diff options
59 files changed, 799 insertions, 1285 deletions
diff --git a/.git-blame-ignore-revs b/.git-blame-ignore-revs index 0c9701d1c..e380ed26a 100644 --- a/.git-blame-ignore-revs +++ b/.git-blame-ignore-revs | |||
@@ -1,4 +1,35 @@ | |||
1 | # move whitelist/blacklist to allow/deny | 1 | # Note: Entries (and sections) should be listed in topological order (that is, |
2 | fe0f975f447d59977d90c3226cc8c623b31b20b3 | 2 | # in the same order that is shown by `git log --oneline`) and they can be |
3 | # Revert "move whitelist/blacklist to allow/deny" | 3 | # generated with one of the following commands: |
4 | f43382f1e9707b4fd5e63c7bfe881912aa4ee994 | 4 | # |
5 | # TZ=UTC0 git show --date='format-local:%Y-%m-%d' --pretty='%H # %cd | %s' -s | ||
6 | # [<commit>...] | ||
7 | # | ||
8 | # TZ=UTC0 git log --date='format-local:%Y-%m-%d' --pretty='%H # %cd | %s' | ||
9 | # [<revision-range>] | ||
10 | |||
11 | # Landlock v1 | ||
12 | 97874c3bf923798b0e3ab119d169aaa9b1314221 # 2022-09-05 | Revert "Merge pull request #5315 from ChrysoliteAzalea/landlock" | ||
13 | b900bdc87463d79568aef46cb7e3b373fbff84b1 # 2022-09-05 | Revert "compile fix" | ||
14 | bfcacff665b750ae7b9fc984496df26fcd7cc53d # 2022-09-05 | Revert "tracelog disabled by default in /etc/firejail/firejail.config file" | ||
15 | 2a79f3a2689711e6151187063bb55a6af3160b6f # 2022-09-05 | Revert "README/README.md" | ||
16 | 67348ac9c2cdf9d30efbf9fd13eaf0a4adc3be00 # 2022-09-05 | Revert "typos" | ||
17 | 0cd20b7e81a7815f57055b38f0746ef14fed2cd0 # 2022-09-05 | Revert "fix syntax in configure.ac" | ||
18 | 26c74796f3c76b8f0ea0b95a863eb707ecced195 # 2022-09-05 | Revert "landlock: check for landlock support in glibc" | ||
19 | 5b206611c01e42a6d63c596be45bcf085832b035 # 2022-09-05 | Revert "landlock: support in firejail --version" | ||
20 | 2f3c19a87dd49b220f69f27f8c14c627277355d6 # 2022-09-04 | landlock: support in firejail --version | ||
21 | c5a052ffa4e2ccaf240635db116a49986808a2b6 # 2022-09-04 | landlock: check for landlock support in glibc | ||
22 | 2d885e5a091f847d7c2128506947b0f67dd2edab # 2022-09-04 | fix syntax in configure.ac | ||
23 | 0594c5d3d0f1ddc4049cf2ed38676a1cdc8d6843 # 2022-08-30 | typos | ||
24 | 796fa09636195d8751a7bbc1e1bc88bf8c3ac95a # 2022-08-30 | README/README.md | ||
25 | 6e687c30110a52f267c1779c4eeab82bded9cb77 # 2022-08-29 | tracelog disabled by default in /etc/firejail/firejail.config file | ||
26 | 836ffe37ff891886f15243eacc70963368d57a3f # 2022-08-29 | compile fix | ||
27 | c6d7474c138f92b3cb3992b5c57750af89eb3b77 # 2022-08-16 | tinyLL has been removed as it's no longer needed | ||
28 | 460fa7a6f98cc1e7aec2953e6523f32677d546c7 # 2022-08-16 | Proposed fixes. | ||
29 | 877fc99d541af83a9486dfff43580e33dedd8b4c # 2022-08-15 | Update quotation marks in src/zsh_completion/_firejail.in | ||
30 | ba828befe06b99b7dc2d504085cb40aa2d710998 # 2022-08-15 | Landlock functions are added to the code of Firejail, removing the dependency on tinyLL | ||
31 | 61b15442898eeb1db2d23b6b2eb72a705ceb368a # 2022-08-15 | Landlock support has been added. | ||
32 | |||
33 | # "move whitelist/blacklist to allow/deny" | ||
34 | f43382f1e9707b4fd5e63c7bfe881912aa4ee994 # 2021-07-18 | Revert "move whitelist/blacklist to allow/deny" | ||
35 | fe0f975f447d59977d90c3226cc8c623b31b20b3 # 2021-07-05 | move whitelist/blacklist to allow/deny | ||
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 66ca0d321..1417bbb34 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml | |||
@@ -53,7 +53,7 @@ jobs: | |||
53 | 53 | ||
54 | # Initializes the CodeQL tools for scanning. | 54 | # Initializes the CodeQL tools for scanning. |
55 | - name: Initialize CodeQL | 55 | - name: Initialize CodeQL |
56 | uses: github/codeql-action/init@c7f292ea4f542c473194b33813ccd4c207a6c725 | 56 | uses: github/codeql-action/init@86f3159a697a097a813ad9bfa0002412d97690a4 |
57 | with: | 57 | with: |
58 | languages: ${{ matrix.language }} | 58 | languages: ${{ matrix.language }} |
59 | # If you wish to specify custom queries, you can do so here or in a config file. | 59 | # If you wish to specify custom queries, you can do so here or in a config file. |
@@ -64,7 +64,7 @@ jobs: | |||
64 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). | 64 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). |
65 | # If this step fails, then you should remove it and run the build manually (see below) | 65 | # If this step fails, then you should remove it and run the build manually (see below) |
66 | - name: Autobuild | 66 | - name: Autobuild |
67 | uses: github/codeql-action/autobuild@c7f292ea4f542c473194b33813ccd4c207a6c725 | 67 | uses: github/codeql-action/autobuild@86f3159a697a097a813ad9bfa0002412d97690a4 |
68 | 68 | ||
69 | # âšī¸ Command-line programs to run using the OS shell. | 69 | # âšī¸ Command-line programs to run using the OS shell. |
70 | # đ https://git.io/JvXDl | 70 | # đ https://git.io/JvXDl |
@@ -78,4 +78,4 @@ jobs: | |||
78 | # make release | 78 | # make release |
79 | 79 | ||
80 | - name: Perform CodeQL Analysis | 80 | - name: Perform CodeQL Analysis |
81 | uses: github/codeql-action/analyze@c7f292ea4f542c473194b33813ccd4c207a6c725 | 81 | uses: github/codeql-action/analyze@86f3159a697a097a813ad9bfa0002412d97690a4 |
@@ -253,8 +253,6 @@ cayday (https://github.com/caydey) | |||
253 | Christian Pinedo (https://github.com/chrpinedo) | 253 | Christian Pinedo (https://github.com/chrpinedo) |
254 | - added nicotine profile | 254 | - added nicotine profile |
255 | - allow python3 in totem profile | 255 | - allow python3 in totem profile |
256 | ChrysoliteAzalea (https://github.com/ChrysoliteAzalea) | ||
257 | - Landlock support | ||
258 | creideiki (https://github.com/creideiki) | 256 | creideiki (https://github.com/creideiki) |
259 | - make the sandbox process reap all children | 257 | - make the sandbox process reap all children |
260 | - tor browser profile fix | 258 | - tor browser profile fix |
@@ -43,6 +43,8 @@ alt="Deep Dive" width="240" height="142" border="10" /><br/>Deep Dive</a> | |||
43 | 43 | ||
44 | Project webpage: https://firejail.wordpress.com/ | 44 | Project webpage: https://firejail.wordpress.com/ |
45 | 45 | ||
46 | IRC: https://web.libera.chat/#firejail | ||
47 | |||
46 | Download and Installation: https://firejail.wordpress.com/download-2/ | 48 | Download and Installation: https://firejail.wordpress.com/download-2/ |
47 | 49 | ||
48 | Features: https://firejail.wordpress.com/features-3/ | 50 | Features: https://firejail.wordpress.com/features-3/ |
@@ -182,15 +184,6 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
182 | 184 | ||
183 | Milestone page: https://github.com/netblue30/firejail/milestone/1 | 185 | Milestone page: https://github.com/netblue30/firejail/milestone/1 |
184 | 186 | ||
185 | ### Modified functionality | ||
186 | |||
187 | * modif: removed cgroups commands (#5190) | ||
188 | * modif: changed --disable-firetunnel into --enable-firetunnel in configure.ac (#5190) | ||
189 | * modif: disabled chroot by default in /etc/firejail/firejail.config (#5190) | ||
190 | * modif: shell none set as default (#5190) | ||
191 | * modif: removed --shell= (#5190) | ||
192 | * modif: private-lib disabled by default in /etc/firejail/firejail.config (#5190) | ||
193 | |||
194 | ### Restrict namespaces | 187 | ### Restrict namespaces |
195 | 188 | ||
196 | ````` | 189 | ````` |
@@ -228,90 +221,6 @@ Milestone page: https://github.com/netblue30/firejail/milestone/1 | |||
228 | kernel. For more information, please see APPARMOR section beâ | 221 | kernel. For more information, please see APPARMOR section beâ |
229 | ````` | 222 | ````` |
230 | 223 | ||
231 | ### Landlock support - EXPERIMENTAL | ||
232 | For the next release (0.9.72), landlock support is experimental. It is disabled in the normal build | ||
233 | or in the executable archives we provide. It will be "officially" released | ||
234 | in 0.9.74, sometime early next year. For now, use --enable-landlock during software compile: | ||
235 | ````` | ||
236 | $ ./configure --enable-landlock | ||
237 | ````` | ||
238 | The functionality is segragated with ifdefs in the code, at times it might not even compile! | ||
239 | Work in progress, the interface described in the man page below could change. | ||
240 | ````` | ||
241 | --landlock | ||
242 | Create a Landlock ruleset (if it doesn't already exist) and add | ||
243 | basic access rules to it. See LANDLOCK section for more informaâ | ||
244 | tion. | ||
245 | |||
246 | --landlock.proc=no|ro|rw | ||
247 | Add an access rule for /proc directory (read-only if set to ro | ||
248 | and read-write if set to rw). The access rule for /proc is added | ||
249 | after this directory is set up in the sandbox. Access rules for | ||
250 | /proc set up with other Landlock-related command-line options | ||
251 | have no effect. | ||
252 | |||
253 | --landlock.read=path | ||
254 | Create a Landlock ruleset (if it doesn't already exist) and add | ||
255 | a read access rule for path. | ||
256 | |||
257 | --landlock.write=path | ||
258 | Create a Landlock ruleset (if it doesn't already exist) and add | ||
259 | a write access rule for path. | ||
260 | |||
261 | --landlock.special=path | ||
262 | Create a Landlock ruleset (if it doesn't already exist) and add | ||
263 | a permission rule to create FIFO pipes, Unix domain sockets and | ||
264 | block devices beneath given path. | ||
265 | |||
266 | --landlock.execute=path | ||
267 | Create a Landlock ruleset (if it doesn't already exist) and add | ||
268 | an execution permission rule for path. | ||
269 | |||
270 | Example: | ||
271 | $ firejail --landlock.read=/ --landlock.write=/home --landâ | ||
272 | lock.execute=/usr | ||
273 | |||
274 | LANDLOCK | ||
275 | Landlock is a Linux security module first introduced in the 5.13 verâ | ||
276 | sion of Linux kernel. It allows unprivileged processes to restrict | ||
277 | their access to the filesystem. Once imposed, these restrictions can | ||
278 | never be removed, and all child processes created by a Landlock-reâ | ||
279 | stricted processes inherit these restrictions. Firejail supports Landâ | ||
280 | lock as an additional sandboxing feature. It can be used to ensure that | ||
281 | a sandboxed application can only access files and directories that it | ||
282 | was explicitly allowed to access. Firejail supports populating the | ||
283 | ruleset with both basic set of rules and with custom set of rules. Baâ | ||
284 | sic set of rules allows read-only access to /bin, /dev, /etc, /lib, | ||
285 | /opt, /proc, /usr and /var, read-write access to the home directory, | ||
286 | and allows execution of binaries located in /bin, /opt and /usr. | ||
287 | |||
288 | Important notes: | ||
289 | |||
290 | - A process can install a Landlock ruleset only if it has either | ||
291 | CAP_SYS_ADMIN in its effective capability set, or the "No New | ||
292 | Privileges" restriction enabled. Because of this, enabling the | ||
293 | Landlock feature will also cause Firejail to enable the "No New | ||
294 | Privileges" restriction, regardless of the profile or the | ||
295 | --no-new-privs command line option. | ||
296 | |||
297 | - Access to the /proc directory is managed through the --landâ | ||
298 | lock.proc command line option. | ||
299 | |||
300 | - Access to the /etc directory is automatically allowed. To | ||
301 | override this, use the --writable-etc command line option. You | ||
302 | can also use the --private-etc option to restrict access to the | ||
303 | /etc directory. | ||
304 | |||
305 | To enable Landlock self-restriction on top of your current Firejail seâ | ||
306 | curity features, pass --landlock flag to Firejail command line. You can | ||
307 | also use --landlock.read, --landlock.write, --landlock.special and | ||
308 | --landlock.execute options together with --landlock or instead of it. | ||
309 | Example: | ||
310 | |||
311 | $ firejail --landlock --landlock.read=/media --landlock.proc=ro | ||
312 | mc | ||
313 | ````` | ||
314 | |||
315 | ### Profile Statistics | 224 | ### Profile Statistics |
316 | 225 | ||
317 | A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. | 226 | A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. |
@@ -1,22 +1,20 @@ | |||
1 | firejail (0.9.71) baseline; urgency=low | 1 | firejail (0.9.71) baseline; urgency=low |
2 | * work in progress | 2 | * work in progress |
3 | * modif: removed cgroups commands (#5190) | ||
4 | * modif: changed --disable-firetunnel into --enable-firetunnel in | ||
5 | configure.ac (#5190) | ||
6 | * modif: disabled chroot by default in /etc/firejail/firejail.config (#5190) | ||
7 | * modif: shell none set as default (#5190) | ||
8 | * modif: removed --shell= (#5190) | ||
9 | * modif: private-lib disabled by default in /etc/firejail/firejail.config | ||
10 | (#5190) | ||
11 | * modif: tracelog disabled by default in /etc/firejail/firejail.config | ||
12 | (#5190) | ||
13 | * feature: On failing to remount a fuse filesystem, give warning instead of | 3 | * feature: On failing to remount a fuse filesystem, give warning instead of |
14 | erroring out (#5240 #5242) | 4 | erroring out (#5240 #5242) |
15 | * feature: restrict namespaces (--restrict-namespaces) implemented as | 5 | * feature: restrict namespaces (--restrict-namespaces) implemented as |
16 | a seccomp filter for both 64 and 32 bit architectures (#4939 #5259) | 6 | a seccomp filter for both 64 and 32 bit architectures (#4939 #5259) |
17 | * feature: support for custom AppArmor profiles (--apparmor=) (#5274 #5316 | 7 | * feature: support for custom AppArmor profiles (--apparmor=) (#5274 #5316 |
18 | #5317) | 8 | #5317) |
19 | * feature: Landlock support (#5269) | 9 | * modif: removed --cgroup= command (#5190 #5200) |
10 | * modif: set --shell=none as the default (#5190) | ||
11 | * modif: removed --shell= command (#5190 #5196 #5209) | ||
12 | * modif: disabled firetunnel by default in configure.ac (#5190) | ||
13 | * modif: disabled chroot by default in /etc/firejail/firejail.config (#5190) | ||
14 | * modif: disabled private-lib by default in /etc/firejail/firejail.config | ||
15 | (#5190 #5216) | ||
16 | * modif: disabled tracelog by default in /etc/firejail/firejail.config | ||
17 | (#5190) | ||
20 | * bugfix: Flood of seccomp audit log entries (#5207) | 18 | * bugfix: Flood of seccomp audit log entries (#5207) |
