | timeout {puts "TESTING ERROR 11\n";exit} | 36 | timeout {puts "TESTING ERROR 11\n";exit} |
39 | "0009: 20 00 00 00000000" | 37 | "0009: 20 00 00 00000000" |
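Review bot: replacing `send -- "exit\r"` and `sleep 1` with `after 500` is correct now that `pwd` makes the sandbox exit on its own, but the fixed delay still assumes teardown completes within 500 ms before the next `send`; expect "Parent is shutting down" (as mrwx2.exp does) before sending the next command so the test does not depend on timing.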
@@ -54,12 +52,9 @@ expect { | |||
54 | timeout {puts "TESTING ERROR1 5\n";exit} | 52 | timeout {puts "TESTING ERROR1 5\n";exit} |
55 | "0012: 06 00 00 0005005f" | 53 | "0012: 06 00 00 0005005f" |
56 | } | 54 | } |
55 | after 500 | ||
57 | 56 | ||
58 | after 100 | 57 | send -- "firejail --noprofile --protocol=inet,inet6 --debug pwd\r" |
59 | send -- "exit\r" | ||
60 | sleep 1 | ||
61 | |||
62 | send -- "firejail --noprofile --protocol=inet,inet6 --debug\r" | ||
63 | expect { | 58 | expect { |
64 | timeout {puts "TESTING ERROR 31\n";exit} | 59 | timeout {puts "TESTING ERROR 31\n";exit} |
65 | "0009: 20 00 00 00000000" | 60 | "0009: 20 00 00 00000000" |
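Review bot: "TESTING ERROR1 5" at line 52 is a malformed label carried over from the old file; since this hunk already touches the block, fix it to the "TESTING ERROR N" form used everywhere else so failures can be located from the log.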
@@ -88,10 +83,5 @@ expect { | |||
88 | timeout {puts "TESTING ERROR 37\n";exit} | 83 | timeout {puts "TESTING ERROR 37\n";exit} |
89 | "0014: 06 00 00 0005005f" | 84 | "0014: 06 00 00 0005005f" |
90 | } | 85 | } |
91 | 86 | after 500 | |
92 | after 100 | ||
93 | send -- "exit\r" | ||
94 | |||
95 | |||
96 | after 100 | ||
97 | puts "\nall done\n" | 87 | puts "\nall done\n" |
diff --git a/test/filters/protocol1.profile b/test/seccomp-extra/protocol1.profile index 3e1ea2a29..3e1ea2a29 100644 --- a/test/filters/protocol1.profile +++ b/test/seccomp-extra/protocol1.profile | |||
diff --git a/test/filters/protocol2.profile b/test/seccomp-extra/protocol2.profile index b7eb4ab91..b7eb4ab91 100644 --- a/test/filters/protocol2.profile +++ b/test/seccomp-extra/protocol2.profile | |||
diff --git a/test/seccomp-extra/seccomp-extra.sh b/test/seccomp-extra/seccomp-extra.sh new file mode 100755 index 000000000..50852f7e0 --- /dev/null +++ b/test/seccomp-extra/seccomp-extra.sh | |||
@@ -0,0 +1,26 @@ | |||
1 | #!/bin/bash | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2023 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | export MALLOC_CHECK_=3 | ||
7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) | ||
8 | export LC_ALL=C | ||
9 | |||
10 | echo "TESTING: protocol (test/seccomp-extras/protocol-print.exp)" | ||
11 | ./protocol.exp | ||
12 | |||
13 | echo "TESTING: protocol.print (test/seccomp-extras/protocol-print.exp)" | ||
14 | ./protocol-print.exp | ||
15 | |||
16 | echo "TESTING: noroot (test/seccomp-extras/noroot.exp)" | ||
17 | ./noroot.exp | ||
18 | |||
19 | echo "TESTING: mrwx (test/seccomp-extras/mrwx.exp)" | ||
20 | ./mrwx.exp | ||
21 | |||
22 | echo "TESTING: mrwx2 (test/seccomp-extras/mrwx.exp)" | ||
23 | ./mrwx2.exp | ||
24 | |||
25 | echo "TESTING: block-secondary (test/seccomp-extras/block-secondary.exp)" | ||
26 | ./block-secondary.exp | ||
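Review bot: the echo labels are wrong in several places: the directory is test/seccomp-extra, not test/seccomp-extras; line 10 announces protocol-print.exp but runs ./protocol.exp; line 22 announces mrwx.exp but runs ./mrwx2.exp. Separately, ./mrwx2.exp executes the checked-in ./memwrexe binary, which this change replaces ("Binary files differ") with no build step from memwrexe.c; compile it here or in the Makefile so the test does not depend on a committed binary.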
diff --git a/test/utils/caps1.profile b/test/utils/caps1.profile deleted file mode 100644 index 78c18fc64..000000000 --- a/test/utils/caps1.profile +++ /dev/null | |||
@@ -1 +0,0 @@ | |||
1 | caps.drop chown,kill | ||
diff --git a/test/utils/caps2.profile b/test/utils/caps2.profile deleted file mode 100644 index e760d4cb5..000000000 --- a/test/utils/caps2.profile +++ /dev/null | |||
@@ -1 +0,0 @@ | |||
1 | caps.keep chown,kill | ||
diff --git a/test/utils/firemon-caps.exp b/test/utils/firemon-caps.exp deleted file mode 100755 index 621447d45..000000000 --- a/test/utils/firemon-caps.exp +++ /dev/null | |||
@@ -1,129 +0,0 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2023 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "firejail --name=bingo1 --noprofile --caps\r" | ||
11 | expect { | ||
12 | timeout {puts "TESTING ERROR 0\n";exit} | ||
13 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
14 | } | ||
15 | sleep 1 | ||
16 | |||
17 | spawn $env(SHELL) | ||
18 | send -- "firejail --name=bingo2 --noprofile\r" | ||
19 | expect { | ||
20 | timeout {puts "TESTING ERROR 1\n";exit} | ||
21 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
22 | } | ||
23 | sleep 1 | ||
24 | |||
25 | spawn $env(SHELL) | ||
26 | send -- "firejail --name=bingo3 --noprofile --caps.drop=all\r" | ||
27 | expect { | ||
28 | timeout {puts "TESTING ERROR 2\n";exit} | ||
29 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
30 | } | ||
31 | sleep 1 | ||
32 | |||
33 | spawn $env(SHELL) | ||
34 | send -- "firejail --noprofile --name=bingo4 --caps.drop=chown,kill\r" | ||
35 | expect { | ||
36 | timeout {puts "TESTING ERROR 3\n";exit} | ||
37 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
38 | } | ||
39 | sleep 1 | ||
40 | |||
41 | spawn $env(SHELL) | ||
42 | send -- "firejail --noprofile --name=bingo5 --caps.keep=chown,kill\r" | ||
43 | expect { | ||
44 | timeout {puts "TESTING ERROR 4\n";exit} | ||
45 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
46 | } | ||
47 | sleep 1 | ||
48 | |||
49 | spawn $env(SHELL) | ||
50 | send -- "firejail --name=bingo6 --profile=caps1.profile\r" | ||
51 | expect { | ||
52 | timeout {puts "TESTING ERROR 5\n";exit} | ||
53 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
54 | } | ||
55 | sleep 1 | ||
56 | |||
57 | spawn $env(SHELL) | ||
58 | send -- "firejail --name=bingo7 --profile=caps2.profile\r" | ||
59 | expect { | ||
60 | timeout {puts "TESTING ERROR 0\n";exit} | ||
61 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
62 | } | ||
63 | sleep 1 | ||
64 | |||
65 | spawn $env(SHELL) | ||
66 | send -- "firemon --caps\r" | ||
67 | expect { | ||
68 | timeout {puts "TESTING ERROR 8.1\n";exit} | ||
69 | "need to be root" {puts "TESTING SKIP: /proc mounted as hidepid\n"; exit} | ||
70 | "bingo1" | ||
71 | } | ||
72 | expect { | ||
73 | timeout {puts "TESTING ERROR 8.2\n";exit} | ||
74 | "31cffff" | ||
75 | } | ||
76 | expect { | ||
77 | timeout {puts "TESTING ERROR 8.3\n";exit} | ||
78 | "bingo2" | ||
79 | } | ||
80 | expect { | ||
81 | timeout {puts "TESTING ERROR 8.4\n";exit} | ||
82 | "fffffff" | ||
83 | } | ||
84 | expect { | ||
85 | timeout {puts "TESTING ERROR 8.5\n";exit} | ||
86 | "bingo3" | ||
87 | } | ||
88 | expect { | ||
89 | timeout {puts "TESTING ERROR 8.6\n";exit} | ||
90 | "000000000000" | ||
91 | } | ||
92 | |||
93 | expect { | ||
94 | timeout {puts "TESTING ERROR 8.7\n";exit} | ||
95 | "bingo4" | ||
96 | } | ||
97 | expect { | ||
98 | timeout {puts "TESTING ERROR 8.8\n";exit} | ||
99 | "ffffffde" | ||
100 | } | ||
101 | expect { | ||
102 | timeout {puts "TESTING ERROR 8.9\n";exit} | ||
103 | "bingo5" | ||
104 | } | ||
105 | expect { | ||
106 | timeout {puts "TESTING ERROR 8.10\n";exit} | ||
107 | "0000000000000021" | ||
108 | } | ||
109 | |||
110 | expect { | ||
111 | timeout {puts "TESTING ERROR 8.11\n";exit} | ||
112 | "bingo6" | ||
113 | } | ||
114 | expect { | ||
115 | timeout {puts "TESTING ERROR 8.12\n";exit} | ||
116 | "ffffffde" | ||
117 | } | ||
118 | expect { | ||
119 | timeout {puts "TESTING ERROR 8.13\n";exit} | ||
120 | "bingo7" | ||
121 | } | ||
122 | expect { | ||
123 | timeout {puts "TESTING ERROR 8.14\n";exit} | ||
124 | "0000000000000021" | ||
125 | } | ||
126 | |||
127 | after 100 | ||
128 | |||
129 | puts "all done\n" | ||
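Review bot: deleting firemon-caps.exp (with caps1.profile and caps2.profile) removes the only check in this tree that `--caps`, `--caps.drop` and `--caps.keep` yield the expected bounding-set masks (31cffff, 000000000000, ffffffde, 0000000000000021); unlike the protocol tests moved to test/seccomp-extra, nothing in this diff re-adds it. If the motivation is the fragile CapBnd guard in utils.sh, keep the test behind the guard rather than dropping the coverage.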
diff --git a/test/utils/firemon-interface.exp b/test/utils/firemon-interface.exp deleted file mode 100755 index fc1ea9ef6..000000000 --- a/test/utils/firemon-interface.exp +++ /dev/null | |||
@@ -1,17 +0,0 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2023 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "firemon --interface\r" | ||
11 | expect { | ||
12 | timeout {puts "TESTING ERROR 0\n";exit} | ||
13 | "you need to be root" | ||
14 | } | ||
15 | after 100 | ||
16 | |||
17 | puts "\nall done\n" | ||
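Review bot: this was the only test that `firemon --interface` refuses to run unprivileged ("you need to be root"); if it is removed because firemon's behaviour changed, the replacement expectation is missing from this diff, and if it was merely relocated, the new location is not visible here.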
diff --git a/test/utils/utils.sh b/test/utils/utils.sh index 9f04c2625..9ff4048ef 100755 --- a/test/utils/utils.sh +++ b/test/utils/utils.sh | |||
@@ -61,15 +61,9 @@ echo "TESTING: fs.print (test/utils/fs-print.exp)" | |||
61 | echo "TESTING: dns.print (test/utils/dns-print.exp)" | 61 | echo "TESTING: dns.print (test/utils/dns-print.exp)" |
62 | ./dns-print.exp | 62 | ./dns-print.exp |
63 | 63 | ||
64 | echo "TESTING: caps.print (test/utils/caps-print.exp)" | ||
65 | ./caps-print.exp | ||
66 | |||
67 | echo "TESTING: seccomp.print (test/utils/seccomp-print.exp)" | 64 | echo "TESTING: seccomp.print (test/utils/seccomp-print.exp)" |
68 | ./seccomp-print.exp | 65 | ./seccomp-print.exp |
69 | 66 | ||
70 | echo "TESTING: protocol.print (test/utils/protocol-print.exp)" | ||
71 | ./protocol-print.exp | ||
72 | |||
73 | echo "TESTING: shutdown (test/utils/shutdown.exp)" | 67 | echo "TESTING: shutdown (test/utils/shutdown.exp)" |
74 | ./shutdown.exp | 68 | ./shutdown.exp |
75 | 69 | ||
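Review bot: the removed protocol.print run (lines 70-71) is accounted for by the move to test/seccomp-extra/protocol-print.exp, but the removed caps.print run (lines 64-65) has no matching move or deletion of caps-print.exp in this diff; either that file is now orphaned or the script that should call it is missing here.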
@@ -112,21 +106,11 @@ else | |||
112 | echo "TESTING SKIP: seccomp already active (test/utils/firemon-seccomp.exp)" | 106 | echo "TESTING SKIP: seccomp already active (test/utils/firemon-seccomp.exp)" |
113 | fi | 107 | fi |
114 | 108 | ||
115 | if grep -q "^CapBnd:\\s0000003fffffffff" /proc/self/status; then | ||
116 | echo "TESTING: firemon caps (test/utils/firemon-caps.exp)" | ||
117 | ./firemon-caps.exp | ||
118 | else | ||
119 | echo "TESTING SKIP: other capabilities than expected (test/utils/firemon-caps.exp)" | ||
120 | fi | ||
121 | |||
122 | echo "TESTING: firemon cpu (test/utils/firemon-cpu.exp)" | 109 | echo "TESTING: firemon cpu (test/utils/firemon-cpu.exp)" |
123 | ./firemon-cpu.exp | 110 | ./firemon-cpu.exp |
124 | 111 | ||
125 | echo "TESTING: firemon version (test/utils/firemon-version.exp)" | 112 | echo "TESTING: firemon version (test/utils/firemon-version.exp)" |
126 | ./firemon-version.exp | 113 | ./firemon-version.exp |
127 | 114 | ||
128 | echo "TESTING: firemon interface (test/utils/firemon-interface.exp)" | ||
129 | ./firemon-interface.exp | ||
130 | |||
131 | echo "TESTING: firemon name (test/utils/firemon-name.exp)" | 115 | echo "TESTING: firemon name (test/utils/firemon-name.exp)" |
132 | ./firemon-name.exp | 116 | ./firemon-name.exp |
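Review bot: with the CapBnd guard and the firemon-caps and firemon-interface runs removed here, confirm that the top-level test driver now invokes test/seccomp-extra/seccomp-extra.sh; nothing in this diff shows it being called, so the moved protocol, noroot, mrwx and block-secondary tests would otherwise never run.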