139 files changed, 2172 insertions, 1960 deletions
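--- a/.gitignore
+++ b/.gitignore
@@ -22,6 +22,7 @@ firejail-users.5
 firejail.1
 firemon.1
 firecfg.1
+jailtest.5
 mkdeb.sh
 src/firejail/firejail
 src/firemon/firemon
@@ -40,6 +41,7 @@ src/fbuilder/fbuilder
 src/profstats/profstats
 src/bash_completion/firejail.bash_completion
 src/zsh_completion/_firejail
+src/jailtest/jailtest
 uids.h
 seccomp
 seccomp.debug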
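--- a/Makefile.in
+++ b/Makefile.in
@@ -22,14 +22,16 @@ MAN_SRC = src/man
 endif
 
 COMPLETIONDIRS = src/zsh_completion src/bash_completion
+
+.PHONY: all
 all: all_items mydirs $(MAN_TARGET) filters
-APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats
-SBOX_APPS = src/faudit/faudit src/fbuilder/fbuilder src/ftee/ftee
+APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailtest/jailtest
+SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee
 SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter
 MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS)
 MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
 COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion
-MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5
+MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailtest.5
 SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp
 SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32
 ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS)
@@ -44,7 +46,6 @@ mydirs: $(MYDIRS)
 $(MYDIRS):
 $(MAKE) -C $@
 
-
 $(MANPAGES): src/man
 ./mkman.sh $(VERSION) src/man/$(basename $@).man $@
 
@@ -72,6 +73,7 @@ seccomp.mdwx: src/fseccomp/fseccomp
 seccomp.mdwx.32: src/fseccomp/fseccomp
 src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32
 
+.PHONY: clean
 clean:
 for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \
 $(MAKE) -C $$dir clean; \
@@ -91,6 +93,7 @@ clean:
 rm -f test/sysutils/firejail_t*
 cd test/compile; ./compile.sh --clean; cd ../..
 
+.PHONY: distclean
 distclean: clean
 for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \
 $(MAKE) -C $$dir distclean; \
@@ -109,6 +112,8 @@ endif
 install -m 0755 src/firemon/firemon $(DESTDIR)$(bindir)
 # firecfg executable
 install -m 0755 src/firecfg/firecfg $(DESTDIR)$(bindir)
+# jailtest executable
+install -m 0755 src/jailtest/jailtest $(DESTDIR)$(bindir)
 # libraries and plugins
 install -m 0755 -d $(DESTDIR)$(libdir)/firejail
 install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config
@@ -177,6 +182,7 @@ uninstall:
 rm -f $(DESTDIR)$(bindir)/firemon
 rm -f $(DESTDIR)$(bindir)/firecfg
 rm -fr $(DESTDIR)$(libdir)/firejail
+rm -fr $(DESTDIR)$(libdir)/jailtest
 rm -fr $(DESTDIR)$(datarootdir)/doc/firejail
 for man in $(MANPAGES); do \
 rm -f $(DESTDIR)$(mandir)/man5/$$man*; \
@@ -188,7 +194,7 @@ uninstall:
 @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038."
 
 DISTFILES = "src etc m4 platform contrib configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh.in COPYING README RELNOTES"
-DISTFILES_TEST = "test/Makefile.in test/apps test/apps-x11 test/apps-x11-xorg test/root test/private-lib test/fnetfilter test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils test/chroot"
+DISTFILES_TEST = "test/Makefile.in test/apps test/apps-x11 test/apps-x11-xorg test/root test/private-lib test/fnetfilter test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils test/chroot"
 
 dist:
 mv config.status config.status.old
@@ -229,24 +235,23 @@ cppcheck: clean
 scan-build: clean
 NO_EXTRA_CFLAGS="yes" scan-build make
 
-
 #
 # make test
 #
 
-TESTS=profiles private-lib apps apps-x11 apps-x11-xorg sysutils utils environment filters arguments fs fcopy fnetfilter
+TESTS=profiles private-lib apps apps-x11 apps-x11-xorg sysutils utils environment filters fs fcopy fnetfilter
 TEST_TARGETS=$(patsubst %,test-%,$(TESTS))
 
 $(TEST_TARGETS):
 $(MAKE) -C test $(subst test-,,$@)
 
-test: test-profiles test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments
+test: test-profiles test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters
 echo "TEST COMPLETE"
 
-test-noprofiles: test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments
+test-noprofiles: test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters
 echo "TEST COMPLETE"
 
-test-github: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-arguments
+test-github: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment
 echo "TEST COMPLETE"
 
 ##########################################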
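Review bot: The uninstall hunk adds `rm -fr $(DESTDIR)$(libdir)/jailtest`, but the install hunk copies the new program to `$(DESTDIR)$(bindir)` and no visible line creates a `$(libdir)/jailtest` directory, so `make uninstall` appears to leave the jailtest binary in place. The man page added in this commit says jailtest is started as root through sudo, so a stale copy surviving an uninstall or a switch to another version is worth avoiding; add `rm -f $(DESTDIR)$(bindir)/jailtest` beside the firemon and firecfg removals and drop the libdir line if nothing installs there. The uninstall recipe begins outside the hunk, so confirm that no earlier line already removes it. As a smaller point of style, `.PHONY` is now declared for all, clean and distclean only, while install, uninstall, dist and the test targets are also non-file targets.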
@@ -44,9 +44,10 @@ Committers | |||
44 | - Fred-Barclay (https://github.com/Fred-Barclay) | 44 | - Fred-Barclay (https://github.com/Fred-Barclay) |
45 | - Kelvin M. Klann (https://github.com/kmk3) | 45 | - Kelvin M. Klann (https://github.com/kmk3) |
46 | - Kristóf Marussy (https://github.com/kris7t) | 46 | - Kristóf Marussy (https://github.com/kris7t) |
47 | - Neo00001 (https://github.com/Neo00001) | ||
47 | - Reiner Herrmann (https://github.com/reinerh - Debian/Ubuntu maintainer) | 48 | - Reiner Herrmann (https://github.com/reinerh - Debian/Ubuntu maintainer) |
48 | - rusty-snake (https://github.com/rusty-snake) | 49 | - rusty-snake (https://github.com/rusty-snake) |
49 | - smithsohu (https://github.com/smitsohu) | 50 | - smitsohu (https://github.com/smitsohu) |
50 | - SkewedZeppelin (https://github.com/SkewedZeppelin) | 51 | - SkewedZeppelin (https://github.com/SkewedZeppelin) |
51 | - startx2017 (https://github.com/startx2017) - LTS and *bugfixes branches maintainer) | 52 | - startx2017 (https://github.com/startx2017) - LTS and *bugfixes branches maintainer) |
52 | - Topi Miettinen (https://github.com/topimiettinen) | 53 | - Topi Miettinen (https://github.com/topimiettinen) |
@@ -76,6 +77,9 @@ Aidan Gauland (https://github.com/aidalgol) | |||
76 | - whitelist Bohemia Interactive config dir for Steam | 77 | - whitelist Bohemia Interactive config dir for Steam |
77 | Akhil Hans Maulloo (https://github.com/kouul) | 78 | Akhil Hans Maulloo (https://github.com/kouul) |
78 | - xz profile | 79 | - xz profile |
80 | Albin Kauffmann (https://github.com/albinou) | ||
81 | - Firefox and Chromium profile fixes | ||
82 | - info to allow screen sharing in profiles | ||
79 | Alexey Kuznetsov (kuznet@ms2.inr.ac.ru) | 83 | Alexey Kuznetsov (kuznet@ms2.inr.ac.ru) |
80 | - src/lib/libnetlink.c extracted from iproute2 software package | 84 | - src/lib/libnetlink.c extracted from iproute2 software package |
81 | Aleksey Manevich (https://github.com/manevich) | 85 | Aleksey Manevich (https://github.com/manevich) |
@@ -165,9 +169,12 @@ Barış Ekin Yıldırım (https://github.com/circuitshaker) | |||
165 | - removing net none from code.profile | 169 | - removing net none from code.profile |
166 | bbhtt (https://github.com/bbhtt) | 170 | bbhtt (https://github.com/bbhtt) |
167 | - improvements to balsa,fractal,gajim,trojita profiles | 171 | - improvements to balsa,fractal,gajim,trojita profiles |
168 | - improvements to nheko, spectral, feh, links, lynx profiles | 172 | - improvements to nheko, spectral, feh, links, lynx, smplayer profiles |
169 | - added alacartem com.github.bleakgrey.tootle, photoflare profiles | 173 | - added alacarte, com.github.bleakgrey.tootle, photoflare profiles |
170 | - add profiles for MS Edge dev build for Linux and Librewolf | 174 | - add profiles for MS Edge dev build for Linux and Librewolf |
175 | - fixes to cheese, authenticator, liferea | ||
176 | - add profile for straw-viewer | ||
177 | - email clients whitelisting and fixes | ||
171 | Benjamin Kampmann (https://github.com/ligthyear) | 178 | Benjamin Kampmann (https://github.com/ligthyear) |
172 | - Forward exit code from child process | 179 | - Forward exit code from child process |
173 | bitfreak25 (https://github.com/bitfreak25) | 180 | bitfreak25 (https://github.com/bitfreak25) |
@@ -452,6 +459,8 @@ Impyy (https://github.com/Impyy) | |||
452 | - added mumble profile | 459 | - added mumble profile |
453 | intika (https://github.com/intika) | 460 | intika (https://github.com/intika) |
454 | - added musixmatch profile | 461 | - added musixmatch profile |
462 | irandms (https://github.com/irandms) | ||
463 | - man firecfg fixes | ||
455 | irregulator (https://github.com/irregulator) | 464 | irregulator (https://github.com/irregulator) |
456 | - thunderbird profile fixes for debian stretch | 465 | - thunderbird profile fixes for debian stretch |
457 | Irvine (https://github.com/Irvinehimself) | 466 | Irvine (https://github.com/Irvinehimself) |
@@ -798,7 +807,9 @@ Simon Peter (https://github.com/probonopd) | |||
798 | sinkuu (https://github.com/sinkuu) | 807 | sinkuu (https://github.com/sinkuu) |
799 | - blacklisting kwalletd | 808 | - blacklisting kwalletd |
800 | - fix symlink invocation for programs placing symlinks in $PATH | 809 | - fix symlink invocation for programs placing symlinks in $PATH |
801 | smithsohu (https://github.com/smitsohu) | 810 | Simo Piiroinen (https://github.com/spiiroin) |
811 | - Jolla/SailfishOS patches | ||
812 | smitsohu (https://github.com/smitsohu) | ||
802 | - read-only kde4 services directory | 813 | - read-only kde4 services directory |
803 | - enhanced mediathekview profile | 814 | - enhanced mediathekview profile |
804 | - added tuxguitar profile | 815 | - added tuxguitar profile |
@@ -913,6 +924,8 @@ Tom Mellor (https://github.com/kalegrill) | |||
913 | - mupen64plus profile | 924 | - mupen64plus profile |
914 | Tomasz Jan Góralczyk (https://github.com/tjg) | 925 | Tomasz Jan Góralczyk (https://github.com/tjg) |
915 | - fixed Steam profile | 926 | - fixed Steam profile |
927 | Tomi Leppänen (https://github.com/Tomin1) | ||
928 | - Jolla/SailfishOS patches | ||
916 | Topi Miettinen (https://github.com/topimiettinen) | 929 | Topi Miettinen (https://github.com/topimiettinen) |
917 | - improved seccomp printing | 930 | - improved seccomp printing |
918 | - improve mount handling, fix /run/user handling | 931 | - improve mount handling, fix /run/user handling |
@@ -1011,4 +1024,7 @@ Zack Weinberg (https://github.com/zackw) | |||
1011 | with firejail --x11 | 1024 | with firejail --x11 |
1012 | - support for xpra-extra-params in firejail.config | 1025 | - support for xpra-extra-params in firejail.config |
1013 | 1026 | ||
1027 | zupatisc (https://github.com/zupatisc) | ||
1028 | - patch-util fix | ||
1029 | |||
1014 | Copyright (C) 2014-2021 Firejail Authors | 1030 | Copyright (C) 2014-2021 Firejail Authors |
@@ -198,7 +198,100 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
198 | Milestone page: https://github.com/netblue30/firejail/milestone/1 | 198 | Milestone page: https://github.com/netblue30/firejail/milestone/1 |
199 | Release discussion: https://github.com/netblue30/firejail/issues/3696 | 199 | Release discussion: https://github.com/netblue30/firejail/issues/3696 |
200 | 200 | ||
201 | ### jailtest | ||
202 | ````` | ||
203 | JAILTEST(1) JAILTEST man page JAILTEST(1) | ||
204 | |||
205 | NAME | ||
206 | jailtest - Simple utility program to test running sandboxes | ||
207 | |||
208 | SYNOPSIS | ||
209 | sudo jailtest [OPTIONS] [directory] | ||
210 | |||
211 | DESCRIPTION | ||
212 | WORK IN PROGRESS! jailtest attaches itself to all sandboxes started by | ||
213 | the user and performs some basic tests on the sandbox filesystem: | ||
214 | |||
215 | 1. Virtual directories | ||
216 | jailtest extracts a list with the main virtual directories in‐ | ||
217 | stalled by the sandbox. These directories are build by firejail | ||
218 | at startup using --private* and --whitelist commands. | ||
219 | |||
220 | 2. Noexec test | ||
221 | jailtest inserts executable programs in /home/username, /tmp, | ||
222 | and /var/tmp directories and tries to run them form inside the | ||
223 | sandbox, thus testing if the directory is executable or not. | ||
224 | |||
225 | 3. Read access test | ||
226 | jailtest creates test files in the directories specified by the | ||
227 | user and tries to read them from inside the sandbox. | ||
228 | |||
229 | 4. AppArmor test | ||
230 | |||
231 | 5. Seccomp test | ||
232 | |||
233 | The program is started as root using sudo. | ||
234 | |||
235 | OPTIONS | ||
236 | --debug | ||
237 | Print debug messages | ||
238 | |||
239 | -?, --help | ||
240 | Print options end exit. | ||
241 | |||
242 | --version | ||
243 | Print program version and exit. | ||
201 | 244 | ||
245 | [directory] | ||
246 | One or more directories in user home to test for read access. | ||
247 | ~/.ssh and ~/.gnupg are tested by default. | ||
248 | |||
249 | OUTPUT | ||
250 | For each sandbox detected we print the following line: | ||
251 | |||
252 | PID:USER:Sandbox Name:Command | ||
253 | |||
254 | It is followed by relevant sandbox information, such as the virtual di‐ | ||
255 | rectories and various warnings. | ||
256 | |||
257 | EXAMPLE | ||
258 | $ sudo jailtest | ||
259 | 2014:netblue::firejail /usr/bin/gimp | ||
260 | Virtual dirs: /tmp, /var/tmp, /dev, /usr/share, | ||
261 | Warning: I can run programs in /home/netblue | ||
262 | |||
263 | 2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net | ||
264 | Virtual dirs: /var/tmp, /dev, /usr/share, /run/user/1000, | ||
265 | Warning: I can read ~/.ssh | ||
266 | |||
267 | 2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.ap‐ | ||
268 | pimage | ||
269 | Virtual dirs: /tmp, /var/tmp, /dev, | ||
270 | |||
271 | 26090:netblue::/usr/bin/firejail /opt/firefox/firefox | ||
272 | Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /usr/share, | ||
273 | /run/user/1000, | ||
274 | |||
275 | 26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor | ||
276 | Warning: AppArmor not enabled | ||
277 | Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /bin, | ||
278 | /usr/share, /run/user/1000, | ||
279 | Warning: I can run programs in /home/netblue | ||
280 | |||
281 | LICENSE | ||
282 | This program is free software; you can redistribute it and/or modify it | ||
283 | under the terms of the GNU General Public License as published by the | ||
284 | Free Software Foundation; either version 2 of the License, or (at your | ||
285 | option) any later version. | ||
286 | |||
287 | Homepage: https://firejail.wordpress.com | ||
288 | |||
289 | SEE ALSO | ||
290 | firejail(1), firemon(1), firecfg(1), firejail-profile(5), firejail-lo‐ | ||
291 | gin(5), firejail-users(5), | ||
292 | |||
293 | 0.9.65 Feb 2021 JAILTEST(1) | ||
294 | ````` | ||
202 | 295 | ||
203 | ### Profile Statistics | 296 | ### Profile Statistics |
204 | 297 | ||
@@ -210,31 +303,32 @@ $ ./profstats *.profile | |||
210 | Warning: multiple caps in transmission-daemon.profile | 303 | Warning: multiple caps in transmission-daemon.profile |
211 | 304 | ||
212 | Stats: | 305 | Stats: |
213 | profiles 1064 | 306 | profiles 1077 |
214 | include local profile 1064 (include profile-name.local) | 307 | include local profile 1077 (include profile-name.local) |
215 | include globals 1064 (include globals.local) | 308 | include globals 1077 (include globals.local) |
216 | blacklist ~/.ssh 959 (include disable-common.inc) | 309 | blacklist ~/.ssh 971 (include disable-common.inc) |
217 | seccomp 975 | 310 | seccomp 988 |
218 | capabilities 1063 | 311 | capabilities 1076 |
219 | noexec 944 (include disable-exec.inc) | 312 | noexec 960 (include disable-exec.inc) |
220 | memory-deny-write-execute 229 | 313 | memory-deny-write-execute 231 |
221 | apparmor 605 | 314 | apparmor 621 |
222 | private-bin 564 | 315 | private-bin 571 |
223 | private-dev 932 | 316 | private-dev 949 |
224 | private-etc 462 | 317 | private-etc 470 |
225 | private-tmp 823 | 318 | private-tmp 835 |
226 | whitelist home directory 502 | 319 | whitelist home directory 508 |
227 | whitelist var 744 (include whitelist-var-common.inc) | 320 | whitelist var 758 (include whitelist-var-common.inc) |
228 | whitelist run/user 461 (include whitelist-runuser-common.inc | 321 | whitelist run/user 539 (include whitelist-runuser-common.inc |
229 | or blacklist ${RUNUSER}) | 322 | or blacklist ${RUNUSER}) |
230 | whitelist usr/share 451 (include whitelist-usr-share-common.inc | 323 | whitelist usr/share 526 (include whitelist-usr-share-common.inc |
231 | net none 345 | 324 | net none 354 |
232 | dbus-user none 564 | 325 | dbus-user none 573 |
233 | dbus-user filter 85 | 326 | dbus-user filter 86 |
234 | dbus-system none 696 | 327 | dbus-system none 706 |
235 | dbus-system filter 7 | 328 | dbus-system filter 7 |
236 | ``` | 329 | ``` |
237 | 330 | ||
238 | ### New profiles: | 331 | ### New profiles: |
239 | 332 | ||
240 | vmware-view, display-im6.q16 | 333 | vmware-view, display-im6.q16, ipcalc, ipcalc-ng, ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop. |
334 | avidemux, calligragemini, vmware-player, vmware-workstation, gget \ No newline at end of file | ||
@@ -1,7 +1,21 @@ | |||
1 | firejail (0.9.65) baseline; urgency=low | 1 | firejail (0.9.65) baseline; urgency=low |
2 | * filtering environment variables | 2 | * filtering environment variables |
3 | * zsh completion | 3 | * zsh completion |
4 | * new profiles: vmware-view, display-im6.q16 | 4 | * command line: --mkdir, --mkfile |
5 | * --protocol now accumulates | ||
6 | * Jolla/SailfishOS patches | ||
7 | * private-lib rework | ||
8 | * jailtest utility for testing running sandboxes | ||
9 | * removed --audit options, relpaced by jailtest | ||
10 | * capabilities list update | ||
11 | * faccessat2 syscall support | ||
12 | * compile time: --enable-force-nonewprivs | ||
13 | * compile time: --disable-output | ||
14 | * compile time: --enable-lts | ||
15 | * new profiles: vmware-view, display-im6.q16, ipcalc, ipcalc-ng | ||
16 | * ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop, | ||
17 | * avidemux, calligragemini, vmware-player, vmware-workstation | ||
18 | * gget | ||
5 | -- netblue30 <netblue30@yahoo.com> Tue, 9 Feb 2021 09:00:00 -0500 | 19 | -- netblue30 <netblue30@yahoo.com> Tue, 9 Feb 2021 09:00:00 -0500 |
6 | 20 | ||
7 | firejail (0.9.64.4) baseline; urgency=low | 21 | firejail (0.9.64.4) baseline; urgency=low |
@@ -627,7 +627,8 @@ LIBOBJS | |||
627 | EGREP | 627 | EGREP |
628 | GREP | 628 | GREP |
629 | CPP | 629 | CPP |
630 | HAVE_SELINUX | 630 | HAVE_LTS |
631 | HAVE_FORCE_NONEWPRIVS | ||
631 | HAVE_CONTRIB_INSTALL | 632 | HAVE_CONTRIB_INSTALL |
632 | HAVE_GCOV | 633 | HAVE_GCOV |
633 | BUSYBOX_WORKAROUND | 634 | BUSYBOX_WORKAROUND |
@@ -645,10 +646,12 @@ HAVE_FIRETUNNEL | |||
645 | HAVE_GAWK | 646 | HAVE_GAWK |
646 | HAVE_MAN | 647 | HAVE_MAN |
647 | HAVE_USERTMPFS | 648 | HAVE_USERTMPFS |
649 | HAVE_OUTPUT | ||
648 | HAVE_OVERLAYFS | 650 | HAVE_OVERLAYFS |
649 | HAVE_DBUSPROXY | 651 | HAVE_DBUSPROXY |
650 | EXTRA_LDFLAGS | 652 | EXTRA_LDFLAGS |
651 | EXTRA_CFLAGS | 653 | EXTRA_CFLAGS |
654 | HAVE_SELINUX | ||
652 | HAVE_APPARMOR | 655 | HAVE_APPARMOR |
653 | AA_LIBS | 656 | AA_LIBS |
654 | AA_CFLAGS | 657 | AA_CFLAGS |
@@ -710,7 +713,9 @@ ac_user_opts=' | |||
710 | enable_option_checking | 713 | enable_option_checking |
711 | enable_analyzer | 714 | enable_analyzer |
712 | enable_apparmor | 715 | enable_apparmor |
716 | enable_selinux | ||
713 | enable_dbusproxy | 717 | enable_dbusproxy |
718 | enable_output | ||
714 | enable_usertmpfs | 719 | enable_usertmpfs |
715 | enable_man | 720 | enable_man |
716 | enable_firetunnel | 721 | enable_firetunnel |
@@ -727,7 +732,8 @@ enable_fatal_warnings | |||
727 | enable_busybox_workaround | 732 | enable_busybox_workaround |
728 | enable_gcov | 733 | enable_gcov |
729 | enable_contrib_install | 734 | enable_contrib_install |
730 | enable_selinux | 735 | enable_force_nonewprivs |
736 | enable_lts | ||
731 | ' | 737 | ' |
732 | ac_precious_vars='build_alias | 738 | ac_precious_vars='build_alias |
733 | host_alias | 739 | host_alias |
@@ -1365,7 +1371,9 @@ Optional Features: | |||
1365 | --enable-FEATURE[=ARG] include FEATURE [ARG=yes] | 1371 | --enable-FEATURE[=ARG] include FEATURE [ARG=yes] |
1366 | --enable-analyzer enable GCC 10 static analyzer | 1372 | --enable-analyzer enable GCC 10 static analyzer |
1367 | --enable-apparmor enable apparmor | 1373 | --enable-apparmor enable apparmor |
1374 | --enable-selinux SELinux labeling support | ||
1368 | --disable-dbusproxy disable dbus proxy | 1375 | --disable-dbusproxy disable dbus proxy |
1376 | --disable-output disable --output logging | ||
1369 | --disable-usertmpfs disable tmpfs as regular user | 1377 | --disable-usertmpfs disable tmpfs as regular user |
1370 | --disable-man disable man pages | 1378 | --disable-man disable man pages |
1371 | --disable-firetunnel disable firetunnel | 1379 | --disable-firetunnel disable firetunnel |
@@ -1385,7 +1393,9 @@ Optional Features: | |||
1385 | --enable-gcov Gcov instrumentation | 1393 | --enable-gcov Gcov instrumentation |
1386 | --enable-contrib-install | 1394 | --enable-contrib-install |
1387 | install contrib scripts | 1395 | install contrib scripts |
1388 | --enable-selinux SELinux labeling support | 1396 | --enable-force-nonewprivs |
1397 | enable force nonewprivs | ||
1398 | --enable-lts enable long-term support software version (LTS) | ||
1389 | 1399 | ||
1390 | Some influential environment variables: | 1400 | Some influential environment variables: |
1391 | CC C compiler command | 1401 | CC C compiler command |
@@ -3511,6 +3521,20 @@ fi | |||
3511 | 3521 | ||
3512 | fi | 3522 | fi |
3513 | 3523 | ||
3524 | HAVE_SELINUX="" | ||
3525 | # Check whether --enable-selinux was given. | ||
3526 | if test "${enable_selinux+set}" = set; then : | ||
3527 | enableval=$enable_selinux; | ||
3528 | fi | ||
3529 | |||
3530 | if test "x$enable_selinux" = "xyes"; then : | ||
3531 | |||
3532 | HAVE_SELINUX="-DHAVE_SELINUX" | ||
3533 | EXTRA_LDFLAGS+=" -lselinux " | ||
3534 | |||
3535 | |||
3536 | fi | ||
3537 | |||
3514 | 3538 | ||
3515 | 3539 | ||
3516 | 3540 | ||
@@ -3539,6 +3563,19 @@ HAVE_OVERLAYFS="" | |||
3539 | # AC_SUBST(HAVE_OVERLAYFS) | 3563 | # AC_SUBST(HAVE_OVERLAYFS) |
3540 | #]) | 3564 | #]) |
3541 | 3565 | ||
3566 | HAVE_OUTPUT="" | ||
3567 | # Check whether --enable-output was given. | ||
3568 | if test "${enable_output+set}" = set; then : | ||
3569 | enableval=$enable_output; | ||
3570 | fi | ||
3571 | |||
3572 | if test "x$enable_output" != "xno"; then : | ||
3573 | |||
3574 | HAVE_OUTPUT="-DHAVE_OUTPUT" | ||
3575 | |||
3576 | |||
3577 | fi | ||
3578 | |||
3542 | HAVE_USERTMPFS="" | 3579 | HAVE_USERTMPFS="" |
3543 | # Check whether --enable-usertmpfs was given. | 3580 | # Check whether --enable-usertmpfs was given. |
3544 | if test "${enable_usertmpfs+set}" = set; then : | 3581 | if test "${enable_usertmpfs+set}" = set; then : |
@@ -3792,20 +3829,80 @@ else | |||
3792 | fi | 3829 | fi |
3793 | 3830 | ||
3794 | 3831 | ||
3795 | HAVE_SELINUX="" | 3832 | HAVE_FORCE_NONEWPRIVS="" |
3796 | # Check whether --enable-selinux was given. | 3833 | # Check whether --enable-force-nonewprivs was given. |
3797 | if test "${enable_selinux+set}" = set; then : | 3834 | if test "${enable_force_nonewprivs+set}" = set; then : |
3798 | enableval=$enable_selinux; | 3835 | enableval=$enable_force_nonewprivs; |
3799 | fi | 3836 | fi |
3800 | 3837 | ||
3801 | if test "x$enable_selinux" = "xyes"; then : | 3838 | if test "x$enable_force_nonewprivs" = "xyes"; then : |
3802 | 3839 | ||
3803 | HAVE_SELINUX="-DHAVE_SELINUX" | 3840 | HAVE_FORCE_NONEWPRIVS="-DHAVE_FORCE_NONEWPRIVS" |
3804 | EXTRA_LDFLAGS+=" -lselinux " | ||
3805 | 3841 | ||
3806 | 3842 | ||
3807 | fi | 3843 | fi |
3808 | 3844 | ||
3845 | HAVE_LTS="" | ||
3846 | # Check whether --enable-lts was given. | ||
3847 | if test "${enable_lts+set}" = set; then : | ||
3848 | enableval=$enable_lts; | ||
3849 | fi | ||
3850 | |||
3851 | if test "x$enable_lts" = "xyes"; then : | ||
3852 | |||
3853 | HAVE_LTS="-DHAVE_LTS" | ||
3854 | |||
3855 | |||
3856 | HAVE_DBUSPROXY="" | ||
3857 | |||
3858 | |||
3859 | HAVE_OVERLAYFS="" | ||
3860 | |||
3861 | |||
3862 | HAVE_OUTPUT="" | ||
3863 | |||
3864 | |||
3865 | HAVE_USERTMPFS="" | ||
3866 | |||
3867 | |||
3868 | HAVE_MAN="-DHAVE_MAN" | ||
3869 | |||
3870 | |||
3871 | HAVE_FIRETUNNEL="" | ||
3872 | |||
3873 | |||
3874 | HAVE_PRIVATEHOME="" | ||
3875 | |||
3876 | |||
3877 | HAVE_CHROOT="" | ||
3878 | |||
3879 | |||
3880 | HAVE_GLOBALCFG="" | ||
3881 | |||
3882 | |||
3883 | HAVE_USERNS="" | ||
3884 | |||
3885 | |||
3886 | HAVE_X11="" | ||
3887 | |||
3888 | |||
3889 | HAVE_FILE_TRANSFER="" | ||
3890 | |||
3891 | |||
3892 | HAVE_SUID="yes" | ||
3893 | |||
3894 | |||
3895 | BUSYBOX_WORKAROUND="no" | ||
3896 | |||
3897 | |||
3898 | HAVE_CONTRIB_INSTALL="no", | ||
3899 | |||
3900 | |||
3901 | fi | ||
3902 | |||
3903 | |||
3904 | |||
3905 | |||
3809 | # checking pthread library | 3906 | # checking pthread library |
3810 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5 | 3907 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5 |
3811 | $as_echo_n "checking for main in -lpthread... " >&6; } | 3908 | $as_echo_n "checking for main in -lpthread... " >&6; } |
@@ -4269,7 +4366,7 @@ fi | |||
4269 | 4366 | ||
4270 | ac_config_files="$ac_config_files mkdeb.sh" | 4367 | ac_config_files="$ac_config_files mkdeb.sh" |
4271 | 4368 | ||
4272 | ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile" | 4369 | ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile src/jailtest/Makefile" |
4273 | 4370 | ||
4274 | cat >confcache <<\_ACEOF | 4371 | cat >confcache <<\_ACEOF |
4275 | # This file is a shell script that caches the results of configure | 4372 | # This file is a shell script that caches the results of configure |
@@ -4993,14 +5090,16 @@ do | |||
4993 | "src/fbuilder/Makefile") CONFIG_FILES="$CONFIG_FILES src/fbuilder/Makefile" ;; | 5090 | "src/fbuilder/Makefile") CONFIG_FILES="$CONFIG_FILES src/fbuilder/Makefile" ;; |
4994 | "src/fsec-print/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-print/Makefile" ;; | 5091 | "src/fsec-print/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-print/Makefile" ;; |
4995 | "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;; | 5092 | "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;; |
4996 | "src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;; | ||
4997 | "src/fseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/fseccomp/Makefile" ;; | 5093 | "src/fseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/fseccomp/Makefile" ;; |
4998 | "src/fldd/Makefile") CONFIG_FILES="$CONFIG_FILES src/fldd/Makefile" ;; | 5094 | "src/fldd/Makefile") CONFIG_FILES="$CONFIG_FILES src/fldd/Makefile" ;; |
4999 | "src/libpostexecseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpostexecseccomp/Makefile" ;; | 5095 | "src/libpostexecseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpostexecseccomp/Makefile" ;; |
5000 | "src/fsec-optimize/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-optimize/Makefile" ;; | 5096 | "src/fsec-optimize/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-optimize/Makefile" ;; |
5001 | "src/profstats/Makefile") CONFIG_FILES="$CONFIG_FILES src/profstats/Makefile" ;; | 5097 | "src/profstats/Makefile") CONFIG_FILES="$CONFIG_FILES src/profstats/Makefile" ;; |
5002 | "src/man/Makefile") CONFIG_FILES="$CONFIG_FILES src/man/Makefile" ;; | 5098 | "src/man/Makefile") CONFIG_FILES="$CONFIG_FILES src/man/Makefile" ;; |
5099 | "src/zsh_completion/Makefile") CONFIG_FILES="$CONFIG_FILES src/zsh_completion/Makefile" ;; | ||
5100 | "src/bash_completion/Makefile") CONFIG_FILES="$CONFIG_FILES src/bash_completion/Makefile" ;; | ||
5003 | "test/Makefile") CONFIG_FILES="$CONFIG_FILES test/Makefile" ;; | 5101 | "test/Makefile") CONFIG_FILES="$CONFIG_FILES test/Makefile" ;; |
5102 | "src/jailtest/Makefile") CONFIG_FILES="$CONFIG_FILES src/jailtest/Makefile" ;; | ||
5004 | 5103 | ||
5005 | *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; | 5104 | *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; |
5006 | esac | 5105 | esac |
@@ -5466,6 +5565,7 @@ echo "Configuration options:" | |||
5466 | echo " prefix: $prefix" | 5565 | echo " prefix: $prefix" |
5467 | echo " sysconfdir: $sysconfdir" | 5566 | echo " sysconfdir: $sysconfdir" |
5468 | echo " apparmor: $HAVE_APPARMOR" | 5567 | echo " apparmor: $HAVE_APPARMOR" |
5568 | echo " SELinux labeling support: $HAVE_SELINUX" | ||
5469 | echo " global config: $HAVE_GLOBALCFG" | 5569 | echo " global config: $HAVE_GLOBALCFG" |
5470 | echo " chroot: $HAVE_CHROOT" | 5570 | echo " chroot: $HAVE_CHROOT" |
5471 | echo " network: $HAVE_NETWORK" | 5571 | echo " network: $HAVE_NETWORK" |
@@ -5477,6 +5577,7 @@ echo " file transfer support: $HAVE_FILE_TRANSFER" | |||
5477 | echo " overlayfs support: $HAVE_OVERLAYFS" | 5577 | echo " overlayfs support: $HAVE_OVERLAYFS" |
5478 | echo " DBUS proxy support: $HAVE_DBUSPROXY" | 5578 | echo " DBUS proxy support: $HAVE_DBUSPROXY" |
5479 | echo " allow tmpfs as regular user: $HAVE_USERTMPFS" | 5579 | echo " allow tmpfs as regular user: $HAVE_USERTMPFS" |
5580 | echo " enable --ouput logging: $HAVE_OUTPUT" | ||
5480 | echo " Manpage support: $HAVE_MAN" | 5581 | echo " Manpage support: $HAVE_MAN" |
5481 | echo " firetunnel support: $HAVE_FIRETUNNEL" | 5582 | echo " firetunnel support: $HAVE_FIRETUNNEL" |
5482 | echo " busybox workaround: $BUSYBOX_WORKAROUND" | 5583 | echo " busybox workaround: $BUSYBOX_WORKAROUND" |
@@ -5486,6 +5587,20 @@ echo " EXTRA_CFLAGS: $EXTRA_CFLAGS" | |||
5486 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" | 5587 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" |
5487 | echo " Gcov instrumentation: $HAVE_GCOV" | 5588 | echo " Gcov instrumentation: $HAVE_GCOV" |
5488 | echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL" | 5589 | echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL" |
5489 | echo " SELinux labeling support: $HAVE_SELINUX" | ||
5490 | echo " Install as a SUID executable: $HAVE_SUID" | 5590 | echo " Install as a SUID executable: $HAVE_SUID" |
5591 | echo " LTS: $HAVE_LTS" | ||
5592 | echo " Always enforce filters: $HAVE_FORCE_NONEWPRIVS" | ||
5491 | echo | 5593 | echo |
5594 | |||
5595 | |||
5596 | if test "$HAVE_LTS" = -DHAVE_LTS; then | ||
5597 | echo | ||
5598 | echo | ||
5599 | echo "*********************************************************" | ||
5600 | echo "* Warning: Long-term support (LTS) was enabled! *" | ||
5601 | echo "* Most compile-time options have bean rewritten! *" | ||
5602 | echo "*********************************************************" | ||
5603 | echo | ||
5604 | echo | ||
5605 | fi | ||
5606 | |||
diff --git a/configure.ac b/configure.ac index aa2d0fb6b..e8bd6fb80 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -54,6 +54,15 @@ AS_IF([test "x$enable_apparmor" = "xyes"], [ | |||
54 | AC_SUBST(HAVE_APPARMOR) | 54 | AC_SUBST(HAVE_APPARMOR) |
55 | ]) | 55 | ]) |
56 | 56 | ||
57 | HAVE_SELINUX="" | ||
58 | AC_ARG_ENABLE([selinux], | ||
59 | AS_HELP_STRING([--enable-selinux], [SELinux labeling support])) | ||
60 | AS_IF([test "x$enable_selinux" = "xyes"], [ | ||
61 | HAVE_SELINUX="-DHAVE_SELINUX" | ||
62 | EXTRA_LDFLAGS+=" -lselinux " | ||
63 | AC_SUBST(HAVE_SELINUX) | ||
64 | ]) | ||
65 | |||
57 | AC_SUBST([EXTRA_CFLAGS]) | 66 | AC_SUBST([EXTRA_CFLAGS]) |
58 | AC_SUBST([EXTRA_LDFLAGS]) | 67 | AC_SUBST([EXTRA_LDFLAGS]) |
59 | 68 | ||
@@ -77,6 +86,14 @@ AC_SUBST(HAVE_OVERLAYFS) | |||
77 | # AC_SUBST(HAVE_OVERLAYFS) | 86 | # AC_SUBST(HAVE_OVERLAYFS) |
78 | #]) | 87 | #]) |
79 | 88 | ||
89 | HAVE_OUTPUT="" | ||
90 | AC_ARG_ENABLE([output], | ||
91 | AS_HELP_STRING([--disable-output], [disable --output logging])) | ||
92 | AS_IF([test "x$enable_output" != "xno"], [ | ||
93 | HAVE_OUTPUT="-DHAVE_OUTPUT" | ||
94 | AC_SUBST(HAVE_OUTPUT) | ||
95 | ]) | ||
96 | |||
80 | HAVE_USERTMPFS="" | 97 | HAVE_USERTMPFS="" |
81 | AC_ARG_ENABLE([usertmpfs], | 98 | AC_ARG_ENABLE([usertmpfs], |
82 | AS_HELP_STRING([--disable-usertmpfs], [disable tmpfs as regular user])) | 99 | AS_HELP_STRING([--disable-usertmpfs], [disable tmpfs as regular user])) |
@@ -211,15 +228,70 @@ AS_IF([test "x$enable_contrib_install" = "xno"], | |||
211 | ) | 228 | ) |
212 | AC_SUBST(HAVE_CONTRIB_INSTALL) | 229 | AC_SUBST(HAVE_CONTRIB_INSTALL) |
213 | 230 | ||
214 | HAVE_SELINUX="" | 231 | HAVE_FORCE_NONEWPRIVS="" |
215 | AC_ARG_ENABLE([selinux], | 232 | AC_ARG_ENABLE([force-nonewprivs], |
216 | AS_HELP_STRING([--enable-selinux], [SELinux labeling support])) | 233 | AS_HELP_STRING([--enable-force-nonewprivs], [enable force nonewprivs])) |
217 | AS_IF([test "x$enable_selinux" = "xyes"], [ | 234 | AS_IF([test "x$enable_force_nonewprivs" = "xyes"], [ |
218 | HAVE_SELINUX="-DHAVE_SELINUX" | 235 | HAVE_FORCE_NONEWPRIVS="-DHAVE_FORCE_NONEWPRIVS" |
219 | EXTRA_LDFLAGS+=" -lselinux " | 236 | AC_SUBST(HAVE_FORCE_NONEWPRIVS) |
220 | AC_SUBST(HAVE_SELINUX) | 237 | ]) |
238 | |||
239 | HAVE_LTS="" | ||
240 | AC_ARG_ENABLE([lts], | ||
241 | AS_HELP_STRING([--enable-lts], [enable long-term support software version (LTS)])) | ||
242 | AS_IF([test "x$enable_lts" = "xyes"], [ | ||
243 | HAVE_LTS="-DHAVE_LTS" | ||
244 | AC_SUBST(HAVE_LTS) | ||
245 | |||
246 | HAVE_DBUSPROXY="" | ||
247 | AC_SUBST(HAVE_DBUSPROXY) | ||
248 | |||
249 | HAVE_OVERLAYFS="" | ||
250 | AC_SUBST(HAVE_OVERLAYFS) | ||
251 | |||
252 | HAVE_OUTPUT="" | ||
253 | AC_SUBST(HAVE_OUTPUT) | ||
254 | |||
255 | HAVE_USERTMPFS="" | ||
256 | AC_SUBST(HAVE_USERTMPFS) | ||
257 | |||
258 | HAVE_MAN="-DHAVE_MAN" | ||
259 | AC_SUBST(HAVE_MAN) | ||
260 | |||
261 | HAVE_FIRETUNNEL="" | ||
262 | AC_SUBST(HAVE_FIRETUNNEL) | ||
263 | |||
264 | HAVE_PRIVATEHOME="" | ||
265 | AC_SUBST(HAVE_PRIVATE_HOME) | ||
266 | |||
267 | HAVE_CHROOT="" | ||
268 | AC_SUBST(HAVE_CHROOT) | ||
269 | |||
270 | HAVE_GLOBALCFG="" | ||
271 | AC_SUBST(HAVE_GLOBALCFG) | ||
272 | |||
273 | HAVE_USERNS="" | ||
274 | AC_SUBST(HAVE_USERNS) | ||
275 | |||
276 | HAVE_X11="" | ||
277 | AC_SUBST(HAVE_X11) | ||
278 | |||
279 | HAVE_FILE_TRANSFER="" | ||
280 | AC_SUBST(HAVE_FILE_TRANSFER) | ||
281 | |||
282 | HAVE_SUID="yes" | ||
283 | AC_SUBST(HAVE_SUID) | ||
284 | |||
285 | BUSYBOX_WORKAROUND="no" | ||
286 | AC_SUBST(BUSYBOX_WORKAROUND) | ||
287 | |||
288 | HAVE_CONTRIB_INSTALL="no", | ||
289 | AC_SUBST(HAVE_CONTRIB_INSTALL) | ||
221 | ]) | 290 | ]) |
222 | 291 | ||
292 | |||
293 | |||
294 | |||
223 | # checking pthread library | 295 | # checking pthread library |
224 | AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***])) | 296 | AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***])) |
225 | AC_CHECK_HEADER(pthread.h,,AC_MSG_ERROR([*** POSIX thread support not installed ***])) | 297 | AC_CHECK_HEADER(pthread.h,,AC_MSG_ERROR([*** POSIX thread support not installed ***])) |
@@ -233,14 +305,16 @@ fi | |||
233 | AC_CONFIG_FILES([mkdeb.sh], [chmod +x mkdeb.sh]) | 305 | AC_CONFIG_FILES([mkdeb.sh], [chmod +x mkdeb.sh]) |
234 | AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \ | 306 | AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \ |
235 | src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \ | 307 | src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \ |
236 | src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \ | 308 | src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \ |
237 | src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile) | 309 | src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile \ |
310 | src/jailtest/Makefile) | ||
238 | 311 | ||
239 | echo | 312 | echo |
240 | echo "Configuration options:" | 313 | echo "Configuration options:" |
241 | echo " prefix: $prefix" | 314 | echo " prefix: $prefix" |
242 | echo " sysconfdir: $sysconfdir" | 315 | echo " sysconfdir: $sysconfdir" |
243 | echo " apparmor: $HAVE_APPARMOR" | 316 | echo " apparmor: $HAVE_APPARMOR" |
317 | echo " SELinux labeling support: $HAVE_SELINUX" | ||
244 | echo " global config: $HAVE_GLOBALCFG" | 318 | echo " global config: $HAVE_GLOBALCFG" |
245 | echo " chroot: $HAVE_CHROOT" | 319 | echo " chroot: $HAVE_CHROOT" |
246 | echo " network: $HAVE_NETWORK" | 320 | echo " network: $HAVE_NETWORK" |
@@ -252,6 +326,7 @@ echo " file transfer support: $HAVE_FILE_TRANSFER" | |||
252 | echo " overlayfs support: $HAVE_OVERLAYFS" | 326 | echo " overlayfs support: $HAVE_OVERLAYFS" |
253 | echo " DBUS proxy support: $HAVE_DBUSPROXY" | 327 | echo " DBUS proxy support: $HAVE_DBUSPROXY" |
254 | echo " allow tmpfs as regular user: $HAVE_USERTMPFS" | 328 | echo " allow tmpfs as regular user: $HAVE_USERTMPFS" |
329 | echo " enable --ouput logging: $HAVE_OUTPUT" | ||
255 | echo " Manpage support: $HAVE_MAN" | 330 | echo " Manpage support: $HAVE_MAN" |
256 | echo " firetunnel support: $HAVE_FIRETUNNEL" | 331 | echo " firetunnel support: $HAVE_FIRETUNNEL" |
257 | echo " busybox workaround: $BUSYBOX_WORKAROUND" | 332 | echo " busybox workaround: $BUSYBOX_WORKAROUND" |
@@ -261,6 +336,20 @@ echo " EXTRA_CFLAGS: $EXTRA_CFLAGS" | |||
261 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" | 336 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" |
262 | echo " Gcov instrumentation: $HAVE_GCOV" | 337 | echo " Gcov instrumentation: $HAVE_GCOV" |
263 | echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL" | 338 | echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL" |
264 | echo " SELinux labeling support: $HAVE_SELINUX" | ||
265 | echo " Install as a SUID executable: $HAVE_SUID" | 339 | echo " Install as a SUID executable: $HAVE_SUID" |
340 | echo " LTS: $HAVE_LTS" | ||
341 | echo " Always enforce filters: $HAVE_FORCE_NONEWPRIVS" | ||
266 | echo | 342 | echo |
343 | |||
344 | |||
345 | if test "$HAVE_LTS" = -DHAVE_LTS; then | ||
346 | echo | ||
347 | echo | ||
348 | echo "*********************************************************" | ||
349 | echo "* Warning: Long-term support (LTS) was enabled! *" | ||
350 | echo "* Most compile-time options have bean rewritten! *" | ||
351 | echo "*********************************************************" | ||
352 | echo | ||
353 | echo | ||
354 | fi | ||
355 | |||
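Review bot: In the `--enable-lts` block the private-home override assigns `HAVE_PRIVATEHOME=""` but then substitutes `HAVE_PRIVATE_HOME`, so the substituted variable is never cleared there. If the earlier option block (outside this hunk) sets `HAVE_PRIVATE_HOME`, an LTS build may keep the private-home code compiled in; the assignment should read `HAVE_PRIVATE_HOME=""`. The last override, `HAVE_CONTRIB_INSTALL="no",`, has a trailing comma that the shell stores as part of the value (the generated configure carries the same text), and `HAVE_CONTRIB_INSTALL="no"` is what is meant. The block also forces `HAVE_SUID="yes"`, which silently overrides a build that asked for a non-SUID install, so a comment stating that this is intended would help packagers. The new summary strings contain typos (`--ouput`, `have bean rewritten`).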
diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default index ec87f1d2d..80d527e41 100644 --- a/etc/apparmor/firejail-default +++ b/etc/apparmor/firejail-default | |||
@@ -126,40 +126,14 @@ signal (receive), | |||
126 | # We let Firejail deal with capabilities, but ensure that | 126 | # We let Firejail deal with capabilities, but ensure that |
127 | # some AppArmor related capabilities will not be available. | 127 | # some AppArmor related capabilities will not be available. |
128 | ########## | 128 | ########## |
129 | capability chown, | 129 | # The list of recognized capabilities varies from one apparmor version to another. |
130 | capability dac_override, | 130 | # For example on Debian 10 (apparmor 2.13.2) checkpoint_restore, perfmon, bpf are not available |
131 | capability dac_read_search, | 131 | # We allow all caps by default and remove the ones we don't like: |
132 | capability fowner, | 132 | capability, |
133 | capability fsetid, | 133 | deny capability audit_write, |
134 | capability kill, | 134 | deny capability audit_control, |
135 | capability setgid, | 135 | deny capability mac_override, |
136 | capability setuid, | 136 | deny capability mac_admin, |
137 | capability setpcap, | ||
138 | capability linux_immutable, | ||
139 | capability net_bind_service, | ||
140 | capability net_broadcast, | ||
141 | capability net_admin, | ||
142 | capability net_raw, | ||
143 | capability ipc_lock, | ||
144 | capability ipc_owner, | ||
145 | capability sys_module, | ||
146 | capability sys_rawio, | ||
147 | capability sys_chroot, | ||
148 | capability sys_ptrace, | ||
149 | capability sys_pacct, | ||
150 | capability sys_admin, | ||
151 | capability sys_boot, | ||
152 | capability sys_nice, | ||
153 | capability sys_resource, | ||
154 | capability sys_time, | ||
155 | capability sys_tty_config, | ||
156 | capability mknod, | ||
157 | capability lease, | ||
158 | #capability audit_write, | ||
159 | #capability audit_control, | ||
160 | capability setfcap, | ||
161 | #capability mac_override, | ||
162 | #capability mac_admin, | ||
163 | 137 | ||
164 | # Site-specific additions and overrides. See local/README for details. | 138 | # Site-specific additions and overrides. See local/README for details. |
165 | #include <local/firejail-default> | 139 | #include <local/firejail-default> |
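Review bot: The bare `capability,` rule at new line 132 turns this section from an allow-list into a deny-list. Any capability the kernel and parser learn about later (the comment itself names checkpoint_restore, perfmon and bpf) is then granted to confined processes without review. The old list left audit_write, audit_control, mac_override and mac_admin merely unlisted; they are now explicit `deny` rules, which AppArmor enforces without logging and which an allow rule in the `local/firejail-default` include below cannot override. If rejected attempts should stay visible to monitoring, `audit deny capability mac_admin,` (and likewise for the other three) keeps them in the audit log. I would also extend the comment to say that newly introduced capabilities are allowed by default and must be added to the deny list when they matter.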
diff --git a/etc/inc/chromium-common-hardened.inc b/etc/inc/chromium-common-hardened.inc deleted file mode 100644 index f33ce3115..000000000 --- a/etc/inc/chromium-common-hardened.inc +++ /dev/null | |||
@@ -1,5 +0,0 @@ | |||
1 | caps.drop all | ||
2 | nonewprivs | ||
3 | noroot | ||
4 | protocol unix,inet,inet6,netlink | ||
5 | seccomp !chroot | ||
diff --git a/etc/inc/feh-network.inc b/etc/inc/feh-network.inc deleted file mode 100644 index e94e7205c..000000000 --- a/etc/inc/feh-network.inc +++ /dev/null | |||
@@ -1,4 +0,0 @@ | |||
1 | ignore net none | ||
2 | netfilter | ||
3 | protocol unix,inet,inet6 | ||
4 | private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl | ||
diff --git a/etc/profile-a-l/7z.profile b/etc/profile-a-l/7z.profile index b2294c070..0d31255ad 100644 --- a/etc/profile-a-l/7z.profile +++ b/etc/profile-a-l/7z.profile | |||
@@ -7,8 +7,8 @@ include 7z.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | # Included in archiver-common.inc | 10 | # Included in archiver-common.profile |
11 | ignore include disable-shell.inc | 11 | ignore include disable-shell.inc |
12 | 12 | ||
13 | # Redirect | 13 | # Redirect |
14 | include archiver-common.inc | 14 | include archiver-common.profile |
diff --git a/etc/profile-a-l/android-studio.profile b/etc/profile-a-l/android-studio.profile index 2cdd3a90c..5a21744cf 100644 --- a/etc/profile-a-l/android-studio.profile +++ b/etc/profile-a-l/android-studio.profile | |||
@@ -5,6 +5,7 @@ include android-studio.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | noblacklist ${HOME}/.config/Google | ||
8 | noblacklist ${HOME}/.AndroidStudio* | 9 | noblacklist ${HOME}/.AndroidStudio* |
9 | noblacklist ${HOME}/.android | 10 | noblacklist ${HOME}/.android |
10 | noblacklist ${HOME}/.jack-server | 11 | noblacklist ${HOME}/.jack-server |
diff --git a/etc/profile-a-l/ar.profile b/etc/profile-a-l/ar.profile index f99934e66..5a20a8181 100644 --- a/etc/profile-a-l/ar.profile +++ b/etc/profile-a-l/ar.profile | |||
@@ -8,4 +8,4 @@ include ar.local | |||
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | # Redirect | 10 | # Redirect |
11 | include archiver-common.inc | 11 | include archiver-common.profile |
diff --git a/etc/inc/archiver-common.inc b/etc/profile-a-l/archiver-common.profile index 74b0b6ef6..74b0b6ef6 100644 --- a/etc/inc/archiver-common.inc +++ b/etc/profile-a-l/archiver-common.profile | |||
diff --git a/etc/profile-a-l/atool.profile b/etc/profile-a-l/atool.profile index 6e0ecb012..e377de2c8 100644 --- a/etc/profile-a-l/atool.profile +++ b/etc/profile-a-l/atool.profile | |||
@@ -17,4 +17,4 @@ private-etc alternatives,group,login.defs,passwd | |||
17 | private-tmp | 17 | private-tmp |
18 | 18 | ||
19 | # Redirect | 19 | # Redirect |
20 | include archiver-common.inc | 20 | include archiver-common.profile |
diff --git a/etc/profile-a-l/bsdtar.profile b/etc/profile-a-l/bsdtar.profile index fb4f643c8..d731a6a6e 100644 --- a/etc/profile-a-l/bsdtar.profile +++ b/etc/profile-a-l/bsdtar.profile | |||
@@ -9,4 +9,4 @@ include globals.local | |||
9 | private-etc alternatives,group,localtime,passwd | 9 | private-etc alternatives,group,localtime,passwd |
10 | 10 | ||
11 | # Redirect | 11 | # Redirect |
12 | include archiver-common.inc | 12 | include archiver-common.profile |
diff --git a/etc/profile-a-l/chromium-browser-privacy.profile b/etc/profile-a-l/chromium-browser-privacy.profile index 09eaa2d12..0283a6934 100644 --- a/etc/profile-a-l/chromium-browser-privacy.profile +++ b/etc/profile-a-l/chromium-browser-privacy.profile | |||
@@ -11,7 +11,7 @@ mkdir ${HOME}/.config/ungoogled-chromium | |||
11 | whitelist ${HOME}/.cache/ungoogled-chromium | 11 | whitelist ${HOME}/.cache/ungoogled-chromium |
12 | whitelist ${HOME}/.config/ungoogled-chromium | 12 | whitelist ${HOME}/.config/ungoogled-chromium |
13 | 13 | ||
14 | # private-bin basename,bash,chromium-browser-privacy,dirname,mkdir,readlink,sed,touch,which,xdg-settings | 14 | # private-bin basename,bash,cat,chromium-browser-privacy,dirname,mkdir,readlink,sed,touch,which,xdg-settings |
15 | 15 | ||
16 | # Redirect | 16 | # Redirect |
17 | include chromium.profile | 17 | include chromium.profile |
diff --git a/etc/profile-a-l/chromium-common-hardened.profile b/etc/profile-a-l/chromium-common-hardened.profile new file mode 100644 index 000000000..d756eec50 --- /dev/null +++ b/etc/profile-a-l/chromium-common-hardened.profile | |||
@@ -0,0 +1,9 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include chromium-common-hardened.local | ||
4 | |||
5 | caps.drop all | ||
6 | nonewprivs | ||
7 | noroot | ||
8 | protocol unix,inet,inet6,netlink | ||
9 | seccomp !chroot | ||
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile index 1afb2c6e1..b81b1cb36 100644 --- a/etc/profile-a-l/chromium-common.profile +++ b/etc/profile-a-l/chromium-common.profile | |||
@@ -32,7 +32,7 @@ include whitelist-var-common.inc | |||
32 | 32 | ||
33 | # Uncomment the next line (or add it to your chromium-common.local) | 33 | # Uncomment the next line (or add it to your chromium-common.local) |
34 | # if your kernel allows unprivileged userns clone. | 34 | # if your kernel allows unprivileged userns clone. |
35 | #include chromium-common-hardened.inc | 35 | #include chromium-common-hardened.profile |
36 | 36 | ||
37 | # Uncomment or put in your chromium-common.local to allow screen sharing under | 37 | # Uncomment or put in your chromium-common.local to allow screen sharing under |
38 | # wayland. | 38 | # wayland. |
diff --git a/etc/profile-a-l/cpio.profile b/etc/profile-a-l/cpio.profile index 0e0299655..bdc4f21a6 100644 --- a/etc/profile-a-l/cpio.profile +++ b/etc/profile-a-l/cpio.profile | |||
@@ -11,4 +11,4 @@ noblacklist /sbin | |||
11 | noblacklist /usr/sbin | 11 | noblacklist /usr/sbin |
12 | 12 | ||
13 | # Redirect | 13 | # Redirect |
14 | include archiver-common.inc | 14 | include archiver-common.profile |
diff --git a/etc/profile-a-l/dosbox.profile b/etc/profile-a-l/dosbox.profile index 11b9a4f42..b9ef5d49d 100644 --- a/etc/profile-a-l/dosbox.profile +++ b/etc/profile-a-l/dosbox.profile | |||
@@ -11,14 +11,17 @@ noblacklist ${DOCUMENTS} | |||
11 | 11 | ||
12 | include disable-common.inc | 12 | include disable-common.inc |
13 | include disable-devel.inc | 13 | include disable-devel.inc |
14 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
15 | include disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
16 | include disable-programs.inc | 17 | include disable-programs.inc |
17 | include disable-shell.inc | 18 | include disable-shell.inc |
18 | include disable-xdg.inc | 19 | include disable-xdg.inc |
19 | 20 | ||
21 | include whitelist-usr-share-common.inc | ||
20 | include whitelist-var-common.inc | 22 | include whitelist-var-common.inc |
21 | 23 | ||
24 | apparmor | ||
22 | caps.drop all | 25 | caps.drop all |
23 | netfilter | 26 | netfilter |
24 | nodvd | 27 | nodvd |
@@ -36,3 +39,6 @@ tracelog | |||
36 | private-bin dosbox | 39 | private-bin dosbox |
37 | private-dev | 40 | private-dev |
38 | private-tmp | 41 | private-tmp |
42 | |||
43 | dbus-user none | ||
44 | dbus-system none | ||
diff --git a/etc/profile-a-l/ebook-convert.profile b/etc/profile-a-l/ebook-convert.profile new file mode 100644 index 000000000..988ba90fc --- /dev/null +++ b/etc/profile-a-l/ebook-convert.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile alias for calibre | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include ebook-convert.local | ||
5 | |||
6 | net none | ||
7 | dbus-user none | ||
8 | dbus-system none | ||
9 | |||
10 | # Redirect | ||
11 | include calibre.profile | ||
diff --git a/etc/profile-a-l/ebook-edit.profile b/etc/profile-a-l/ebook-edit.profile new file mode 100644 index 000000000..3b5fee0a8 --- /dev/null +++ b/etc/profile-a-l/ebook-edit.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile alias for calibre | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include ebook-edit.local | ||
5 | |||
6 | net none | ||
7 | dbus-user none | ||
8 | dbus-system none | ||
9 | |||
10 | # Redirect | ||
11 | include calibre.profile | ||
diff --git a/etc/profile-a-l/ebook-meta.profile b/etc/profile-a-l/ebook-meta.profile new file mode 100644 index 000000000..594a8e241 --- /dev/null +++ b/etc/profile-a-l/ebook-meta.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile alias for calibre | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include ebook-meta.local | ||
5 | |||
6 | net none | ||
7 | dbus-user none | ||
8 | dbus-system none | ||
9 | |||
10 | # Redirect | ||
11 | include calibre.profile | ||
diff --git a/etc/profile-a-l/ebook-polish.profile b/etc/profile-a-l/ebook-polish.profile new file mode 100644 index 000000000..ad94e32a2 --- /dev/null +++ b/etc/profile-a-l/ebook-polish.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile alias for calibre | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include ebook-polish.local | ||
5 | |||
6 | net none | ||
7 | dbus-user none | ||
8 | dbus-system none | ||
9 | |||
10 | # Redirect | ||
11 | include calibre.profile | ||
diff --git a/etc/profile-a-l/electron.profile b/etc/profile-a-l/electron.profile index d3be07c9d..691616393 100644 --- a/etc/profile-a-l/electron.profile +++ b/etc/profile-a-l/electron.profile | |||
@@ -20,7 +20,7 @@ include whitelist-var-common.inc | |||
20 | 20 | ||
21 | # Uncomment the next line (or add it to your chromium-common.local) | 21 | # Uncomment the next line (or add it to your chromium-common.local) |
22 | # if your kernel allows unprivileged userns clone. | 22 | # if your kernel allows unprivileged userns clone. |
23 | #include chromium-common-hardened.inc | 23 | #include chromium-common-hardened.profile |
24 | 24 | ||
25 | apparmor | 25 | apparmor |
26 | caps.keep sys_admin,sys_chroot | 26 | caps.keep sys_admin,sys_chroot |
diff --git a/etc/profile-a-l/feh-network.profile b/etc/profile-a-l/feh-network.profile new file mode 100644 index 000000000..f35facd64 --- /dev/null +++ b/etc/profile-a-l/feh-network.profile | |||
@@ -0,0 +1,8 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include feh-network.local | ||
4 | |||
5 | ignore net none | ||
6 | netfilter | ||
7 | protocol unix,inet,inet6 | ||
8 | private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl | ||
diff --git a/etc/profile-a-l/feh.profile b/etc/profile-a-l/feh.profile index 8ac7755de..6d6287f7f 100644 --- a/etc/profile-a-l/feh.profile +++ b/etc/profile-a-l/feh.profile | |||
@@ -18,7 +18,7 @@ include disable-shell.inc | |||
18 | # This profile disables network access | 18 | # This profile disables network access |
19 | # In order to enable network access, | 19 | # In order to enable network access, |
20 | # uncomment the following or put it in your feh.local: | 20 | # uncomment the following or put it in your feh.local: |
21 | # include feh-network.inc | 21 | # include feh-network.profile |
22 | 22 | ||
23 | caps.drop all | 23 | caps.drop all |
24 | net none | 24 | net none |
diff --git a/etc/inc/firefox-common-addons.inc b/etc/profile-a-l/firefox-common-addons.profile index ca7731442..ca7731442 100644 --- a/etc/inc/firefox-common-addons.inc +++ b/etc/profile-a-l/firefox-common-addons.profile | |||
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile index fe0a27828..a955722c8 100644 --- a/etc/profile-a-l/firefox-common.profile +++ b/etc/profile-a-l/firefox-common.profile | |||
@@ -10,7 +10,7 @@ include firefox-common.local | |||
10 | ?BROWSER_ALLOW_DRM: ignore noexec ${HOME} | 10 | ?BROWSER_ALLOW_DRM: ignore noexec ${HOME} |
11 | 11 | ||
12 | # Uncomment the following line (or put it in your firefox-common.local) to allow access to common programs/addons/plugins. | 12 | # Uncomment the following line (or put it in your firefox-common.local) to allow access to common programs/addons/plugins. |
13 | #include firefox-common-addons.inc | 13 | #include firefox-common-addons.profile |
14 | 14 | ||
15 | noblacklist ${HOME}/.pki | 15 | noblacklist ${HOME}/.pki |
16 | noblacklist ${HOME}/.local/share/pki | 16 | noblacklist ${HOME}/.local/share/pki |
diff --git a/etc/profile-a-l/gget.profile b/etc/profile-a-l/gget.profile new file mode 100644 index 000000000..828d638ed --- /dev/null +++ b/etc/profile-a-l/gget.profile | |||
@@ -0,0 +1,59 @@ | |||
1 | # Firejail profile for gget | ||
2 | # Description: a cli. to get things. from git repos | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include gget.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | blacklist /tmp/.X11-unix | ||
11 | blacklist ${RUNUSER} | ||
12 | |||
13 | include disable-common.inc | ||
14 | include disable-devel.inc | ||
15 | include disable-exec.inc | ||
16 | include disable-interpreters.inc | ||
17 | include disable-passwdmgr.inc | ||
18 | include disable-programs.inc | ||
19 | include disable-shell.inc | ||
20 | include disable-xdg.inc | ||
21 | |||
22 | whitelist ${DOWNLOADS} | ||
23 | include whitelist-common.inc | ||
24 | include whitelist-runuser-common.inc | ||
25 | include whitelist-usr-share-common.inc | ||
26 | include whitelist-var-common.inc | ||
27 | |||
28 | apparmor | ||
29 | caps.drop all | ||
30 | ipc-namespace | ||
31 | machine-id | ||
32 | netfilter | ||
33 | no3d | ||
34 | nodvd | ||
35 | nogroups | ||
36 | nonewprivs | ||
37 | noroot | ||
38 | nosound | ||
39 | notv | ||
40 | nou2f | ||
41 | novideo | ||
42 | protocol inet,inet6 | ||
43 | seccomp | ||
44 | seccomp.block-secondary | ||
45 | shell none | ||
46 | tracelog | ||
47 | |||
48 | disable-mnt | ||
49 | private-bin gget | ||
50 | private-cache | ||
51 | private-dev | ||
52 | private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl | ||
53 | private-lib | ||
54 | private-tmp | ||
55 | |||
56 | dbus-user none | ||
57 | dbus-system none | ||
58 | |||
59 | memory-deny-write-execute | ||
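Review bot: `blacklist ${RUNUSER}` at line 11 and `include whitelist-runuser-common.inc` at line 24 work against each other. Once the whole runtime directory is blacklisted, the entries the include whitelists are presumably unreachable anyway. For a command-line tool that already sets `dbus-user none` the blacklist alone looks sufficient, so I would drop the include line. If both are kept on purpose, a one-line comment saying why would help the next person editing the profile.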
diff --git a/etc/profile-a-l/gzip.profile b/etc/profile-a-l/gzip.profile index 035c6459c..b261c16f4 100644 --- a/etc/profile-a-l/gzip.profile +++ b/etc/profile-a-l/gzip.profile | |||
@@ -12,4 +12,4 @@ include globals.local | |||
12 | noblacklist /var/lib/pacman | 12 | noblacklist /var/lib/pacman |
13 | 13 | ||
14 | # Redirect | 14 | # Redirect |
15 | include archiver-common.inc | 15 | include archiver-common.profile |
diff --git a/etc/profile-a-l/ipcalc-ng.profile b/etc/profile-a-l/ipcalc-ng.profile new file mode 100644 index 000000000..3ad0f3a4f --- /dev/null +++ b/etc/profile-a-l/ipcalc-ng.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile ipcalc-ng | ||
2 | # This file is overwritten after every install/update | ||
3 | quiet | ||
4 | # Persistent local customizations | ||
5 | include ipcalc-ng.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include ipcalc.profile | ||
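--- /dev/null
+++ b/etc/profile-a-l/ipcalc.profile
@@ -0,0 +1,62 @@
+# Firejail profile for ipcalc
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ipcalc.local
+# Persistent global definitions
+include globals.local
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+# include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+# include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+# machine-id
+net none
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+# protocol unix
+seccomp
+shell none
+# tracelog
+
+disable-mnt
+private
+private-bin bash,ipcalc,ipcalc-ng,perl,sh
+# private-cache
+private-dev
+# empty etc directory
+private-etc none
+private-lib
+private-opt none
+private-tmp
+
+dbus-user none
+dbus-system none
+
+# memory-deny-write-execute
+# read-only ${HOME}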
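Review bot: Several hardening options in this new profile are left commented out (`# include disable-shell.inc`, `# machine-id`, `# protocol unix`, `# tracelog`, `# memory-deny-write-execute`) with no reason given, so a reader cannot tell which ones break ipcalc and which were never tried. Since `private-bin` keeps `bash`, `sh` and `perl`, the shell include is presumably off on purpose; if so, a comment such as `# disable-shell.inc omitted: ipcalc runs sh/bash (see private-bin)` would record that. With `net none` already set, an active `protocol` line would further limit which socket families can be created and is worth testing before the profile ships.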
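--- /dev/null
+++ b/etc/profile-a-l/lzop.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lzop
+# Description: File compressor using lzo lib
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lzop.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile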
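--- a/etc/profile-m-z/man.profile
+++ b/etc/profile-m-z/man.profile
@@ -29,6 +29,7 @@ whitelist /usr/share/locale
 whitelist /usr/share/man
 whitelist /var/cache/man
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -53,7 +54,7 @@ tracelog
 x11 none
 
 disable-mnt
-private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim
+#private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim
 private-cache
 private-dev
 private-etc alternatives,fonts,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg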
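Review bot: The second hunk comments out the whole `private-bin` line, so the sandbox goes from a fixed list of binaries to every executable the remaining filesystem rules leave visible, and nothing in the hunk says why. If one missing helper was the problem, adding that name to the list keeps the restriction in place. If the list really cannot be maintained, a comment directly above it, e.g. `# private-bin disabled: <reason / issue reference>`, would show the change was deliberate. Both hunks start and end inside the profile, so I cannot see whether a later line compensates.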
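--- a/etc/profile-m-z/marker.profile
+++ b/etc/profile-m-z/marker.profile
@@ -12,6 +12,7 @@ include globals.local
 #private-etc ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf
 
 noblacklist ${HOME}/.cache/marker
+noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc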
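--- a/etc/profile-m-z/mate-color-select.profile
+++ b/etc/profile-m-z/mate-color-select.profile
@@ -15,6 +15,7 @@ include disable-shell.inc
 
 include whitelist-common.inc
 
+apparmor
 caps.drop all
 netfilter
 no3d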
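--- a/etc/profile-m-z/patch.profile
+++ b/etc/profile-m-z/patch.profile
@@ -43,7 +43,7 @@ x11 none
 
 private-bin patch,red
 private-dev
-private-lib libfakeroot
+private-lib libdl.so.*,libfakeroot
 
 dbus-user none
 dbus-system none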
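--- /dev/null
+++ b/etc/profile-m-z/rtv-addons.profile
@@ -0,0 +1,23 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include rtv-addons.local
+# You can configure rtv to open different type of links
+# in external applications. Configuration here:
+# https://github.com/michael-lazar/rtv#viewing-media-links
+# This include is meant to facilitate that configuration
+# with the use of a .local file.
+
+ignore nosound
+ignore private-bin
+ignore dbus-user none
+
+noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.mailcap
+noblacklist ${HOME}/.netrc
+noblacklist ${HOME}/.w3m
+
+whitelist ${HOME}/.cache/youtube-dl/youtube-sigfuncs
+whitelist ${HOME}/.config/mpv
+whitelist ${HOME}/.mailcap
+whitelist ${HOME}/.netrc
+whitelist ${HOME}/.w3m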
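Review bot: The `noblacklist ${HOME}/.netrc` and `whitelist ${HOME}/.netrc` entries expose a file that normally holds login credentials in plain text, in the same include that lifts `private-bin` and `dbus-user none` so that external viewers can run. Only users whose media helper actually reads credentials from there need it, so I would ship those two lines commented out with a note such as `# Uncomment only if your media helper needs credentials from ~/.netrc`. The header comment could also state that programs started from rtv run inside the same sandbox and therefore see everything this file whitelists.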
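--- a/etc/profile-m-z/rtv.profile
+++ b/etc/profile-m-z/rtv.profile
@@ -16,6 +16,11 @@ noblacklist ${HOME}/.local/share/rtv
 include allow-python2.inc
 include allow-python3.inc
 
+# You can configure rtv to open different type of links
+# in external applications. Configuration here:
+# https://github.com/michael-lazar/rtv#viewing-media-links
+# Uncomment or put in rtv.local for external application support
+#include rtv-addons.profile
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc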
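--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -6,7 +6,6 @@ include signal-desktop.local
 include globals.local
 
 # Disabled until someone reported positive feedback
-ignore include-xdg.inc
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 ignore private-cache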
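--- a/etc/profile-m-z/skypeforlinux.profile
+++ b/etc/profile-m-z/skypeforlinux.profile
@@ -18,6 +18,7 @@ ignore dbus-user none
 ignore dbus-system none
 
 # breaks Skype
+ignore apparmor
 ignore noexec /tmp
 
 noblacklist ${HOME}/.config/skypeforlinux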
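--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -24,6 +24,7 @@ whitelist ${RUNUSER}/keyring/ssh
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 netfilter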
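--- a/etc/profile-m-z/tar.profile
+++ b/etc/profile-m-z/tar.profile
@@ -7,7 +7,7 @@ include tar.local
 # Persistent global definitions
 include globals.local
 
-# Included in archiver-common.inc
+# Included in archiver-common.profile
 ignore include disable-shell.inc
 
 # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop
@@ -20,4 +20,4 @@ private-etc alternatives,group,localtime,login.defs,passwd
 writable-var
 
 # Redirect
-include archiver-common.inc
+include archiver-common.profile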
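--- a/etc/profile-m-z/torbrowser-launcher.profile
+++ b/etc/profile-m-z/torbrowser-launcher.profile
@@ -15,6 +15,9 @@ noblacklist ${HOME}/.local/share/torbrowser
 include allow-python2.inc
 include allow-python3.inc
 
+blacklist /opt
+blacklist /srv
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -28,8 +31,11 @@ mkdir ${HOME}/.local/share/torbrowser
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/torbrowser
 whitelist ${HOME}/.local/share/torbrowser
+whitelist /usr/share/torbrowser-launcher
 include whitelist-common.inc
 include whitelist-var-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 
 # Uncomment the line below or put 'apparmor' in your torbrowser-launcher.local.
 # IMPORTANT: the relevant rule in /etc/apparmor.d/local/firejail-default will need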
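--- a/etc/profile-m-z/transmission-daemon.profile
+++ b/etc/profile-m-z/transmission-daemon.profile
@@ -14,7 +14,7 @@ whitelist ${HOME}/.config/transmission-daemon
 whitelist /var/lib/transmission
 
 caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
-protocol unix,inet,inet6,packet
+protocol packet
 
 private-bin transmission-daemon
 private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl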
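Review bot: `protocol packet` drops `unix`, `inet` and `inet6` from the only protocol line visible in this hunk, and a BitTorrent daemon needs those unless the list is merged with one from a profile included further down. That include is outside the hunk, so please confirm that repeated `protocol` lines accumulate rather than one of them winning. Separately, creating AF_PACKET sockets requires CAP_NET_RAW and the `caps.keep` line just above does not keep `net_raw`, so `packet` looks unusable here and could probably be dropped. A comment such as `# unix,inet,inet6 come from the included common profile` would record the dependency if it is intended.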
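--- a/etc/profile-m-z/unrar.profile
+++ b/etc/profile-m-z/unrar.profile
@@ -12,4 +12,4 @@ private-etc alternatives,group,localtime,passwd
 private-tmp
 
 # Redirect
-include archiver-common.inc
+include archiver-common.profile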
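--- a/etc/profile-m-z/unzip.profile
+++ b/etc/profile-m-z/unzip.profile
@@ -13,4 +13,4 @@ noblacklist ${HOME}/.local/share/gnome-shell
 private-etc alternatives,group,localtime,passwd
 
 # Redirect
-include archiver-common.inc
+include archiver-common.profile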
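--- a/etc/profile-m-z/virtualbox.profile
+++ b/etc/profile-m-z/virtualbox.profile
@@ -34,6 +34,7 @@ include whitelist-var-common.inc
 
 # For host-only network sys_admin is needed. See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630
 
+apparmor
 caps.keep net_raw,sys_nice
 netfilter
 nodvd
@@ -45,6 +46,7 @@ tracelog
 #disable-mnt
 private-cache
 private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
+private-tmp
 
 dbus-user none
 dbus-system none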
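--- /dev/null
+++ b/etc/profile-m-z/vmware-player.profile
@@ -0,0 +1,8 @@
+# Firejail profile for vmware-player
+# Description: The industry standard for running multiple operating systems as virtual machines on a single Linux PC.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vmware-player.local
+
+# Redirect
+include vmware.profile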
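--- /dev/null
+++ b/etc/profile-m-z/vmware-workstation.profile
@@ -0,0 +1,8 @@
+# Firejail profile for vmware-workstation
+# Description: The industry standard for running multiple operating systems as virtual machines on a single Linux PC.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vmware-workstation.local
+
+# Redirect
+include vmware.profile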
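--- a/etc/profile-m-z/xzdec.profile
+++ b/etc/profile-m-z/xzdec.profile
@@ -8,4 +8,4 @@ include xzdec.local
 include globals.local
 
 # Redirect
-include archiver-common.inc
+include archiver-common.profile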
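--- a/etc/profile-m-z/zstd.profile
+++ b/etc/profile-m-z/zstd.profile
@@ -8,4 +8,4 @@ include zstd.local
 include globals.local
 
 # Redirect
-include archiver-common.inc
+include archiver-common.profile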
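--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -155,8 +155,8 @@ include globals.local
 # - unix is usually needed
 # - inet,inet6 only if internet access is required (see 'net none'/'netfilter' above)
 # - netlink is rarely needed
-# - packet almost never
-#protocol unix,inet,inet6,netlink,packet
+# - packet and bluetooth almost never
+#protocol unix,inet,inet6,netlink,packet,bluetooth
 #seccomp
 ##seccomp !chroot
 ##seccomp.drop SYSCALLS (see syscalls.txt)
@@ -200,6 +200,7 @@ include globals.local
 # flatpak remote-info --show-metadata flathub <APP-ID>
 # Notes:
 # - flatpak implicitly allows an app to own <APP-ID> on the session bus
+# - Some features like native notifications are implemented as portal too.
 # - In order to make dconf work (when used by the app) you need to allow
 # 'ca.desrt.dconf' even when not allowed by flatpak.
 # Notes and Policiy about addresses can be found at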
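--- a/platform/rpm/firejail.spec
+++ b/platform/rpm/firejail.spec
@@ -35,6 +35,7 @@ rm -rf %{buildroot}
 %attr(4755, -, -) %{_bindir}/__NAME__
 %{_bindir}/firecfg
 %{_bindir}/firemon
+%{_bindir}/jailtest
 %{_libdir}/__NAME__
 %{_datarootdir}/bash-completion/completions/__NAME__
 %{_datarootdir}/bash-completion/completions/firecfg
@@ -47,4 +48,5 @@ rm -rf %{buildroot}
 %{_mandir}/man5/__NAME__-login.5.gz
 %{_mandir}/man5/__NAME__-profile.5.gz
 %{_mandir}/man5/__NAME__-users.5.gz
+%{_mandir}/man5/jailtest.5.gz
 %config(noreplace) %{_sysconfdir}/__NAME__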
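--- a/src/bash_completion/Makefile.in
+++ b/src/bash_completion/Makefile.in
@@ -1,3 +1,4 @@
+.PHONY: all
 all: firejail.bash_completion
 
 include ../common.mk
@@ -7,8 +8,10 @@ firejail.bash_completion: firejail.bash_completion.in
 sed "s|_SYSCONFDIR_|$(sysconfdir)|" < $@.tmp > $@
 rm $@.tmp
 
+.PHONY: clean
 clean:
 rm -fr firejail.bash_completion
 
+.PHONY: distclean
 distclean: clean
 rm -fr Makefile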
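--- a/src/bash_completion/firejail.bash_completion.in
+++ b/src/bash_completion/firejail.bash_completion.in
@@ -90,10 +90,6 @@ _firejail()
 _filedir
 return 0
 ;;
---audit)
-_filedir
-return 0
-;;
 --net)
 comps=$(__interfaces)
 COMPREPLY=( $(compgen -W '$comps' -- "$cur") )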
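--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -25,6 +25,9 @@ HAVE_GCOV=@HAVE_GCOV@
 HAVE_SELINUX=@HAVE_SELINUX@
 HAVE_DBUSPROXY=@HAVE_DBUSPROXY@
 HAVE_USERTMPFS=@HAVE_USERTMPFS@
+HAVE_OUTPUT=@HAVE_OUTPUT@
+HAVE_LTS=@HAVE_LTS@
+HAVE_FORCE_NONEWPRIVS=@HAVE_FORCE_NONEWPRIVS@
 
 H_FILE_LIST = $(sort $(wildcard *.[h]))
 C_FILE_LIST = $(sort $(wildcard *.c))
@@ -34,7 +37,7 @@ BINOBJS = $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
-MANFLAGS = $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
+MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX) $(HAVE_FORCE_NONEWPRIVS)
 CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread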
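--- a/src/faudit/Makefile.in
+++ /dev/null
@@ -1,14 +0,0 @@
-all: faudit
-
-include ../common.mk
-
-%.o : %.c $(H_FILE_LIST)
-$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
-
-faudit: $(OBJS)
-$(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
-
-clean:; rm -fr *.o faudit *.gcov *.gcda *.gcno *.plist
-
-distclean: clean
-rm -fr Makefile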
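--- a/src/faudit/caps.c
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
-* Copyright (C) 2014-2021 Firejail Authors
-*
-* This file is part of firejail project
-*
-* This program is free software; you can redistribute it and/or modify
-* it under the terms of the GNU General Public License as published by
-* the Free Software Foundation; either version 2 of the License, or
-* (at your option) any later version.
-*
-* This program is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-* GNU General Public License for more details.
-*
-* You should have received a copy of the GNU General Public License along
-* with this program; if not, write to the Free Software Foundation, Inc.,
-* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-
-#include "faudit.h"
-#include <linux/capability.h>
-
-#define MAXBUF 4098
-static int extract_caps(uint64_t *val) {
-FILE *fp = fopen("/proc/self/status", "r");
-if (!fp)
-return 1;
-
-char buf[MAXBUF];
-while (fgets(buf, MAXBUF, fp)) {
-if (strncmp(buf, "CapBnd:\t", 8) == 0) {
-char *ptr = buf + 8;
-unsigned long long tmp;
-sscanf(ptr, "%llx", &tmp);
-*val = tmp;
-fclose(fp);
-return 0;
-}
-}
-
-fclose(fp);
-return 1;
-}
-
-// return 1 if the capability is in the map
-static int check_capability(uint64_t map, int cap) {
-int i;
-uint64_t mask = 1ULL;
-
-for (i = 0; i < 64; i++, mask <<= 1) {
-if ((i == cap) && (mask & map))
-return 1;
-}
-
-return 0;
-}
-
-void caps_test(void) {
-uint64_t caps_val;
-
-if (extract_caps(&caps_val)) {
-printf("SKIP: cannot extract capabilities on this platform.\n");
-return;
-}
-
-if (caps_val) {
-printf("BAD: the capability map is %llx, it should be all zero. ", (unsigned long long) caps_val);
-printf("Use \"firejail --caps.drop=all\" to fix it.\n");
-
-if (check_capability(caps_val, CAP_SYS_ADMIN))
-printf("UGLY: CAP_SYS_ADMIN is enabled.\n");
-if (check_capability(caps_val, CAP_SYS_BOOT))
-printf("UGLY: CAP_SYS_BOOT is enabled.\n");
-}
-else
-printf("GOOD: all capabilities are disabled.\n");
-}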
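--- a/src/faudit/dbus.c
+++ /dev/null
@@ -1,131 +0,0 @@
-/*
-* Copyright (C) 2014-2021 Firejail Authors
-*
-* This file is part of firejail project
-*
-* This program is free software; you can redistribute it and/or modify
-* it under the terms of the GNU General Public License as published by
-* the Free Software Foundation; either version 2 of the License, or
-* (at your option) any later version.
-*
-* This program is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-* GNU General Public License for more details.
-*
-* You should have received a copy of the GNU General Public License along
-* with this program; if not, write to the Free Software Foundation, Inc.,
-* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-#include "../include/rundefs.h"
-#include <stdarg.h>
-#include <sys/socket.h>
-#include <sys/un.h>
-
-// return 0 if the connection is possible
-int check_unix(const char *sockfile) {
-assert(sockfile);
-int rv = -1;
-
-// open socket
-int sock = socket(AF_UNIX, SOCK_STREAM, 0);
-if (sock == -1)
-return rv;
-
-// connect
-struct sockaddr_un remote;
-memset(&remote, 0, sizeof(struct sockaddr_un));
-remote.sun_family = AF_UNIX;
-strncpy(remote.sun_path, sockfile, sizeof(remote.sun_path) - 1);
-int len = strlen(remote.sun_path) + sizeof(remote.sun_family);
-if (*sockfile == '@')
-remote.sun_path[0] = '\0';
-if (connect(sock, (struct sockaddr *)&remote, len) == 0)
-rv = 0;
-
-close(sock);
-return rv;
-}
-
-static char *test_dbus_env(char *env_var_name) {
-// check the session bus
-char *str = getenv(env_var_name);
-char *found = NULL;
-if (str) {
-int rv = 0;
-char *bus = strdup(str);
-if (!bus)
-errExit("strdup");
-char *sockfile;
-if ((sockfile = strstr(bus, "unix:abstract=")) != NULL) {
-sockfile += 13;
-*sockfile = '@';
-char *ptr = strchr(sockfile, ',');
-if (ptr)
-*ptr = '\0';
-rv = check_unix(sockfile);
-*sockfile = '@';
-if (rv == 0)
-printf("MAYBE: D-Bus socket %s is available\n", sockfile);
-else if (rv == -1)
-printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile);
-}
-else if ((sockfile = strstr(bus, "unix:path=")) != NULL) {
-sockfile += 10;
-char *ptr = strchr(sockfile, ',');
-if (ptr)
-*ptr = '\0';
-rv = check_unix(sockfile);
-if (rv == 0) {
-if (strcmp(RUN_DBUS_USER_SOCKET, sockfile) == 0 ||
-strcmp(RUN_DBUS_SYSTEM_SOCKET, sockfile) == 0) {
-printf("GOOD: D-Bus filtering is active on %s\n", sockfile);
-} else {
-printf("MAYBE: D-Bus socket %s is available\n", sockfile);
-}
-}
-else if (rv == -1)
-printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile);
-found = strdup(sockfile);
-if (!found)
-errExit("strdup");
-}
-else if (strstr(bus, "tcp:host=") != NULL)
-printf("UGLY: %s bus configured for TCP communication.\n", env_var_name);
-else
-printf("GOOD: cannot find a %s D-Bus socket\n", env_var_name);
-free(bus);
-}
-else
-printf("MAYBE: %s environment variable not configured.\n", env_var_name);
-return found;
-}
-
-static void test_default_socket(const char *found, const char *format, ...) {
-va_list ap;
-va_start(ap, format);
-char *sockfile;
-if (vasprintf(&sockfile, format, ap) == -1)
-errExit("vasprintf");
-va_end(ap);
-if (found != NULL && strcmp(found, sockfile) == 0)
-goto end;
-int rv = check_unix(sockfile);
-if (rv == 0)
-printf("MAYBE: D-Bus socket %s is available\n", sockfile);
-end:
-free(sockfile);
-}
-
-void dbus_test(void) {
-char *found_user = test_dbus_env("DBUS_SESSION_BUS_ADDRESS");
-test_default_socket(found_user, "/run/user/%d/bus", (int) getuid());
-test_default_socket(found_user, "/run/user/%d/dbus/user_bus_socket", (int) getuid());
-if (found_user != NULL)
-free(found_user);
-char *found_system = test_dbus_env("DBUS_SYSTEM_BUS_ADDRESS");
-test_default_socket(found_system, "/run/dbus/system_bus_socket");
-if (found_system != NULL)
-free(found_system);
-}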
diff --git a/src/faudit/files.c b/src/faudit/files.c deleted file mode 100644 index 73e0a387d..000000000 --- a/src/faudit/files.c +++ /dev/null | |||
@@ -1,75 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "faudit.h" | ||
21 | #include <fcntl.h> | ||
22 | #include <pwd.h> | ||
23 | |||
24 | static char *username = NULL; | ||
25 | static char *homedir = NULL; | ||
26 | |||
27 | static void check_home_file(const char *name) { | ||
28 | assert(homedir); | ||
29 | |||
30 | char *fname; | ||
31 | if (asprintf(&fname, "%s/%s", homedir, name) == -1) | ||
32 | errExit("asprintf"); | ||
33 | |||
34 | if (access(fname, R_OK) == 0) { | ||
35 | printf("UGLY: I can access files in %s directory. ", fname); | ||
36 | printf("Use \"firejail --blacklist=%s\" to block it.\n", fname); | ||
37 | } | ||
38 | else | ||
39 | printf("GOOD: I cannot access files in %s directory.\n", fname); | ||
40 | |||
41 | free(fname); | ||
42 | } | ||
43 | |||
44 | void files_test(void) { | ||
45 | struct passwd *pw = getpwuid(getuid()); | ||
46 | if (!pw) { | ||
47 | fprintf(stderr, "Error: cannot retrieve user account information\n"); | ||
48 | return; | ||
49 | } | ||
50 | |||
51 | username = strdup(pw->pw_name); | ||
52 | if (!username) | ||
53 | errExit("strdup"); | ||
54 | homedir = strdup(pw->pw_dir); | ||
55 | if (!homedir) | ||
56 | errExit("strdup"); | ||
57 | |||
58 | // check access to .ssh directory | ||
59 | check_home_file(".ssh"); | ||
60 | |||
61 | // check access to .gnupg directory | ||
62 | check_home_file(".gnupg"); | ||
63 | |||
64 | // check access to Firefox browser directory | ||
65 | check_home_file(".mozilla"); | ||
66 | |||
67 | // check access to Chromium browser directory | ||
68 | check_home_file(".config/chromium"); | ||
69 | |||
70 | // check access to Debian Icedove directory | ||
71 | check_home_file(".icedove"); | ||
72 | |||
73 | // check access to Thunderbird directory | ||
74 | check_home_file(".thunderbird"); | ||
75 | } | ||
diff --git a/src/faudit/main.c b/src/faudit/main.c deleted file mode 100644 index 605d5ff7b..000000000 --- a/src/faudit/main.c +++ /dev/null | |||
@@ -1,98 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "faudit.h" | ||
21 | char *prog; | ||
22 | |||
23 | int main(int argc, char **argv) { | ||
24 | // make test-arguments helper | ||
25 | if (getenv("FIREJAIL_TEST_ARGUMENTS")) { | ||
26 | printf("Arguments:\n"); | ||
27 | |||
28 | int i; | ||
29 | for (i = 0; i < argc; i++) { | ||
30 | printf("#%s#\n", argv[i]); | ||
31 | } | ||
32 | |||
33 | return 0; | ||
34 | } | ||
35 | |||
36 | |||
37 | if (argc != 1) { | ||
38 | int i; | ||
39 | |||
40 | for (i = 1; i < argc; i++) { | ||
41 | if (strcmp(argv[i], "syscall") == 0) { | ||
42 | syscall_helper(argc, argv); | ||
43 | return 0; | ||
44 | } | ||
45 | } | ||
46 | return 1; | ||
47 | } | ||
48 | |||
49 | printf("\n---------------- Firejail Audit: the GOOD, the BAD and the UGLY ----------------\n"); | ||
50 | |||
51 | // extract program name | ||
52 | prog = realpath(argv[0], NULL); | ||
53 | if (prog == NULL) { | ||
54 | prog = strdup("faudit"); | ||
55 | if (!prog) | ||
56 | errExit("strdup"); | ||
57 | } | ||
58 | printf("INFO: starting %s.\n", prog); | ||
59 | |||
60 | |||
61 | // check pid namespace | ||
62 | pid_test(); | ||
63 | printf("\n"); | ||
64 | |||
65 | // check seccomp | ||
66 | seccomp_test(); | ||
67 | printf("\n"); | ||
68 | |||
69 | // check capabilities | ||
70 | caps_test(); | ||
71 | printf("\n"); | ||
72 | |||
73 | // check some well-known problematic files and directories | ||
74 | files_test(); | ||
75 | printf("\n"); | ||
76 | |||
77 | // network | ||
78 | network_test(); | ||
79 | printf("\n"); | ||
80 | |||
81 | // dbus | ||
82 | dbus_test(); | ||
83 | printf("\n"); | ||
84 | |||
85 | // x11 test | ||
86 | x11_test(); | ||
87 | printf("\n"); | ||
88 | |||
89 | // /dev test | ||
90 | dev_test(); | ||
91 | printf("\n"); | ||
92 | |||
93 | |||
94 | free(prog); | ||
95 | printf("--------------------------------------------------------------------------------\n"); | ||
96 | |||
97 | return 0; | ||
98 | } | ||
diff --git a/src/faudit/network.c b/src/faudit/network.c deleted file mode 100644 index 8e799dc19..000000000 --- a/src/faudit/network.c +++ /dev/null | |||
@@ -1,101 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "faudit.h" | ||
21 | #include <sys/socket.h> | ||
22 | #include <arpa/inet.h> | ||
23 | #include <linux/netlink.h> | ||
24 | #include <linux/rtnetlink.h> | ||
25 | |||
26 | static void check_ssh(void) { | ||
27 | // open socket | ||
28 | int sock = socket(AF_INET, SOCK_STREAM, 0); | ||
29 | if (sock == -1) { | ||
30 | printf("GOOD: SSH server not available on localhost.\n"); | ||
31 | return; | ||
32 | } | ||
33 | |||
34 | // connect to localhost | ||
35 | struct sockaddr_in server; | ||
36 | server.sin_addr.s_addr = inet_addr("127.0.0.1"); | ||
37 | server.sin_family = AF_INET; | ||
38 | server.sin_port = htons(22); | ||
39 | |||
40 | if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0) | ||
41 | printf("GOOD: SSH server not available on localhost.\n"); | ||
42 | else { | ||
43 | printf("MAYBE: an SSH server is accessible on localhost. "); | ||
44 | printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n"); | ||
45 | } | ||
46 | |||
47 | close(sock); | ||
48 | } | ||
49 | |||
50 | static void check_http(void) { | ||
51 | // open socket | ||
52 | int sock = socket(AF_INET, SOCK_STREAM, 0); | ||
53 | if (sock == -1) { | ||
54 | printf("GOOD: HTTP server not available on localhost.\n"); | ||
55 | return; | ||
56 | } | ||
57 | |||
58 | // connect to localhost | ||
59 | struct sockaddr_in server; | ||
60 | server.sin_addr.s_addr = inet_addr("127.0.0.1"); | ||
61 | server.sin_family = AF_INET; | ||
62 | server.sin_port = htons(80); | ||
63 | |||
64 | if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0) | ||
65 | printf("GOOD: HTTP server not available on localhost.\n"); | ||
66 | else { | ||
67 | printf("MAYBE: an HTTP server is accessible on localhost. "); | ||
68 | printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n"); | ||
69 | } | ||
70 | |||
71 | close(sock); | ||
72 | } | ||
73 | |||
74 | void check_netlink(void) { | ||
75 | int sock = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, 0); | ||
76 | if (sock == -1) { | ||
77 | printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n"); | ||
78 | return; | ||
79 | } | ||
80 | |||
81 | struct sockaddr_nl local; | ||
82 | memset(&local, 0, sizeof(local)); | ||
83 | local.nl_family = AF_NETLINK; | ||
84 | local.nl_groups = 0; //subscriptions; | ||
85 | |||
86 | if (bind(sock, (struct sockaddr*)&local, sizeof(local)) < 0) { | ||
87 | printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n"); | ||
88 | close(sock); | ||
89 | return; | ||
90 | } | ||
91 | |||
92 | close(sock); | ||
93 | printf("MAYBE: I can connect to netlink socket. Network utilities such as iproute2 will work fine in the sandbox. "); | ||
94 | printf("You can use \"--protocol\" to disable the socket.\n"); | ||
95 | } | ||
96 | |||
97 | void network_test(void) { | ||
98 | check_ssh(); | ||
99 | check_http(); | ||
100 | check_netlink(); | ||
101 | } | ||
diff --git a/src/faudit/pid.c b/src/faudit/pid.c deleted file mode 100644 index ec8c37dc7..000000000 --- a/src/faudit/pid.c +++ /dev/null | |||
@@ -1,99 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "faudit.h" | ||
21 | |||
22 | void pid_test(void) { | ||
23 | static char *kern_proc[] = { | ||
24 | "kthreadd", | ||
25 | "ksoftirqd", | ||
26 | "kworker", | ||
27 | "rcu_sched", | ||
28 | "rcu_bh", | ||
29 | NULL // NULL terminated list | ||
30 | }; | ||
31 | int i; | ||
32 | |||
33 | // look at the first 10 processes | ||
34 | int not_visible = 1; | ||
35 | for (i = 1; i <= 10; i++) { | ||
36 | struct stat s; | ||
37 | char *fname; | ||
38 | if (asprintf(&fname, "/proc/%d/comm", i) == -1) | ||
39 | errExit("asprintf"); | ||
40 | if (stat(fname, &s) == -1) { | ||
41 | free(fname); | ||
42 | continue; | ||
43 | } | ||
44 | |||
45 | // open file | ||
46 | /* coverity[toctou] */ | ||
47 | FILE *fp = fopen(fname, "r"); | ||
48 | if (!fp) { | ||
49 | free(fname); | ||
50 | continue; | ||
51 | } | ||
52 | |||
53 | // read file | ||
54 | char buf[100]; | ||
55 | if (fgets(buf, 10, fp) == NULL) { | ||
56 | fclose(fp); | ||
57 | free(fname); | ||
58 | continue; | ||
59 | } | ||
60 | not_visible = 0; | ||
61 | |||
62 | // clean /n | ||
63 | char *ptr; | ||
64 | if ((ptr = strchr(buf, '\n')) != NULL) | ||
65 | *ptr = '\0'; | ||
66 | |||
67 | // check process name against the kernel list | ||
68 | int j = 0; | ||
69 | while (kern_proc[j] != NULL) { | ||
70 | if (strncmp(buf, kern_proc[j], strlen(kern_proc[j])) == 0) { | ||
71 | fclose(fp); | ||
72 | free(fname); | ||
73 | printf("BAD: Process %d is not running in a PID namespace. ", getpid()); | ||
74 | printf("Are you sure you're running in a sandbox?\n"); | ||
75 | return; | ||
76 | } | ||
77 | j++; | ||
78 | } | ||
79 | |||
80 | fclose(fp); | ||
81 | free(fname); | ||
82 | } | ||
83 | |||
84 | pid_t pid = getpid(); | ||
85 | if (not_visible && pid > 100) | ||
86 | printf("BAD: Process %d is not running in a PID namespace.\n", pid); | ||
87 | else | ||
88 | printf("GOOD: process %d is running in a PID namespace.\n", pid); | ||
89 | |||
90 | // try to guess the type of container/sandbox | ||
91 | char *str = getenv("container"); | ||
92 | if (str) | ||
93 | printf("INFO: container/sandbox %s.\n", str); | ||
94 | else { | ||
95 | str = getenv("SNAP"); | ||
96 | if (str) | ||
97 | printf("INFO: this is a snap package\n"); | ||
98 | } | ||
99 | } | ||
diff --git a/src/faudit/seccomp.c b/src/faudit/seccomp.c deleted file mode 100644 index d8acee160..000000000 --- a/src/faudit/seccomp.c +++ /dev/null | |||
@@ -1,101 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "faudit.h" | ||
21 | |||
22 | #define MAXBUF 4098 | ||
23 | static int extract_seccomp(int *val) { | ||
24 | FILE *fp = fopen("/proc/self/status", "r"); | ||
25 | if (!fp) | ||
26 | return 1; | ||
27 | |||
28 | char buf[MAXBUF]; | ||
29 | while (fgets(buf, MAXBUF, fp)) { | ||
30 | if (strncmp(buf, "Seccomp:\t", 9) == 0) { | ||
31 | char *ptr = buf + 9; | ||
32 | int tmp; | ||
33 | sscanf(ptr, "%d", &tmp); | ||
34 | *val = tmp; | ||
35 | fclose(fp); | ||
36 | return 0; | ||
37 | } | ||
38 | } | ||
39 | |||
40 | fclose(fp); | ||
41 | return 1; | ||
42 | } | ||
43 | |||
44 | void seccomp_test(void) { | ||
45 | int seccomp_status; | ||
46 | int rv = extract_seccomp(&seccomp_status); | ||
47 | |||
48 | if (rv) { | ||
49 | printf("INFO: cannot extract seccomp configuration on this platform.\n"); | ||
50 | return; | ||
51 | } | ||
52 | |||
53 | if (seccomp_status == 0) { | ||
54 | printf("BAD: seccomp disabled. Use \"firejail --seccomp\" to enable it.\n"); | ||
55 | } | ||
56 | else if (seccomp_status == 1) | ||
57 | printf("GOOD: seccomp strict mode - only read, write, _exit, and sigreturn are allowed.\n"); | ||
58 | else if (seccomp_status == 2) { | ||
59 | printf("GOOD: seccomp BPF enabled.\n"); | ||
60 | |||
61 | printf("checking syscalls: "); fflush(0); | ||
62 | printf("mount... "); fflush(0); | ||
63 | syscall_run("mount"); | ||
64 | |||
65 | printf("umount2... "); fflush(0); | ||
66 | syscall_run("umount2"); | ||
67 | |||
68 | printf("ptrace... "); fflush(0); | ||
69 | syscall_run("ptrace"); | ||
70 | |||
71 | printf("swapon... "); fflush(0); | ||
72 | syscall_run("swapon"); | ||
73 | |||
74 | printf("swapoff... "); fflush(0); | ||
75 | syscall_run("swapoff"); | ||
76 | |||
77 | printf("init_module... "); fflush(0); | ||
78 | syscall_run("init_module"); | ||
79 | |||
80 | printf("delete_module... "); fflush(0); | ||
81 | syscall_run("delete_module"); | ||
82 | |||
83 | printf("chroot... "); fflush(0); | ||
84 | syscall_run("chroot"); | ||
85 | |||
86 | printf("pivot_root... "); fflush(0); | ||
87 | syscall_run("pivot_root"); | ||
88 | |||
89 | #if defined(__i386__) || defined(__x86_64__) | ||
90 | printf("iopl... "); fflush(0); | ||
91 | syscall_run("iopl"); | ||
92 | |||
93 | printf("ioperm... "); fflush(0); | ||
94 | syscall_run("ioperm"); | ||
95 | #endif | ||
96 | printf("\n"); | ||
97 | } | ||
98 | else | ||
99 | fprintf(stderr, "Error: unrecognized seccomp mode\n"); | ||
100 | |||
101 | } | ||
diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c deleted file mode 100644 index 11e83a0f5..000000000 --- a/src/faudit/syscall.c +++ /dev/null | |||
@@ -1,105 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "faudit.h" | ||
21 | #include <sys/ptrace.h> | ||
22 | #include <sys/swap.h> | ||
23 | #if defined(__i386__) || defined(__x86_64__) | ||
24 | #include <sys/io.h> | ||
25 | #endif | ||
26 | #include <sys/wait.h> | ||
27 | extern int init_module(void *module_image, unsigned long len, | ||
28 | const char *param_values); | ||
29 | extern int finit_module(int fd, const char *param_values, | ||
30 | int flags); | ||
31 | extern int delete_module(const char *name, int flags); | ||
32 | extern int pivot_root(const char *new_root, const char *put_old); | ||
33 | |||
34 | void syscall_helper(int argc, char **argv) { | ||
35 | (void) argc; | ||
36 | |||
37 | if (argc < 3) | ||
38 | return; | ||
39 | |||
40 | if (strcmp(argv[2], "mount") == 0) { | ||
41 | int rv = mount(NULL, NULL, NULL, 0, NULL); | ||
42 | (void) rv; | ||
43 | printf("\nUGLY: mount syscall permitted.\n"); | ||
44 | } | ||
45 | else if (strcmp(argv[2], "umount2") == 0) { | ||
46 | umount2(NULL, 0); | ||
47 | printf("\nUGLY: umount2 syscall permitted.\n"); | ||
48 | } | ||
49 | else if (strcmp(argv[2], "ptrace") == 0) { | ||
50 | ptrace(0, 0, NULL, NULL); | ||
51 | printf("\nUGLY: ptrace syscall permitted.\n"); | ||
52 | } | ||
53 | else if (strcmp(argv[2], "swapon") == 0) { | ||
54 | swapon(NULL, 0); | ||
55 | printf("\nUGLY: swapon syscall permitted.\n"); | ||
56 | } | ||
57 | else if (strcmp(argv[2], "swapoff") == 0) { | ||
58 | swapoff(NULL); | ||
59 | printf("\nUGLY: swapoff syscall permitted.\n"); | ||
60 | } | ||
61 | else if (strcmp(argv[2], "init_module") == 0) { | ||
62 | init_module(NULL, 0, NULL); | ||
63 | printf("\nUGLY: init_module syscall permitted.\n"); | ||
64 | } | ||
65 | else if (strcmp(argv[2], "delete_module") == 0) { | ||
66 | delete_module(NULL, 0); | ||
67 | printf("\nUGLY: delete_module syscall permitted.\n"); | ||
68 | } | ||
69 | else if (strcmp(argv[2], "chroot") == 0) { | ||
70 | int rv = chroot("/blablabla-57281292"); | ||
71 | (void) rv; | ||
72 | printf("\nUGLY: chroot syscall permitted.\n"); | ||
73 | } | ||
74 | else if (strcmp(argv[2], "pivot_root") == 0) { | ||
75 | pivot_root(NULL, NULL); | ||
76 | printf("\nUGLY: pivot_root syscall permitted.\n"); | ||
77 | } | ||
78 | #if defined(__i386__) || defined(__x86_64__) | ||
79 | else if (strcmp(argv[2], "iopl") == 0) { | ||
80 | iopl(0L); | ||
81 | printf("\nUGLY: iopl syscall permitted.\n"); | ||
82 | } | ||
83 | else if (strcmp(argv[2], "ioperm") == 0) { | ||
84 | ioperm(0, 0, 0); | ||
85 | printf("\nUGLY: ioperm syscall permitted.\n"); | ||
86 | } | ||
87 | #endif | ||
88 | exit(0); | ||
89 | } | ||
90 | |||
91 | void syscall_run(const char *name) { | ||
92 | assert(prog); | ||
93 | |||
94 | pid_t child = fork(); | ||
95 | if (child < 0) | ||
96 | errExit("fork"); | ||
97 | if (child == 0) { | ||
98 | execl(prog, prog, "syscall", name, NULL); | ||
99 | perror("execl"); | ||
100 | _exit(1); | ||
101 | } | ||
102 | |||
103 | // wait for the child to finish | ||
104 | waitpid(child, NULL, 0); | ||
105 | } | ||
diff --git a/src/faudit/x11.c b/src/faudit/x11.c deleted file mode 100644 index 2ffd7bac7..000000000 --- a/src/faudit/x11.c +++ /dev/null | |||
@@ -1,63 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "faudit.h" | ||
21 | #include <sys/socket.h> | ||
22 | #include <dirent.h> | ||
23 | |||
24 | |||
25 | void x11_test(void) { | ||
26 | // check regular display 0 sockets | ||
27 | if (check_unix("/tmp/.X11-unix/X0") == 0) | ||
28 | printf("MAYBE: X11 socket /tmp/.X11-unix/X0 is available\n"); | ||
29 | |||
30 | if (check_unix("@/tmp/.X11-unix/X0") == 0) | ||
31 | printf("MAYBE: X11 socket @/tmp/.X11-unix/X0 is available\n"); | ||
32 | |||
33 | // check all unix sockets in /tmp/.X11-unix directory | ||
34 | DIR *dir; | ||
35 | if (!(dir = opendir("/tmp/.X11-unix"))) { | ||
36 | // sleep 2 seconds and try again | ||
37 | sleep(2); | ||
38 | if (!(dir = opendir("/tmp/.X11-unix"))) { | ||
39 | ; | ||
40 | } | ||
41 | } | ||
42 | |||
43 | if (dir == NULL) | ||
44 | printf("GOOD: cannot open /tmp/.X11-unix directory\n"); | ||
45 | else { | ||
46 | struct dirent *entry; | ||
47 | while ((entry = readdir(dir)) != NULL) { | ||
48 | if (strcmp(entry->d_name, "X0") == 0) | ||
49 | continue; | ||
50 | if (strcmp(entry->d_name, ".") == 0) | ||
51 | continue; | ||
52 | if (strcmp(entry->d_name, "..") == 0) | ||
53 | continue; | ||
54 | char *name; | ||
55 | if (asprintf(&name, "/tmp/.X11-unix/%s", entry->d_name) == -1) | ||
56 | errExit("asprintf"); | ||
57 | if (check_unix(name) == 0) | ||
58 | printf("MAYBE: X11 socket %s is available\n", name); | ||
59 | free(name); | ||
60 | } | ||
61 | closedir(dir); | ||
62 | } | ||
63 | } | ||
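--- a/src/fbuilder/Makefile.in
+++ b/src/fbuilder/Makefile.in
@@ -1,3 +1,4 @@
+.PHONY: all
 all: fbuilder
 
 include ../common.mk
@@ -8,7 +9,9 @@ include ../common.mk
 fbuilder: $(OBJS)
 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
 
+.PHONY: clean
 clean:; rm -fr *.o fbuilder *.gcov *.gcda *.gcno *.plist
 
+.PHONY: distclean
 distclean: clean
 rm -fr Makefile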
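--- a/src/fcopy/Makefile.in
+++ b/src/fcopy/Makefile.in
@@ -1,3 +1,4 @@
+.PHONY: all
 all: fcopy
 
 include ../common.mk
@@ -8,7 +9,9 @@ include ../common.mk
 fcopy: $(OBJS) ../lib/common.o
 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
 
+.PHONY: clean
 clean:; rm -fr *.o fcopy *.gcov *.gcda *.gcno *.plist
 
+.PHONY: distclean
 distclean: clean
 rm -fr Makefile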
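--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -51,8 +51,9 @@ static int selinux_enabled = -1;
 #endif
 
 // copy from firejail/selinux.c
-static void selinux_relabel_path(const char *path, const char *inside_path)
-{
+static void selinux_relabel_path(const char *path, const char *inside_path) {
+assert(path);
+assert(inside_path);
 #if HAVE_SELINUX
 char procfs_path[64];
 char *fcon = NULL;
@@ -172,6 +173,51 @@ static void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) {
 }
 }
 
+static char *proc_pid_to_self(const char *target) {
+assert(target);
+char *use_target = 0;
+char *proc_pid = 0;
+
+if (!(use_target = realpath(target, NULL)))
+goto done;
+
+// target is under /proc/<PID>?
+static const char proc[] = "/proc/";
+if (strncmp(use_target, proc, sizeof(proc) - 1))
+goto done;
+
+int digit = use_target[sizeof(proc) - 1];
+if (digit < '1' || digit > '9')
+goto done;
+
+// check where /proc/self points to
+static const char proc_self[] = "/proc/self";
+if (!(proc_pid = realpath(proc_self, NULL)))
+goto done;
+
+// redirect /proc/PID/xxx -> /proc/self/XXX
+size_t pfix = strlen(proc_pid);
+if (strncmp(use_target, proc_pid, pfix))
+goto done;
+
+if (use_target[pfix] != 0 && use_target[pfix] != '/')
+goto done;
+
+char *tmp;
+if (asprintf(&tmp, "%s%s", proc_self, use_target + pfix) != -1) {
+if (arg_debug)
+fprintf(stderr, "SYMLINK %s\n --> %s\n", use_target, tmp);
+free(use_target);
+use_target = tmp;
+}
+else
+errExit("asprintf");
+
+done:
+if (proc_pid)
+free(proc_pid);
+return use_target;
+}
 
 void copy_link(const char *target, const char *linkpath, mode_t mode, uid_t uid, gid_t gid) {
 (void) mode;
@@ -183,7 +229,7 @@ void copy_link(const char *target, const char *linkpath, mode_t mode, uid_t uid,
 if (lstat(linkpath, &s) == 0)
 return;
 
-char *rp = realpath(target, NULL);
+char *rp = proc_pid_to_self(target);
 if (rp) {
 if (symlink(rp, linkpath) == -1) {
 free(rp);
@@ -227,16 +273,14 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str
 first = 0;
 else if (!arg_quiet)
 fprintf(stderr, "Warning fcopy: skipping %s, file already present\n", infname);
-free(outfname);
-return 0;
+goto out;
 }
 
 // extract mode and ownership
 if (stat(infname, &s) != 0) {
 if (!arg_quiet)
 fprintf(stderr, "Warning fcopy: skipping %s, cannot find inode\n", infname);
-free(outfname);
-return 0;
+goto out;
 }
 uid_t uid = s.st_uid;
 gid_t gid = s.st_gid;
@@ -246,8 +290,7 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str
 if ((s.st_size + size_cnt) > copy_limit) {
 fprintf(stderr, "Error fcopy: size limit of %lu MB reached\n", (copy_limit / 1024) / 1024);
 size_limit_reached = 1;
-free(outfname);
-return 0;
+goto out;
 }
 
 file_cnt++;
@@ -262,7 +305,8 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str
 else if (ftype == FTW_SL) {
 copy_link(infname, outfname, mode, uid, gid);
 }
-
+out:
+free(outfname);
 return(0);
 }
 
@@ -295,6 +339,7 @@ static char *check(const char *src) {
 return rsrc; // normal exit from the function
 
 errexit:
+free(rsrc);
 fprintf(stderr, "Error fcopy: invalid file %s\n", src);
 exit(1);
 }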
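Review bot: The new `proc_pid_to_self` has no header comment, and its contract cannot be read off the single call in `copy_link`. It returns a heap string the caller must free, or NULL when `realpath(target, NULL)` fails, and it rewrites only targets under the `/proc/<PID>` that `/proc/self` resolves to; a target under any other `/proc/<PID>`, or a failed `realpath` of `/proc/self`, yields the resolved path unchanged. I would add above the definition `// Resolve target; if it lies under this process's own /proc/<PID>, return the /proc/self/... form instead. Caller frees; NULL if realpath fails.` As a smaller style point, the NULL test at `done:` is redundant, since `free(proc_pid);` alone is safe, and `NULL` would read better than `0` for the two pointer initialisers.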
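--- a/src/firecfg/Makefile.in
+++ b/src/firecfg/Makefile.in
@@ -1,3 +1,4 @@
+.PHONY: all
 all: firecfg
 
 include ../common.mk
@@ -8,7 +9,9 @@ include ../common.mk
 firecfg: $(OBJS) ../lib/common.o ../lib/firejail_user.o
 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/firejail_user.o $(LIBS) $(EXTRA_LDFLAGS)
 
+.PHONY: clean
 clean:; rm -fr *.o firecfg *.gcov *.gcda *.gcno *.plist
 
+.PHONY: distclean
 distclean: clean
 rm -fr Makefile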
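--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -191,6 +191,10 @@ dropbox
 d-feet
 easystroke
 ebook-viewer
+ebook-convert
+ebook-edit
+ebook-meta
+ebook-polish
 electron-mail
 electrum
 element-desktop
@@ -375,6 +379,8 @@ impressive
 inkscape
 inkview
 inox
+ipcalc
+ipcalc-ng
 iridium
 iridium-browser
 jd-gui
@@ -458,7 +464,7 @@ lynx
 lyx
 macrofusion
 magicor
-# man
+man
 manaplus
 marker
 masterpdfeditor
@@ -805,6 +811,8 @@ vivaldi-snapshot
 vivaldi-stable
 vlc
 vmware
+vmware-player
+vmware-workstation
 vscodium
 vulturesclaw
 vultureseye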
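Review bot: The `man` entry was deliberately commented out (`# man`) and is now enabled with nothing in the file saying why the earlier exclusion no longer applies. Entries in this list presumably decide which programs firecfg wraps by default, so re-enabling one that had been switched off deserves a short remark next to it, for example `# man: re-enabled, see <commit or issue reference>`. The four new `ebook-*` entries are also placed after `ebook-viewer`, which breaks the alphabetical order the rest of the visible list follows.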
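--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -1,3 +1,4 @@
+.PHONY: all
 all: firejail
 
 include ../common.mk
@@ -8,7 +9,9 @@ include ../common.mk
 firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o ../lib/errno.o ../lib/syscall.o
 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS)
 
+.PHONY: clean
 clean:; rm -fr *.o firejail *.gcov *.gcda *.gcno *.plist
 
+.PHONY: distclean
 distclean: clean
 rm -fr Makefile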
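--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -162,6 +162,21 @@ static CapsEntry capslist[] = {
 #else
 {"audit_read", 37 },
 #endif
+#ifdef CAP_PERFMON
+{"perfmon", CAP_PERFMON },
+#else
+{"perfmon", 38 },
+#endif
+#ifdef CAP_BPF
+{"bpf", CAP_BPF },
+#else
+{"bpf", 39 },
+#endif
+#ifdef CAP_CHECKPOINT_RESTORE
+{"checkpoint_restore", CAP_CHECKPOINT_RESTORE },
+#else
+{"checkpoint_restore", 40 },
+#endif
 
 //
 // end of generated code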
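--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -269,6 +269,14 @@ errout:
 
 void print_compiletime_support(void) {
 printf("Compile time support:\n");
+printf("\t- Always force nonewprivs support is %s\n",
+#ifdef HAVE_FORCE_NONEWPRIVS
+"enabled"
+#else
+"disabled"
+#endif
+);
+
 printf("\t- AppArmor support is %s\n",
 #ifdef HAVE_APPARMOR
 "enabled"
@@ -333,6 +341,13 @@ void print_compiletime_support(void) {
 #endif
 );
 
+printf("\t- output logging is %s\n",
+#ifdef HAVE_OUTPUT
+"enabled"
+#else
+"disabled"
+#endif
+);
 printf("\t- overlayfs support is %s\n",
 #ifdef HAVE_OVERLAYFS
 "enabled"
@@ -380,4 +395,6 @@ void print_compiletime_support(void) {
 "disabled"
 #endif
 );
+
+
 }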
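Review bot: The added `output logging` block in print_compiletime_support() runs straight into the `overlayfs` block with no blank line, while the neighbouring entries visible here are separated by one. The commit also leaves two empty lines before the function's closing brace. I would add the separator after the new `);` and drop the two trailing blanks. The function continues outside the visible hunks, so the spacing of the remaining entries could not be checked.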
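--- a/src/firejail/dbus.c
+++ b/src/firejail/dbus.c
@@ -111,7 +111,7 @@ static int check_object_path(const char *path) {
 }
 ++p;
 }
-return in_segment && segments >= 2;
+return in_segment && segments >= 1;
 }
 
 int dbus_check_name(const char *name) {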
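Review bot: The return condition in check_object_path() now accepts a path with a single element (`segments >= 1`), but nothing in the hunk records why the previous minimum of two was wrong or what the shortest accepted path is. This function presumably validates user-supplied D-Bus object paths before they are used in filter rules, so the lower bound should be stated next to the check, for example `// an object path needs at least one element, e.g. "/foo"`. Whether the root path `/` is meant to pass cannot be told from here, because the loop that sets `in_segment` and `segments` starts outside the hunk. A test covering `/`, `/a` and `/a/` would pin the behaviour down.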
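--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -328,8 +328,6 @@ extern int arg_keep_var_tmp; // don't overwrite /var/tmp
 extern int arg_writable_run_user; // writable /run/user
 extern int arg_writable_var_log; // writable /var/log
 extern int arg_appimage; // appimage
-extern int arg_audit; // audit
-extern char *arg_audit_prog; // audit
 extern int arg_apparmor; // apparmor
 extern int arg_allow_debuggers; // allow debuggers
 extern int arg_x11_block; // block X11
@@ -451,6 +449,9 @@ int profile_check_line(char *ptr, int lineno, const char *fname);
 // add a profile entry in cfg.profile list; use str to populate the list
 void profile_add(char *str);
 void profile_add_ignore(const char *str);
+char *profile_list_normalize(char *list);
+char *profile_list_compress(char *list);
+void profile_list_augment(char **list, const char *items);
 
 // list.c
 void list(void);
@@ -649,6 +650,8 @@ void network_set_run_file(pid_t pid);
 
 // fs_etc.c
 void fs_machineid(void);
+void fs_private_dir_copy(const char *private_dir, const char *private_run_dir, const char *private_list);
+void fs_private_dir_mount(const char *private_dir, const char *private_run_dir);
 void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list);
 
 // no_sandbox.c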
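Review bot: The three new `profile_list_*` prototypes take and return raw `char *` lists without saying who owns the memory. `profile_list_normalize` and `profile_list_compress` return `char *` from a non-const `char *list`, so a caller cannot tell whether the argument is modified in place, freed, or left alone, and `profile_list_augment` takes `char **list`, which suggests it may replace `*list`. The neighbouring `profile_add` carries a one-line comment; the same is needed here, e.g. `// returns a newly allocated list, caller frees (confirm against the implementation)`. The implementations are not part of this section, so the wording has to be checked against them.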
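--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -18,6 +18,7 @@
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
+#include <errno.h>
 #include <sys/mount.h>
 #include <sys/stat.h>
 #include <sys/types.h>
@@ -138,7 +139,7 @@ static void duplicate(const char *fname, const char *private_dir, const char *pr
 }
 
 
-void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list) {
+void fs_private_dir_copy(const char *private_dir, const char *private_run_dir, const char *private_list) {
 assert(private_dir);
 assert(private_run_dir);
 assert(private_list);
@@ -147,12 +148,10 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c
 struct stat s;
 if (stat(private_dir, &s) == -1) {
 if (arg_debug)
-printf("Cannot find %s\n", private_dir);
+printf("Cannot find %s: %s\n", private_dir, strerror(errno));
 return;
 }
 
-timetrace_start();
-
 // create /run/firejail/mnt/etc directory
 mkdir_attr(private_run_dir, 0755, 0, 0);
 selinux_relabel_path(private_run_dir, private_dir);
@@ -185,9 +184,23 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c
 free(dlist);
 fs_logger_print();
 }
+}
+
+void fs_private_dir_mount(const char *private_dir, const char *private_run_dir) {
+assert(private_dir);
+assert(private_run_dir);
 
 if (arg_debug)
 printf("Mount-bind %s on top of %s\n", private_run_dir, private_dir);
+
+// nothing to do if directory does not exist
+struct stat s;
+if (stat(private_dir, &s) == -1) {
+if (arg_debug)
+printf("Cannot find %s: %s\n", private_dir, strerror(errno));
+return;
+}
+
 if (mount(private_run_dir, private_dir, NULL, MS_BIND|MS_REC, NULL) < 0)
 errExit("mount bind");
 fs_logger2("mount", private_dir);
@@ -196,6 +209,11 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c
 if (mount("tmpfs", private_run_dir, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0)
 errExit("mounting tmpfs");
 fs_logger2("tmpfs", private_run_dir);
+}
 
+void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list) {
+timetrace_start();
+fs_private_dir_copy(private_dir, private_run_dir, private_list);
+fs_private_dir_mount(private_dir, private_run_dir);
 fmessage("Private %s installed in %0.2f ms\n", private_dir, timetrace_end());
 }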
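Review bot: fs_private_dir_list() now prints `Private %s installed in ...` even when `private_dir` does not exist. Before the split, the failed `stat()` returned from the whole function; now fs_private_dir_copy() and fs_private_dir_mount() each return early on their own `stat()` and the wrapper still reaches `fmessage()`. The directory is also checked twice by path, so the copy and mount steps can in principle disagree about whether it exists. Checking once in the wrapper before the timer starts, as sketched below, restores the old behaviour while leaving the helpers' own checks for direct callers. In fs_private_dir_mount() the `Mount-bind` debug line is printed before the existence check, so it also appears for mounts that never happen.

```c
void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list) {
	// check once here so a missing directory produces no "installed" message
	struct stat s;
	if (stat(private_dir, &s) == -1) {
		if (arg_debug)
			printf("Cannot find %s: %s\n", private_dir, strerror(errno));
		return;
	}
	timetrace_start();
	// … unchanged: fs_private_dir_copy(), fs_private_dir_mount(), fmessage() …
}
```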
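--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -28,6 +28,7 @@
 #define MAXBUF 4096
 
 extern void fslib_install_stdc(void);
+extern void fslib_install_firejail(void);
 extern void fslib_install_system(void);
 
 static int lib_cnt = 0;
@@ -137,33 +138,22 @@ void fslib_duplicate(const char *full_path) {
 lib_cnt++;
 }
 
-
 // requires full path for lib
 // it could be a library or an executable
 // lib is not copied, only libraries used by it
-void fslib_copy_libs(const char *full_path) {
+static void fslib_copy_libs(const char *full_path, unsigned mask) {
-assert(full_path);
-if (arg_debug || arg_debug_private_lib)
-printf(" fslib_copy_libs %s\n", full_path);
-
-// if library/executable does not exist or the user does not have read access to it
-// print a warning and exit the function.
-if (access(full_path, R_OK)) {
-if (arg_debug || arg_debug_private_lib)
-printf("cannot find %s for private-lib, skipping...\n", full_path);
-return;
-}
-
 // create an empty RUN_LIB_FILE and allow the user to write to it
 unlink(RUN_LIB_FILE); // in case is there
 create_empty_file_as_root(RUN_LIB_FILE, 0644);
-if (chown(RUN_LIB_FILE, getuid(), getgid()))
+if (mask & SBOX_USER) {
-errExit("chown");
+if (chown(RUN_LIB_FILE, getuid(), getgid()))
+errExit("chown");
+}
 
 // run fldd to extract the list of files
 if (arg_debug || arg_debug_private_lib)
 printf(" running fldd %s\n", full_path);
-sbox_run(SBOX_USER | SBOX_SECCOMP | SBOX_CAPS_NONE, 3, PATH_FLDD, full_path, RUN_LIB_FILE);
+sbox_run(mask | SBOX_SECCOMP | SBOX_CAPS_NONE, 3, PATH_FLDD, full_path, RUN_LIB_FILE);
 
 // open the list of libraries and install them on by one
 FILE *fp = fopen(RUN_LIB_FILE, "r");
@@ -182,6 +172,34 @@ void fslib_copy_libs(const char *full_path) {
 unlink(RUN_LIB_FILE);
 }
 
+void fslib_copy_libs_parse_as_root(const char *full_path) {
+assert(full_path);
+if (arg_debug || arg_debug_private_lib)
+printf(" fslib_copy_libs_parse_as_root %s\n", full_path);
+
+struct stat s;
+if (stat(full_path, &s)) {
+if (arg_debug || arg_debug_private_lib)
+printf("cannot find %s for private-lib, skipping...\n", full_path);
+return;
+}
+fslib_copy_libs(full_path, SBOX_ROOT);
+}
+
+// if library/executable does not exist or the user does not have read access to it
+// print a warning and exit the function.
+void fslib_copy_libs_parse_as_user(const char *full_path) {
+assert(full_path);
+if (arg_debug || arg_debug_private_lib)
+printf(" fslib_copy_libs_parse_as_user %s\n", full_path);
+
+if (access(full_path, R_OK)) {
+if (arg_debug || arg_debug_private_lib)
+printf("cannot find %s for private-lib, skipping...\n", full_path);
+return;
+}
+fslib_copy_libs(full_path, SBOX_USER);
+}
 
 void fslib_copy_dir(const char *full_path) {
 assert(full_path);
@@ -236,7 +254,7 @@ static void load_library(const char *fname) {
 access(fname, X_OK) != 0) // don't duplicate executables, just install the libraries
 fslib_duplicate(fname);
 
-fslib_copy_libs(fname);
+fslib_copy_libs_parse_as_user(fname);
 }
 }
 }
@@ -379,25 +397,12 @@ void fs_private_lib(void) {
 printf("Installing standard C library\n");
 fslib_install_stdc();
 
-// start timetrace
+// install other libraries needed by firejail
-timetrace_start();
-
-// bring in firejail executable libraries in case we are redirected here by a firejail symlink from /usr/local/bin/firejail
 if (arg_debug || arg_debug_private_lib)
 printf("Installing Firejail libraries\n");
-fslib_install_list(PATH_FIREJAIL);
+fslib_install_firejail();
-
-// bring in firejail directory
-fslib_install_list(LIBDIR "/firejail");
-
-// bring in dhclient libraries
-if (any_dhcp()) {
-if (arg_debug || arg_debug_private_lib)
-printf("Installing dhclient libraries\n");
-fslib_install_list(RUN_MNT_DIR "/dhclient");
-}
-fmessage("Firejail libraries installed in %0.2f ms\n", timetrace_end());
 
+// start timetrace
 timetrace_start();
 
 // copy the libs in the new lib directory for the main exe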
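Review bot: fslib_copy_libs_parse_as_root() has no comment saying it must only be given trusted paths, although it is an exported function and differs from the `_as_user` variant in two security-relevant ways: it checks the file with `stat()` instead of `access(full_path, R_OK)`, and it passes `SBOX_ROOT`, so fldd presumably parses the file without dropping to the calling user. The explanatory comment about the existence check sits only above `_as_user`. I would document the root variant, e.g. `// fldd runs with SBOX_ROOT here: pass only fixed, root-owned paths, never a user-supplied one`. The existing comment `create an empty RUN_LIB_FILE and allow the user to write to it` is also no longer accurate for the root case, because the `chown` is now conditional on `SBOX_USER`.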
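--- a/src/firejail/fs_lib2.c
+++ b/src/firejail/fs_lib2.c
@@ -22,7 +22,8 @@
 #include <sys/stat.h>
 
 extern void fslib_duplicate(const char *full_path);
-extern void fslib_copy_libs(const char *full_path);
+extern void fslib_copy_libs_parse_as_user(const char *full_path);
+extern void fslib_copy_libs_parse_as_root(const char *full_path);
 extern void fslib_copy_dir(const char *full_path);
 
 //***************************************************************
@@ -123,6 +124,52 @@ void fslib_install_stdc(void) {
 fmessage("Standard C library installed in %0.2f ms\n", timetrace_end());
 }
 
+//***************************************************************
+// Firejail libraries
+//***************************************************************
+
+static void fdir(void) {
+fslib_copy_dir(LIBDIR "/firejail");
+
+// executables and libraries from firejail directory
+static const char * const fbin[] = {
+PATH_FCOPY, // currently sufficient to find all needed libraries
+// PATH_FSECCOMP,
+// PATH_FSEC_OPTIMIZE,
+// PATH_FSEC_PRINT,
+// RUN_FIREJAIL_LIB_DIR "/libtrace.so",
+// RUN_FIREJAIL_LIB_DIR "/libtracelog.so",
+// RUN_FIREJAIL_LIB_DIR "/libpostexecseccomp.so",
+NULL,
+};
+
+// need to run fldd as root user, unprivileged users have no read permission on executables
+int i;
+for (i = 0; fbin[i]; i++)
+fslib_copy_libs_parse_as_root(fbin[i]);
+}
+
+void fslib_install_firejail(void) {
+timetrace_start();
+// bring in firejail executable libraries, in case we are redirected here
+// by a firejail symlink from /usr/local/bin/firejail
+fslib_copy_libs_parse_as_user(PATH_FIREJAIL);
+
+// bring in firejail directory
+fdir();
+
+// bring in dhclient libraries
+if (any_dhcp())
+fslib_copy_libs_parse_as_user(RUN_MNT_DIR "/dhclient");
+
+#ifdef HAVE_X11
+// bring in xauth libraries
+if (arg_x11_xorg)
+fslib_copy_libs_parse_as_user("/usr/bin/xauth");
+#endif
+
+fmessage("Firejail libraries installed in %0.2f ms\n", timetrace_end());
+}
 
 //***************************************************************
 // various system libraries
@@ -268,7 +315,7 @@ void fslib_install_system(void) {
 if (asprintf(&name, "/usr/lib/x86_64-linux-gnu/%s", ptr->dir1) == -1)
 errExit("asprintf");
 if (access(name, R_OK) == 0) {
-fslib_copy_libs(name);
+fslib_copy_libs_parse_as_user(name);
 fslib_copy_dir(name);
 }
 else {
@@ -277,7 +324,7 @@ void fslib_install_system(void) {
 if (asprintf(&name, "/usr/lib64/%s", ptr->dir1) == -1)
 errExit("asprintf");
 if (access(name, R_OK) == 0) {
-fslib_copy_libs(name);
+fslib_copy_libs_parse_as_user(name);
 fslib_copy_dir(name);
 }
 }
@@ -288,7 +335,7 @@ void fslib_install_system(void) {
 if (asprintf(&name, "/usr/lib/x86_64-linux-gnu/%s", ptr->dir2) == -1)
 errExit("asprintf");
 if (access(name, R_OK) == 0) {
-fslib_copy_libs(name);
+fslib_copy_libs_parse_as_user(name);
 fslib_copy_dir(name);
 }
 else {
@@ -297,7 +344,7 @@ void fslib_install_system(void) {
 if (asprintf(&name, "/usr/lib64/%s", ptr->dir2) == -1)
 errExit("asprintf");
 if (access(name, R_OK) == 0) {
-fslib_copy_libs(name);
+fslib_copy_libs_parse_as_user(name);
 fslib_copy_dir(name);
 }
 }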
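Review bot: The xauth path in fslib_install_firejail() is a string literal (`"/usr/bin/xauth"`), unlike `PATH_FIREJAIL`, `PATH_FCOPY` and the `RUN_MNT_DIR`/`LIBDIR` based paths used a few lines above it. Going by the fs_lib.c part of this commit, fslib_copy_libs_parse_as_user() reports a missing file only under debug, so on a system where xauth lives elsewhere its libraries would be skipped without a visible message. If the tree already has a way to locate xauth, use it here; otherwise a `fwarning()` when the file is absent would make the failure diagnosable. Separately, `fbin[]` in `fdir()` carries six commented-out entries that read as dead code; one comment line naming them as future candidates would be cleaner.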
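--- a/src/firejail/fs_mkdir.c
+++ b/src/firejail/fs_mkdir.c
@@ -46,7 +46,7 @@ static void mkdir_recursive(char *path) {
 struct stat s;
 
 if (chdir("/")) {
-fprintf(stderr, "Error: can't chdir to /");
+fprintf(stderr, "Error: can't chdir to /\n");
 return;
 }
 
@@ -63,7 +63,7 @@ static void mkdir_recursive(char *path) {
 return;
 }
 if (chdir(subdir)) {
-fprintf(stderr, "Error: can't chdir to %s", subdir);
+fprintf(stderr, "Error: can't chdir to %s\n", subdir);
 return;
 }
 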
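--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -411,7 +411,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
 extract_x11_display(parent);
 
 int shfd = -1;
-if (!arg_shell_none && !arg_audit)
+if (!arg_shell_none)
 shfd = open_shell();
 
 EUID_ROOT();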
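--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -130,8 +130,6 @@ int arg_keep_var_tmp = 0; // don't overwrite /var/tmp
 int arg_writable_run_user = 0; // writable /run/user
 int arg_writable_var_log = 0; // writable /var/log
 int arg_appimage = 0; // appimage
-int arg_audit = 0; // audit
-char *arg_audit_prog = NULL; // audit
 int arg_apparmor = 0; // apparmor
 int arg_allow_debuggers = 0; // allow debuggers
 int arg_x11_block = 0; // block X11
@@ -297,7 +295,7 @@ static void check_network(Bridge *br) {
 else if (br->ipsandbox) { // for macvlan check network range
 char *rv = in_netrange(br->ipsandbox, br->ip, br->mask);
 if (rv) {
-fprintf(stderr, "%s", rv);
+fprintf(stderr, "%s\n", rv);
 exit(1);
 }
 }
@@ -1233,10 +1231,12 @@ int main(int argc, char **argv, char **envp) {
 #endif
 }
 }
+#ifdef HAVE_OUTPUT
 else {
 // check --output option and execute it;
 check_output(argc, argv); // the function will not return if --output or --output-stderr option was found
 }
+#endif
 EUID_ASSERT();
 
 // check for force-nonewprivs in /etc/firejail/firejail.config file
@@ -1285,15 +1285,10 @@ int main(int argc, char **argv, char **envp) {
 #endif
 else if (strncmp(argv[i], "--protocol=", 11) == 0) {
 if (checkcfg(CFG_SECCOMP)) {
-if (cfg.protocol) {
+const char *add = argv[i] + 11;
-fwarning("more than one protocol list is present, \"%s\" will be installed\n", cfg.protocol);
+profile_list_augment(&cfg.protocol, add);
-}
+if (arg_debug)
-else {
+fprintf(stderr, "[option] combined protocol list: \"%s\"\n", cfg.protocol);
-// store list
-cfg.protocol = strdup(argv[i] + 11);
-if (!cfg.protocol)
-errExit("strdup");
-}
 }
 else
 exit_err_feature("seccomp");
@@ -1589,7 +1584,26 @@ int main(int argc, char **argv, char **envp) {
 profile_add(line);
 }
 #endif
-
+else if (strncmp(argv[i], "--mkdir=", 8) == 0) {
+char *line;
+if (asprintf(&line, "mkdir %s", argv[i] + 8) == -1)
+errExit("asprintf");
+/* Note: Applied both immediately in profile_check_line()
+* and later on via fs_blacklist().
+*/
+profile_check_line(line, 0, NULL);
+profile_add(line);
+}
+else if (strncmp(argv[i], "--mkfile=", 9) == 0) {
+char *line;
+if (asprintf(&line, "mkfile %s", argv[i] + 9) == -1)
+errExit("asprintf");
+/* Note: Applied both immediately in profile_check_line()
+* and later on via fs_blacklist().
+*/
+profile_check_line(line, 0, NULL);
+profile_add(line);
+}
 else if (strncmp(argv[i], "--read-only=", 12) == 0) {
 char *line;
 if (asprintf(&line, "read-only %s", argv[i] + 12) == -1)
@@ -2592,28 +2606,6 @@ int main(int argc, char **argv, char **envp) {
 //*************************************
 else if (strncmp(argv[i], "--timeout=", 10) == 0)
 cfg.timeout = extract_timeout(argv[i] + 10);
-else if (strcmp(argv[i], "--audit") == 0) {
-arg_audit_prog = LIBDIR "/firejail/faudit";
-profile_add_ignore("shell none");
-arg_audit = 1;
-}
-else if (strncmp(argv[i], "--audit=", 8) == 0) {
-if (strlen(argv[i] + 8) == 0) {
-fprintf(stderr, "Error: invalid audit program\n");
-exit(1);
-}
-arg_audit_prog = strdup(argv[i] + 8);
-if (!arg_audit_prog)
-errExit("strdup");
-
-struct stat s;
-if (stat(arg_audit_prog, &s) != 0) {
-fprintf(stderr, "Error: cannot find the audit program %s\n", arg_audit_prog);
-exit(1);
-}
-profile_add_ignore("shell none");
-arg_audit = 1;
-}
 else if (strcmp(argv[i], "--appimage") == 0)
 arg_appimage = 1;
 else if (strcmp(argv[i], "--shell=none") == 0) {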
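Review bot: The new `--mkdir=` and `--mkfile=` branches discard the `int` result of `profile_check_line()` and pass whatever follows the `=` straight into the profile line, including an empty string. The `--audit=` branch removed by this same commit rejected an empty value with `strlen(argv[i] + 8) == 0`, and the same guard would fit here, e.g. `if (*(argv[i] + 8) == '\0') { fprintf(stderr, "Error: invalid mkdir argument\n"); exit(1); }`, unless profile_check_line() already rejects it, which is not visible. The two branches are identical apart from the keyword and offset, so a small helper taking the keyword would remove the duplication. main() starts and ends outside these hunks.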
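--- a/src/firejail/network_main.c
+++ b/src/firejail/network_main.c
@@ -120,7 +120,7 @@ void net_configure_sandbox_ip(Bridge *br) {
 // check network range
 char *rv = in_netrange(br->ipsandbox, br->ip, br->mask);
 if (rv) {
-fprintf(stderr, "%s", rv);
+fprintf(stderr, "%s\n", rv);
 exit(1);
 }
 // send an ARP request and check if there is anybody on this IP address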
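--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -168,29 +168,17 @@ void run_no_sandbox(int argc, char **argv) {
 errExit("setresuid");
 
 // process limited subset of options
+// and find first non option arg:
+// - first argument not starting with --,
+// - whatever follows after -c (example: firejail -c ls)
+int prog_index = 0;
 int i;
-for (i = 0; i < argc; i++) {
+for (i = 1; i < argc; i++) {
 if (strcmp(argv[i], "--debug") == 0)
 arg_debug = 1;
 else if (strncmp(argv[i], "--shell=", 8) == 0)
-fwarning("shell-related command line options are disregarded - using SHELL environment variable\n");
-}
-
-// use $SHELL to get shell used in sandbox, guess shell otherwise
-cfg.shell = guess_shell();
-if (!cfg.shell) {
-fprintf(stderr, "Error: unable to guess your shell, please set SHELL environment variable\n");
-exit(1);
-}
-else if (arg_debug)
-printf("Selecting %s as shell\n", cfg.shell);
-
-int prog_index = 0;
-// find first non option arg:
-// - first argument not starting with --,
-// - whatever follows after -c (example: firejail -c ls)
-for (i = 1; i < argc; i++) {
-if (strcmp(argv[i], "-c") == 0) {
+fwarning("shell-related command line options are disregarded\n");
+else if (strcmp(argv[i], "-c") == 0) {
 prog_index = i + 1;
 if (prog_index == argc) {
 fprintf(stderr, "Error: option -c requires an argument\n");
@@ -199,36 +187,36 @@ void run_no_sandbox(int argc, char **argv) {
 break;
 }
 // check first argument not starting with --
-if (strncmp(argv[i],"--",2) != 0) {
+else if (strncmp(argv[i],"--",2) != 0) {
 prog_index = i;
 break;
 }
 }
 
-// if shell is /usr/bin/firejail, replace it with /bin/bash
-// if (strcmp(cfg.shell, PATH_FIREJAIL) == 0) {
-// cfg.shell = "/bin/bash";
-// prog_index = 0;
-// }
-
 if (prog_index == 0) {
-assert(cfg.command_line == NULL); // runs cfg.shell
+// got no command, require a shell and try to execute it
+cfg.shell = guess_shell();
+if (!cfg.shell) {
+fprintf(stderr, "Error: unable to guess your shell, please set SHELL environment variable\n");
+exit(1);
+}
+
+assert(cfg.command_line == NULL);
 cfg.window_title = cfg.shell;
 } else {
+// this sandbox might not allow execution of a shell
+// force --shell=none in order to not break firecfg symbolic links
+arg_shell_none = 1;
+
 build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index);
 }
 
+fwarning("an existing sandbox was detected. "
+"%s will run without any additional sandboxing features\n", prog_index ? argv[prog_index] : cfg.shell);
+
 cfg.original_argv = argv;
 cfg.original_program_index = prog_index;
 
-char *command;
-if (prog_index == 0)
-command = cfg.shell;
-else
-command = argv[prog_index];
-fwarning("an existing sandbox was detected. "
-"%s will run without any additional sandboxing features\n", command);
-
 arg_quiet = 1;
 
 start_application(1, -1, NULL);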
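--- a/src/firejail/output.c
+++ b/src/firejail/output.c
@@ -22,6 +22,7 @@
 #include <sys/stat.h>
 #include <unistd.h>
 
+#ifdef HAVE_OUTPUT
 void check_output(int argc, char **argv) {
 EUID_ASSERT();
 
@@ -149,3 +150,4 @@ void check_output(int argc, char **argv) {
 perror("execvp");
 exit(1);
 }
+#endif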
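--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -911,15 +911,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 
 if (strncmp(ptr, "protocol ", 9) == 0) {
 if (checkcfg(CFG_SECCOMP)) {
-if (cfg.protocol) {
-fwarning("more than one protocol list is present, \"%s\" will be installed\n", cfg.protocol);
-return 0;
-}
-
-// store list
-cfg.protocol = strdup(ptr + 9);
-if (!cfg.protocol)
-errExit("strdup");
+const char *add = ptr + 9;
+profile_list_augment(&cfg.protocol, add);
+if (arg_debug)
+fprintf(stderr, "[profile] combined protocol list: \"%s\"\n", cfg.protocol);
 }
 else
 warning_feature_disabled("seccomp");
@@ -931,7 +926,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 if (strncmp(ptr, "rmenv ", 6) == 0) {
-unsetenv(ptr + 6); // Remove also immediately from Firejail itself
 env_store(ptr + 6, RMENV);
 return 0;
 }
@@ -1774,3 +1768,143 @@ void profile_read(const char *fname) {
 }
 fclose(fp);
 }
+
+char *profile_list_normalize(char *list)
+{
+/* Remove redundant commas.
+*
+* As result is always shorter than original,
+* in-place copying can be used.
+*/
+size_t i = 0;
+size_t j = 0;
+int c;
+while (list[i] == ',')
+++i;
+while ((c = list[i++])) {
+if (c == ',') {
+while (list[i] == ',')
+++i;
+if (list[i] == 0)
+break;
+}
+list[j++] = c;
+}
+list[j] = 0;
+return list;
+}
+
+char *profile_list_compress(char *list)
+{
+size_t i;
+
+/* Comma separated list is processed so that:
+* "item" -> adds item to list
+* "-item" -> removes item from list
+* "+item" -> adds item to list
+* "=item" -> clear list, add item
+*
+* For example:
+* ,a,,,b,,,c, -> a,b,c
+* a,,b,,,c,a -> a,b,c
+* a,b,c,-a -> b,c
+* a,b,c,-a,a -> b,c,a
+* a,+b,c -> a,b,c
+* a,b,=c,d -> c,d
+* a,b,c,= ->
+*/
+profile_list_normalize(list);
+
+/* Count items: comma count + 1 */
+size_t count = 1;
+for (i = 0; list[i]; ++i) {
+if (list[i] == ',')
+++count;
+}
+
+/* Collect items in an array */
+char *in[count];
+count = 0;
+in[count++] = list;
+for (i = 0; list[i]; ++i) {
+if (list[i] != ',')
+continue;
+list[i] = 0;
+in[count++] = list + i + 1;
+}
+
+/* Filter array: add, remove, reset, filter out duplicates */
+for (i = 0; i < count; ++i) {
+char *item = in[i];
+assert(item);
+
+size_t k;
+switch (*item) {
+case '-':
+++item;
+/* Do not include this item */
+in[i] = 0;
+/* Remove if already included */
+for (k = 0; k < i; ++k) {
+if (in[k] && !strcmp(in[k], item)) {
+in[k] = 0;
+break;
+}
+}
+break;
+case '+':
+/* Allow +/- symmetry */
+in[i] = ++item;
+/* FALLTHRU */
+default:
+/* Adding empty item is a NOP */
+if (!*item) {
+in[i] = 0;
+break;
+}
+/* Include item unless it is already included */
+for (k = 0; k < i; ++k) {
+if (in[k] && !strcmp(in[k], item)) {
+in[i] = 0;
+break;
+}
+}
+break;
+case '=':
+in[i] = ++item;
+/* Include non-empty item */
+if (!*item)
+in[i] = 0;
+/* Remove all allready included items */
+for (k = 0; k < i; ++k)
+in[k] = 0;
+break;
+}
+}
+
+/* Copying back using in-place data works because the
+* original order is retained and no item gets longer
+* than what it used to be.
+*/
+char *pos = list;
+for (i = 0; i < count; ++i) {
+char *item = in[i];
+if (!item)
+continue;
+if (pos > list)
+*pos++ = ',';
+while (*item)
+*pos++ = *item++;
+}
+*pos = 0;
+return list;
+}
+
+void profile_list_augment(char **list, const char *items)
+{
+char *tmp = 0;
+if (asprintf(&tmp, "%s,%s", *list ?: "", items ?: "") < 0)
+errExit("asprintf");
+free(*list);
+*list = profile_list_compress(tmp);
+}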
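Review bot: `char *in[count];` in profile_list_compress() is a variable-length array sized by the number of commas in the list, and the first hunk feeds it text from profile `protocol` lines through profile_list_augment(), so the stack allocation has no upper bound. A heap allocation keeps an oversized list from exhausting the stack in what I understand to be a setuid program: `char **in = calloc(count, sizeof(*in)); if (!in) errExit("calloc");` with `free(in);` before the final `return list;`. The duplicate and removal scans are quadratic in the item count, so a fixed cap on `count` would bound both. The switch from first-list-wins to merged `protocol` lists also means a later line can widen or reset (`=item`) an earlier restriction, which deserves a sentence in the comment above the example table.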
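--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -80,8 +80,6 @@ static void pulseaudio_fallback(const char *path) {
 
 fmessage("Cannot mount tmpfs on %s/.config/pulse\n", cfg.homedir);
 env_store_name_val("PULSE_CLIENTCONFIG", path, SETENV);
-if (setenv("PULSE_CLIENTCONFIG", path, 1) < 0)
-errExit("setenv");
 }
 
 // disable shm in pulseaudio (issue #69)
@@ -176,8 +174,7 @@ void pulseaudio_init(void) {
 char *p;
 if (asprintf(&p, "%s/client.conf", homeusercfg) == -1)
 errExit("asprintf");
-if (setenv("PULSE_CLIENTCONFIG", p, 1) < 0)
-errExit("setenv");
+env_store_name_val("PULSE_CLIENTCONFIG", p, SETENV);
 fs_logger2("create", p);
 free(p);
 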
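Review bot: In pulseaudio_init() `p` is freed two lines after it is passed to `env_store_name_val("PULSE_CLIENTCONFIG", p, SETENV)`, which is only safe if that helper copies the value as setenv() did; its body is not part of this diff, so this is worth confirming. If it does copy, a short comment at the call such as `// env_store_name_val() keeps its own copy of p` would make the following `free(p)` obviously correct. Both functions extend beyond the hunks shown.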
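--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -475,23 +475,9 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
 }
 
 //****************************************
-// audit
-//****************************************
-if (arg_audit) {
-assert(arg_audit_prog);
-
-#ifdef HAVE_GCOV
-__gcov_dump();
-#endif
-seccomp_install_filters();
-if (set_sandbox_status)
-*set_sandbox_status = SANDBOX_DONE;
-execl(arg_audit_prog, arg_audit_prog, NULL);
-}
-//****************************************
 // start the program without using a shell
 //****************************************
-else if (arg_shell_none) {
+if (arg_shell_none) {
 if (arg_debug) {
 int i;
 for (i = cfg.original_program_index; i < cfg.original_argc; i++) {
@@ -589,12 +575,12 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
 }
 
 static void enforce_filters(void) {
+fmessage("\n** Warning: dropping all Linux capabilities and setting NO_NEW_PRIVS prctl **\n\n");
 // enforce NO_NEW_PRIVS
 arg_nonewprivs = 1;
 force_nonewprivs = 1;
 
 // disable all capabilities
-fmessage("\n** Warning: dropping all Linux capabilities **\n\n");
 arg_caps_drop_all = 1;
 
 // drop all supplementary groups; /etc/group file inside chroot
@@ -795,14 +781,18 @@ int sandbox(void* sandbox_arg) {
 exit(rv);
 }
 
-// need ld.so.preload if tracing or seccomp with any non-default lists
-bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec;
+#ifdef HAVE_FORCE_NONEWPRIVS
+bool always_enforce_filters = true;
+#else
+bool always_enforce_filters = false;
+#endif
 // for --appimage, --chroot and --overlay* we force NO_NEW_PRIVS
 // and drop all capabilities
-if (getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay)) {
+if (getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay || always_enforce_filters))
 enforce_filters();
-need_preload = arg_trace || arg_tracelog;
-}
+
+// need ld.so.preload if tracing or seccomp with any non-default lists
+bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec;
 
 // trace pre-install
 if (need_preload)
@@ -969,11 +959,35 @@ int sandbox(void* sandbox_arg) {
 else if (arg_overlay)
 fwarning("private-etc feature is disabled in overlay\n");
 else {
-fs_private_dir_list("/etc", RUN_ETC_DIR, cfg.etc_private_keep);
-fs_private_dir_list("/usr/etc", RUN_USR_ETC_DIR, cfg.etc_private_keep); // openSUSE
+/* Current /etc/passwd and /etc/group files are bind
+* mounted filtered versions of originals. Leaving
+* them underneath private-etc mount causes problems
+* in devices with older kernels, e.g. attempts to
+* update the real /etc/passwd file yield EBUSY.
+*
+* As we do want to retain filtered /etc content:
+* 1. duplicate /etc content to RUN_ETC_DIR
+* 2. unmount bind mounts from /etc
+* 3. mount RUN_ETC_DIR at /etc
+*/
+timetrace_start();
+fs_private_dir_copy("/etc", RUN_ETC_DIR, cfg.etc_private_keep);
+
+if (umount2("/etc/group", MNT_DETACH) == -1)
+fprintf(stderr, "/etc/group: unmount: %s\n", strerror(errno));
+if (umount2("/etc/passwd", MNT_DETACH) == -1)
+fprintf(stderr, "/etc/passwd: unmount: %s\n", strerror(errno));
+
+fs_private_dir_mount("/etc", RUN_ETC_DIR);
+fmessage("Private /etc installed in %0.2f ms\n", timetrace_end());
+
 // create /etc/ld.so.preload file again
 if (need_preload)
 fs_trace_preload();
+
+// openSUSE configuration is split between /etc and /usr/etc
+// process private-etc a second time
+fs_private_dir_list("/usr/etc", RUN_USR_ETC_DIR, cfg.etc_private_keep);
 }
 }
 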
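Review bot: The two `umount2(..., MNT_DETACH)` calls in the private-etc hunk only print to stderr on failure and then continue to `fs_private_dir_mount("/etc", RUN_ETC_DIR)`, so a failed detach leaves the bind mounts the comment wants removed underneath the new /etc, while a file that was never bind-mounted (umount2 reports EINVAL for a non-mount-point) produces an error line for a normal case. I would send these through `fwarning`, like the overlay message a few lines above, and stay silent for the not-mounted case: `if (umount2("/etc/group", MNT_DETACH) == -1 && errno != EINVAL) fwarning("cannot unmount /etc/group: %s\n", strerror(errno));`, and the same for /etc/passwd. In the earlier hunk of the same function `need_preload` no longer drops `arg_seccomp_postexec` after `enforce_filters()` runs; if that is intended, a short comment saying why would help the next reader. sandbox() extends beyond both hunks.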
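--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -203,15 +203,16 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char *
 }
 }
 
-if (filtermask & SBOX_ROOT) {
+if (filtermask & SBOX_USER)
+drop_privs(1);
+else if (filtermask & SBOX_ROOT) {
 // elevate privileges in order to get grsecurity working
 if (setreuid(0, 0))
 errExit("setreuid");
 if (setregid(0, 0))
 errExit("setregid");
 }
-else if (filtermask & SBOX_USER)
-drop_privs(1);
+else assert(0);
 
 if (arg[0]) { // get rid of scan-build warning
 int fd = open(arg[0], O_PATH | O_CLOEXEC);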
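Review bot: `else assert(0);` is the only thing that stops sbox_do_exec_v() from continuing to the exec with unchanged credentials when neither SBOX_USER nor SBOX_ROOT is set, and assert() disappears in builds that define NDEBUG. Failing closed with an explicit exit keeps the check in every build: `else { fprintf(stderr, "Error: sbox: SBOX_USER or SBOX_ROOT required\n"); exit(1); }`. Testing SBOX_USER first is a sensible order, since a mask carrying both flags now drops privileges instead of raising them; a one-line comment stating that precedence would keep it from being reordered later. The function starts and ends outside the hunk.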
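--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -33,7 +33,6 @@ static char *usage_str =
 " --apparmor - enable AppArmor confinement.\n"
 " --apparmor.print=name|pid - print apparmor status.\n"
 " --appimage - sandbox an AppImage application.\n"
-" --audit[=test-program] - audit the sandbox.\n"
 #ifdef HAVE_NETWORK
 " --bandwidth=name|pid - set bandwidth limits.\n"
 #endif
@@ -56,6 +55,7 @@ static char *usage_str =
 #endif
 " --cpu=cpu-number,cpu-number - set cpu affinity.\n"
 " --cpu.print=name|pid - print the cpus in use.\n"
+#ifdef HAVE_DBUSPROXY
 " --dbus-log=file - set DBus log file location.\n"
 " --dbus-system=filter|none - set system DBus access policy.\n"
 " --dbus-system.broadcast=rule - allow signals on the system DBus according to rule.\n"
@@ -71,6 +71,7 @@ static char *usage_str =
 " --dbus-user.own=name - allow ownership of name on the session DBus.\n"
 " --dbus-user.see=name - allow seeing name on the session DBus.\n"
 " --dbus-user.talk=name - allow talking to name on the session DBus.\n"
+#endif
 " --debug - print sandbox debug messages.\n"
 " --debug-blacklists - debug blacklisting.\n"
 " --debug-caps - print all recognized capabilities.\n"
@@ -125,6 +126,8 @@ static char *usage_str =
 " --machine-id - preserve /etc/machine-id\n"
 " --memory-deny-write-execute - seccomp filter to block attempts to create\n"
 "\tmemory mappings that are both writable and executable.\n"
+" --mkdir=dirname - create a directory.\n"
+" --mkfile=filename - create a file.\n"
 #ifdef HAVE_NETWORK
 " --mtu=number - set interface MTU.\n"
 #endif
@@ -161,14 +164,18 @@ static char *usage_str =
 " --novideo - disable video devices.\n"
 " --nou2f - disable U2F devices.\n"
 " --nowhitelist=filename - disable whitelist for file or directory.\n"
+#ifdef HAVE_OUTPUT
 " --output=logfile - stdout logging and log rotation.\n"
 " --output-stderr=logfile - stdout and stderr logging and log rotation.\n"
+#endif
+#ifdef HAVE_OVERLAYFS
 " --overlay - mount a filesystem overlay on top of the current filesystem.\n"
 " --overlay-named=name - mount a filesystem overlay on top of the current\n"
 "\tfilesystem, and store it in name directory.\n"
 " --overlay-tmpfs - mount a temporary filesystem overlay on top of the\n"
 "\tcurrent filesystem.\n"
 " --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n"
+#endif
 " --private - temporary home directory.\n"
 " --private=directory - use directory as user home.\n"
 " --private-cache - temporary ~/.cache directory.\n"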
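--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -400,6 +400,8 @@ void touch_file_as_user(const char *fname, mode_t mode) {
 SET_PERMS_STREAM(fp, -1, -1, mode);
 fclose(fp);
 }
+else
+fwarning("cannot create %s\n", fname);
 #ifdef HAVE_GCOV
 __gcov_flush();
 #endif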
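--- a/src/firemon/Makefile.in
+++ b/src/firemon/Makefile.in
@@ -1,3 +1,4 @@
+.PHONY: all
 all: firemon
 
 include ../common.mk
@@ -8,7 +9,9 @@ include ../common.mk
 firemon: $(OBJS) ../lib/common.o ../lib/pid.o
 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/pid.o $(LIBS) $(EXTRA_LDFLAGS)
 
+.PHONY: clean
 clean:; rm -fr *.o firemon *.gcov *.gcda *.gcno *.plist
 
+.PHONY: distclean
 distclean: clean
 rm -fr Makefile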
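--- a/src/fldd/Makefile.in
+++ b/src/fldd/Makefile.in
@@ -1,3 +1,4 @@
+.PHONY: all
 all: fldd
 
 include ../common.mk
@@ -8,7 +9,9 @@ include ../common.mk
 fldd: $(OBJS) ../lib/common.o ../lib/ldd_utils.o
 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS)
 
+.PHONY: clean
 clean:; rm -fr *.o fldd *.gcov *.gcda *.gcno *.plist
 
+.PHONY: distclean
 distclean: clean
 rm -fr Makefile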
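--- a/src/fnet/Makefile.in
+++ b/src/fnet/Makefile.in
@@ -1,3 +1,4 @@
+.PHONY: all
 all: fnet
 
 include ../common.mk
@@ -8,7 +9,9 @@ include ../common.mk
 fnet: $(OBJS) ../lib/common.o ../lib/libnetlink.o
 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS)
 
+.PHONY: clean
 clean:; rm -fr *.o fnet *.gcov *.gcda *.gcno *.plist
 
+.PHONY: distclean
 distclean: clean
 rm -fr Makefile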
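--- a/src/fnetfilter/Makefile.in
+++ b/src/fnetfilter/Makefile.in
@@ -1,3 +1,4 @@
+.PHONY: all
 all: fnetfilter
 
 include ../common.mk
@@ -8,7 +9,9 @@ include ../common.mk
 fnetfilter: $(OBJS) ../lib/common.o
 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
 
+.PHONY: clean
 clean:; rm -fr *.o fnetfilter *.gcov *.gcda *.gcno *.plist
 
+.PHONY: distclean
 distclean: clean
 rm -fr Makefile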
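--- a/src/fsec-optimize/Makefile.in
+++ b/src/fsec-optimize/Makefile.in
@@ -1,3 +1,4 @@
+.PHONY: all
 all: fsec-optimize
 
 include ../common.mk
@@ -8,7 +9,9 @@ include ../common.mk
 fsec-optimize: $(OBJS) ../lib/common.o ../lib/libnetlink.o
 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o $(LIBS) $(EXTRA_LDFLAGS)
 
+.PHONY: clean
 clean:; rm -fr *.o fsec-optimize *.gcov *.gcda *.gcno *.plist
 
+.PHONY: distclean
 distclean: clean
 rm -fr Makefile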
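--- a/src/fsec-print/Makefile.in
+++ b/src/fsec-print/Makefile.in
@@ -1,3 +1,4 @@
+.PHONY: all
 all: fsec-print
 
 include ../common.mk
@@ -8,7 +9,9 @@ include ../common.mk
 fsec-print: $(OBJS) ../lib/common.o ../lib/libnetlink.o ../lib/errno.o ../lib/syscall.o
 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS)
 
+.PHONY: clean
 clean:; rm -fr *.o fsec-print *.gcov *.gcda *.gcno *.plist
 
+.PHONY: distclean
 distclean: clean
 rm -fr Makefile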
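--- a/src/fseccomp/Makefile.in
+++ b/src/fseccomp/Makefile.in
@@ -1,3 +1,4 @@
+.PHONY: all
 all: fseccomp
 
 include ../common.mk
@@ -8,7 +9,9 @@ include ../common.mk
 fseccomp: $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o
 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS)
 
+.PHONY: clean
 clean:; rm -fr *.o fseccomp *.gcov *.gcda *.gcno *.plist
 
+.PHONY: distclean
 distclean: clean
 rm -fr Makefile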
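--- a/src/ftee/Makefile.in
+++ b/src/ftee/Makefile.in
@@ -1,3 +1,4 @@
+.PHONY: all
 all: ftee
 
 include ../common.mk
@@ -8,7 +9,9 @@ include ../common.mk
 ftee: $(OBJS)
 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
 
+.PHONY: clean
 clean:; rm -fr *.o ftee *.gcov *.gcda *.gcno *.plist
 
+.PHONY: distclean
 distclean: clean
 rm -fr Makefile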
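--- /dev/null
+++ b/src/jailtest/Makefile.in
@@ -0,0 +1,17 @@
+.PHONY: all
+all: jailtest
+
+include ../common.mk
+
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/pid.h
+$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+
+jailtest: $(OBJS)
+$(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/pid.o $(LIBS) $(EXTRA_LDFLAGS)
+
+.PHONY: clean
+clean:; rm -fr *.o jailtest *.gcov *.gcda *.gcno *.plist
+
+.PHONY: distclean
+distclean: clean
+rm -fr Makefile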
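Review bot: The `jailtest` link rule (new lines 9–10) passes `../lib/common.o` and `../lib/pid.o` to the linker but lists only `$(OBJS)` as prerequisites, so a change to either library object does not trigger a relink. The rule also relies on some other part of the build having produced them first. Listing them the way the fseccomp rule does makes the dependency explicit: `jailtest: $(OBJS) ../lib/common.o ../lib/pid.o`.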
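--- /dev/null
+++ b/src/jailtest/access.c
@@ -0,0 +1,143 @@
+/*
+* Copyright (C) 2014-2021 Firejail Authors
+*
+* This file is part of firejail project
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailtest.h"
+#include <dirent.h>
+#include <sys/wait.h>
+
+typedef struct {
+char *tfile;
+char *tdir;
+} TestDir;
+
+#define MAX_TEST_FILES 16
+TestDir td[MAX_TEST_FILES];
+static int files_cnt = 0;
+
+void access_setup(const char *directory) {
+// I am root!
+assert(directory);
+assert(user_home_dir);
+
+if (files_cnt >= MAX_TEST_FILES) {
+fprintf(stderr, "Error: maximum number of test directories exceded\n");
+exit(1);
+}
+
+char *fname = strdup(directory);
+if (!fname)
+errExit("strdup");
+if (strncmp(fname, "~/", 2) == 0) {
+free(fname);
+if (asprintf(&fname, "%s/%s", user_home_dir, directory + 2) == -1)
+errExit("asprintf");
+}
+
+char *path = realpath(fname, NULL);
+free(fname);
+if (path == NULL) {
+fprintf(stderr, "Warning: invalid directory %s, skipping...\n", directory);
+return;
+}
+
+// file in home directory
+if (strncmp(path, user_home_dir, strlen(user_home_dir)) != 0) {
+fprintf(stderr, "Warning: file %s is not in user home directory, skipping...\n", directory);
+free(path);
+return;
+}
+
+// try to open the dir as root
+DIR *dir = opendir(path);
+if (!dir) {
+fprintf(stderr, "Warning: directory %s not found, skipping\n", directory);
+free(path);
+return;
+}
+closedir(dir);
+
+// create a test file
+char *test_file;
+if (asprintf(&test_file, "%s/jailtest-access-%d", path, getpid()) == -1)
+errExit("asprintf");
+
+FILE *fp = fopen(test_file, "w");
+if (!fp) {
+printf("Warning: I cannot create test file in directory %s, skipping...\n", directory);
+return;
+}
+fprintf(fp, "this file was created by firetest utility, you can safely delete it\n");
+fclose(fp);
+int rv = chown(test_file, user_uid, user_gid);
+if (rv)
+errExit("chown");
+
+char *dname = strdup(directory);
+if (!dname)
+errExit("strdup");
+td[files_cnt].tdir = dname;
+td[files_cnt].tfile = test_file;
+files_cnt++;
+}
+
+void access_destroy(void) {
+// remove test files
+int i;
+
+for (i = 0; i < files_cnt; i++) {
+int rv = unlink(td[i].tfile);
+(void) rv;
+}
+files_cnt = 0;
+}
+
+void access_test(void) {
+// I am root in sandbox mount namespace
+assert(user_uid);
+int i;
+
+pid_t child = fork();
+if (child == -1)
+errExit("fork");
+
+if (child == 0) { // child
+// drop privileges
+if (setgid(user_gid) != 0)
+errExit("setgid");
+if (setuid(user_uid) != 0)
+errExit("setuid");
+
+for (i = 0; i < files_cnt; i++) {
+assert(td[i].tfile);
+
+// try to open the file for reading
+FILE *fp = fopen(td[i].tfile, "r");
+if (fp) {
+
+printf(" Warning: I can read %s\n", td[i].tdir);
+fclose(fp);
+}
+}
+exit(0);
+}
+
+// wait for the child to finish
+int status;
+wait(&status);
+}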
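Review bot: In `access_setup` (new lines 76–89) root creates `<dir>/jailtest-access-<pid>` with `fopen(test_file, "w")` and then calls `chown()` on the path, inside a directory owned by the target user; both calls follow symbolic links, so a link already present under that name would make root truncate the link target and hand it to `user_uid`. Creating the file with `O_CREAT | O_EXCL | O_NOFOLLOW` and changing ownership with `fchown()` on the descriptor keeps the tool from acting on anything it did not create itself; the rewritten lines are below and also free `path` and `test_file`, which the current code leaks (`open()` needs `<fcntl.h>` unless `common.h` already provides it). The directory can still be replaced between `realpath()` and `open()`, so a stricter variant would create the file in a child that has already switched to `user_uid`/`user_gid`, as `access_test` does for the read. `virtual_setup` in src/jailtest/virtual.c uses the same `fopen`/`chown` sequence for the home directory, `/tmp` and `/var/tmp` and needs the same change.

```c
// create the test file; O_EXCL | O_NOFOLLOW refuse a name that already exists or is a link
char *test_file;
if (asprintf(&test_file, "%s/jailtest-access-%d", path, getpid()) == -1)
	errExit("asprintf");
free(path);

int fd = open(test_file, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
if (fd == -1) {
	printf("Warning: I cannot create test file in directory %s, skipping...\n", directory);
	free(test_file);
	return;
}
// hand the file over through the descriptor, never through the path
if (fchown(fd, user_uid, user_gid) == -1)
	errExit("fchown");
FILE *fp = fdopen(fd, "w");
if (!fp)
	errExit("fdopen");
// ... unchanged: fprintf of the marker text, fclose, td[] bookkeeping ...
```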
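--- /dev/null
+++ b/src/jailtest/apparmor.c
@@ -0,0 +1,40 @@
+/*
+* Copyright (C) 2014-2021 Firejail Authors
+*
+* This file is part of firejail project
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailtest.h"
+
+#ifdef HAVE_APPARMOR
+#include <sys/apparmor.h>
+
+void apparmor_test(pid_t pid) {
+char *label = NULL;
+char *mode = NULL;
+int rv = aa_gettaskcon(pid, &label, &mode);
+if (rv == -1 || mode == NULL)
+printf(" Warning: AppArmor not enabled\n");
+}
+
+
+#else
+void apparmor_test(pid_t pid) {
+(void) pid;
+return;
+}
+#endif
+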
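Review bot: `apparmor_test` (new lines 25–31) never releases the buffer that `aa_gettaskcon()` allocates for `label`, so every inspected sandbox leaks it; `mode` points into the same allocation and must not be freed on its own. Adding `free(label);` after the check is enough. As far as the libapparmor documentation describes it, a NULL `mode` is also what an unconfined task returns, so the single message `AppArmor not enabled` covers both "call failed" and "no profile attached"; a comment such as `// mode == NULL: the task is unconfined` would make that explicit.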
diff --git a/src/faudit/faudit.h b/src/jailtest/jailtest.h index cfed1504b..10174cc9a 100644 --- a/src/faudit/faudit.h +++ b/src/jailtest/jailtest.h | |||
@@ -17,52 +17,42 @@ | |||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | 17 | * with this program; if not, write to the Free Software Foundation, Inc., |
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | 18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
19 | */ | 19 | */ |
20 | #ifndef JAILTEST_H | ||
21 | #define JAILTEST_H | ||
20 | 22 | ||
21 | #ifndef FAUDIT_H | 23 | #include "../include/common.h" |
22 | #define FAUDIT_H | ||
23 | #define _GNU_SOURCE | ||
24 | #include <stdio.h> | ||
25 | #include <stdlib.h> | ||
26 | #include <stdint.h> | ||
27 | #include <string.h> | ||
28 | #include <unistd.h> | ||
29 | #include <sys/types.h> | ||
30 | #include <sys/stat.h> | ||
31 | #include <sys/mount.h> | ||
32 | #include <assert.h> | ||
33 | |||
34 | #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s:%s(%d)", msg, __FUNCTION__, __LINE__); perror(msgout); exit(1);} while (0) | ||
35 | 24 | ||
36 | // main.c | 25 | // main.c |
37 | extern char *prog; | 26 | extern uid_t user_uid; |
38 | 27 | extern gid_t user_gid; | |
39 | // pid.c | 28 | extern char *user_name; |
40 | void pid_test(void); | 29 | extern char *user_home_dir; |
41 | 30 | extern char *user_run_dir; | |
42 | // caps.c | ||
43 | void caps_test(void); | ||
44 | 31 | ||
45 | // seccomp.c | 32 | // access.c |
46 | void seccomp_test(void); | 33 | void access_setup(const char *directory); |
47 | 34 | void access_test(void); | |
48 | // syscall.c | 35 | void access_destroy(void); |
49 | void syscall_helper(int argc, char **argv); | ||
50 | void syscall_run(const char *name); | ||
51 | 36 | ||
52 | // files.c | 37 | // noexec.c |
53 | void files_test(void); | 38 | void noexec_setup(void); |
39 | void noexec_test(const char *msg); | ||
54 | 40 | ||
55 | // network.c | 41 | // virtual.c |
56 | void network_test(void); | 42 | void virtual_setup(const char *directory); |
43 | void virtual_destroy(void); | ||
44 | void virtual_test(void); | ||
57 | 45 | ||
58 | // dbus.c | 46 | // apparmor.c |
59 | int check_unix(const char *sockfile); | 47 | void apparmor_test(pid_t pid); |
60 | void dbus_test(void); | ||
61 | 48 | ||
62 | // dev.c | 49 | // seccomp.c |
63 | void dev_test(void); | 50 | void seccomp_test(pid_t pid); |
64 | 51 | ||
65 | // x11.c | 52 | // utils.c |
66 | void x11_test(void); | 53 | char *get_sudo_user(void); |
54 | char *get_homedir(const char *user, uid_t *uid, gid_t *gid); | ||
55 | int find_child(pid_t pid); | ||
56 | pid_t switch_to_child(pid_t pid); | ||
67 | 57 | ||
68 | #endif | 58 | #endif \ No newline at end of file |
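Review bot: The new header declares `pid_t switch_to_child(pid_t pid);` under `// utils.c`, but the utils.c added in this commit defines no such function, and it declares `int find_child(pid_t pid);` while utils.c defines `int find_child(int id)`. Dropping the unused prototype and making the two `find_child` signatures identical keeps the header in step with the code. Since callers must handle the failure value, the prototype deserves a comment such as `// returns the pid of the first sandboxed process, or -1 if none is found`. The file also ends without a trailing newline.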
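--- /dev/null
+++ b/src/jailtest/main.c
@@ -0,0 +1,167 @@
+/*
+* Copyright (C) 2014-2021 Firejail Authors
+*
+* This file is part of firejail project
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailtest.h"
+#include "../include/firejail_user.h"
+#include "../include/pid.h"
+#include <sys/wait.h>
+
+uid_t user_uid = 0;
+gid_t user_gid = 0;
+char *user_name = NULL;
+char *user_home_dir = NULL;
+char *user_run_dir = NULL;
+int arg_debug = 0;
+
+static char *usage_str =
+"Usage: jailtest [options] directory [directory]\n\n"
+"Options:\n"
+" --debug - print debug messages.\n"
+" --help, -? - this help screen.\n"
+" --version - print program version and exit.\n";
+
+
+static void usage(void) {
+printf("firetest - version %s\n\n", VERSION);
+puts(usage_str);
+}
+
+static void cleanup(void) {
+// running only as root
+if (getuid() == 0) {
+if (arg_debug)
+printf("cleaning up!\n");
+access_destroy();
+virtual_destroy();
+}
+}
+
+int main(int argc, char **argv) {
+int i;
+int findex = 0;
+
+for (i = 1; i < argc; i++) {
+if (strcmp(argv[i], "-?") == 0 || strcmp(argv[i], "--help") == 0) {
+usage();
+return 0;
+}
+else if (strcmp(argv[i], "--version") == 0) {
+printf("firetest version %s\n\n", VERSION);
+return 0;
+}
+else if (strncmp(argv[i], "--hello=", 8) == 0) { // used by noexec test
+printf(" Warning: I can run programs in %s\n", argv[i] + 8);
+return 0;
+}
+else if (strcmp(argv[i], "--debug") == 0)
+arg_debug = 1;
+else if (strncmp(argv[i], "--", 2) == 0) {
+fprintf(stderr, "Error: invalid option\n");
+return 1;
+}
+else {
+findex = i;
+break;
+}
+}
+
+// user setup
+if (getuid() != 0) {
+fprintf(stderr, "Error: you need to be root (via sudo) to run this program\n");
+exit(1);
+}
+user_name = get_sudo_user();
+assert(user_name);
+user_home_dir = get_homedir(user_name, &user_uid, &user_gid);
+if (user_uid == 0) {
+fprintf(stderr, "Error: root user not supported\n");
+exit(1);
+}
+if (asprintf(&user_run_dir, "/run/user/%d", user_uid) == -1)
+errExit("asprintf");
+
+// test setup
+atexit(cleanup);
+access_setup("~/.ssh");
+access_setup("~/.gnupg");
+if (findex > 0) {
+for (i = findex; i < argc; i++)
+access_setup(argv[i]);
+}
+
+noexec_setup();
+virtual_setup(user_home_dir);
+virtual_setup("/tmp");
+virtual_setup("/var/tmp");
+virtual_setup("/dev");
+virtual_setup("/etc");
+virtual_setup("/bin");
+virtual_setup("/usr/share");
+virtual_setup(user_run_dir);
+
+
+
+// print processes
+pid_read(0);
+for (i = 0; i < max_pids; i++) {
+if (pids[i].level == 1) {
+uid_t uid = pid_get_uid(i);
+if (uid != user_uid) // not interested in other user sandboxes
+continue;
+
+// in case the pid is that of a firejail process, use the pid of the first child process
+uid_t pid = find_child(i);
+printf("\n");
+pid_print_list(i, 0); // no wrapping
+apparmor_test(pid);
+seccomp_test(pid);
+fflush(0);
+
+pid_t child = fork();
+if (child == -1)
+errExit("fork");
+if (child == 0) {
+int rv = join_namespace(pid, "mnt");
+if (rv == 0) {
+virtual_test();
+noexec_test(user_home_dir);
+noexec_test("/tmp");
+noexec_test("/var/tmp");
+noexec_test(user_run_dir);
+access_test();
+}
+else {
+printf(" Error: I cannot join the process mount space\n");
+exit(1);
+}
+
+// drop privileges in order not to trigger cleanup()
+if (setgid(user_gid) != 0)
+errExit("setgid");
+if (setuid(user_uid) != 0)
+errExit("setuid");
+return 0;
+}
+int status;
+wait(&status);
+}
+}
+
+return 0;
+}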
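Review bot: The `exit(1)` on the failed `join_namespace()` path (new line 151) runs in a forked child that is still root, so the inherited `atexit(cleanup)` handler fires and unlinks the marker files created by `access_setup` and `virtual_setup`. Every sandbox examined afterwards is then tested against files that no longer exist, which leaves `access_test` silent and makes `virtual_test` list every directory. The success path drops privileges for exactly this reason (comment at new line 154); the error path should leave with `_exit(1);` instead. Separately, new line 129 stores the `int` result of `find_child()` in a `uid_t`, so the documented -1 turns into a large unsigned value that is passed on to `apparmor_test`, `seccomp_test` and `join_namespace`; `pid_t pid = find_child(i);` followed by `if (pid == -1) continue;` would handle it.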
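--- /dev/null
+++ b/src/jailtest/noexec.c
@@ -0,0 +1,113 @@
+/*
+* Copyright (C) 2014-2021 Firejail Authors
+*
+* This file is part of firejail project
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailtest.h"
+#include <sys/wait.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+static unsigned char *execfile = NULL;
+static int execfile_len = 0;
+
+void noexec_setup(void) {
+// grab a copy of myself
+char *self = realpath("/proc/self/exe", NULL);
+if (self) {
+struct stat s;
+if (access(self, X_OK) == 0 && stat(self, &s) == 0) {
+assert(s.st_size);
+execfile = malloc(s.st_size);
+
+int fd = open(self, O_RDONLY);
+if (fd == -1)
+errExit("open");
+int len = 0;
+do {
+int rv = read(fd, execfile + len, s.st_size - len);
+if (rv == -1)
+errExit("read");
+if (rv == 0) {
+// something went wrong!
+free(execfile);
+execfile = NULL;
+printf("Warning: I cannot grab a copy of myself, skipping noexec test...\n");
+break;
+}
+len += rv;
+}
+while (len < s.st_size);
+execfile_len = s.st_size;
+close(fd);
+}
+}
+}
+
+
+void noexec_test(const char *path) {
+assert(user_uid);
+
+// I am root in sandbox mount namespace
+if (!execfile)
+return;
+
+char *fname;
+if (asprintf(&fname, "%s/jailtest-noexec-%d", path, getpid()) == -1)
+errExit("asprintf");
+
+pid_t child = fork();
+if (child == -1)
+errExit("fork");
+
+if (child == 0) { // child
+// drop privileges
+if (setgid(user_gid) != 0)
+errExit("setgid");
+if (setuid(user_uid) != 0)
+errExit("setuid");
+int fd = open(fname, O_CREAT | O_TRUNC | O_WRONLY, 0700);
+if (fd == -1) {
+printf(" I cannot create files in %s, skipping noexec...\n", path);
+exit(1);
+}
+
+int len = 0;
+while (len < execfile_len) {
+int rv = write(fd, execfile + len, execfile_len - len);
+if (rv == -1 || rv == 0) {
+printf(" I cannot create files in %s, skipping noexec....\n", path);
+exit(1);
+}
+len += rv;
+}
+fchmod(fd, 0700);
+close(fd);
+
+char *arg;
+if (asprintf(&arg, "--hello=%s", path) == -1)
+errExit("asprintf");
+int rv = execl(fname, fname, arg, NULL);
+(void) rv; // if we get here execl failed
+exit(0);
+}
+
+int status;
+wait(&status);
+int rv = unlink(fname);
+(void) rv;
+}
\ No newline at end of file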
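Review bot: In `noexec_test` the child opens `fname` with `O_CREAT | O_TRUNC | O_WRONLY` (new line 83) and then executes it, so in a shared directory such as `/tmp` it can end up writing to and running a file or link that another account placed under that name. Requiring a fresh file keeps the test to content it wrote itself: `int fd = open(fname, O_CREAT | O_EXCL | O_NOFOLLOW | O_WRONLY, 0700);`. In `noexec_setup`, the result of `malloc(s.st_size)` at new line 35 is used without a NULL check, and the `self` string returned by `realpath()` is never freed.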
diff --git a/src/faudit/dev.c b/src/jailtest/seccomp.c index 61cb1cabe..2cecb4b4d 100644 --- a/src/faudit/dev.c +++ b/src/jailtest/seccomp.c | |||
@@ -17,31 +17,31 @@ | |||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | 17 | * with this program; if not, write to the Free Software Foundation, Inc., |
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | 18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
19 | */ | 19 | */ |
20 | #include "faudit.h" | 20 | #include "jailtest.h" |
21 | #include <dirent.h> | 21 | #define MAXBUF 4096 |
22 | 22 | ||
23 | void dev_test(void) { | 23 | void seccomp_test(pid_t pid) { |
24 | DIR *dir; | 24 | char *file; |
25 | if (!(dir = opendir("/dev"))) { | 25 | if (asprintf(&file, "/proc/%d/status", pid) == -1) |
26 | fprintf(stderr, "Error: cannot open /dev directory\n"); | 26 | errExit("asprintf"); |
27 | |||
28 | FILE *fp = fopen(file, "r"); | ||
29 | if (!fp) { | ||
30 | printf(" Error: cannot open %s\n", file); | ||
31 | free(file); | ||
27 | return; | 32 | return; |
28 | } | 33 | } |
29 | 34 | ||
30 | struct dirent *entry; | 35 | char buf[MAXBUF]; |
31 | printf("INFO: files visible in /dev directory: "); | 36 | while (fgets(buf, MAXBUF, fp)) { |
32 | int cnt = 0; | 37 | if (strncmp(buf, "Seccomp:", 8) == 0) { |
33 | while ((entry = readdir(dir)) != NULL) { | 38 | int val = -1; |
34 | if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) | 39 | int rv = sscanf(buf + 8, "\t%d", &val); |
35 | continue; | 40 | if (rv != 1 || val == 0) |
36 | 41 | printf(" Warning: seccomp not enabled\n"); | |
37 | printf("%s, ", entry->d_name); | 42 | break; |
38 | cnt++; | 43 | } |
39 | } | 44 | } |
40 | printf("\n"); | 45 | fclose(fp); |
41 | 46 | free(file); | |
42 | if (cnt > 20) | ||
43 | printf("MAYBE: /dev directory seems to be fully populated. Use --private-dev or --whitelist to restrict the access.\n"); | ||
44 | else | ||
45 | printf("GOOD: Access to /dev directory is restricted.\n"); | ||
46 | closedir(dir); | ||
47 | } | 47 | } |
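Review bot: `seccomp_test` prints nothing when `/proc/<pid>/status` contains no `Seccomp:` line, so the absence of a warning does not distinguish "filter active" from "field not found". An audit tool should report the unknown case rather than stay silent. Set `int found = 0;` before the loop, `found = 1;` inside the `Seccomp:` branch, and add `if (!found) printf(" Warning: cannot determine seccomp status\n");` after the loop.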
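--- /dev/null
+++ b/src/jailtest/utils.c
@@ -0,0 +1,102 @@
+/*
+* Copyright (C) 2014-2021 Firejail Authors
+*
+* This file is part of firejail project
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailtest.h"
+#include "../include/pid.h"
+#include <errno.h>
+#include <pwd.h>
+#include <dirent.h>
+
+#define BUFLEN 4096
+
+char *get_sudo_user(void) {
+char *user = getenv("SUDO_USER");
+if (!user) {
+user = getpwuid(getuid())->pw_name;
+if (!user) {
+fprintf(stderr, "Error: cannot detect login user\n");
+exit(1);
+}
+}
+
+return user;
+}
+
+char *get_homedir(const char *user, uid_t *uid, gid_t *gid) {
+// find home directory
+struct passwd *pw = getpwnam(user);
+if (!pw)
+goto errexit;
+
+char *home = pw->pw_dir;
+if (!home)
+goto errexit;
+
+*uid = pw->pw_uid;
+*gid = pw->pw_gid;
+
+return home;
+
+errexit:
+fprintf(stderr, "Error: cannot find home directory for user %s\n", user);
+exit(1);
+}
+
+// find the second child process for the specified pid
+// return -1 if not found
+//
+// Example:
+//14776:netblue:/usr/bin/firejail /usr/bin/transmission-qt
+// 14777:netblue:/usr/bin/firejail /usr/bin/transmission-qt
+// 14792:netblue:/usr/bin/transmission-qt
+// We need 14792, the first real sandboxed process
+// duplicate from src/firemon/main.c
+int find_child(int id) {
+int i;
+int first_child = -1;
+
+// find the first child
+for (i = 0; i < max_pids; i++) {
+if (pids[i].level == 2 && pids[i].parent == id) {
+// skip /usr/bin/xdg-dbus-proxy (started by firejail for dbus filtering)
+char *cmdline = pid_proc_cmdline(i);
+if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) == 0) {
+free(cmdline);
+continue;
+}
+free(cmdline);
+first_child = i;
+break;
+}
+}
+
+if (first_child == -1)
+return -1;
+
+// find the second-level child
+for (i = 0; i < max_pids; i++) {
+if (pids[i].level == 3 && pids[i].parent == first_child)
+return i;
+}
+
+// if a second child is not found, return the first child pid
+// this happens for processes sandboxed with --join
+return first_child;
+}
+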
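Review bot: `get_sudo_user` dereferences the result of `getpwuid(getuid())` directly (new line 31), which crashes when the uid has no passwd entry; the `!user` test that follows cannot catch that. Check the returned pointer first, e.g. `struct passwd *pw = getpwuid(getuid());` and `if (!pw || !pw->pw_name)` before the error exit. This function and `get_homedir` also return pointers into the static storage used by the `getpw*` calls, and main.c keeps them for the life of the process, so returning `strdup()` copies would protect `user_name` and `user_home_dir` from a later lookup. In `find_child`, the result of `pid_proc_cmdline(i)` goes to `strncmp` unchecked; if that helper can return NULL (its definition is not part of this hunk), a guard is needed there too.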
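--- /dev/null
+++ b/src/jailtest/virtual.c
@@ -0,0 +1,125 @@
+/*
+* Copyright (C) 2014-2021 Firejail Authors
+*
+* This file is part of firejail project
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailtest.h"
+#include <dirent.h>
+#include <sys/wait.h>
+
+
+#define MAX_TEST_FILES 16
+static char *dirs[MAX_TEST_FILES];
+static char *files[MAX_TEST_FILES];
+static int files_cnt = 0;
+
+void virtual_setup(const char *directory) {
+// I am root!
+assert(directory);
+assert(*directory == '/');
+assert(files_cnt < MAX_TEST_FILES);
+
+// try to open the dir as root
+DIR *dir = opendir(directory);
+if (!dir) {
+fprintf(stderr, "Warning: directory %s not found, skipping\n", directory);
+return;
+}
+closedir(dir);
+
+// create a test file
+char *test_file;
+if (asprintf(&test_file, "%s/jailtest-private-%d", directory, getpid()) == -1)
+errExit("asprintf");
+
+FILE *fp = fopen(test_file, "w");
+if (!fp) {
+printf("Warning: I cannot create test file in directory %s, skipping...\n", directory);
+return;
+}
+fprintf(fp, "this file was created by firetest utility, you can safely delete it\n");
+fclose(fp);
+if (strcmp(directory, user_home_dir) == 0) {
+int rv = chown(test_file, user_uid, user_gid);
+if (rv)
+errExit("chown");
+}
+
+char *dname = strdup(directory);
+if (!dname)
+errExit("strdup");
+dirs[files_cnt] = dname;
+files[files_cnt] = test_file;
+files_cnt++;
+}
+
+void virtual_destroy(void) {
+// remove test files
+int i;
+
+for (i = 0; i < files_cnt; i++) {
+int rv = unlink(files[i]);
+(void) rv;
+}
+files_cnt = 0;
+}
+
+void virtual_test(void) {
+// I am root in sandbox mount namespace
+assert(user_uid);
+int i;
+
+int cnt = 0;
+cnt += printf(" Virtual dirs: "); fflush(0);
+
+for (i = 0; i < files_cnt; i++) {
+assert(files[i]);
+
+// I am root!
+pid_t child = fork();
+if (child == -1)
+errExit("fork");
+
+if (child == 0) { // child
+// drop privileges
+if (setgid(user_gid) != 0)
+errExit("setgid");
+if (setuid(user_uid) != 0)
+errExit("setuid");
+
+// try to open the file for reading
+FILE *fp = fopen(files[i], "r");
+if (fp)
+fclose(fp);
+else {
+if (cnt == 0)
+cnt += printf("\n ");
+cnt += printf("%s, ", dirs[i]);
+if (cnt > 60)
+cnt = 0;
+}
+fflush(0);
+exit(cnt);
+}
+
+// wait for the child to finish
+int status;
+wait(&status);
+cnt = WEXITSTATUS(status);
+}
+printf("\n");
+}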
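Review bot: `virtual_setup` creates its marker files as root with `fopen(test_file, "w")` and changes ownership only for the home directory (new lines 49–60), so whether the unprivileged child in `virtual_test` can read the others depends on root's umask. With a restrictive umask such as 077, every directory except home would be listed under `Virtual dirs` even when it is shared with the host. Setting the mode explicitly before `fclose(fp)` removes that dependency: `if (fchmod(fileno(fp), 0644) == -1) errExit("fchmod");`. The early return at new line 52 also leaks `test_file`, and the bound on `files_cnt` is enforced only by `assert()`, which is compiled out in an NDEBUG build.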
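--- a/src/lib/Makefile.in
+++ b/src/lib/Makefile.in
@@ -1,11 +1,14 @@
 include ../common.mk
 
+.PHONY: all
 all: $(OBJS)
 
 %.o : %.c $(H_FILE_LIST)
 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
+.PHONY: clean
 clean:; rm -fr $(OBJS) *.gcov *.gcda *.gcno *.plist
 
+.PHONY: distclean
 distclean: clean
 rm -fr Makefile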
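--- a/src/libpostexecseccomp/Makefile.in
+++ b/src/libpostexecseccomp/Makefile.in
@@ -11,6 +11,7 @@ BINOBJS = $(foreach file, $(OBJS), $file)
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now
 
+.PHONY: all
 all: libpostexecseccomp.so
 
 %.o : %.c $(H_FILE_LIST) ../include/seccomp.h ../include/rundefs.h
@@ -19,7 +20,9 @@ all: libpostexecseccomp.so
 libpostexecseccomp.so: $(OBJS)
 $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl
 
+.PHONY: clean
 clean:; rm -fr $(OBJS) libpostexecseccomp.so *.plist
 
+.PHONY: distclean
 distclean: clean
 rm -fr Makefile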
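--- a/src/libtrace/Makefile.in
+++ b/src/libtrace/Makefile.in
@@ -11,6 +11,7 @@ BINOBJS = $(foreach file, $(OBJS), $file)
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now
 
+.PHONY: all
 all: libtrace.so
 
 %.o : %.c $(H_FILE_LIST)
@@ -19,8 +20,9 @@ all: libtrace.so
 libtrace.so: $(OBJS)
 $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl
 
-
+.PHONY: clean
 clean:; rm -fr $(OBJS) libtrace.so *.plist
 
+.PHONY: distclean
 distclean: clean
 rm -fr Makefile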
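diff --git a/src/libtracelog/Makefile.in b/src/libtracelog/Makefile.in
index b1ac9e57c..5bac19c04 100644
--- a/src/libtracelog/Makefile.in
+++ b/src/libtracelog/Makefile.in
@@ -11,6 +11,7 @@ BINOBJS = $(foreach file, $(OBJS), $file)
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now
 
+.PHONY: all
 all: libtracelog.so
 
 %.o : %.c $(H_FILE_LIST) ../include/rundefs.h
@@ -19,8 +20,9 @@ all: libtracelog.so
 libtracelog.so: $(OBJS)
 $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl
 
-
+.PHONY: clean
 clean:; rm -fr $(OBJS) libtracelog.so *.plist
 
+.PHONY: distclean
 distclean: clean
 rm -fr Makefile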
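diff --git a/src/man/Makefile.in b/src/man/Makefile.in
index 1c4444307..3711d5cec 100644
--- a/src/man/Makefile.in
+++ b/src/man/Makefile.in
@@ -1,10 +1,14 @@
-all: firecfg.man firejail.man firejail-login.man firejail-users.man firejail-profile.man firemon.man
+.PHONY: all
+all: firecfg.man firejail.man firejail-login.man firejail-users.man firejail-profile.man firemon.man jailtest.man
+
 include ../common.mk
 
 %.man: %.txt
 gawk -f ./preproc.awk -- $(MANFLAGS) < $< > $@
 
+.PHONY: clean
 clean:; rm -fr *.man
 
+.PHONY: distclean
 distclean: clean
 rm -fr Makefile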
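Review bot: The `%.man` rule, which now also builds jailtest.man, redirects gawk straight into `$@`, so a failing or interrupted preprocess leaves a truncated man page with a fresh timestamp that the next run treats as up to date. Nothing visible in this file guards against that. Unless ../common.mk already declares it (not shown here), add `.DELETE_ON_ERROR:` next to the new `.PHONY` lines.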
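diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt
index 2c02aee47..dbb9397c6 100644
--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -130,8 +130,9 @@ This program is free software; you can redistribute it and/or modify it under th
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfiremon\fR\|(1),
-\&\flfirejail-profile\fR\|(5),
-\&\flfirejail-login\fR\|(5)
-\&\flfirejail-users\fR\|(5)
+.BR firejail (1),
+.BR firemon (1),
+.BR firejail-profile (5),
+.BR firejail-login (5),
+.BR firejail-users (5),
+.BR jailtest (1)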
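diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt
index 430e86cc8..ce27729b7 100644
--- a/src/man/firejail-login.txt
+++ b/src/man/firejail-login.txt
@@ -34,8 +34,9 @@ Firejail is free software; you can redistribute it and/or modify it under the te
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfiremon\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-profile\fR\|(5)
-\&\flfirejail-users\fR\|(5)
+.BR firejail (1),
+.BR firemon (1),
+.BR firecfg (1),
+.BR firejail-profile (5),
+.BR firejail-users (5),
+.BR jailtest (1)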
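diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 5e77b5f70..b25fc9181 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -266,7 +266,7 @@ Mount new /root and /home/user directories in temporary
 filesystems. All modifications are discarded when the sandbox is
 closed.
 .TP
-\fBprivate=directory
+\fBprivate directory
 Use directory as user home.
 .TP
 \fBprivate-bin file,file
@@ -889,10 +889,12 @@ Firejail is free software; you can redistribute it and/or modify it under the te
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfiremon\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-login\fR\|(5),
-\&\flfirejail-users\fR\|(5),
+.BR firejail (1),
+.BR firemon (1),
+.BR firecfg (1),
+.BR firejail-login (5),
+.BR firejail-users (5),
+.BR jailtest (1)
+
 .UR https://github.com/netblue30/firejail/wiki/Creating-Profiles
 .UE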
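diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.txt
index 6fa09e05e..c5a9c1848 100644
--- a/src/man/firejail-users.txt
+++ b/src/man/firejail-users.txt
@@ -54,8 +54,9 @@ as published by the Free Software Foundation; either version 2 of the License, o
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfiremon\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-profile\fR\|(5)
-\&\flfirejail-login\fR\|(5)
+.BR firejail (1),
+.BR firemon (1),
+.BR firecfg (1),
+.BR firejail-profile (5),
+.BR firejail-login (5),
+.BR jailtest (1)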
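diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index e85a02ee8..68deb85ec 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -42,6 +42,15 @@ Miscellaneous:
 firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-debug-syscalls32 | \-\-debug-protocols | \-\-help | \-\-version}
 .RE
 .SH DESCRIPTION
+#ifdef HAVE_LTS
+This is Firejail long-term support (LTS), an enterprise focused version of the software,
+LTS is usually supported for two or three years.
+During this time only bugs and the occasional documentation problems are fixed.
+The attack surface of the SUID executable was greatly reduced by removing some of the features.
+.br
+
+.br
+#endif
 Firejail is a SUID sandbox program that reduces the risk of security breaches by
 restricting the running environment of untrusted applications using Linux
 namespaces, seccomp-bpf and Linux capabilities.
@@ -146,12 +155,6 @@ $ firejail --appimage --private krita-3.0-x86_64.appimage
 $ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage
 #endif
 .TP
-\fB\-\-audit
-Audit the sandbox, see \fBAUDIT\fR section for more details.
-.TP
-\fB\-\-audit=test-program
-Audit the sandbox, see \fBAUDIT\fR section for more details.
-.TP
 \fB\-\-bandwidth=name|pid
 Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details.
 .TP
@@ -1105,6 +1108,26 @@ Example:
 $ firejail \-\-machine-id
 
 .TP
+\fB\-\-mkdir=dirname
+Create a directory in user home. Parent directories are created as needed.
+.br
+
+.br
+Example:
+.br
+$ firejail --mkdir=~/work/project
+
+.TP
+\fB\-\-mkfile=filename
+Create an empty file in user home.
+.br
+
+.br
+Example:
+.br
+$ firejail --mkfile=~/work/project/readme
+
+.TP
 \fB\-\-memory-deny-write-execute
 Install a seccomp filter to block attempts to create memory mappings
 that are both writable and executable, to change mappings to be
@@ -1622,6 +1645,7 @@ Disable video devices.
 \fB\-\-nowhitelist=dirname_or_filename
 Disable whitelist for this directory or file.
 
+#ifdef HAVE_OUTPUT
 .TP
 \fB\-\-output=logfile
 stdout logging and log rotation. Copy stdout to logfile, and keep the size of the file under 500KB using log
@@ -1652,6 +1676,7 @@ $ ls -l sandboxlog*
 .TP
 \fB\-\-output-stderr=logfile
 Similar to \-\-output, but stderr is also stored.
+#endif
 
 #ifdef HAVE_OVERLAYFS
 .TP
@@ -2451,7 +2476,7 @@ $ firejail --seccomp.print=browser
 $
 
 .TP
-\fB\-\-seccomp-error-action= kill | ERRNO
+\fB\-\-seccomp-error-action= kill | ERRNO | log
 By default, if a seccomp filter blocks a system call, the process gets
 EPERM as the error. With \-\-seccomp-error-action=error, another error
 number can be returned, for example ENOSYS or EACCES. The process can
@@ -2941,30 +2966,6 @@ To enable AppArmor confinement on top of your current Firejail security features
 $ firejail --apparmor firefox
 #endif
 
-.SH AUDIT
-Audit feature allows the user to point out gaps in security profiles. The
-implementation replaces the program to be sandboxed with a test program. By
-default, we use faudit program distributed with Firejail. A custom test program
-can also be supplied by the user. Examples:
-
-Running the default audit program:
-.br
-$ firejail --audit transmission-gtk
-
-Running a custom audit program:
-.br
-$ firejail --audit=~/sandbox-test transmission-gtk
-
-In the examples above, the sandbox configures transmission-gtk profile and
-starts the test program. The real program, transmission-gtk, will not be
-started.
-
-You can also audit a specific profile without specifying a program.
-.br
-$ firejail --audit --profile=/etc/firejail/zoom.profile
-
-Limitations: audit feature is not implemented for --x11 commands.
-
 .SH DESKTOP INTEGRATION
 A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox.
 The symbolic link should be placed in the first $PATH position. On most systems, a good place
@@ -3332,11 +3333,13 @@ This program is free software; you can redistribute it and/or modify it under th
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfiremon\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-profile\fR\|(5),
-\&\flfirejail-login\fR\|(5),
-\&\flfirejail-users\fR\|(5),
+.BR firemon (1),
+.BR firecfg (1),
+.BR firejail-profile (5),
+.BR firejail-login (5),
+.BR firejail-users (5),
+.BR jailtest (1)
+
 .UR https://github.com/netblue30/firejail/wiki
 .UE ,
 .UR https://github.com/netblue30/firejail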
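diff --git a/src/man/firemon.txt b/src/man/firemon.txt
index cea6c0265..64f15a1f0 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -115,8 +115,9 @@ This program is free software; you can redistribute it and/or modify it under th
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-profile\fR\|(5),
-\&\flfirejail-login\fR\|(5)
-\&\flfirejail-users\fR\|(5)
+.BR firejail (1),
+.BR firecfg (1),
+.BR firejail-profile (5),
+.BR firejail-login (5),
+.BR firejail-users (5),
+.BR jailtest (1)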
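diff --git a/src/man/jailtest.txt b/src/man/jailtest.txt
new file mode 100644
index 000000000..b52fc5eed
--- /dev/null
+++ b/src/man/jailtest.txt
@@ -0,0 +1,106 @@
+.TH JAILTEST 1 "MONTH YEAR" "VERSION" "JAILTEST man page"
+.SH NAME
+jailtest \- Simple utility program to test running sandboxes
+.SH SYNOPSIS
+sudo jailtest [OPTIONS] [directory]
+.SH DESCRIPTION
+WORK IN PROGRESS!
+jailtest attaches itself to all sandboxes started by the user and performs some basic tests
+on the sandbox filesystem:
+.TP
+\fB1. Virtual directories
+jailtest extracts a list with the main virtual directories installed by the sandbox.
+These directories are build by firejail at startup using --private* and --whitelist commands.
+.TP
+\fB2. Noexec test
+jailtest inserts executable programs in /home/username, /tmp, and /var/tmp directories
+and tries to run them from inside the sandbox, thus testing if the directory is executable or not.
+.TP
+\fB3. Read access test
+jailtest creates test files in the directories specified by the user and tries to read
+them from inside the sandbox.
+.TP
+\fB4. AppArmor test
+.TP
+\fB5. Seccomp test
+.TP
+The program is started as root using sudo.
+
+.SH OPTIONS
+.TP
+\fB\-\-debug
+Print debug messages.
+.TP
+\fB\-?\fR, \fB\-\-help\fR
+Print options and exit.
+.TP
+\fB\-\-version
+Print program version and exit.
+.TP
+\fB[directory]
+One or more directories in user home to test for read access. ~/.ssh and ~/.gnupg are tested by default.
+
+.SH OUTPUT
+For each sandbox detected we print the following line:
+
+PID:USER:Sandbox Name:Command
+
+It is followed by relevant sandbox information, such as the virtual directories and various warnings.
+
+.SH EXAMPLE
+
+$ sudo jailtest
+.br
+2014:netblue::firejail /usr/bin/gimp
+.br
+Virtual dirs: /tmp, /var/tmp, /dev, /usr/share,
+.br
+Warning: I can run programs in /home/netblue
+.br
+
+.br
+2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net
+.br
+Virtual dirs: /var/tmp, /dev, /usr/share, /run/user/1000,
+.br
+Warning: I can read ~/.ssh
+.br
+
+.br
+2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.appimage
+.br
+Virtual dirs: /tmp, /var/tmp, /dev,
+.br
+
+.br
+26090:netblue::/usr/bin/firejail /opt/firefox/firefox
+.br
+Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /usr/share,
+.br
+/run/user/1000,
+.br
+
+.br
+26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor
+.br
+Warning: AppArmor not enabled
+.br
+Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /bin,
+.br
+/usr/share, /run/user/1000,
+.br
+Warning: I can run programs in /home/netblue
+.br
+
+
+.SH LICENSE
+This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
+.PP
+Homepage: https://firejail.wordpress.com
+.SH SEE ALSO
+.BR firejail (1),
+.BR firemon (1),
+.BR firecfg (1),
+.BR firejail-profile (5),
+.BR firejail-login (5),
+.BR firejail-users (5),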
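diff --git a/src/profstats/Makefile.in b/src/profstats/Makefile.in
index 2beaa3ed6..e025f5939 100644
--- a/src/profstats/Makefile.in
+++ b/src/profstats/Makefile.in
@@ -1,3 +1,4 @@
+.PHONY: all
 all: profstats
 
 include ../common.mk
@@ -8,7 +9,9 @@ include ../common.mk
 profstats: $(OBJS)
 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
 
+.PHONY: clean
 clean:; rm -fr *.o profstats *.gcov *.gcda *.gcno *.plist
 
+.PHONY: distclean
 distclean: clean
 rm -fr Makefile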
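diff --git a/src/tools/extract_caps.c b/src/tools/extract_caps.c
index 6cd850752..8da9c452b 100644
--- a/src/tools/extract_caps.c
+++ b/src/tools/extract_caps.c
@@ -17,6 +17,7 @@
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
+#include <ctype.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>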
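diff --git a/src/zsh_completion/Makefile.in b/src/zsh_completion/Makefile.in
index 3f756aa5f..a83cccf6c 100644
--- a/src/zsh_completion/Makefile.in
+++ b/src/zsh_completion/Makefile.in
@@ -1,3 +1,4 @@
+.PHONY: all
 all: _firejail
 
 include ../common.mk
@@ -7,8 +8,10 @@ _firejail: _firejail.in
 sed "s|_SYSCONFDIR_|$(sysconfdir)|" < $@.tmp > $@
 rm $@.tmp
 
+.PHONY: clean
 clean:
 rm -fr _firejail
 
+.PHONY: distclean
 distclean: clean
 rm -fr Makefile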
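diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
index 7e8df138e..f58f0d4b9 100644
--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -76,6 +76,8 @@ _firejail_args=(
 '(--cpu.print)'{--cpu.print=,--cpu.print=}'[print the cpus in use name|pid]: : _all_firejails'
 '--list[list all sandboxes]'
 '(--dns)'{--dns=,--dns=}'[set DNS server]: :'
+'*--mkdir=-[create a directory]:'
+'*--mkfile=-[create a file]:'
 '(--protocol)'{--protocol=,--protocol=}'[enable protocol filter]: :'
 '(--join-or-start)'{--join-or-start=,--join-or-start=}'[join the sandbox or start a new one name|pid]: : _all_firejails'
 '(--hosts-file)'{--hosts-file=,--hosts-file=}'[use file as /etc/hosts]: : _files'
@@ -112,8 +114,6 @@ _firejail_args=(
 '(--nice)'{--nice=,--nice=}'[set nice value]: :(1 10 15 20)'
 # Should be _files, a comma and files or files -/
 '*'{--bind=,--bind=}'[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)'
-'--audit[audit the sandbox]'
-'(--audit)'{--audit=,--audit=}'[audit the sandbox with a test-program]: :'
 '(--cgroup)'{--cgroup=,--cgroup=}'[place the sandbox in the specified control group]: :'
 '*'{--env=,--env=}'[set environment variable]: :'
 '(--hostname)'{--hostname=,--hostname=}'[set sandbox hostname]: :'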
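diff --git a/test/Makefile.in b/test/Makefile.in
index d41ab39d1..264314a3b 100644
--- a/test/Makefile.in
+++ b/test/Makefile.in
@@ -1,13 +1,14 @@
 TESTS=$(patsubst %/,%,$(wildcard */))
 
 .PHONY: $(TESTS)
-
 $(TESTS):
 cd $@ && ./$@.sh 2>&1 | tee $@.log
 cd $@ && grep -a TESTING $@.log && grep -a -L "TESTING ERROR" $@.log
 
+.PHONY: clean
 clean:
 for test in $(TESTS); do rm -f "$$test/$$test.log"; done
 
+.PHONY: distclean
 distclean: clean
 rm -f Makefile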
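diff --git a/test/arguments/arguments.sh b/test/arguments/arguments.sh
deleted file mode 100755
index 583d77a26..000000000
--- a/test/arguments/arguments.sh
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/bash
-# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
-# License GPL v2
-
-export LC_ALL=C
-
-if [ -f /etc/debian_version ]; then
-libdir=$(dirname "$(dpkg -L firejail | grep faudit)")
-export PATH="$PATH:$libdir"
-fi
-export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail"
-
-echo "TESTING: 1. regular bash session"
-./bashrun.exp
-sleep 1
-
-echo "TESTING: 2. symbolic link to firejail"
-./symrun.exp
-rm -fr symtest
-sleep 1
-
-echo "TESTING: 3. --join option"
-./joinrun.exp
-sleep 1
-
-echo "TESTING: 4. --output option"
-./outrun.exp
-rm out
-rm out.*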
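diff --git a/test/arguments/bashrun.exp b/test/arguments/bashrun.exp
deleted file mode 100755
index 22c38bd4c..000000000
--- a/test/arguments/bashrun.exp
+++ /dev/null
@@ -1,89 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "./bashrun.sh\r"
-expect {
-timeout {puts "TESTING ERROR 1.1.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 1.1.2\n";exit}
-"#arg1#"
-}
-expect {
-timeout {puts "TESTING ERROR 1.1.3\n";exit}
-"#arg2#"
-}
-
-expect {
-timeout {puts "TESTING ERROR 1.2.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 1.2.2\n";exit}
-"#arg1 tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 1.2.3\n";exit}
-"#arg2 tail#"
-}
-
-expect {
-timeout {puts "TESTING ERROR 1.3.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 1.3.2\n";exit}
-"#arg1 tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 1.3.3\n";exit}
-"#arg2 tail#"
-}
-
-expect {
-timeout {puts "TESTING ERROR 1.4.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 1.4.2\n";exit}
-"#arg1 tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 1.4.3\n";exit}
-"#arg2 tail#"
-}
-
-expect {
-timeout {puts "TESTING ERROR 1.5.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 1.5.2\n";exit}
-"#arg1&tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 1.5.3\n";exit}
-"#arg2&tail#"
-}
-
-expect {
-timeout {puts "TESTING ERROR 1.6.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 1.6.2\n";exit}
-"#arg1&tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 1.6.3\n";exit}
-"#arg2&tail#"
-}
-
-puts "\nall done\n"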
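diff --git a/test/arguments/bashrun.sh b/test/arguments/bashrun.sh
deleted file mode 100755
index ba4118cdd..000000000
--- a/test/arguments/bashrun.sh
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
-# License GPL v2
-
-echo "TESTING: 1.1 - simple args"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit arg1 arg2
-
-# simple quotes, testing spaces in file names
-echo "TESTING: 1.2 - args with space and \""
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit "arg1 tail" "arg2 tail"
-
-echo "TESTING: 1.3 - args with space and '"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit 'arg1 tail' 'arg2 tail'
-
-# escaped space in file names
-echo "TESTING: 1.4 - args with space and \\"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit arg1\ tail arg2\ tail
-
-# & char appears in URLs - URLs should be quoted
-echo "TESTING: 1.5 - args with & and \""
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit "arg1&tail" "arg2&tail"
-
-echo "TESTING: 1.6 - args with & and '"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit 'arg1&tail' 'arg2&tail'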
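diff --git a/test/arguments/joinrun.exp b/test/arguments/joinrun.exp
deleted file mode 100755
index 6095f0e55..000000000
--- a/test/arguments/joinrun.exp
+++ /dev/null
@@ -1,92 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-
-send -- "firejail --name=joinrun\r"
-sleep 2
-
-spawn $env(SHELL)
-send -- "./joinrun.sh\r"
-expect {
-timeout {puts "TESTING ERROR 3.1.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 3.1.2\n";exit}
-"#arg1#"
-}
-expect {
-timeout {puts "TESTING ERROR 3.1.3\n";exit}
-"#arg2#"
-}
-
-expect {
-timeout {puts "TESTING ERROR 3.2.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 3.2.2\n";exit}
-"#arg1 tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 3.2.3\n";exit}
-"#arg2 tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 3.3.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 3.3.2\n";exit}
-"#arg1 tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 3.3.3\n";exit}
-"#arg2 tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 3.4.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 3.4.2\n";exit}
-"#arg1 tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 3.4.3\n";exit}
-"#arg2 tail#"
-}
-
-expect {
-timeout {puts "TESTING ERROR 3.5.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 3.5.2\n";exit}
-"#arg1&tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 3.5.3\n";exit}
-"#arg2&tail#"
-}
-
-expect {
-timeout {puts "TESTING ERROR 3.6.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 3.6.2\n";exit}
-"#arg1&tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 3.6.3\n";exit}
-"#arg2&tail#"
-}
-
-puts "\nall done\n"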
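diff --git a/test/arguments/joinrun.sh b/test/arguments/joinrun.sh
deleted file mode 100755
index c929f0879..000000000
--- a/test/arguments/joinrun.sh
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
-# License GPL v2
-
-echo "TESTING: 3.1 - simple args"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit arg1 arg2
-
-# simple quotes, testing spaces in file names
-echo "TESTING: 3.2 - args with space and \""
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit "arg1 tail" "arg2 tail"
-
-echo "TESTING: 3.3 - args with space and '"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit 'arg1 tail' 'arg2 tail'
-
-# escaped space in file names
-echo "TESTING: 3.4 - args with space and \\"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit arg1\ tail arg2\ tail
-
-# & char appears in URLs - URLs should be quoted
-echo "TESTING: 3.5 - args with & and \""
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit "arg1&tail" "arg2&tail"
-
-echo "TESTING: 3.6 - args with & and '"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit 'arg1&tail' 'arg2&tail'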
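--- a/test/arguments/outrun.exp
+++ /dev/null
@@ -1,93 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "./outrun.sh\r"
-expect {
-timeout {puts "TESTING ERROR 4.1.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 4.1.2\n";exit}
-"#arg1#"
-}
-expect {
-timeout {puts "TESTING ERROR 4.1.3\n";exit}
-"#arg2#"
-}
-
-exit
-#***************************************************
-# breaking down from here on - bug to fix
-#***************************************************
-expect {
-timeout {puts "TESTING ERROR 4.2.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 4.2.2\n";exit}
-"#arg1 tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 4.2.3\n";exit}
-"#arg2 tail#"
-}
-
-expect {
-timeout {puts "TESTING ERROR 4.3.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 4.3.2\n";exit}
-"#arg1 tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 4.3.3\n";exit}
-"#arg2 tail#"
-}
-
-expect {
-timeout {puts "TESTING ERROR 4.4.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 4.4.2\n";exit}
-"#arg1 tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 4.4.3\n";exit}
-"#arg2 tail#"
-}
-
-expect {
-timeout {puts "TESTING ERROR 4.5.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 4.5.2\n";exit}
-"#arg1&tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 4.5.3\n";exit}
-"#arg2&tail#"
-}
-
-expect {
-timeout {puts "TESTING ERROR 4.6.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 4.6.2\n";exit}
-"#arg1&tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 4.6.3\n";exit}
-"#arg2&tail#"
-}
-
-puts "\nall done\n"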
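--- a/test/arguments/outrun.sh
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
-# License GPL v2
-
-echo "TESTING: 4.1 - simple args"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit arg1 arg2
-
-# simple quotes, testing spaces in file names
-echo "TESTING: 4.2 - args with space and \""
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit "arg1 tail" "arg2 tail"
-
-echo "TESTING: 4.3 - args with space and '"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit 'arg1 tail' 'arg2 tail'
-
-# escaped space in file names
-echo "TESTING: 4.4 - args with space and \\"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit arg1\ tail arg2\ tail
-
-# & char appears in URLs - URLs should be quoted
-echo "TESTING: 4.5 - args with & and \""
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit "arg1&tail" "arg2&tail"
-
-echo "TESTING: 4.6 - args with & and '"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit 'arg1&tail' 'arg2&tail'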
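--- a/test/arguments/symrun.exp
+++ /dev/null
@@ -1,74 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "./symrun.sh\r"
-expect {
-timeout {puts "TESTING ERROR 2.1.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 2.1.2\n";exit}
-"#arg1#"
-}
-expect {
-timeout {puts "TESTING ERROR 2.1.3\n";exit}
-"#arg2#"
-}
-
-expect {
-timeout {puts "TESTING ERROR 2.3.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 2.3.2\n";exit}
-"#arg1 tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 2.3.3\n";exit}
-"#arg2 tail#"
-}
-
-expect {
-timeout {puts "TESTING ERROR 2.4.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 2.4.2\n";exit}
-"#arg1 tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 2.4.3\n";exit}
-"#arg2 tail#"
-}
-
-expect {
-timeout {puts "TESTING ERROR 2.5.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 2.5.2\n";exit}
-"#arg1&tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 2.5.3\n";exit}
-"#arg2&tail#"
-}
-
-expect {
-timeout {puts "TESTING ERROR 2.6.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 2.6.2\n";exit}
-"#arg1&tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 2.6.3\n";exit}
-"#arg2&tail#"
-}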
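--- a/test/arguments/symrun.sh
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/bin/bash
-# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
-# License GPL v2
-
-mkdir symtest
-ln -s /usr/bin/firejail symtest/faudit
-
-# search for faudit in current directory
-export PATH=$PATH:.
-export FIREJAIL_TEST_ARGUMENTS=yes
-
-echo "TESTING: 2.1 - simple args"
-symtest/faudit arg1 arg2
-
-# simple quotes, testing spaces in file names
-echo "TESTING: 2.2 - args with space and \""
-symtest/faudit "arg1 tail" "arg2 tail"
-
-echo "TESTING: 2.3 - args with space and '"
-symtest/faudit 'arg1 tail' 'arg2 tail'
-
-# escaped space in file names
-echo "TESTING: 2.4 - args with space and \\"
-symtest/faudit arg1\ tail arg2\ tail
-
-# & char appears in URLs - URLs should be quoted
-echo "TESTING: 2.5 - args with & and \""
-symtest/faudit "arg1&tail" "arg2&tail"
-
-echo "TESTING: 2.6 - args with & and '"
-symtest/faudit 'arg1&tail' 'arg2&tail'
-
-rm -fr symtest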
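--- a/test/utils/audit.exp
+++ /dev/null
@@ -1,167 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --audit\r"
-expect {
-timeout {puts "TESTING ERROR 0\n";exit}
-"Firejail Audit"
-}
-expect {
-timeout {puts "TESTING ERROR 1\n";exit}
-"is running in a PID namespace"
-}
-expect {
-timeout {puts "TESTING ERROR 2\n";exit}
-"container/sandbox firejail"
-}
-expect {
-timeout {puts "TESTING ERROR 3\n";exit}
-"seccomp BPF enabled"
-}
-expect {
-timeout {puts "TESTING ERROR 4\n";exit}
-"all capabilities are disabled"
-}
-expect {
-timeout {puts "TESTING ERROR 5\n";exit}
-"dev directory seems to be fully populated"
-}
-expect {
-timeout {puts "TESTING ERROR 5.1\n";exit}
-"Parent is shutting down, bye..."
-}
-after 100
-
-
-send -- "firejail --audit\r"
-expect {
-timeout {puts "TESTING ERROR 6\n";exit}
-"Firejail Audit"
-}
-expect {
-timeout {puts "TESTING ERROR 7\n";exit}
-"is running in a PID namespace"
-}
-expect {
-timeout {puts "TESTING ERROR 8\n";exit}
-"container/sandbox firejail"
-}
-expect {
-timeout {puts "TESTING ERROR 9\n";exit}
-"seccomp BPF enabled"
-}
-expect {
-timeout {puts "TESTING ERROR 10\n";exit}
-"all capabilities are disabled"
-}
-expect {
-timeout {puts "TESTING ERROR 11\n";exit}
-"dev directory seems to be fully populated"
-}
-expect {
-timeout {puts "TESTING ERROR 11.1\n";exit}
-"Parent is shutting down, bye..."
-}
-after 100
-
-send -- "firejail --audit=blablabla\r"
-expect {
-timeout {puts "TESTING ERROR 12\n";exit}
-"cannot find the audit program"
-}
-after 100
-
-send -- "firejail --audit=\r"
-expect {
-timeout {puts "TESTING ERROR 12\n";exit}
-"invalid audit program"
-}
-after 100
-
-# run audit executable without a sandbox
-send -- "faudit\r"
-expect {
-timeout {puts "TESTING ERROR 13\n";exit}
-"is not running in a PID namespace"
-}
-expect {
-timeout {puts "TESTING ERROR 14\n";exit}
-"BAD: seccomp disabled"
-}
-expect {
-timeout {puts "TESTING ERROR 15\n";exit}
-"BAD: the capability map is"
-}
-expect {
-timeout {puts "TESTING ERROR 16\n";exit}
-"MAYBE: /dev directory seems to be fully populated"
-}
-after 100
-
-# test seccomp
-send -- "firejail --seccomp.drop=mkdir --audit\r"
-expect {
-timeout {puts "TESTING ERROR 17\n";exit}
-"Firejail Audit"
-}
-expect {
-timeout {puts "TESTING ERROR 18\n";exit}
-"GOOD: seccomp BPF enabled"
-}
-expect {
-timeout {puts "TESTING ERROR 19\n";exit}
-"UGLY: mount syscall permitted"
-}
-expect {
-timeout {puts "TESTING ERROR 20\n";exit}
-"UGLY: umount2 syscall permitted"
-}
-expect {
-timeout {puts "TESTING ERROR 21\n";exit}
-"UGLY: ptrace syscall permitted"
-}
-expect {
-timeout {puts "TESTING ERROR 22\n";exit}
-"UGLY: swapon syscall permitted"
-}
-expect {
-timeout {puts "TESTING ERROR 23\n";exit}
-"UGLY: swapoff syscall permitted"
-}
-expect {
-timeout {puts "TESTING ERROR 24\n";exit}
-"UGLY: init_module syscall permitted"
-}
-expect {
-timeout {puts "TESTING ERROR 25\n";exit}
-"UGLY: delete_module syscall permitted"
-}
-expect {
-timeout {puts "TESTING ERROR 26\n";exit}
-"UGLY: chroot syscall permitted"
-}
-expect {
-timeout {puts "TESTING ERROR 27\n";exit}
-"UGLY: pivot_root syscall permitted"
-}
-expect {
-timeout {puts "TESTING ERROR 28\n";exit}
-"UGLY: iopl syscall permitted"
-}
-expect {
-timeout {puts "TESTING ERROR 29\n";exit}
-"UGLY: ioperm syscall permitted"
-}
-expect {
-timeout {puts "TESTING ERROR 30\n";exit}
-"GOOD: all capabilities are disabled"
-}
-after 100
-
-puts "\nall done\n"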
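--- a/test/utils/utils.sh
+++ b/test/utils/utils.sh
@@ -8,7 +8,7 @@ export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
 export LC_ALL=C
 
 if [ -f /etc/debian_version ]; then
-libdir=$(dirname "$(dpkg -L firejail | grep faudit)")
+libdir=$(dirname "$(dpkg -L firejail | grep fcopy)")
 export PATH="$PATH:$libdir"
 fi
 export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail"
@@ -18,13 +18,6 @@ echo "TESTING: build (test/utils/build.exp)"
 rm -f ~/firejail-test-file-7699
 rm -f firejail-test-file-4388
 
-if [ $(faudit | grep -c "is running in a PID namespace.") -gt 0 ]; then
-echo "TESTING SKIP: already running in pid namespace (test/utils/audit.exp)"
-else
-echo "TESTING: audit (test/utils/audit.exp)"
-./audit.exp
-fi
-
 echo "TESTING: name (test/utils/name.exp)"
 ./name.exp
 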