21 | * build: deduplicate configure-time vars into new config files (#5140 #5284) | 19 | * build: deduplicate configure-time vars into new config files (#5140 #5284) |
22 | * build: fix file mode of shell scripts (644 -> 755) (#5206) | 20 | * build: fix file mode of shell scripts (644 -> 755) (#5206) |
@@ -29,6 +27,10 @@ firejail (0.9.71) baseline; urgency=low | |||
29 | * docs: mention risk of SUID binaries and also firejail-users(5) (#5288 | 27 | * docs: mention risk of SUID binaries and also firejail-users(5) (#5288 |
30 | #5290) | 28 | #5290) |
31 | * docs: set vim filetype on man pages for syntax highlighting (#5296) | 29 | * docs: set vim filetype on man pages for syntax highlighting (#5296) |
30 | * docs: note that blacklist/whitelist follow symlinks (#5344) | ||
31 | * docs: Add IRC channel info to README.md (#5361) | ||
32 | * docs: man: Note that some commands can be disabled in firejail.config | ||
33 | (#5366) | ||
32 | -- netblue30 <netblue30@yahoo.com> Sat, 11 Jun 2022 09:00:00 -0500 | 34 | -- netblue30 <netblue30@yahoo.com> Sat, 11 Jun 2022 09:00:00 -0500 |
33 | 35 | ||
34 | firejail (0.9.70) baseline; urgency=low | 36 | firejail (0.9.70) baseline; urgency=low |
diff --git a/config.mk.in b/config.mk.in index 150ac8e15..9973b7eaa 100644 --- a/config.mk.in +++ b/config.mk.in | |||
@@ -41,7 +41,6 @@ HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@ | |||
41 | HAVE_IDS=@HAVE_IDS@ | 41 | HAVE_IDS=@HAVE_IDS@ |
42 | HAVE_GCOV=@HAVE_GCOV@ | 42 | HAVE_GCOV=@HAVE_GCOV@ |
43 | HAVE_SELINUX=@HAVE_SELINUX@ | 43 | HAVE_SELINUX=@HAVE_SELINUX@ |
44 | HAVE_LANDLOCK=@HAVE_LANDLOCK@ | ||
45 | HAVE_SUID=@HAVE_SUID@ | 44 | HAVE_SUID=@HAVE_SUID@ |
46 | HAVE_DBUSPROXY=@HAVE_DBUSPROXY@ | 45 | HAVE_DBUSPROXY=@HAVE_DBUSPROXY@ |
47 | HAVE_USERTMPFS=@HAVE_USERTMPFS@ | 46 | HAVE_USERTMPFS=@HAVE_USERTMPFS@ |
@@ -50,7 +49,7 @@ HAVE_LTS=@HAVE_LTS@ | |||
50 | HAVE_FORCE_NONEWPRIVS=@HAVE_FORCE_NONEWPRIVS@ | 49 | HAVE_FORCE_NONEWPRIVS=@HAVE_FORCE_NONEWPRIVS@ |
51 | HAVE_ONLY_SYSCFG_PROFILES=@HAVE_ONLY_SYSCFG_PROFILES@ | 50 | HAVE_ONLY_SYSCFG_PROFILES=@HAVE_ONLY_SYSCFG_PROFILES@ |
52 | 51 | ||
53 | MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_IDS) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_LANDLOCK) $(HAVE_FORCE_NONEWPRIVS) $(HAVE_ONLY_SYSCFG_PROFILES) | 52 | MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_IDS) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) $(HAVE_ONLY_SYSCFG_PROFILES) |
54 | 53 | ||
55 | CC=@CC@ | 54 | CC=@CC@ |
56 | CFLAGS=@CFLAGS@ | 55 | CFLAGS=@CFLAGS@ |
@@ -624,6 +624,9 @@ ac_includes_default="\ | |||
624 | 624 | ||
625 | ac_subst_vars='LTLIBOBJS | 625 | ac_subst_vars='LTLIBOBJS |
626 | LIBOBJS | 626 | LIBOBJS |
627 | EGREP | ||
628 | GREP | ||
629 | CPP | ||
627 | HAVE_LTS | 630 | HAVE_LTS |
628 | HAVE_ONLY_SYSCFG_PROFILES | 631 | HAVE_ONLY_SYSCFG_PROFILES |
629 | HAVE_FORCE_NONEWPRIVS | 632 | HAVE_FORCE_NONEWPRIVS |
@@ -648,10 +651,6 @@ HAVE_OVERLAYFS | |||
648 | HAVE_DBUSPROXY | 651 | HAVE_DBUSPROXY |
649 | EXTRA_LDFLAGS | 652 | EXTRA_LDFLAGS |
650 | EXTRA_CFLAGS | 653 | EXTRA_CFLAGS |
651 | EGREP | ||
652 | GREP | ||
653 | CPP | ||
654 | HAVE_LANDLOCK | ||
655 | HAVE_SELINUX | 654 | HAVE_SELINUX |
656 | AA_LIBS | 655 | AA_LIBS |
657 | AA_CFLAGS | 656 | AA_CFLAGS |
@@ -714,7 +713,6 @@ enable_sanitizer | |||
714 | enable_ids | 713 | enable_ids |
715 | enable_apparmor | 714 | enable_apparmor |
716 | enable_selinux | 715 | enable_selinux |
717 | enable_landlock | ||
718 | enable_dbusproxy | 716 | enable_dbusproxy |
719 | enable_output | 717 | enable_output |
720 | enable_usertmpfs | 718 | enable_usertmpfs |
@@ -1376,7 +1374,6 @@ Optional Features: | |||
1376 | --enable-ids enable ids | 1374 | --enable-ids enable ids |
1377 | --enable-apparmor enable apparmor | 1375 | --enable-apparmor enable apparmor |
1378 | --enable-selinux SELinux labeling support | 1376 | --enable-selinux SELinux labeling support |
1379 | --enable-landlock Landlock self-restriction support | ||
1380 | --disable-dbusproxy disable dbus proxy | 1377 | --disable-dbusproxy disable dbus proxy |
1381 | --disable-output disable --output logging | 1378 | --disable-output disable --output logging |
1382 | --disable-usertmpfs disable tmpfs as regular user | 1379 | --disable-usertmpfs disable tmpfs as regular user |
@@ -3345,11 +3342,336 @@ if test "x$enable_selinux" = "xyes"; then : | |||
3345 | 3342 | ||
3346 | fi | 3343 | fi |
3347 | 3344 | ||
3348 | HAVE_LANDLOCK="" | ||
3349 | 3345 | ||
3350 | # Check whether --enable-landlock was given. | 3346 | |
3351 | if test "${enable_landlock+set}" = set; then : | 3347 | |
3352 | enableval=$enable_landlock; | 3348 | |
3349 | HAVE_DBUSPROXY="" | ||
3350 | |||
3351 | # Check whether --enable-dbusproxy was given. | ||
3352 | if test "${enable_dbusproxy+set}" = set; then : | ||
3353 | enableval=$enable_dbusproxy; | ||
3354 | fi | ||
3355 | |||
3356 | if test "x$enable_dbusproxy" != "xno"; then : | ||
3357 | |||
3358 | HAVE_DBUSPROXY="-DHAVE_DBUSPROXY" | ||
3359 | |||
3360 | fi | ||
3361 | |||
3362 | # overlayfs features temporarily disabled pending fixes | ||
3363 | HAVE_OVERLAYFS="" | ||
3364 | |||
3365 | #AC_ARG_ENABLE([overlayfs], | ||
3366 | # [AS_HELP_STRING([--disable-overlayfs], [disable overlayfs])]) | ||
3367 | #AS_IF([test "x$enable_overlayfs" != "xno"], [ | ||
3368 | # HAVE_OVERLAYFS="-DHAVE_OVERLAYFS" | ||
3369 | #]) | ||
3370 | |||
3371 | HAVE_OUTPUT="" | ||
3372 | |||
3373 | # Check whether --enable-output was given. | ||
3374 | if test "${enable_output+set}" = set; then : | ||
3375 | enableval=$enable_output; | ||
3376 | fi | ||
3377 | |||
3378 | if test "x$enable_output" != "xno"; then : | ||
3379 | |||
3380 | HAVE_OUTPUT="-DHAVE_OUTPUT" | ||
3381 | |||
3382 | fi | ||
3383 | |||
3384 | HAVE_USERTMPFS="" | ||
3385 | |||
3386 | # Check whether --enable-usertmpfs was given. | ||
3387 | if test "${enable_usertmpfs+set}" = set; then : | ||
3388 | enableval=$enable_usertmpfs; | ||
3389 | fi | ||
3390 | |||
3391 | if test "x$enable_usertmpfs" != "xno"; then : | ||
3392 | |||
3393 | HAVE_USERTMPFS="-DHAVE_USERTMPFS" | ||
3394 | |||
3395 | fi | ||
3396 | |||
3397 | HAVE_MAN="no" | ||
3398 | |||
3399 | # Check whether --enable-man was given. | ||
3400 | if test "${enable_man+set}" = set; then : | ||
3401 | enableval=$enable_man; | ||
3402 | fi | ||
3403 | |||
3404 | if test "x$enable_man" != "xno"; then : | ||
3405 | |||
3406 | HAVE_MAN="-DHAVE_MAN" | ||
3407 | # Extract the first word of "gawk", so it can be a program name with args. | ||
3408 | set dummy gawk; ac_word=$2 | ||
3409 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 | ||
3410 | $as_echo_n "checking for $ac_word... " >&6; } | ||
3411 | if ${ac_cv_prog_HAVE_GAWK+:} false; then : | ||
3412 | $as_echo_n "(cached) " >&6 | ||
3413 | else | ||
3414 | if test -n "$HAVE_GAWK"; then | ||
3415 | ac_cv_prog_HAVE_GAWK="$HAVE_GAWK" # Let the user override the test. | ||
3416 | else | ||
3417 | as_save_IFS=$IFS; IFS=$PATH_SEPARATOR | ||
3418 | for as_dir in $PATH | ||
3419 | do | ||
3420 | IFS=$as_save_IFS | ||
3421 | test -z "$as_dir" && as_dir=. | ||
3422 | for ac_exec_ext in '' $ac_executable_extensions; do | ||
3423 | if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then | ||
3424 | ac_cv_prog_HAVE_GAWK="yes" | ||
3425 | $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 | ||
3426 | break 2 | ||
3427 | fi | ||
3428 | done | ||
3429 | done | ||
3430 | IFS=$as_save_IFS | ||
3431 | |||
3432 | test -z "$ac_cv_prog_HAVE_GAWK" && ac_cv_prog_HAVE_GAWK="no" | ||
3433 | fi | ||
3434 | fi | ||
3435 | HAVE_GAWK=$ac_cv_prog_HAVE_GAWK | ||
3436 | if test -n "$HAVE_GAWK"; then | ||
3437 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: $HAVE_GAWK" >&5 | ||
3438 | $as_echo "$HAVE_GAWK" >&6; } | ||
3439 | else | ||
3440 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | ||
3441 | $as_echo "no" >&6; } | ||
3442 | fi | ||
3443 | |||
3444 | |||
3445 | if test "x$HAVE_GAWK" != "xyes"; then : | ||
3446 | as_fn_error $? "*** gawk not found ***" "$LINENO" 5 | ||
3447 | fi | ||
3448 | |||
3449 | fi | ||
3450 | |||
3451 | HAVE_FIRETUNNEL="" | ||
3452 | |||
3453 | # Check whether --enable-firetunnel was given. | ||
3454 | if test "${enable_firetunnel+set}" = set; then : | ||
3455 | enableval=$enable_firetunnel; | ||
3456 | fi | ||
3457 | |||
3458 | if test "x$enable_firetunnel" = "xyes"; then : | ||
3459 | |||
3460 | HAVE_FIRETUNNEL="-DHAVE_FIRETUNNEL" | ||
3461 | |||
3462 | fi | ||
3463 | |||
3464 | HAVE_PRIVATE_HOME="" | ||
3465 | |||
3466 | # Check whether --enable-private-home was given. | ||
3467 | if test "${enable_private_home+set}" = set; then : | ||
3468 | enableval=$enable_private_home; | ||
3469 | fi | ||
3470 | |||
3471 | if test "x$enable_private_home" != "xno"; then : | ||
3472 | |||
3473 | HAVE_PRIVATE_HOME="-DHAVE_PRIVATE_HOME" | ||
3474 | |||
3475 | fi | ||
3476 | |||
3477 | HAVE_CHROOT="" | ||
3478 | |||
3479 | # Check whether --enable-chroot was given. | ||
3480 | if test "${enable_chroot+set}" = set; then : | ||
3481 | enableval=$enable_chroot; | ||
3482 | fi | ||
3483 | |||
3484 | if test "x$enable_chroot" != "xno"; then : | ||
3485 | |||
3486 | HAVE_CHROOT="-DHAVE_CHROOT" | ||
3487 | |||
3488 | fi | ||
3489 | |||
3490 | HAVE_GLOBALCFG="" | ||
3491 | |||
3492 | # Check whether --enable-globalcfg was given. | ||
3493 | if test "${enable_globalcfg+set}" = set; then : | ||
3494 | enableval=$enable_globalcfg; | ||
3495 | fi | ||
3496 | |||
3497 | if test "x$enable_globalcfg" != "xno"; then : | ||
3498 | |||
3499 | HAVE_GLOBALCFG="-DHAVE_GLOBALCFG" | ||
3500 | |||
3501 | fi | ||
3502 | |||
3503 | HAVE_NETWORK="" | ||
3504 | |||
3505 | # Check whether --enable-network was given. | ||
3506 | if test "${enable_network+set}" = set; then : | ||
3507 | enableval=$enable_network; | ||
3508 | fi | ||
3509 | |||
3510 | if test "x$enable_network" != "xno"; then : | ||
3511 | |||
3512 | HAVE_NETWORK="-DHAVE_NETWORK" | ||
3513 | |||
3514 | fi | ||
3515 | |||
3516 | HAVE_USERNS="" | ||
3517 | |||
3518 | # Check whether --enable-userns was given. | ||
3519 | if test "${enable_userns+set}" = set; then : | ||
3520 | enableval=$enable_userns; | ||
3521 | fi | ||
3522 | |||
3523 | if test "x$enable_userns" != "xno"; then : | ||
3524 | |||
3525 | HAVE_USERNS="-DHAVE_USERNS" | ||
3526 | |||
3527 | fi | ||
3528 | |||
3529 | HAVE_X11="" | ||
3530 | |||
3531 | # Check whether --enable-x11 was given. | ||
3532 | if test "${enable_x11+set}" = set; then : | ||
3533 | enableval=$enable_x11; | ||
3534 | fi | ||
3535 | |||
3536 | if test "x$enable_x11" != "xno"; then : | ||
3537 | |||
3538 | HAVE_X11="-DHAVE_X11" | ||
3539 | |||
3540 | fi | ||
3541 | |||
3542 | HAVE_FILE_TRANSFER="" | ||
3543 | |||
3544 | # Check whether --enable-file-transfer was given. | ||
3545 | if test "${enable_file_transfer+set}" = set; then : | ||
3546 | enableval=$enable_file_transfer; | ||
3547 | fi | ||
3548 | |||
3549 | if test "x$enable_file_transfer" != "xno"; then : | ||
3550 | |||
3551 | HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER" | ||
3552 | |||
3553 | fi | ||
3554 | |||
3555 | HAVE_SUID="" | ||
3556 | |||
3557 | # Check whether --enable-suid was given. | ||
3558 | if test "${enable_suid+set}" = set; then : | ||
3559 | enableval=$enable_suid; | ||
3560 | fi | ||
3561 | |||
3562 | if test "x$enable_suid" != "xno"; then : | ||
3563 | |||
3564 | HAVE_SUID="-DHAVE_SUID" | ||
3565 | |||
3566 | fi | ||
3567 | |||
3568 | HAVE_FATAL_WARNINGS="" | ||
3569 | |||
3570 | # Check whether --enable-fatal_warnings was given. | ||
3571 | if test "${enable_fatal_warnings+set}" = set; then : | ||
3572 | enableval=$enable_fatal_warnings; | ||
3573 | fi | ||
3574 | |||
3575 | if test "x$enable_fatal_warnings" = "xyes"; then : | ||
3576 | |||
3577 | HAVE_FATAL_WARNINGS="-W -Wall -Werror" | ||
3578 | |||
3579 | fi | ||
3580 | |||
3581 | BUSYBOX_WORKAROUND="no" | ||
3582 | |||
3583 | # Check whether --enable-busybox-workaround was given. | ||
3584 | if test "${enable_busybox_workaround+set}" = set; then : | ||
3585 | enableval=$enable_busybox_workaround; | ||
3586 | fi | ||
3587 | |||
3588 | if test "x$enable_busybox_workaround" = "xyes"; then : | ||
3589 | |||
3590 | BUSYBOX_WORKAROUND="yes" | ||
3591 | |||
3592 | fi | ||
3593 | |||
3594 | |||
3595 | HAVE_GCOV="" | ||
3596 | |||
3597 | # Check whether --enable-gcov was given. | ||
3598 | if test "${enable_gcov+set}" = set; then : | ||
3599 | enableval=$enable_gcov; | ||
3600 | fi | ||
3601 | |||
3602 | if test "x$enable_gcov" = "xyes"; then : | ||
3603 | |||
3604 | HAVE_GCOV="--coverage -DHAVE_GCOV" | ||
3605 | EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lgcov --coverage" | ||
3606 | |||
3607 | fi | ||
3608 | |||
3609 | HAVE_CONTRIB_INSTALL="yes" | ||
3610 | |||
3611 | # Check whether --enable-contrib-install was given. | ||
3612 | if test "${enable_contrib_install+set}" = set; then : | ||
3613 | enableval=$enable_contrib_install; | ||
3614 | fi | ||
3615 | |||
3616 | if test "x$enable_contrib_install" = "xno"; then : | ||
3617 | |||
3618 | HAVE_CONTRIB_INSTALL="no" | ||
3619 | |||
3620 | fi | ||
3621 | |||
3622 | HAVE_FORCE_NONEWPRIVS="" | ||
3623 | |||
3624 | # Check whether --enable-force-nonewprivs was given. | ||
3625 | if test "${enable_force_nonewprivs+set}" = set; then : | ||
3626 | enableval=$enable_force_nonewprivs; | ||
3627 | fi | ||
3628 | |||
3629 | if test "x$enable_force_nonewprivs" = "xyes"; then : | ||
3630 | |||
3631 | HAVE_FORCE_NONEWPRIVS="-DHAVE_FORCE_NONEWPRIVS" | ||
3632 | |||
3633 | fi | ||
3634 | |||
3635 | HAVE_ONLY_SYSCFG_PROFILES="" | ||
3636 | |||
3637 | # Check whether --enable-only-syscfg-profiles was given. | ||
3638 | if test "${enable_only_syscfg_profiles+set}" = set; then : | ||
3639 | enableval=$enable_only_syscfg_profiles; | ||
3640 | fi | ||
3641 | |||
3642 | if test "x$enable_only_syscfg_profiles" = "xyes"; then : | ||
3643 | |||
3644 | HAVE_ONLY_SYSCFG_PROFILES="-DHAVE_ONLY_SYSCFG_PROFILES" | ||
3645 | |||
3646 | fi | ||
3647 | |||
3648 | HAVE_LTS="" | ||
3649 | |||
3650 | # Check whether --enable-lts was given. | ||
3651 | if test "${enable_lts+set}" = set; then : | ||
3652 | enableval=$enable_lts; | ||
3653 | fi | ||
3654 | |||
3655 | if test "x$enable_lts" = "xyes"; then : | ||
3656 | |||
3657 | HAVE_LTS="-DHAVE_LTS" | ||
3658 | HAVE_IDS="" | ||
3659 | HAVE_DBUSPROXY="" | ||
3660 | HAVE_OVERLAYFS="" | ||
3661 | HAVE_OUTPUT="" | ||
3662 | HAVE_USERTMPFS="" | ||
3663 | HAVE_MAN="-DHAVE_MAN" | ||
3664 | HAVE_FIRETUNNEL="" | ||
3665 | HAVE_PRIVATE_HOME="" | ||
3666 | HAVE_CHROOT="" | ||
3667 | HAVE_GLOBALCFG="" | ||
3668 | HAVE_USERNS="" | ||
3669 | HAVE_X11="" | ||
3670 | HAVE_FILE_TRANSFER="" | ||
3671 | HAVE_SUID="-DHAVE_SUID" | ||
3672 | BUSYBOX_WORKAROUND="no" | ||
3673 | HAVE_CONTRIB_INSTALL="no", | ||
3674 | |||
3353 | fi | 3675 | fi |
3354 | 3676 | ||
3355 | ac_ext=c | 3677 | ac_ext=c |
@@ -3749,352 +4071,6 @@ fi | |||
3749 | done | 4071 | done |
3750 | 4072 | ||
3751 | 4073 | ||
3752 | if test "x$enable_landlock" = "xyes"; then : | ||
3753 | |||
3754 | ac_fn_c_check_header_mongrel "$LINENO" "linux/landlock.h" "ac_cv_header_linux_landlock_h" "$ac_includes_default" | ||
3755 | if test "x$ac_cv_header_linux_landlock_h" = xyes; then : | ||
3756 | |||
3757 | else | ||
3758 | as_fn_error $? "*** LANDLOCK support is not installed (/usr/include/linux/landlock.h missing) ***" "$LINENO" 5 | ||
3759 | fi | ||
3760 | |||
3761 | |||
3762 | HAVE_LANDLOCK="-DHAVE_LANDLOCK" | ||
3763 | EXTRA_LDFLAGS="$EXTRA_LDFLAGS" | ||
3764 | |||
3765 | fi | ||
3766 | |||
3767 | |||
3768 | |||
3769 | |||
3770 | HAVE_DBUSPROXY="" | ||
3771 | |||
3772 | # Check whether --enable-dbusproxy was given. | ||
3773 | if test "${enable_dbusproxy+set}" = set; then : | ||
3774 | enableval=$enable_dbusproxy; | ||
3775 | fi | ||
3776 | |||
3777 | if test "x$enable_dbusproxy" != "xno"; then : | ||
3778 | |||
3779 | HAVE_DBUSPROXY="-DHAVE_DBUSPROXY" | ||
3780 | |||
3781 | fi | ||
3782 | |||
3783 | # overlayfs features temporarily disabled pending fixes | ||
3784 | HAVE_OVERLAYFS="" | ||
3785 | |||
3786 | #AC_ARG_ENABLE([overlayfs], | ||
3787 | # [AS_HELP_STRING([--disable-overlayfs], [disable overlayfs])]) | ||
3788 | #AS_IF([test "x$enable_overlayfs" != "xno"], [ | ||
3789 | # HAVE_OVERLAYFS="-DHAVE_OVERLAYFS" | ||
3790 | #]) | ||
3791 | |||
3792 | HAVE_OUTPUT="" | ||
3793 | |||
3794 | # Check whether --enable-output was given. | ||
3795 | if test "${enable_output+set}" = set; then : | ||
3796 | enableval=$enable_output; | ||
3797 | fi | ||
3798 | |||
3799 | if test "x$enable_output" != "xno"; then : | ||
3800 | |||
3801 | HAVE_OUTPUT="-DHAVE_OUTPUT" | ||
3802 | |||
3803 | fi | ||
3804 | |||
3805 | HAVE_USERTMPFS="" | ||
3806 | |||
3807 | # Check whether --enable-usertmpfs was given. | ||
3808 | if test "${enable_usertmpfs+set}" = set; then : | ||
3809 | enableval=$enable_usertmpfs; | ||
3810 | fi | ||
3811 | |||
3812 | if test "x$enable_usertmpfs" != "xno"; then : | ||
3813 | |||
3814 | HAVE_USERTMPFS="-DHAVE_USERTMPFS" | ||
3815 | |||
3816 | fi | ||
3817 | |||
3818 | HAVE_MAN="no" | ||
3819 | |||
3820 | # Check whether --enable-man was given. | ||
3821 | if test "${enable_man+set}" = set; then : | ||
3822 | enableval=$enable_man; | ||
3823 | fi | ||
3824 | |||
3825 | if test "x$enable_man" != "xno"; then : | ||
3826 | |||
3827 | HAVE_MAN="-DHAVE_MAN" | ||
3828 | # Extract the first word of "gawk", so it can be a program name with args. | ||
3829 | set dummy gawk; ac_word=$2 | ||
3830 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 | ||
3831 | $as_echo_n "checking for $ac_word... " >&6; } | ||
3832 | if ${ac_cv_prog_HAVE_GAWK+:} false; then : | ||
3833 | $as_echo_n "(cached) " >&6 | ||
3834 | else | ||
3835 | if test -n "$HAVE_GAWK"; then | ||
3836 | ac_cv_prog_HAVE_GAWK="$HAVE_GAWK" # Let the user override the test. | ||
3837 | else | ||
3838 | as_save_IFS=$IFS; IFS=$PATH_SEPARATOR | ||
3839 | for as_dir in $PATH | ||
3840 | do | ||
3841 | IFS=$as_save_IFS | ||
3842 | test -z "$as_dir" && as_dir=. | ||
3843 | for ac_exec_ext in '' $ac_executable_extensions; do | ||
3844 | if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then | ||
3845 | ac_cv_prog_HAVE_GAWK="yes" | ||
3846 | $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 | ||
3847 | break 2 | ||
3848 | fi | ||
3849 | done | ||
3850 | done | ||
3851 | IFS=$as_save_IFS | ||
3852 | |||
3853 | test -z "$ac_cv_prog_HAVE_GAWK" && ac_cv_prog_HAVE_GAWK="no" | ||
3854 | fi | ||
3855 | fi | ||
3856 | HAVE_GAWK=$ac_cv_prog_HAVE_GAWK | ||
3857 | if test -n "$HAVE_GAWK"; then | ||
3858 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: $HAVE_GAWK" >&5 | ||
3859 | $as_echo "$HAVE_GAWK" >&6; } | ||
3860 | else | ||
3861 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | ||
3862 | $as_echo "no" >&6; } | ||
3863 | fi | ||
3864 | |||
3865 | |||
3866 | if test "x$HAVE_GAWK" != "xyes"; then : | ||
3867 | as_fn_error $? "*** gawk not found ***" "$LINENO" 5 | ||
3868 | fi | ||
3869 | |||
3870 | fi | ||
3871 | |||
3872 | HAVE_FIRETUNNEL="" | ||
3873 | |||
3874 | # Check whether --enable-firetunnel was given. | ||
3875 | if test "${enable_firetunnel+set}" = set; then : | ||
3876 | enableval=$enable_firetunnel; | ||
3877 | fi | ||
3878 | |||
3879 | if test "x$enable_firetunnel" = "xyes"; then : | ||
3880 | |||
3881 | HAVE_FIRETUNNEL="-DHAVE_FIRETUNNEL" | ||
3882 | |||
3883 | fi | ||
3884 | |||
3885 | HAVE_PRIVATE_HOME="" | ||
3886 | |||
3887 | # Check whether --enable-private-home was given. | ||
3888 | if test "${enable_private_home+set}" = set; then : | ||
3889 | enableval=$enable_private_home; | ||
3890 | fi | ||
3891 | |||
3892 | if test "x$enable_private_home" != "xno"; then : | ||
3893 | |||
3894 | HAVE_PRIVATE_HOME="-DHAVE_PRIVATE_HOME" | ||
3895 | |||
3896 | fi | ||
3897 | |||
3898 | HAVE_CHROOT="" | ||
3899 | |||
3900 | # Check whether --enable-chroot was given. | ||
3901 | if test "${enable_chroot+set}" = set; then : | ||
3902 | enableval=$enable_chroot; | ||
3903 | fi | ||
3904 | |||
3905 | if test "x$enable_chroot" != "xno"; then : | ||
3906 | |||
3907 | HAVE_CHROOT="-DHAVE_CHROOT" | ||
3908 | |||
3909 | fi | ||
3910 | |||
3911 | HAVE_GLOBALCFG="" | ||
3912 | |||
3913 | # Check whether --enable-globalcfg was given. | ||
3914 | if test "${enable_globalcfg+set}" = set; then : | ||
3915 | enableval=$enable_globalcfg; | ||
3916 | fi | ||
3917 | |||
3918 | if test "x$enable_globalcfg" != "xno"; then : | ||
3919 | |||
3920 | HAVE_GLOBALCFG="-DHAVE_GLOBALCFG" | ||
3921 | |||
3922 | fi | ||
3923 | |||
3924 | HAVE_NETWORK="" | ||
3925 | |||
3926 | # Check whether --enable-network was given. | ||
3927 | if test "${enable_network+set}" = set; then : | ||
3928 | enableval=$enable_network; | ||
3929 | fi | ||
3930 | |||
3931 | if test "x$enable_network" != "xno"; then : | ||
3932 | |||
3933 | HAVE_NETWORK="-DHAVE_NETWORK" | ||
3934 | |||
3935 | fi | ||
3936 | |||
3937 | HAVE_USERNS="" | ||
3938 | |||
3939 | # Check whether --enable-userns was given. | ||
3940 | if test "${enable_userns+set}" = set; then : | ||
3941 | enableval=$enable_userns; | ||
3942 | fi | ||
3943 | |||
3944 | if test "x$enable_userns" != "xno"; then : | ||
3945 | |||
3946 | HAVE_USERNS="-DHAVE_USERNS" | ||
3947 | |||
3948 | fi | ||
3949 | |||
3950 | HAVE_X11="" | ||
3951 | |||
3952 | # Check whether --enable-x11 was given. | ||
3953 | if test "${enable_x11+set}" = set; then : | ||
3954 | enableval=$enable_x11; | ||
3955 | fi | ||
3956 | |||
3957 | if test "x$enable_x11" != "xno"; then : | ||
3958 | |||
3959 | HAVE_X11="-DHAVE_X11" | ||
3960 | |||
3961 | fi | ||
3962 | |||
3963 | HAVE_FILE_TRANSFER="" | ||
3964 | |||
3965 | # Check whether --enable-file-transfer was given. | ||
3966 | if test "${enable_file_transfer+set}" = set; then : | ||
3967 | enableval=$enable_file_transfer; | ||
3968 | fi | ||
3969 | |||
3970 | if test "x$enable_file_transfer" != "xno"; then : | ||
3971 | |||
3972 | HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER" | ||
3973 | |||
3974 | fi | ||
3975 | |||
3976 | HAVE_SUID="" | ||
3977 | |||
3978 | # Check whether --enable-suid was given. | ||
3979 | if test "${enable_suid+set}" = set; then : | ||
3980 | enableval=$enable_suid; | ||
3981 | fi | ||
3982 | |||
3983 | if test "x$enable_suid" != "xno"; then : | ||
3984 | |||
3985 | HAVE_SUID="-DHAVE_SUID" | ||
3986 | |||
3987 | fi | ||
3988 | |||
3989 | HAVE_FATAL_WARNINGS="" | ||
3990 | |||
3991 | # Check whether --enable-fatal_warnings was given. | ||
3992 | if test "${enable_fatal_warnings+set}" = set; then : | ||
3993 | enableval=$enable_fatal_warnings; | ||
3994 | fi | ||
3995 | |||
3996 | if test "x$enable_fatal_warnings" = "xyes"; then : | ||
3997 | |||
3998 | HAVE_FATAL_WARNINGS="-W -Wall -Werror" | ||
3999 | |||
4000 | fi | ||
4001 | |||
4002 | BUSYBOX_WORKAROUND="no" | ||
4003 | |||
4004 | # Check whether --enable-busybox-workaround was given. | ||
4005 | if test "${enable_busybox_workaround+set}" = set; then : | ||
4006 | enableval=$enable_busybox_workaround; | ||
4007 | fi | ||
4008 | |||
4009 | if test "x$enable_busybox_workaround" = "xyes"; then : | ||
4010 | |||
4011 | BUSYBOX_WORKAROUND="yes" | ||
4012 | |||
4013 | fi | ||
4014 | |||
4015 | |||
4016 | HAVE_GCOV="" | ||
4017 | |||
4018 | # Check whether --enable-gcov was given. | ||
4019 | if test "${enable_gcov+set}" = set; then : | ||
4020 | enableval=$enable_gcov; | ||
4021 | fi | ||
4022 | |||
4023 | if test "x$enable_gcov" = "xyes"; then : | ||
4024 | |||
4025 | HAVE_GCOV="--coverage -DHAVE_GCOV" | ||
4026 | EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lgcov --coverage" | ||
4027 | |||
4028 | fi | ||
4029 | |||
4030 | HAVE_CONTRIB_INSTALL="yes" | ||
4031 | |||
4032 | # Check whether --enable-contrib-install was given. | ||
4033 | if test "${enable_contrib_install+set}" = set; then : | ||
4034 | enableval=$enable_contrib_install; | ||
4035 | fi | ||
4036 | |||
4037 | if test "x$enable_contrib_install" = "xno"; then : | ||
4038 | |||
4039 | HAVE_CONTRIB_INSTALL="no" | ||
4040 | |||
4041 | fi | ||
4042 | |||
4043 | HAVE_FORCE_NONEWPRIVS="" | ||
4044 | |||
4045 | # Check whether --enable-force-nonewprivs was given. | ||
4046 | if test "${enable_force_nonewprivs+set}" = set; then : | ||
4047 | enableval=$enable_force_nonewprivs; | ||
4048 | fi | ||
4049 | |||
4050 | if test "x$enable_force_nonewprivs" = "xyes"; then : | ||
4051 | |||
4052 | HAVE_FORCE_NONEWPRIVS="-DHAVE_FORCE_NONEWPRIVS" | ||
4053 | |||
4054 | fi | ||
4055 | |||
4056 | HAVE_ONLY_SYSCFG_PROFILES="" | ||
4057 | |||
4058 | # Check whether --enable-only-syscfg-profiles was given. | ||
4059 | if test "${enable_only_syscfg_profiles+set}" = set; then : | ||
4060 | enableval=$enable_only_syscfg_profiles; | ||
4061 | fi | ||
4062 | |||
4063 | if test "x$enable_only_syscfg_profiles" = "xyes"; then : | ||
4064 | |||
4065 | HAVE_ONLY_SYSCFG_PROFILES="-DHAVE_ONLY_SYSCFG_PROFILES" | ||
4066 | |||
4067 | fi | ||
4068 | |||
4069 | HAVE_LTS="" | ||
4070 | |||
4071 | # Check whether --enable-lts was given. | ||
4072 | if test "${enable_lts+set}" = set; then : | ||
4073 | enableval=$enable_lts; | ||
4074 | fi | ||
4075 | |||
4076 | if test "x$enable_lts" = "xyes"; then : | ||
4077 | |||
4078 | HAVE_LTS="-DHAVE_LTS" | ||
4079 | HAVE_IDS="" | ||
4080 | HAVE_DBUSPROXY="" | ||
4081 | HAVE_OVERLAYFS="" | ||
4082 | HAVE_OUTPUT="" | ||
4083 | HAVE_USERTMPFS="" | ||
4084 | HAVE_MAN="-DHAVE_MAN" | ||
4085 | HAVE_FIRETUNNEL="" | ||
4086 | HAVE_PRIVATE_HOME="" | ||
4087 | HAVE_CHROOT="" | ||
4088 | HAVE_GLOBALCFG="" | ||
4089 | HAVE_USERNS="" | ||
4090 | HAVE_X11="" | ||
4091 | HAVE_FILE_TRANSFER="" | ||
4092 | HAVE_SUID="-DHAVE_SUID" | ||
4093 | BUSYBOX_WORKAROUND="no" | ||
4094 | HAVE_CONTRIB_INSTALL="no", | ||
4095 | |||
4096 | fi | ||
4097 | |||
4098 | ac_fn_c_check_header_mongrel "$LINENO" "linux/seccomp.h" "ac_cv_header_linux_seccomp_h" "$ac_includes_default" | 4074 | ac_fn_c_check_header_mongrel "$LINENO" "linux/seccomp.h" "ac_cv_header_linux_seccomp_h" "$ac_includes_default" |
4099 | if test "x$ac_cv_header_linux_seccomp_h" = xyes; then : | 4075 | if test "x$ac_cv_header_linux_seccomp_h" = xyes; then : |
4100 | 4076 | ||
diff --git a/configure.ac b/configure.ac index 58a399597..8a488ff43 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -81,19 +81,10 @@ AS_IF([test "x$enable_selinux" = "xyes"], [ | |||
81 | EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lselinux" | 81 | EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lselinux" |
82 | ]) | 82 | ]) |
83 | 83 | ||
84 | HAVE_LANDLOCK="" | ||
85 | AC_SUBST([HAVE_LANDLOCK]) | ||
86 | AC_ARG_ENABLE([landlock], | ||
87 | [AS_HELP_STRING([--enable-landlock], [Landlock self-restriction support])]) | ||
88 | AS_IF([test "x$enable_landlock" = "xyes"], [ | ||
89 | AC_CHECK_HEADER([linux/landlock.h], [], AC_MSG_ERROR([*** LANDLOCK support is not installed (/usr/include/linux/landlock.h missing) ***])) | ||
90 | HAVE_LANDLOCK="-DHAVE_LANDLOCK" | ||
91 | EXTRA_LDFLAGS="$EXTRA_LDFLAGS" | ||
92 | ]) | ||
93 | |||
94 | AC_SUBST([EXTRA_CFLAGS]) | 84 | AC_SUBST([EXTRA_CFLAGS]) |
95 | AC_SUBST([EXTRA_LDFLAGS]) | 85 | AC_SUBST([EXTRA_LDFLAGS]) |
96 | 86 | ||
87 | |||
97 | HAVE_DBUSPROXY="" | 88 | HAVE_DBUSPROXY="" |
98 | AC_SUBST([HAVE_DBUSPROXY]) | 89 | AC_SUBST([HAVE_DBUSPROXY]) |
99 | AC_ARG_ENABLE([dbusproxy], | 90 | AC_ARG_ENABLE([dbusproxy], |
diff --git a/contrib/gdb-firejail.sh b/contrib/gdb-firejail.sh index 397438e1e..35348088e 100755 --- a/contrib/gdb-firejail.sh +++ b/contrib/gdb-firejail.sh | |||
@@ -17,7 +17,7 @@ if [ -z "${1##*/firejail}" ]; then | |||
17 | else | 17 | else |
18 | # First argument is not named firejail, then add default unless environment | 18 | # First argument is not named firejail, then add default unless environment |
19 | # variable already set. | 19 | # variable already set. |
20 | set -- ${FIREJAIL:=$(which firejail)} "$@" | 20 | set -- ${FIREJAIL:=$(command -v firejail)} "$@" |
21 | fi | 21 | fi |
22 | 22 | ||
23 | bash -c "kill -STOP \$\$; exec \"\$0\" \"\$@\"" "$@" & | 23 | bash -c "kill -STOP \$\$; exec \"\$0\" \"\$@\"" "$@" & |
diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim index 7c1c33421..0c8ebdbd8 100644 --- a/contrib/vim/syntax/firejail.vim +++ b/contrib/vim/syntax/firejail.vim | |||
@@ -52,7 +52,7 @@ syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES | |||
52 | 52 | ||
53 | " Commands grabbed from: src/firejail/profile.c | 53 | " Commands grabbed from: src/firejail/profile.c |
54 | " Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|restrict-namespaces|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword) | 54 | " Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|restrict-namespaces|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword) |
55 | syn match fjCommand /\v(apparmor|bind|blacklist|blacklist-nolog|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|landlock|landlock.proc|landlock.read|landlock.write|landlock.special|landlock.execute|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained | 55 | syn match fjCommand /\v(apparmor|bind|blacklist|blacklist-nolog|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained |
56 | " Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below | 56 | " Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below |
57 | syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-fd|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained | 57 | syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-fd|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained |
58 | syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained | 58 | syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained |
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 7ad491460..b86e0bbe4 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc | |||
@@ -1172,6 +1172,7 @@ blacklist ${HOME}/yt-dlp.conf | |||
1172 | blacklist ${HOME}/yt-dlp.conf.txt | 1172 | blacklist ${HOME}/yt-dlp.conf.txt |
1173 | blacklist ${RUNUSER}/*firefox* | 1173 | blacklist ${RUNUSER}/*firefox* |
1174 | blacklist ${RUNUSER}/akonadi | 1174 | blacklist ${RUNUSER}/akonadi |
1175 | blacklist ${RUNUSER}/psd/*firefox* | ||
1175 | blacklist /tmp/.wine-* | 1176 | blacklist /tmp/.wine-* |
1176 | blacklist /tmp/akonadi-* | 1177 | blacklist /tmp/akonadi-* |
1177 | blacklist /var/games/nethack | 1178 | blacklist /var/games/nethack |
diff --git a/etc/profile-a-l/Discord.profile b/etc/profile-a-l/Discord.profile index 3f274b21c..68fcf157f 100644 --- a/etc/profile-a-l/Discord.profile +++ b/etc/profile-a-l/Discord.profile | |||
@@ -3,15 +3,8 @@ | |||
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include Discord.local | 4 | include Discord.local |
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | # added by included profile |
7 | 7 | #include globals.local | |
8 | noblacklist ${HOME}/.config/discord | ||
9 | |||
10 | mkdir ${HOME}/.config/discord | ||
11 | whitelist ${HOME}/.config/discord | ||
12 | |||
13 | private-bin Discord | ||
14 | private-opt Discord | ||
15 | 8 | ||
16 | # Redirect | 9 | # Redirect |
17 | include discord-common.profile | 10 | include discord.profile |
diff --git a/etc/profile-a-l/DiscordCanary.profile b/etc/profile-a-l/DiscordCanary.profile index d24e73ed8..ee6576955 100644 --- a/etc/profile-a-l/DiscordCanary.profile +++ b/etc/profile-a-l/DiscordCanary.profile | |||
@@ -3,15 +3,8 @@ | |||
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include DiscordCanary.local | 4 | include DiscordCanary.local |
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | # added by included profile |
7 | 7 | #include globals.local | |
8 | noblacklist ${HOME}/.config/discordcanary | ||
9 | |||
10 | mkdir ${HOME}/.config/discordcanary | ||
11 | whitelist ${HOME}/.config/discordcanary | ||
12 | |||
13 | private-bin DiscordCanary | ||
14 | private-opt DiscordCanary | ||
15 | 8 | ||
16 | # Redirect | 9 | # Redirect |
17 | include discord-common.profile | 10 | include discord-canary.profile |
diff --git a/etc/profile-a-l/arduino.profile b/etc/profile-a-l/arduino.profile index 0daab7dcd..bb0bc3513 100644 --- a/etc/profile-a-l/arduino.profile +++ b/etc/profile-a-l/arduino.profile | |||
@@ -10,13 +10,10 @@ noblacklist ${HOME}/.arduino15 | |||
10 | noblacklist ${HOME}/Arduino | 10 | noblacklist ${HOME}/Arduino |
11 | noblacklist ${DOCUMENTS} | 11 | noblacklist ${DOCUMENTS} |
12 | 12 | ||
13 | # Allow java (blacklisted by disable-devel.inc) | 13 | # Allows files commonly used by IDEs |
14 | include allow-java.inc | 14 | include allow-common-devel.inc |
15 | 15 | ||
16 | include disable-common.inc | 16 | include disable-common.inc |
17 | include disable-devel.inc | ||
18 | include disable-exec.inc | ||
19 | include disable-interpreters.inc | ||
20 | include disable-programs.inc | 17 | include disable-programs.inc |
21 | include disable-xdg.inc | 18 | include disable-xdg.inc |
22 | 19 | ||
diff --git a/etc/profile-a-l/darktable.profile b/etc/profile-a-l/darktable.profile index 4ee61b66d..20d5657eb 100644 --- a/etc/profile-a-l/darktable.profile +++ b/etc/profile-a-l/darktable.profile | |||
@@ -10,8 +10,12 @@ noblacklist ${HOME}/.cache/darktable | |||
10 | noblacklist ${HOME}/.config/darktable | 10 | noblacklist ${HOME}/.config/darktable |
11 | noblacklist ${PICTURES} | 11 | noblacklist ${PICTURES} |
12 | 12 | ||
13 | # Allow lua (blacklisted by disable-interpreters.inc) | ||
13 | include allow-lua.inc | 14 | include allow-lua.inc |
14 | 15 | ||
16 | # Allow perl (blacklisted by disable-interpreters.inc) | ||
17 | include allow-perl.inc | ||
18 | |||
15 | include disable-common.inc | 19 | include disable-common.inc |
16 | include disable-devel.inc | 20 | include disable-devel.inc |
17 | include disable-exec.inc | 21 | include disable-exec.inc |
@@ -33,7 +37,7 @@ novideo | |||
33 | protocol unix,inet,inet6 | 37 | protocol unix,inet,inet6 |
34 | seccomp | 38 | seccomp |
35 | 39 | ||
36 | #private-bin darktable | 40 | #private-bin darktable,exiftool,perl |
37 | private-dev | 41 | private-dev |
38 | private-tmp | 42 | private-tmp |
39 | 43 | ||
diff --git a/etc/profile-a-l/digikam.profile b/etc/profile-a-l/digikam.profile index f1056482c..c1f0e3a14 100644 --- a/etc/profile-a-l/digikam.profile +++ b/etc/profile-a-l/digikam.profile | |||
@@ -13,6 +13,9 @@ noblacklist ${HOME}/.kde4/share/apps/digikam | |||
13 | noblacklist ${HOME}/.local/share/kxmlgui5/digikam | 13 | noblacklist ${HOME}/.local/share/kxmlgui5/digikam |
14 | noblacklist ${PICTURES} | 14 | noblacklist ${PICTURES} |
15 | 15 | ||
16 | # Allow perl (blacklisted by disable-interpreters.inc) | ||
17 | include allow-perl.inc | ||
18 | |||
16 | include disable-common.inc | 19 | include disable-common.inc |
17 | include disable-devel.inc | 20 | include disable-devel.inc |
18 | include disable-exec.inc | 21 | include disable-exec.inc |
diff --git a/etc/profile-a-l/discord-canary.profile b/etc/profile-a-l/discord-canary.profile index 43db95b8a..245b07b8d 100644 --- a/etc/profile-a-l/discord-canary.profile +++ b/etc/profile-a-l/discord-canary.profile | |||
@@ -10,8 +10,8 @@ noblacklist ${HOME}/.config/discordcanary | |||
10 | mkdir ${HOME}/.config/discordcanary | 10 | mkdir ${HOME}/.config/discordcanary |
11 | whitelist ${HOME}/.config/discordcanary | 11 | whitelist ${HOME}/.config/discordcanary |
12 | 12 | ||
13 | private-bin discord-canary,electron,electron[0-9],electron[0-9][0-9] | 13 | private-bin discord-canary,DiscordCanary |
14 | private-opt discord-canary | 14 | private-opt discord-canary,DiscordCanary |
15 | 15 | ||
16 | # Redirect | 16 | # Redirect |
17 | include discord-common.profile | 17 | include discord-common.profile |
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile index c04e38899..bf49c8d48 100644 --- a/etc/profile-a-l/discord-common.profile +++ b/etc/profile-a-l/discord-common.profile | |||
@@ -23,7 +23,7 @@ ignore novideo | |||
23 | whitelist ${HOME}/.config/BetterDiscord | 23 | whitelist ${HOME}/.config/BetterDiscord |
24 | whitelist ${HOME}/.local/share/betterdiscordctl | 24 | whitelist ${HOME}/.local/share/betterdiscordctl |
25 | 25 | ||
26 | private-bin bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh | 26 | private-bin awk,bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],fish,grep,head,sed,sh,tclsh,tr,which,xdg-mime,xdg-open,zsh |
27 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl | 27 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl |
28 | 28 | ||
29 | join-or-start discord | 29 | join-or-start discord |
diff --git a/etc/profile-a-l/discord.profile b/etc/profile-a-l/discord.profile index 8ef02a30f..02d1c65cd 100644 --- a/etc/profile-a-l/discord.profile +++ b/etc/profile-a-l/discord.profile | |||
@@ -10,8 +10,8 @@ noblacklist ${HOME}/.config/discord | |||
10 | mkdir ${HOME}/.config/discord | 10 | mkdir ${HOME}/.config/discord |
11 | whitelist ${HOME}/.config/discord | 11 | whitelist ${HOME}/.config/discord |
12 | 12 | ||
13 | private-bin discord | 13 | private-bin discord,Discord |
14 | private-opt discord | 14 | private-opt discord,Discord |
15 | 15 | ||
16 | # Redirect | 16 | # Redirect |
17 | include discord-common.profile | 17 | include discord-common.profile |
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile index 702e271eb..0e1d30958 100644 --- a/etc/profile-a-l/firefox.profile +++ b/etc/profile-a-l/firefox.profile | |||
@@ -17,6 +17,7 @@ include globals.local | |||
17 | noblacklist ${HOME}/.cache/mozilla | 17 | noblacklist ${HOME}/.cache/mozilla |
18 | noblacklist ${HOME}/.mozilla | 18 | noblacklist ${HOME}/.mozilla |
19 | noblacklist ${RUNUSER}/*firefox* | 19 | noblacklist ${RUNUSER}/*firefox* |
20 | noblacklist ${RUNUSER}/psd/*firefox* | ||
20 | 21 | ||
21 | blacklist /usr/libexec | 22 | blacklist /usr/libexec |
22 | 23 | ||
@@ -37,6 +38,7 @@ whitelist /usr/share/gtk-doc/html | |||
37 | whitelist /usr/share/mozilla | 38 | whitelist /usr/share/mozilla |
38 | whitelist /usr/share/webext | 39 | whitelist /usr/share/webext |
39 | whitelist ${RUNUSER}/*firefox* | 40 | whitelist ${RUNUSER}/*firefox* |
41 | whitelist ${RUNUSER}/psd/*firefox* | ||
40 | include whitelist-usr-share-common.inc | 42 | include whitelist-usr-share-common.inc |
41 | 43 | ||
42 | # firefox requires a shell to launch on Arch - add the next line to your firefox.local to enable private-bin. | 44 | # firefox requires a shell to launch on Arch - add the next line to your firefox.local to enable private-bin. |
diff --git a/etc/profile-a-l/geeqie.profile b/etc/profile-a-l/geeqie.profile index 81574517d..268c3b334 100644 --- a/etc/profile-a-l/geeqie.profile +++ b/etc/profile-a-l/geeqie.profile | |||
@@ -10,6 +10,9 @@ noblacklist ${HOME}/.cache/geeqie | |||
10 | noblacklist ${HOME}/.config/geeqie | 10 | noblacklist ${HOME}/.config/geeqie |
11 | noblacklist ${HOME}/.local/share/geeqie | 11 | noblacklist ${HOME}/.local/share/geeqie |
12 | 12 | ||
13 | # Allow perl (blacklisted by disable-interpreters.inc) | ||
14 | include allow-perl.inc | ||
15 | |||
13 | include disable-common.inc | 16 | include disable-common.inc |
14 | include disable-devel.inc | 17 | include disable-devel.inc |
15 | include disable-interpreters.inc | 18 | include disable-interpreters.inc |
diff --git a/etc/profile-a-l/hugin.profile b/etc/profile-a-l/hugin.profile index fc142e2dc..d4587a303 100644 --- a/etc/profile-a-l/hugin.profile +++ b/etc/profile-a-l/hugin.profile | |||
@@ -13,6 +13,9 @@ noblacklist ${PICTURES} | |||
13 | # Allow /bin/sh (blacklisted by disable-shell.inc) | 13 | # Allow /bin/sh (blacklisted by disable-shell.inc) |
14 | include allow-bin-sh.inc | 14 | include allow-bin-sh.inc |
15 | 15 | ||
16 | # Allow perl (blacklisted by disable-interpreters.inc) | ||
17 | include allow-perl.inc | ||
18 | |||
16 | include disable-common.inc | 19 | include disable-common.inc |
17 | include disable-devel.inc | 20 | include disable-devel.inc |
18 | include disable-exec.inc | 21 | include disable-exec.inc |
@@ -35,7 +38,7 @@ novideo | |||
35 | protocol unix | 38 | protocol unix |
36 | seccomp | 39 | seccomp |
37 | 40 | ||
38 | private-bin align_image_stack,autooptimiser,calibrate_lens_gui,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,enblend,fulla,geocpset,hugin,hugin_executor,hugin_hdrmerge,hugin_lensdb,hugin_stitch_project,icpfind,linefind,nona,pano_modify,pano_trafo,PTBatcherGUI,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,sh,tca_correct,uname,verdandi,vig_optimize | 41 | private-bin align_image_stack,autooptimiser,calibrate_lens_gui,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,enblend,exiftool,fulla,geocpset,hugin,hugin_executor,hugin_hdrmerge,hugin_lensdb,hugin_stitch_project,icpfind,linefind,nona,pano_modify,pano_trafo,perl,PTBatcherGUI,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,sh,tca_correct,uname,verdandi,vig_optimize |
39 | private-cache | 42 | private-cache |
40 | private-dev | 43 | private-dev |
41 | private-tmp | 44 | private-tmp |
diff --git a/src/bash_completion/firejail.bash_completion.in b/src/bash_completion/firejail.bash_completion.in index 4829f1fde..8e047ce90 100644 --- a/src/bash_completion/firejail.bash_completion.in +++ b/src/bash_completion/firejail.bash_completion.in | |||
@@ -42,22 +42,6 @@ _firejail() | |||
42 | _filedir -d | 42 | _filedir -d |
43 | return 0 | 43 | return 0 |
44 | ;; | 44 | ;; |
45 | --landlock.read) | ||
46 | _filedir | ||
47 | return 0 | ||
48 | ;; | ||
49 | --landlock.write) | ||
50 | _filedir | ||
51 | return 0 | ||
52 | ;; | ||
53 | --landlock.special) | ||
54 | _filedir | ||
55 | return 0 | ||
56 | ;; | ||
57 | --landlock.execute) | ||
58 | _filedir | ||
59 | return 0 | ||
60 | ;; | ||
61 | --tmpfs) | 45 | --tmpfs) |
62 | _filedir | 46 | _filedir |
63 | return 0 | 47 | return 0 |
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index fd2f3621e..62b8c4dc4 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -378,14 +378,6 @@ void print_compiletime_support(void) { | |||
378 | #endif | 378 | #endif |
379 | ); | 379 | ); |
380 | 380 | ||
381 | printf("\t- Landlock support is %s\n", | ||
382 | #ifdef HAVE_LANDLOCK | ||
383 | "enabled" | ||
384 | #else | ||
385 | "disabled" | ||
386 | #endif | ||
387 | ); | ||
388 | |||
389 | printf("\t- networking support is %s\n", | 381 | printf("\t- networking support is %s\n", |
390 | #ifdef HAVE_NETWORK | 382 | #ifdef HAVE_NETWORK |
391 | "enabled" | 383 | "enabled" |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index a3b38b5e0..94f970eb8 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -22,9 +22,6 @@ | |||
22 | #include "../include/common.h" | 22 | #include "../include/common.h" |
23 | #include "../include/euid_common.h" | 23 | #include "../include/euid_common.h" |
24 | #include "../include/rundefs.h" | 24 | #include "../include/rundefs.h" |
25 | #ifdef HAVE_LANDLOCK | ||
26 | #include <linux/landlock.h> | ||
27 | #endif | ||
28 | #include <linux/limits.h> // Note: Plain limits.h may break ARG_MAX (see #4583) | 25 | #include <linux/limits.h> // Note: Plain limits.h may break ARG_MAX (see #4583) |
29 | #include <stdarg.h> | 26 | #include <stdarg.h> |
30 | #include <sys/stat.h> | 27 | #include <sys/stat.h> |
@@ -33,6 +30,7 @@ | |||
33 | //#define DEBUG_RESTRICTED_SHELL | 30 | //#define DEBUG_RESTRICTED_SHELL |
34 | 31 | ||
35 | 32 | ||
33 | |||
36 | // profiles | 34 | // profiles |
37 | #define DEFAULT_USER_PROFILE "default" | 35 | #define DEFAULT_USER_PROFILE "default" |
38 | #define DEFAULT_ROOT_PROFILE "server" | 36 | #define DEFAULT_ROOT_PROFILE "server" |
@@ -288,11 +286,6 @@ extern int arg_seccomp32; // enable default seccomp filter for 32 bit arch | |||
288 | extern int arg_seccomp_postexec; // need postexec ld.preload library? | 286 | extern int arg_seccomp_postexec; // need postexec ld.preload library? |
289 | extern int arg_seccomp_block_secondary; // block any secondary architectures | 287 | extern int arg_seccomp_block_secondary; // block any secondary architectures |
290 | 288 | ||
291 | #ifdef HAVE_LANDLOCK | ||
292 | extern int arg_landlock; // Landlock ruleset file descriptor | ||
293 | extern int arg_landlock_proc; // Landlock rule for accessing /proc (0 for no access, 1 for read-only and 2 for read-write) | ||
294 | #endif | ||
295 | |||
296 | extern int arg_caps_default_filter; // enable default capabilities filter | 289 | extern int arg_caps_default_filter; // enable default capabilities filter |
297 | extern int arg_caps_drop; // drop list | 290 | extern int arg_caps_drop; // drop list |
298 | extern int arg_caps_drop_all; // drop all capabilities | 291 | extern int arg_caps_drop_all; // drop all capabilities |
@@ -945,16 +938,4 @@ void run_ids(int argc, char **argv); | |||
945 | // oom.c | 938 | // oom.c |
946 | void oom_set(const char *oom_string); | 939 | void oom_set(const char *oom_string); |
947 | 940 | ||
948 | // landlock.c | ||
949 | #ifdef HAVE_LANDLOCK | ||
950 | int landlock_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags); | ||
951 | int landlock_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags); | ||
952 | int landlock_restrict_self(int fd,__u32 flags); | ||
953 | int create_full_ruleset(); | ||
954 | int add_read_access_rule_by_path(int rset_fd,char *allowed_path); | ||
955 | int add_write_access_rule_by_path(int rset_fd,char *allowed_path); | ||
956 | int add_create_special_rule_by_path(int rset_fd,char *allowed_path); | ||
957 | int add_execute_rule_by_path(int rset_fd,char *allowed_path); | ||
958 | #endif | ||
959 | |||
960 | #endif | 941 | #endif |
diff --git a/src/firejail/join.c b/src/firejail/join.c index 96d891a49..01fd6c41d 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
@@ -545,7 +545,7 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
545 | dbus_set_system_bus_env(); | 545 | dbus_set_system_bus_env(); |
546 | #endif | 546 | #endif |
547 | 547 | ||
548 | start_application(0, shfd, NULL); | 548 | start_application(arg_join_network || arg_join_filesystem, shfd, NULL); |
549 | 549 | ||
550 | __builtin_unreachable(); | 550 | __builtin_unreachable(); |
551 | } | 551 | } |
diff --git a/src/firejail/landlock.c b/src/firejail/landlock.c deleted file mode 100644 index e79d03280..000000000 --- a/src/firejail/landlock.c +++ /dev/null | |||
@@ -1,101 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2022 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | |||
21 | #ifdef HAVE_LANDLOCK | ||
22 | #define _GNU_SOURCE | ||
23 | #include <stdio.h> | ||
24 | #include <stddef.h> | ||
25 | #include <stdlib.h> | ||
26 | #include <unistd.h> | ||
27 | #include <fcntl.h> | ||
28 | #include <sys/syscall.h> | ||
29 | #include <sys/types.h> | ||
30 | #include <sys/prctl.h> | ||
31 | #include <linux/prctl.h> | ||
32 | #include <linux/landlock.h> | ||
33 | |||
34 | int landlock_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags) { | ||
35 | return syscall(__NR_landlock_create_ruleset,rsattr,size,flags); | ||
36 | } | ||
37 | |||
38 | int landlock_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags) { | ||
39 | return syscall(__NR_landlock_add_rule,fd,t,attr,flags); | ||
40 | } | ||
41 | |||
42 | int landlock_restrict_self(int fd,__u32 flags) { | ||
43 | prctl(PR_SET_NO_NEW_PRIVS,1,0,0,0); | ||
44 | int result = syscall(__NR_landlock_restrict_self,fd,flags); | ||
45 | if (result!=0) return result; | ||
46 | else { | ||
47 | close(fd); | ||
48 | return 0; | ||
49 | } | ||
50 | } | ||
51 | |||
52 | int create_full_ruleset() { | ||
53 | struct landlock_ruleset_attr attr; | ||
54 | attr.handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM | LANDLOCK_ACCESS_FS_EXECUTE; | ||
55 | return landlock_create_ruleset(&attr,sizeof(attr),0); | ||
56 | } | ||
57 | |||
58 | int add_read_access_rule_by_path(int rset_fd,char *allowed_path) { | ||
59 | int result; | ||
60 | int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC); | ||
61 | struct landlock_path_beneath_attr target; | ||
62 | target.parent_fd = allowed_fd; | ||
63 | target.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR; | ||
64 | result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0); | ||
65 | close(allowed_fd); | ||
66 | return result; | ||
67 | } | ||
68 | |||
69 | int add_write_access_rule_by_path(int rset_fd,char *allowed_path) { | ||
70 | int result; | ||
71 | int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC); | ||
72 | struct landlock_path_beneath_attr target; | ||
73 | target.parent_fd = allowed_fd; | ||
74 | target.allowed_access = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SYM; | ||
75 | result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0); | ||
76 | close(allowed_fd); | ||
77 | return result; | ||
78 | } | ||
79 | |||
80 | int add_create_special_rule_by_path(int rset_fd,char *allowed_path) { | ||
81 | int result; | ||
82 | int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC); | ||
83 | struct landlock_path_beneath_attr target; | ||
84 | target.parent_fd = allowed_fd; | ||
85 | target.allowed_access = LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK; | ||
86 | result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0); | ||
87 | close(allowed_fd); | ||
88 | return result; | ||
89 | } | ||
90 | |||
91 | int add_execute_rule_by_path(int rset_fd,char *allowed_path) { | ||
92 | int result; | ||
93 | int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC); | ||
94 | struct landlock_path_beneath_attr target; | ||
95 | target.parent_fd = allowed_fd; | ||
96 | target.allowed_access = LANDLOCK_ACCESS_FS_EXECUTE; | ||
97 | result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0); | ||
98 | close(allowed_fd); | ||
99 | return result; | ||
100 | } | ||
101 | #endif | ||
diff --git a/src/firejail/main.c b/src/firejail/main.c index 1daf0da35..12c2cf02b 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -81,11 +81,6 @@ int arg_seccomp_postexec = 0; // need postexec ld.preload library? | |||
81 | int arg_seccomp_block_secondary = 0; // block any secondary architectures | 81 | int arg_seccomp_block_secondary = 0; // block any secondary architectures |
82 | int arg_seccomp_error_action = 0; | 82 | int arg_seccomp_error_action = 0; |
83 | 83 | ||
84 | #ifdef HAVE_LANDLOCK | ||
85 | int arg_landlock = -1; // Landlock ruleset file descriptor (-1 if it doesn't exist) | ||
86 | int arg_landlock_proc = 0; // Landlock rule for accessing /proc (0 for no access, 1 for read-only and 2 for read-write) | ||
87 | #endif | ||
88 | |||
89 | int arg_caps_default_filter = 0; // enable default capabilities filter | 84 | int arg_caps_default_filter = 0; // enable default capabilities filter |
90 | int arg_caps_drop = 0; // drop list | 85 | int arg_caps_drop = 0; // drop list |
91 | int arg_caps_drop_all = 0; // drop all capabilities | 86 | int arg_caps_drop_all = 0; // drop all capabilities |
@@ -829,7 +824,6 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
829 | // try to join by name only | 824 | // try to join by name only |
830 | pid_t pid; | 825 | pid_t pid; |
831 | if (!read_pid(argv[i] + 16, &pid)) { | 826 | if (!read_pid(argv[i] + 16, &pid)) { |
832 | |||
833 | join(pid, argc, argv, i + 1); | 827 | join(pid, argc, argv, i + 1); |
834 | exit(0); | 828 | exit(0); |
835 | } | 829 | } |
@@ -848,6 +842,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
848 | exit(1); | 842 | exit(1); |
849 | } | 843 | } |
850 | 844 | ||
845 | if (argc <= (i+1)) | ||
846 | just_run_the_shell = 1; | ||
847 | cfg.original_program_index = i + 1; | ||
848 | |||
851 | // join sandbox by pid or by name | 849 | // join sandbox by pid or by name |
852 | pid_t pid = require_pid(argv[i] + 15); | 850 | pid_t pid = require_pid(argv[i] + 15); |
853 | join(pid, argc, argv, i + 1); | 851 | join(pid, argc, argv, i + 1); |
@@ -865,6 +863,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
865 | exit(1); | 863 | exit(1); |
866 | } | 864 | } |
867 | 865 | ||
866 | if (argc <= (i+1)) | ||
867 | just_run_the_shell = 1; | ||
868 | cfg.original_program_index = i + 1; | ||
869 | |||
868 | // join sandbox by pid or by name | 870 | // join sandbox by pid or by name |
869 | pid_t pid = require_pid(argv[i] + 18); | 871 | pid_t pid = require_pid(argv[i] + 18); |
870 | join(pid, argc, argv, i + 1); | 872 | join(pid, argc, argv, i + 1); |
@@ -1407,82 +1409,6 @@ int main(int argc, char **argv, char **envp) { | |||
1407 | else | 1409 | else |
1408 | exit_err_feature("seccomp"); | 1410 | exit_err_feature("seccomp"); |
1409 | } | 1411 | } |
1410 | #ifdef HAVE_LANDLOCK | ||
1411 | else if (strcmp(argv[i], "--landlock") == 0) { | ||
1412 | if (arg_landlock == -1) arg_landlock = create_full_ruleset(); | ||
1413 | const char *home_dir = env_get("HOME"); | ||
1414 | int home_fd = open(home_dir,O_PATH | O_CLOEXEC); | ||
1415 | struct landlock_path_beneath_attr target; | ||
1416 | target.parent_fd = home_fd; | ||
1417 | target.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SYM; | ||
1418 | if (landlock_add_rule(arg_landlock,LANDLOCK_RULE_PATH_BENEATH,&target,0)) { | ||
1419 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1420 | } | ||
1421 | close(home_fd); | ||
1422 | if (add_read_access_rule_by_path(arg_landlock, "/bin/")) { | ||
1423 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1424 | } | ||
1425 | if (add_execute_rule_by_path(arg_landlock, "/bin/")) { | ||
1426 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1427 | } | ||
1428 | if (add_read_access_rule_by_path(arg_landlock, "/dev/")) { | ||
1429 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1430 | } | ||
1431 | if (add_read_access_rule_by_path(arg_landlock, "/etc/")) { | ||
1432 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1433 | } | ||
1434 | if (add_read_access_rule_by_path(arg_landlock, "/lib/")) { | ||
1435 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1436 | } | ||
1437 | if (add_execute_rule_by_path(arg_landlock, "/lib/")) { | ||
1438 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1439 | } | ||
1440 | if (add_read_access_rule_by_path(arg_landlock, "/opt/")) { | ||
1441 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1442 | } | ||
1443 | if (add_execute_rule_by_path(arg_landlock, "/opt/")) { | ||
1444 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1445 | } | ||
1446 | if (add_read_access_rule_by_path(arg_landlock, "/usr/")) { | ||
1447 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1448 | } | ||
1449 | if (add_execute_rule_by_path(arg_landlock, "/usr/")) { | ||
1450 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1451 | } | ||
1452 | if (add_read_access_rule_by_path(arg_landlock, "/var/")) { | ||
1453 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1454 | } | ||
1455 | } | ||
1456 | else if (strncmp(argv[i], "--landlock.proc=", 16) == 0) { | ||
1457 | if (strncmp(argv[i]+16, "no", 2) == 0) arg_landlock_proc = 0; | ||
1458 | else if (strncmp(argv[i]+16, "ro", 2) == 0) arg_landlock_proc = 1; | ||
1459 | else if (strncmp(argv[i]+16, "rw", 2) == 0) arg_landlock_proc = 2; | ||
1460 | } | ||
1461 | else if (strncmp(argv[i], "--landlock.read=", 16) == 0) { | ||
1462 | if (arg_landlock == -1) arg_landlock = create_full_ruleset(); | ||
1463 | if (add_read_access_rule_by_path(arg_landlock, argv[i]+16)) { | ||
1464 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1465 | } | ||
1466 | } | ||
1467 | else if (strncmp(argv[i], "--landlock.write=", 17) == 0) { | ||
1468 | if (arg_landlock == -1) arg_landlock = create_full_ruleset(); | ||
1469 | if (add_write_access_rule_by_path(arg_landlock, argv[i]+17)) { | ||
1470 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1471 | } | ||
1472 | } | ||
1473 | else if (strncmp(argv[i], "--landlock.special=", 17) == 0) { | ||
1474 | if (arg_landlock == -1) arg_landlock = create_full_ruleset(); | ||
1475 | if (add_create_special_rule_by_path(arg_landlock, argv[i]+17)) { | ||
1476 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1477 | } | ||
1478 | } | ||
1479 | else if (strncmp(argv[i], "--landlock.execute=", 19) == 0) { | ||
1480 | if (arg_landlock == -1) arg_landlock = create_full_ruleset(); | ||
1481 | if (add_execute_rule_by_path(arg_landlock, argv[i]+19)) { | ||
1482 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1483 | } | ||
1484 | } | ||
1485 | #endif | ||
1486 | else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) { | 1412 | else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) { |
1487 | if (checkcfg(CFG_SECCOMP)) | 1413 | if (checkcfg(CFG_SECCOMP)) |
1488 | arg_memory_deny_write_execute = 1; | 1414 | arg_memory_deny_write_execute = 1; |
@@ -3301,7 +3227,7 @@ int main(int argc, char **argv, char **envp) { | |||
3301 | errExit("setresuid"); | 3227 | errExit("setresuid"); |
3302 | 3228 | ||
3303 | char arg[64]; | 3229 | char arg[64]; |
3304 | snprintf(arg, sizeof(arg), "--netlock=%d", getpid()); | 3230 | snprintf(arg, sizeof(arg), "--netlock=%d", sandbox_pid); |
3305 | 3231 | ||
3306 | char *cmd[3]; | 3232 | char *cmd[3]; |
3307 | cmd[0] = BINDIR "/firejail"; | 3233 | cmd[0] = BINDIR "/firejail"; |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 9f677c11d..641bb09b1 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -1047,90 +1047,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1047 | return 0; | 1047 | return 0; |
1048 | } | 1048 | } |
1049 | 1049 | ||
1050 | #ifdef HAVE_LANDLOCK | ||
1051 | // Landlock ruleset paths | ||
1052 | if (strcmp(ptr, "landlock") == 0) { | ||
1053 | if (arg_landlock == -1) arg_landlock = create_full_ruleset(); | ||
1054 | const char *home_dir = env_get("HOME"); | ||
1055 | int home_fd = open(home_dir,O_PATH | O_CLOEXEC); | ||
1056 | struct landlock_path_beneath_attr target; | ||
1057 | target.parent_fd = home_fd; | ||
1058 | target.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SYM; | ||
1059 | if (landlock_add_rule(arg_landlock,LANDLOCK_RULE_PATH_BENEATH,&target,0)) { | ||
1060 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1061 | } | ||
1062 | close(home_fd); | ||
1063 | if (add_read_access_rule_by_path(arg_landlock, "/bin/")) { | ||
1064 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1065 | } | ||
1066 | if (add_execute_rule_by_path(arg_landlock, "/bin/")) { | ||
1067 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1068 | } | ||
1069 | if (add_read_access_rule_by_path(arg_landlock, "/dev/")) { | ||
1070 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1071 | } | ||
1072 | if (add_read_access_rule_by_path(arg_landlock, "/etc/")) { | ||
1073 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1074 | } | ||
1075 | if (add_read_access_rule_by_path(arg_landlock, "/lib/")) { | ||
1076 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1077 | } | ||
1078 | if (add_execute_rule_by_path(arg_landlock, "/lib/")) { | ||
1079 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1080 | } | ||
1081 | if (add_read_access_rule_by_path(arg_landlock, "/opt/")) { | ||
1082 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1083 | } | ||
1084 | if (add_execute_rule_by_path(arg_landlock, "/opt/")) { | ||
1085 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1086 | } | ||
1087 | if (add_read_access_rule_by_path(arg_landlock, "/usr/")) { | ||
1088 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1089 | } | ||
1090 | if (add_execute_rule_by_path(arg_landlock, "/usr/")) { | ||
1091 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1092 | } | ||
1093 | if (add_read_access_rule_by_path(arg_landlock, "/var/")) { | ||
1094 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1095 | } | ||
1096 | return 0; | ||
1097 | } | ||
1098 | if (strncmp(ptr, "landlock.proc ", 14) == 0) { | ||
1099 | if (strncmp(ptr+14, "no", 2) == 0) arg_landlock_proc = 0; | ||
1100 | else if (strncmp(ptr+14, "ro", 2) == 0) arg_landlock_proc = 1; | ||
1101 | else if (strncmp(ptr+14, "rw", 2) == 0) arg_landlock_proc = 2; | ||
1102 | return 0; | ||
1103 | } | ||
1104 | if (strncmp(ptr, "landlock.read ", 14) == 0) { | ||
1105 | if (arg_landlock == -1) arg_landlock = create_full_ruleset(); | ||
1106 | if (add_read_access_rule_by_path(arg_landlock, ptr+14)) { | ||
1107 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1108 | } | ||
1109 | return 0; | ||
1110 | } | ||
1111 | if (strncmp(ptr, "landlock.write ", 15) == 0) { | ||
1112 | if (arg_landlock == -1) arg_landlock = create_full_ruleset(); | ||
1113 | if (add_write_access_rule_by_path(arg_landlock, ptr+15)) { | ||
1114 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1115 | } | ||
1116 | return 0; | ||
1117 | } | ||
1118 | if (strncmp(ptr, "landlock.special ", 26) == 0) { | ||
1119 | if (arg_landlock == -1) arg_landlock = create_full_ruleset(); | ||
1120 | if (add_create_special_rule_by_path(arg_landlock, ptr+26)) { | ||
1121 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1122 | } | ||
1123 | return 0; | ||
1124 | } | ||
1125 | if (strncmp(ptr, "landlock.execute ", 17) == 0) { | ||
1126 | if (arg_landlock == -1) arg_landlock = create_full_ruleset(); | ||
1127 | if (add_execute_rule_by_path(arg_landlock, ptr+17)) { | ||
1128 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1129 | } | ||
1130 | return 0; | ||
1131 | } | ||
1132 | #endif | ||
1133 | |||
1134 | // memory deny write&execute | 1050 | // memory deny write&execute |
1135 | if (strcmp(ptr, "memory-deny-write-execute") == 0) { | 1051 | if (strcmp(ptr, "memory-deny-write-execute") == 0) { |
1136 | if (checkcfg(CFG_SECCOMP)) | 1052 | if (checkcfg(CFG_SECCOMP)) |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 5fcccbd92..9299268a3 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -488,7 +488,6 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) { | |||
488 | #ifdef HAVE_APPARMOR | 488 | #ifdef HAVE_APPARMOR |
489 | set_apparmor(); | 489 | set_apparmor(); |
490 | #endif | 490 | #endif |
491 | |||
492 | close_file_descriptors(); | 491 | close_file_descriptors(); |
493 | 492 | ||
494 | // set nice and rlimits | 493 | // set nice and rlimits |
@@ -510,16 +509,6 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) { | |||
510 | printf("LD_PRELOAD=%s\n", getenv("LD_PRELOAD")); | 509 | printf("LD_PRELOAD=%s\n", getenv("LD_PRELOAD")); |
511 | } | 510 | } |
512 | 511 | ||
513 | #ifdef HAVE_LANDLOCK | ||
514 | // set Landlock | ||
515 | if (arg_landlock >= 0) { | ||
516 | if (landlock_restrict_self(arg_landlock,0)) { | ||
517 | fprintf(stderr,"An error has occured while enabling Landlock self-restriction. Exiting...\n"); | ||
518 | exit(1); // it isn't safe to continue if Landlock self-restriction was enabled and the "landlock_restrict_self" syscall has failed | ||
519 | } | ||
520 | } | ||
521 | #endif | ||
522 | |||
523 | if (just_run_the_shell) { | 512 | if (just_run_the_shell) { |
524 | char *arg[2]; | 513 | char *arg[2]; |
525 | arg[0] = cfg.usershell; | 514 | arg[0] = cfg.usershell; |
@@ -1010,15 +999,6 @@ int sandbox(void* sandbox_arg) { | |||
1010 | fs_proc_sys_dev_boot(); | 999 | fs_proc_sys_dev_boot(); |
1011 | 1000 | ||
1012 | //**************************** | 1001 | //**************************** |
1013 | // Allow access to /proc | ||
1014 | //**************************** | ||
1015 | #ifdef HAVE_LANDLOCK | ||
1016 | if (arg_landlock>-1) { | ||
1017 | if (arg_landlock_proc >= 1) add_read_access_rule_by_path(arg_landlock, "/proc/"); | ||
1018 | if (arg_landlock_proc == 2) add_write_access_rule_by_path(arg_landlock, "/proc/"); | ||
1019 | } | ||
1020 | #endif | ||
1021 | //**************************** | ||
1022 | // handle /mnt and /media | 1002 | // handle /mnt and /media |
1023 | //**************************** | 1003 | //**************************** |
1024 | if (checkcfg(CFG_DISABLE_MNT)) | 1004 | if (checkcfg(CFG_DISABLE_MNT)) |
@@ -1113,12 +1093,9 @@ int sandbox(void* sandbox_arg) { | |||
1113 | //**************************** | 1093 | //**************************** |
1114 | // rebuild etc directory, set dns | 1094 | // rebuild etc directory, set dns |
1115 | //**************************** | 1095 | //**************************** |
1116 | if (!arg_writable_etc){ | 1096 | if (!arg_writable_etc) |
1117 | fs_rebuild_etc(); | 1097 | fs_rebuild_etc(); |
1118 | #ifdef HAVE_LANDLOCK | 1098 | |
1119 | if (arg_landlock>-1) add_read_access_rule_by_path(arg_landlock, "/etc/"); | ||
1120 | #endif | ||
1121 | } | ||
1122 | //**************************** | 1099 | //**************************** |
1123 | // start dhcp client | 1100 | // start dhcp client |
1124 | //**************************** | 1101 | //**************************** |
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index e0751ef5c..e11081eed 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -122,12 +122,6 @@ static char *usage_str = | |||
122 | " --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n" | 122 | " --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n" |
123 | " --keep-fd - inherit open file descriptors to sandbox.\n" | 123 | " --keep-fd - inherit open file descriptors to sandbox.\n" |
124 | " --keep-var-tmp - /var/tmp directory is untouched.\n" | 124 | " --keep-var-tmp - /var/tmp directory is untouched.\n" |
125 | " --landlock - add basic rules to the Landlock ruleset.\n" | ||
126 | " --landlock.proc=no|ro|rw - add an access rule for /proc to the Landlock ruleset.\n" | ||
127 | " --landlock.read=path - add a read access rule for the path to the Landlock ruleset.\n" | ||
128 | " --landlock.write=path - add a write access rule for the path to the Landlock ruleset.\n" | ||
129 | " --landlock.special=path - add an access rule for creating FIFO pipes, Unix domain sockets and block devices for the path to the Landlock ruleset.\n" | ||
130 | " --landlock.execute=path - add an execution-permitting rule for the path to the Landlock ruleset.\n" | ||
131 | " --list - list all sandboxes.\n" | 125 | " --list - list all sandboxes.\n" |
132 | #ifdef HAVE_FILE_TRANSFER | 126 | #ifdef HAVE_FILE_TRANSFER |
133 | " --ls=name|pid dir_or_filename - list files in sandbox container.\n" | 127 | " --ls=name|pid dir_or_filename - list files in sandbox container.\n" |
diff --git a/src/firejail/util.c b/src/firejail/util.c index b6a7ca08c..a01290cf2 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -1338,10 +1338,6 @@ void close_all(int *keep_list, size_t sz) { | |||
1338 | if (keep) | 1338 | if (keep) |
1339 | continue; | 1339 | continue; |
1340 | 1340 | ||
1341 | // don't close the file descriptor of the Landlock ruleset -- it will be automatically closed by the landlock_restrict_self wrapper function | ||
1342 | #ifdef HAVE_LANDLOCK | ||
1343 | if (fd == arg_landlock) continue; | ||
1344 | #endif | ||
1345 | close(fd); | 1341 | close(fd); |
1346 | } | 1342 | } |
1347 | closedir(dir); | 1343 | closedir(dir); |
diff --git a/src/fnettrace/static-ip-map b/src/fnettrace/static-ip-map index 97bed7a1f..d1ce29dac 100644 --- a/src/fnettrace/static-ip-map +++ b/src/fnettrace/static-ip-map | |||
@@ -33,6 +33,11 @@ | |||
33 | # | 33 | # |
34 | # | 34 | # |
35 | 35 | ||
36 | # | ||
37 | # The following list of addresses was compiled from various public sources. | ||
38 | # | ||
39 | |||
40 | |||
36 | # local network addresses | 41 | # local network addresses |
37 | 192.168.0.0/16 local network | 42 | 192.168.0.0/16 local network |
38 | 10.0.0.0/8 local network | 43 | 10.0.0.0/8 local network |
@@ -81,19 +86,89 @@ | |||
81 | 201.159.220.0/22 whois.lacnic.net Ecuador | 86 | 201.159.220.0/22 whois.lacnic.net Ecuador |
82 | 87 | ||
83 | # some popular websites | 88 | # some popular websites |
89 | 23.160.0.0/24 Twitch | ||
90 | 23.246.0.0/18, Netflix | ||
84 | 31.13.24.0/21 Facebook | 91 | 31.13.24.0/21 Facebook |
85 | 31.13.64.0/18 Facebook | 92 | 31.13.64.0/18 Facebook |
93 | 37.77.184.0/21 Netflix | ||
94 | 45.57.0.0/17 Netflix | ||
95 | 45.58.64.0/20 Dropbox | ||
96 | 45.113.128.0/22 Twitch | ||
97 | 52.223.192.0/18 Twitch | ||
98 | 63.245.208.0/23 Mozilla | ||
86 | 64.63.0.0/18 Twitter | 99 | 64.63.0.0/18 Twitter |
100 | 64.112.13.0/24 Dropbox | ||
101 | 64.120.128.0/17 Netflix | ||
102 | 66.197.128.0/17 Netflix | ||
103 | 69.53.224.0/19 Netflix | ||
87 | 69.171.224.0/19 Facebook | 104 | 69.171.224.0/19 Facebook |
105 | 91.105.192.0/23 Telegram | ||
106 | 91.108.4.0/22 Telegram | ||
107 | 91.108.8.0/21 Telegram | ||
108 | 91.108.16.0/21 Telegram | ||
109 | 91.108.56.0/22 Telegram | ||
110 | 91.189.88.0/24 Ubuntu One | ||
111 | 91.189.90.0/23 Ubuntu One | ||
112 | 91.189.92.0/23 Ubuntu One | ||
113 | 91.189.94.0/24 Ubuntu One | ||
114 | 95.161.64.0/20 Telegram | ||
115 | 99.181.64.0/18 Twitch | ||
116 | 103.53.48.0/23 Twitch | ||
88 | 104.244.40.0/21 Twitter | 117 | 104.244.40.0/21 Twitter |
89 | 129.134.0.0/16 Facebook | 118 | 129.134.0.0/16 Facebook |
90 | 140.82.112.0/20 GitHub | 119 | 140.82.112.0/20 GitHub |
120 | 103.10.124.0/23 Steam | ||
121 | 103.28.54.0/24 Steam | ||
122 | 108.160.160.0/20 Dropbox | ||
123 | 108.175.32.0/20 Netflix | ||
124 | 143.55.64.0/20 Github | ||
125 | 146.66.152.0/24 Steam | ||
126 | 146.66.155.0/24 Steam | ||
127 | 149.154.160.0/20 Telegram | ||
128 | 153.254.86.0/24 Steam | ||
129 | 155.133.224.0/22 Steam | ||
130 | 155.133.230.0/24 Steam | ||
131 | 155.133.232.0/23 Steam | ||
132 | 155.133.234.0/24 Steam | ||
133 | 155.133.236.0/22 Steam | ||
134 | 155.133.240.0/23 Steam | ||
135 | 155.133.245.0/24 Steam | ||
136 | 155.133.246.0/24 Steam | ||
137 | 155.133.248.0/21 Steam | ||
91 | 157.240.0.0/16 Facebook | 138 | 157.240.0.0/16 Facebook |
139 | 162.125.0.0/16 Dropbox | ||
140 | 162.213.32.0/22 Ubuntu One | ||
141 | 162.254.192.0/21 Steam | ||
142 | 185.2.220.0/22 Netflix | ||
143 | 185.9.188.0/22 Netflix | ||
144 | 185.25.182.0/23 Steam | ||
145 | 185.42.204.0/22 Twitch | ||
146 | 185.45.8.0/22 Dropbox | ||
147 | 185.76.151.0/24 Telegram | ||
148 | 185.105.164.0/24 Dropbox | ||
149 | 185.125.188.0/22 Ubuntu One | ||
92 | 185.199.108.0/22 GitHub | 150 | 185.199.108.0/22 GitHub |
93 | 188.64.224.0/21 Twitter | 151 | 188.64.224.0/21 Twitter |
152 | 190.217.33.0/24 Steam | ||
94 | 192.0.64.0/18 Wordpress | 153 | 192.0.64.0/18 Wordpress |
154 | 192.16.64.0/21 Twitch | ||
155 | 192.30.252.0/22 GitHub | ||
156 | 192.69.96.0/22 Steam | ||
157 | 192.108.239.0/24 Twitch | ||
158 | 192.173.64.0/18 Netflix | ||
159 | 192.189.200.0/23 Dropbox | ||
160 | 194.169.254.0/24 Ubuntu One | ||
161 | 198.38.96.0/19 Netflix | ||
162 | 198.45.48.0/20 Netflix | ||
163 | 199.9.248.0/21 Twitch | ||
95 | 199.16.156.0/22 Twitter | 164 | 199.16.156.0/22 Twitter |
96 | 199.59.148.0/22 Twitter | 165 | 199.59.148.0/22 Twitter |
166 | 205.185.194.0/24 Steam | ||
167 | 205.196.6.0/24 Steam | ||
168 | 207.45.72.0/22 Netflix | ||
169 | 208.64.200.0/22 Steam | ||
170 | 208.75.76.0/22 Netflix | ||
171 | 208.78.164.0/22 Steam | ||
97 | 208.80.152.0/22 Wikipedia | 172 | 208.80.152.0/22 Wikipedia |
98 | 173 | ||
99 | # StackPath | 174 | # StackPath |
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 1f543980e..138aae8af 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -497,35 +497,6 @@ Blacklist all Linux capabilities. | |||
497 | .TP | 497 | .TP |
498 | \fBcaps.keep capability,capability,capability | 498 | \fBcaps.keep capability,capability,capability |
499 | Whitelist given Linux capabilities. | 499 | Whitelist given Linux capabilities. |
500 | #ifdef HAVE_LANDLOCK | ||
501 | .TP | ||
502 | \fBlandlock | ||
503 | Create a Landlock ruleset (if it doesn't already exist) and add basic access rules to it. | ||
504 | .br | ||
505 | .TP | ||
506 | \fBlandlock.proc no|ro|rw | ||
507 | Add an access rule for /proc directory (read-only if set to \fBro\fR and read-write if set to \fBrw\fR). The access rule for /proc is added after this directory is set up in the sandbox. Access rules for /proc set up with other Landlock-related profile options have no effect. | ||
508 | .br | ||
509 | .TP | ||
510 | \fBlandlock.read path | ||
511 | Create a Landlock ruleset (if it doesn't already exist) and add a read access rule for path. | ||
512 | .br | ||
513 | |||
514 | .TP | ||
515 | \fBlandlock.write path | ||
516 | Create a Landlock ruleset (if it doesn't already exist) and add a write access rule for path. | ||
517 | .br | ||
518 | |||
519 | .TP | ||
520 | \fBlandlock.special path | ||
521 | Create a Landlock ruleset (if it doesn't already exist) and add an access rule for creation of FIFO pipes, Unix-domain sockets and block devices beneath given path. | ||
522 | .br | ||
523 | |||
524 | .TP | ||
525 | \fBlandlock.execute path | ||
526 | Create a Landlock ruleset (if it doesn't already exist) and add an execution permission rule for path. | ||
527 | .br | ||
528 | #endif | ||
529 | .TP | 500 | .TP |
530 | \fBmemory-deny-write-execute | 501 | \fBmemory-deny-write-execute |
531 | Install a seccomp filter to block attempts to create memory mappings | 502 | Install a seccomp filter to block attempts to create memory mappings |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 0b78203d7..82eea3977 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -193,7 +193,7 @@ Blacklist directory or file. File globbing is supported, see \fBFILE GLOBBING\fR | |||
193 | .br | 193 | .br |
194 | Symbolic link handling: Blacklisting a path that is a symbolic link will also | 194 | Symbolic link handling: Blacklisting a path that is a symbolic link will also |
195 | blacklist the path that it points to. | 195 | blacklist the path that it points to. |
196 | For example, if ~/foo is blacklisted and it points to /foo, then /foo will also | 196 | For example, if ~/foo is blacklisted and it points to /bar, then /bar will also |
197 | be blacklisted. | 197 | be blacklisted. |
198 | .br | 198 | .br |
199 | 199 | ||
@@ -330,6 +330,11 @@ $ firejail \-\-chroot=/media/ubuntu warzone2100 | |||
330 | .br | 330 | .br |
331 | For automatic mounting of X11 and PulseAudio sockets set environment variables | 331 | For automatic mounting of X11 and PulseAudio sockets set environment variables |
332 | FIREJAIL_CHROOT_X11 and FIREJAIL_CHROOT_PULSE. | 332 | FIREJAIL_CHROOT_X11 and FIREJAIL_CHROOT_PULSE. |
333 | .br | ||
334 | |||
335 | .br | ||
336 | Note: Support for this command is controlled in firejail.config with the | ||
337 | \fBchroot\fR option. | ||
333 | #endif | 338 | #endif |
334 | .TP | 339 | .TP |
335 | \fB\-\-cpu=cpu-number,cpu-number,cpu-number | 340 | \fB\-\-cpu=cpu-number,cpu-number,cpu-number |
@@ -1151,41 +1156,6 @@ Example: | |||
1151 | .br | 1156 | .br |
1152 | $ firejail --keep-var-tmp | 1157 | $ firejail --keep-var-tmp |
1153 | 1158 | ||
1154 | #ifdef HAVE_LANDLOCK | ||
1155 | .TP | ||
1156 | \fB\-\-landlock | ||
1157 | Create a Landlock ruleset (if it doesn't already exist) and add basic access rules to it. See \fBLANDLOCK\fR section for more information. | ||
1158 | .br | ||
1159 | .TP | ||
1160 | \fB\-\-landlock.proc=no|ro|rw | ||
1161 | Add an access rule for /proc directory (read-only if set to \fBro\fR and read-write if set to \fBrw\fR). The access rule for /proc is added after this directory is set up in the sandbox. Access rules for /proc set up with other Landlock-related command-line options have no effect. | ||
1162 | .br | ||
1163 | .TP | ||
1164 | \fB\-\-landlock.read=path | ||
1165 | Create a Landlock ruleset (if it doesn't already exist) and add a read access rule for path. | ||
1166 | .br | ||
1167 | |||
1168 | .TP | ||
1169 | \fB\-\-landlock.write=path | ||
1170 | Create a Landlock ruleset (if it doesn't already exist) and add a write access rule for path. | ||
1171 | .br | ||
1172 | |||
1173 | .TP | ||
1174 | \fB\-\-landlock.special=path | ||
1175 | Create a Landlock ruleset (if it doesn't already exist) and add a permission rule to create FIFO pipes, Unix domain sockets and block devices beneath given path. | ||
1176 | .br | ||
1177 | |||
1178 | .TP | ||
1179 | \fB\-\-landlock.execute=path | ||
1180 | Create a Landlock ruleset (if it doesn't already exist) and add an execution permission rule for path. | ||
1181 | .br | ||
1182 | |||
1183 | .br | ||
1184 | Example: | ||
1185 | .br | ||
1186 | $ firejail \-\-landlock.read=/ \-\-landlock.write=/home \-\-landlock.execute=/usr | ||
1187 | #endif | ||
1188 | |||
1189 | .TP | 1159 | .TP |
1190 | \fB\-\-list | 1160 | \fB\-\-list |
1191 | List all sandboxes, see \fBMONITORING\fR section for more details. | 1161 | List all sandboxes, see \fBMONITORING\fR section for more details. |
@@ -1303,7 +1273,6 @@ $ firejail --list | |||
1303 | .br | 1273 | .br |
1304 | 1312:netblue:browser-1312:firejail --name=browser --private firefox --no-remote | 1274 | 1312:netblue:browser-1312:firejail --name=browser --private firefox --no-remote |
1305 | .br | 1275 | .br |
1306 | |||
1307 | #ifdef HAVE_NETWORK | 1276 | #ifdef HAVE_NETWORK |
1308 | .TP | 1277 | .TP |
1309 | \fB\-\-net=bridge_interface | 1278 | \fB\-\-net=bridge_interface |
@@ -2166,6 +2135,9 @@ $ ps | |||
2166 | $ | 2135 | $ |
2167 | .br | 2136 | .br |
2168 | 2137 | ||
2138 | .br | ||
2139 | Note: Support for this command is controlled in firejail.config with the | ||
2140 | \fBprivate-lib\fR option. | ||
2169 | .TP | 2141 | .TP |
2170 | \fB\-\-private-opt=file,directory | 2142 | \fB\-\-private-opt=file,directory |
2171 | Build a new /opt in a temporary | 2143 | Build a new /opt in a temporary |
@@ -2873,6 +2845,11 @@ Dec 3 11:43:25 debian firejail[70]: blacklist violation - sandbox 26370, exe fi | |||
2873 | Dec 3 11:46:17 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall opendir, path /boot | 2845 | Dec 3 11:46:17 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall opendir, path /boot |
2874 | .br | 2846 | .br |
2875 | [...] | 2847 | [...] |
2848 | .br | ||
2849 | |||
2850 | .br | ||
2851 | Note: Support for this command is controlled in firejail.config with the | ||
2852 | \fBtracelog\fR option. | ||
2876 | .TP | 2853 | .TP |
2877 | \fB\-\-tree | 2854 | \fB\-\-tree |
2878 | Print a tree of all sandboxed processes, see \fBMONITORING\fR section for more details. | 2855 | Print a tree of all sandboxed processes, see \fBMONITORING\fR section for more details. |
@@ -3237,34 +3214,7 @@ To enable AppArmor confinement on top of your current Firejail security features | |||
3237 | .br | 3214 | .br |
3238 | $ firejail --apparmor firefox | 3215 | $ firejail --apparmor firefox |
3239 | #endif | 3216 | #endif |
3240 | #ifdef HAVE_LANDLOCK | ||
3241 | .SH LANDLOCK | ||
3242 | .TP | ||
3243 | Landlock is a Linux security module first introduced in the 5.13 version of Linux kernel. It allows unprivileged processes to restrict their access to the filesystem. Once imposed, these restrictions can never be removed, and all child processes created by a Landlock-restricted processes inherit these restrictions. Firejail supports Landlock as an additional sandboxing feature. It can be used to ensure that a sandboxed application can only access files and directories that it was explicitly allowed to access. Firejail supports populating the ruleset with both basic set of rules and with custom set of rules. Basic set of rules allows read-only access to /bin, /dev, /etc, /lib, /opt, /proc, /usr and /var, read-write access to the home directory, and allows execution of binaries located in /bin, /opt and /usr. | ||
3244 | .br | ||
3245 | |||
3246 | .TP | ||
3247 | Important notes: | ||
3248 | .br | ||
3249 | 3217 | ||
3250 | .br | ||
3251 | - A process can install a Landlock ruleset only if it has either \fBCAP_SYS_ADMIN\fR in its effective capability set, or the "No New Privileges" restriction enabled. Because of this, enabling the Landlock feature will also cause Firejail to enable the "No New Privileges" restriction, regardless of the profile or the \fB\-\-no\-new\-privs\fR command line option. | ||
3252 | .br | ||
3253 | |||
3254 | .br | ||
3255 | - Access to the /proc directory is managed through the \fB\-\-landlock.proc\fR command line option. | ||
3256 | |||
3257 | .br | ||
3258 | - Access to the /etc directory is automatically allowed. To override this, use the \fB\-\-writable\-etc\fR command line option. You can also use the \fB\-\-private\-etc\fR option to restrict access to the /etc directory. | ||
3259 | .br | ||
3260 | |||
3261 | .TP | ||
3262 | To enable Landlock self-restriction on top of your current Firejail security features, pass \fB\-\-landlock\fR flag to Firejail command line. You can also use \fB\-\-landlock.read\fR, \fB\-\-landlock.write\fR, \fB\-\-landlock.special\fR and \fB\-\-landlock.execute\fR options together with \fB\-\-landlock\fR or instead of it. Example: | ||
3263 | .br | ||
3264 | |||
3265 | .br | ||
3266 | $ firejail --landlock --landlock.read=/media --landlock.proc=ro mc | ||
3267 | #endif | ||
3268 | .SH DESKTOP INTEGRATION | 3218 | .SH DESKTOP INTEGRATION |
3269 | A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox. | 3219 | A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox. |
3270 | The symbolic link should be placed in the first $PATH position. On most systems, a good place | 3220 | The symbolic link should be placed in the first $PATH position. On most systems, a good place |
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in index ed7337762..2b67c2a00 100644 --- a/src/zsh_completion/_firejail.in +++ b/src/zsh_completion/_firejail.in | |||
@@ -105,12 +105,6 @@ _firejail_args=( | |||
105 | '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]' | 105 | '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]' |
106 | '--keep-fd[inherit open file descriptors to sandbox]: :' | 106 | '--keep-fd[inherit open file descriptors to sandbox]: :' |
107 | '--keep-var-tmp[/var/tmp directory is untouched]' | 107 | '--keep-var-tmp[/var/tmp directory is untouched]' |
108 | '--landlock[Basic Landlock ruleset]' | ||
109 | '--landlock.proc=-[Access to the /proc directory]: :(no ro rw)' | ||
110 | '--landlock.read=-[Landlock read access rule]: :_files' | ||
111 | '--landlock.write=-[Landlock write access rule]: :_files' | ||
112 | "--landlock.special=-[Landlock access rule for creation of FIFO pipes, sockets and block devices]: :_files" | ||
113 | '--landlock.execute=-[Landlock execution-permitting rule]: :_files' | ||
114 | '--machine-id[spoof /etc/machine-id with a random id]' | 108 | '--machine-id[spoof /etc/machine-id with a random id]' |
115 | '--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]' | 109 | '--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]' |
116 | '*--mkdir=-[create a directory]:' | 110 | '*--mkdir=-[create a directory]:' |
diff --git a/test/appimage/appimage.sh b/test/appimage/appimage.sh index 9afacf5be..c2bdad012 100755 --- a/test/appimage/appimage.sh +++ b/test/appimage/appimage.sh | |||
@@ -13,7 +13,7 @@ echo "TESTING: AppImage v1 (test/appimage/appimage-v1.exp)" | |||
13 | echo "TESTING: AppImage v2 (test/appimage/appimage-v2.exp)" | 13 | echo "TESTING: AppImage v2 (test/appimage/appimage-v2.exp)" |
14 | ./appimage-v2.exp | 14 | ./appimage-v2.exp |
15 | 15 | ||
16 | echo "TESTING: AppImage file name (test/appimage/filename.exp)"; | 16 | echo "TESTING: AppImage file name (test/appimage/filename.exp)" |
17 | ./filename.exp | 17 | ./filename.exp |
18 | 18 | ||
19 | echo "TESTING: AppImage argsv1 (test/appimage/appimage-args.exp)" | 19 | echo "TESTING: AppImage argsv1 (test/appimage/appimage-args.exp)" |
diff --git a/test/apps-x11-xorg/apps-x11-xorg.sh b/test/apps-x11-xorg/apps-x11-xorg.sh index 9ed123979..9dcee7aff 100755 --- a/test/apps-x11-xorg/apps-x11-xorg.sh +++ b/test/apps-x11-xorg/apps-x11-xorg.sh | |||
@@ -7,8 +7,7 @@ export MALLOC_CHECK_=3 | |||
7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) | 7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) |
8 | export LC_ALL=C | 8 | export LC_ALL=C |
9 | 9 | ||
10 | which firefox 2>/dev/null | 10 | if command -v firefox |
11 | if [ "$?" -eq 0 ]; | ||
12 | then | 11 | then |
13 | echo "TESTING: firefox x11 xorg" | 12 | echo "TESTING: firefox x11 xorg" |
14 | ./firefox.exp | 13 | ./firefox.exp |
@@ -16,8 +15,7 @@ else | |||
16 | echo "TESTING SKIP: firefox not found" | 15 | echo "TESTING SKIP: firefox not found" |
17 | fi | 16 | fi |
18 | 17 | ||
19 | which transmission-gtk 2>/dev/null | 18 | if command -v transmission-gtk |
20 | if [ "$?" -eq 0 ]; | ||
21 | then | 19 | then |
22 | echo "TESTING: transmission-gtk x11 xorg" | 20 | echo "TESTING: transmission-gtk x11 xorg" |
23 | ./transmission-gtk.exp | 21 | ./transmission-gtk.exp |
@@ -25,8 +23,7 @@ else | |||
25 | echo "TESTING SKIP: transmission-gtk not found" | 23 | echo "TESTING SKIP: transmission-gtk not found" |
26 | fi | 24 | fi |
27 | 25 | ||
28 | which transmission-qt 2>/dev/null | 26 | if command -v transmission-qt |
29 | if [ "$?" -eq 0 ]; | ||
30 | then | 27 | then |
31 | echo "TESTING: transmission-qt x11 xorg" | 28 | echo "TESTING: transmission-qt x11 xorg" |
32 | ./transmission-qt.exp | 29 | ./transmission-qt.exp |
@@ -34,8 +31,7 @@ else | |||
34 | echo "TESTING SKIP: transmission-qt not found" | 31 | echo "TESTING SKIP: transmission-qt not found" |
35 | fi | 32 | fi |
36 | 33 | ||
37 | which thunderbird 2>/dev/null | 34 | if command -v thunderbird |
38 | if [ "$?" -eq 0 ]; | ||
39 | then | 35 | then |
40 | echo "TESTING: thunderbird x11 xorg" | 36 | echo "TESTING: thunderbird x11 xorg" |
41 | ./thunderbird.exp | 37 | ./thunderbird.exp |
diff --git a/test/apps-x11/apps-x11.sh b/test/apps-x11/apps-x11.sh index a3c946ca4..b2722eed3 100755 --- a/test/apps-x11/apps-x11.sh +++ b/test/apps-x11/apps-x11.sh | |||
@@ -10,49 +10,42 @@ export LC_ALL=C | |||
10 | echo "TESTING: no x11 (test/apps-x11/x11-none.exp)" | 10 | echo "TESTING: no x11 (test/apps-x11/x11-none.exp)" |
11 | ./x11-none.exp | 11 | ./x11-none.exp |
12 | 12 | ||
13 | 13 | if command -v xterm | |
14 | which xterm 2>/dev/null | ||
15 | if [ "$?" -eq 0 ]; | ||
16 | then | 14 | then |
17 | echo "TESTING: xterm x11 xorg" | 15 | echo "TESTING: xterm x11 xorg" |
18 | ./xterm-xorg.exp | 16 | ./xterm-xorg.exp |
19 | 17 | ||
20 | which xpra 2>/dev/null | 18 | if command -v xpra |
21 | if [ "$?" -eq 0 ]; | ||
22 | then | 19 | then |
23 | echo "TESTING: xterm x11 xpra" | 20 | echo "TESTING: xterm x11 xpra" |
24 | ./xterm-xpra.exp | 21 | ./xterm-xpra.exp |
25 | fi | 22 | fi |
26 | 23 | ||
27 | which Xephyr 2>/dev/null | 24 | if command -v Xephyr |
28 | if [ "$?" -eq 0 ]; | ||
29 | then | 25 | then |
30 | echo "TESTING: xterm x11 xephyr" | 26 | echo "TESTING: xterm x11 xephyr" |
31 | ./xterm-xephyr.exp | 27 | ./xterm-xephyr.exp |
32 | fi | 28 | fi |
33 | else | 29 | else |
34 | echo "TESTING SKIP: xterm not found" | 30 | echo "TESTING SKIP: xterm not found" |
35 | fi | 31 | fi |
36 | 32 | ||
37 | # check xpra/xephyr | 33 | # check xpra/xephyr |
38 | which xpra 2>/dev/null | 34 | if command -v xpra |
39 | if [ "$?" -eq 0 ]; | ||
40 | then | 35 | then |
41 | echo "xpra found" | 36 | echo "xpra found" |
42 | else | 37 | else |
43 | echo "xpra not found" | 38 | echo "xpra not found" |
44 | which Xephyr 2>/dev/null | 39 | if command -v Xephyr |
45 | if [ "$?" -eq 0 ]; | ||
46 | then | 40 | then |
47 | echo "Xephyr found" | 41 | echo "Xephyr found" |
48 | else | 42 | else |
49 | echo "TESTING SKIP: xpra and/or Xephyr not found" | 43 | echo "TESTING SKIP: xpra and/or Xephyr not found" |
50 | exit | 44 | exit |
51 | fi | 45 | fi |
52 | fi | 46 | fi |
53 | 47 | ||
54 | which firefox 2>/dev/null | 48 | if command -v firefox |
55 | if [ "$?" -eq 0 ]; | ||
56 | then | 49 | then |
57 | echo "TESTING: firefox x11" | 50 | echo "TESTING: firefox x11" |
58 | ./firefox.exp | 51 | ./firefox.exp |
@@ -60,8 +53,7 @@ else | |||
60 | echo "TESTING SKIP: firefox not found" | 53 | echo "TESTING SKIP: firefox not found" |
61 | fi | 54 | fi |
62 | 55 | ||
63 | which chromium 2>/dev/null | 56 | if command -v chromium |
64 | if [ "$?" -eq 0 ]; | ||
65 | then | 57 | then |
66 | echo "TESTING: chromium x11" | 58 | echo "TESTING: chromium x11" |
67 | ./chromium.exp | 59 | ./chromium.exp |
@@ -69,8 +61,7 @@ else | |||
69 | echo "TESTING SKIP: chromium not found" | 61 | echo "TESTING SKIP: chromium not found" |
70 | fi | 62 | fi |
71 | 63 | ||
72 | which transmission-gtk 2>/dev/null | 64 | if command -v transmission-gtk |
73 | if [ "$?" -eq 0 ]; | ||
74 | then | 65 | then |
75 | echo "TESTING: transmission-gtk x11" | 66 | echo "TESTING: transmission-gtk x11" |
76 | ./transmission-gtk.exp | 67 | ./transmission-gtk.exp |
@@ -78,8 +69,7 @@ else | |||
78 | echo "TESTING SKIP: transmission-gtk not found" | 69 | echo "TESTING SKIP: transmission-gtk not found" |
79 | fi | 70 | fi |
80 | 71 | ||
81 | which thunderbird 2>/dev/null | 72 | if command -v thunderbird |
82 | if [ "$?" -eq 0 ]; | ||
83 | then | 73 | then |
84 | echo "TESTING: thunderbird x11" | 74 | echo "TESTING: thunderbird x11" |
85 | ./thunderbird.exp | 75 | ./thunderbird.exp |
diff --git a/test/apps/apps.sh b/test/apps/apps.sh index 83e977ba0..0ef01bf2e 100755 --- a/test/apps/apps.sh +++ b/test/apps/apps.sh | |||
@@ -7,12 +7,10 @@ export MALLOC_CHECK_=3 | |||
7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) | 7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) |
8 | export LC_ALL=C | 8 | export LC_ALL=C |
9 | 9 | ||
10 | LIST="firefox midori chromium opera transmission-qt qbittorrent uget-gtk filezilla gthumb thunderbird " | 10 | apps=(firefox midori chromium opera transmission-qt qbittorrent uget-gtk filezilla gthumb thunderbird vlc fbreader deluge gnome-mplayer xchat wine kcalc ktorrent hexchat) |
11 | LIST+="vlc fbreader deluge gnome-mplayer xchat wine kcalc ktorrent hexchat" | ||
12 | 11 | ||
13 | for app in $LIST; do | 12 | for app in "${apps[@]}"; do |
14 | which $app 2>/dev/null | 13 | if command -v "$app" |
15 | if [ "$?" -eq 0 ]; | ||
16 | then | 14 | then |
17 | echo "TESTING: $app" | 15 | echo "TESTING: $app" |
18 | ./$app.exp | 16 | ./$app.exp |
diff --git a/test/chroot/chroot.sh b/test/chroot/chroot.sh index 3c3e7311b..f5ccf3549 100755 --- a/test/chroot/chroot.sh +++ b/test/chroot/chroot.sh | |||
@@ -17,6 +17,4 @@ echo "TESTING: chroot (test/chroot/fs_chroot.exp)" | |||
17 | echo "TESTING: unchroot as root (test/chroot/unchroot-as-root.exp)" | 17 | echo "TESTING: unchroot as root (test/chroot/unchroot-as-root.exp)" |
18 | sudo ./unchroot-as-root.exp | 18 | sudo ./unchroot-as-root.exp |
19 | 19 | ||
20 | |||
21 | |||
22 | rm -f unchroot | 20 | rm -f unchroot |
diff --git a/test/compile/compile.sh b/test/compile/compile.sh index 6b994ba70..0285c8935 100755 --- a/test/compile/compile.sh +++ b/test/compile/compile.sh | |||
@@ -31,7 +31,7 @@ arr[15]="TEST 15: compile private-home disabled" | |||
31 | arr[16]="TEST 16: compile disable manpages" | 31 | arr[16]="TEST 16: compile disable manpages" |
32 | arr[17]="TEST 17: disable tmpfs as regular user" | 32 | arr[17]="TEST 17: disable tmpfs as regular user" |
33 | arr[18]="TEST 18: disable private home" | 33 | arr[18]="TEST 18: disable private home" |
34 | arr[18]="TEST 19: enable ids" | 34 | arr[19]="TEST 19: enable ids" |
35 | 35 | ||
36 | # remove previous reports and output file | 36 | # remove previous reports and output file |
37 | cleanup() { | 37 | cleanup() { |
@@ -47,23 +47,23 @@ print_title() { | |||
47 | echo | 47 | echo |
48 | echo | 48 | echo |
49 | echo "**************************************************" | 49 | echo "**************************************************" |
50 | echo $1 | 50 | echo "$1" |
51 | echo "**************************************************" | 51 | echo "**************************************************" |
52 | } | 52 | } |
53 | 53 | ||
54 | DIST="$1" | 54 | DIST="$1" |
55 | while [ $# -gt 0 ]; do # Until you run out of parameters . . . | 55 | while [[ $# -gt 0 ]]; do # Until you run out of parameters . . . |
56 | case "$1" in | 56 | case "$1" in |
57 | --clean) | 57 | --clean) |
58 | cleanup | 58 | cleanup |
59 | exit | 59 | exit |
60 | ;; | 60 | ;; |
61 | --help) | 61 | --help) |
62 | echo "./compile.sh [--clean|--help]" | 62 | echo "./compile.sh [--clean|--help]" |
63 | exit | 63 | exit |
64 | ;; | 64 | ;; |
65 | esac | 65 | esac |
66 | shift # Check next set of parameters. | 66 | shift # Check next set of parameters. |
67 | done | 67 | done |
68 | 68 | ||
69 | cleanup | 69 | cleanup |
@@ -76,8 +76,8 @@ cleanup | |||
76 | #***************************************************************** | 76 | #***************************************************************** |
77 | print_title "${arr[1]}" | 77 | print_title "${arr[1]}" |
78 | echo "$DIST" | 78 | echo "$DIST" |
79 | tar -xJvf ../../$DIST.tar.xz | 79 | tar -xJvf ../../"$DIST.tar.xz" |
80 | mv $DIST firejail | 80 | mv "$DIST" firejail |
81 | 81 | ||
82 | cd firejail | 82 | cd firejail |
83 | ./configure --prefix=/usr --enable-fatal-warnings 2>&1 | tee ../output-configure | 83 | ./configure --prefix=/usr --enable-fatal-warnings 2>&1 | tee ../output-configure |
@@ -89,7 +89,6 @@ cp output-configure oc1 | |||
89 | cp output-make om1 | 89 | cp output-make om1 |
90 | rm output-configure output-make | 90 | rm output-configure output-make |
91 | 91 | ||
92 | |||
93 | #***************************************************************** | 92 | #***************************************************************** |
94 | # TEST 2 | 93 | # TEST 2 |
95 | #***************************************************************** | 94 | #***************************************************************** |
@@ -98,7 +97,7 @@ rm output-configure output-make | |||
98 | print_title "${arr[2]}" | 97 | print_title "${arr[2]}" |
99 | cd firejail | 98 | cd firejail |
100 | make distclean | 99 | make distclean |
101 | ./configure --prefix=/usr --disable-dbusproxy --enable-fatal-warnings 2>&1 | tee ../output-configure | 100 | ./configure --prefix=/usr --disable-dbusproxy --enable-fatal-warnings 2>&1 | tee ../output-configure |
102 | make -j4 2>&1 | tee ../output-make | 101 | make -j4 2>&1 | tee ../output-make |
103 | cd .. | 102 | cd .. |
104 | grep Warning output-configure output-make > ./report-test2 | 103 | grep Warning output-configure output-make > ./report-test2 |
@@ -115,7 +114,7 @@ rm output-configure output-make | |||
115 | print_title "${arr[3]}" | 114 | print_title "${arr[3]}" |
116 | cd firejail | 115 | cd firejail |
117 | make distclean | 116 | make distclean |
118 | ./configure --prefix=/usr --disable-chroot --enable-fatal-warnings 2>&1 | tee ../output-configure | 117 | ./configure --prefix=/usr --disable-chroot --enable-fatal-warnings 2>&1 | tee ../output-configure |
119 | make -j4 2>&1 | tee ../output-make | 118 | make -j4 2>&1 | tee ../output-make |
120 | cd .. | 119 | cd .. |
121 | grep Warning output-configure output-make > ./report-test3 | 120 | grep Warning output-configure output-make > ./report-test3 |
@@ -132,7 +131,7 @@ rm output-configure output-make | |||
132 | print_title "${arr[4]}" | 131 | print_title "${arr[4]}" |
133 | cd firejail | 132 | cd firejail |
134 | make distclean | 133 | make distclean |
135 | ./configure --prefix=/usr --disable-firetunnel --enable-fatal-warnings 2>&1 | tee ../output-configure | 134 | ./configure --prefix=/usr --disable-firetunnel --enable-fatal-warnings 2>&1 | tee ../output-configure |
136 | make -j4 2>&1 | tee ../output-make | 135 | make -j4 2>&1 | tee ../output-make |
137 | cd .. | 136 | cd .. |
138 | grep Warning output-configure output-make > ./report-test4 | 137 | grep Warning output-configure output-make > ./report-test4 |
@@ -149,7 +148,7 @@ rm output-configure output-make | |||
149 | print_title "${arr[5]}" | 148 | print_title "${arr[5]}" |
150 | cd firejail | 149 | cd firejail |
151 | make distclean | 150 | make distclean |
152 | ./configure --prefix=/usr --disable-userns --enable-fatal-warnings 2>&1 | tee ../output-configure | 151 | ./configure --prefix=/usr --disable-userns --enable-fatal-warnings 2>&1 | tee ../output-configure |
153 | make -j4 2>&1 | tee ../output-make | 152 | make -j4 2>&1 | tee ../output-make |
154 | cd .. | 153 | cd .. |
155 | grep Warning output-configure output-make > ./report-test5 | 154 | grep Warning output-configure output-make > ./report-test5 |
@@ -167,7 +166,7 @@ rm output-configure output-make | |||
167 | print_title "${arr[6]}" | 166 | print_title "${arr[6]}" |
168 | cd firejail | 167 | cd firejail |
169 | make distclean | 168 | make distclean |
170 | ./configure --prefix=/usr --disable-network --enable-fatal-warnings 2>&1 | tee ../output-configure | 169 | ./configure --prefix=/usr --disable-network --enable-fatal-warnings 2>&1 | tee ../output-configure |
171 | make -j4 2>&1 | tee ../output-make | 170 | make -j4 2>&1 | tee ../output-make |
172 | cd .. | 171 | cd .. |
173 | grep Warning output-configure output-make > ./report-test6 | 172 | grep Warning output-configure output-make > ./report-test6 |
@@ -184,7 +183,7 @@ rm output-configure output-make | |||
184 | print_title "${arr[7]}" | 183 | print_title "${arr[7]}" |
185 | cd firejail | 184 | cd firejail |
186 | make distclean | 185 | make distclean |
187 | ./configure --prefix=/usr --disable-x11 --enable-fatal-warnings 2>&1 | tee ../output-configure | 186 | ./configure --prefix=/usr --disable-x11 --enable-fatal-warnings 2>&1 | tee ../output-configure |
188 | make -j4 2>&1 | tee ../output-make | 187 | make -j4 2>&1 | tee ../output-make |
189 | cd .. | 188 | cd .. |
190 | grep Warning output-configure output-make > ./report-test7 | 189 | grep Warning output-configure output-make > ./report-test7 |
@@ -218,7 +217,7 @@ rm output-configure output-make | |||
218 | print_title "${arr[9]}" | 217 | print_title "${arr[9]}" |
219 | cd firejail | 218 | cd firejail |
220 | make distclean | 219 | make distclean |
221 | ./configure --prefix=/usr --disable-file-transfer --enable-fatal-warnings 2>&1 | tee ../output-configure | 220 | ./configure --prefix=/usr --disable-file-transfer --enable-fatal-warnings 2>&1 | tee ../output-configure |
222 | make -j4 2>&1 | tee ../output-make | 221 | make -j4 2>&1 | tee ../output-make |
223 | cd .. | 222 | cd .. |
224 | grep Warning output-configure output-make > ./report-test9 | 223 | grep Warning output-configure output-make > ./report-test9 |
@@ -235,7 +234,7 @@ rm output-configure output-make | |||
235 | print_title "${arr[10]}" | 234 | print_title "${arr[10]}" |
236 | cd firejail | 235 | cd firejail |
237 | make distclean | 236 | make distclean |
238 | ./configure --prefix=/usr --disable-whitelist --enable-fatal-warnings 2>&1 | tee ../output-configure | 237 | ./configure --prefix=/usr --disable-whitelist --enable-fatal-warnings 2>&1 | tee ../output-configure |
239 | make -j4 2>&1 | tee ../output-make | 238 | make -j4 2>&1 | tee ../output-make |
240 | cd .. | 239 | cd .. |
241 | grep Warning output-configure output-make > ./report-test10 | 240 | grep Warning output-configure output-make > ./report-test10 |
@@ -252,7 +251,7 @@ rm output-configure output-make | |||
252 | print_title "${arr[11]}" | 251 | print_title "${arr[11]}" |
253 | cd firejail | 252 | cd firejail |
254 | make distclean | 253 | make distclean |
255 | ./configure --prefix=/usr --disable-globalcfg --enable-fatal-warnings 2>&1 | tee ../output-configure | 254 | ./configure --prefix=/usr --disable-globalcfg --enable-fatal-warnings 2>&1 | tee ../output-configure |
256 | make -j4 2>&1 | tee ../output-make | 255 | make -j4 2>&1 | tee ../output-make |
257 | cd .. | 256 | cd .. |
258 | grep Warning output-configure output-make > ./report-test11 | 257 | grep Warning output-configure output-make > ./report-test11 |
@@ -269,7 +268,7 @@ rm output-configure output-make | |||
269 | print_title "${arr[12]}" | 268 | print_title "${arr[12]}" |
270 | cd firejail | 269 | cd firejail |
271 | make distclean | 270 | make distclean |
272 | ./configure --prefix=/usr --enable-apparmor --enable-fatal-warnings 2>&1 | tee ../output-configure | 271 | ./configure --prefix=/usr --enable-apparmor --enable-fatal-warnings 2>&1 | tee ../output-configure |
273 | make -j4 2>&1 | tee ../output-make | 272 | make -j4 2>&1 | tee ../output-make |
274 | cd .. | 273 | cd .. |
275 | grep Warning output-configure output-make > ./report-test12 | 274 | grep Warning output-configure output-make > ./report-test12 |
@@ -354,7 +353,7 @@ rm output-configure output-make | |||
354 | print_title "${arr[17]}" | 353 | print_title "${arr[17]}" |
355 | cd firejail | 354 | cd firejail |
356 | make distclean | 355 | make distclean |
357 | ./configure --prefix=/usr --disable-usertmpfs --enable-fatal-warnings 2>&1 | tee ../output-configure | 356 | ./configure --prefix=/usr --disable-usertmpfs --enable-fatal-warnings 2>&1 | tee ../output-configure |
358 | make -j4 2>&1 | tee ../output-make | 357 | make -j4 2>&1 | tee ../output-make |
359 | cd .. | 358 | cd .. |
360 | grep Warning output-configure output-make > ./report-test17 | 359 | grep Warning output-configure output-make > ./report-test17 |
@@ -410,23 +409,23 @@ echo "**********************************************************" | |||
410 | 409 | ||
411 | wc -l report-test* | 410 | wc -l report-test* |
412 | echo | 411 | echo |
413 | echo "Legend:" | 412 | echo "Legend:" |
414 | echo ${arr[1]} | 413 | echo "${arr[1]}" |
415 | echo ${arr[2]} | 414 | echo "${arr[2]}" |
416 | echo ${arr[3]} | 415 | echo "${arr[3]}" |
417 | echo ${arr[4]} | 416 | echo "${arr[4]}" |
418 | echo ${arr[5]} | 417 | echo "${arr[5]}" |
419 | echo ${arr[6]} | 418 | echo "${arr[6]}" |
420 | echo ${arr[7]} | 419 | echo "${arr[7]}" |
421 | echo ${arr[8]} | 420 | echo "${arr[8]}" |
422 | echo ${arr[9]} | 421 | echo "${arr[9]}" |
423 | echo ${arr[10]} | 422 | echo "${arr[10]}" |
424 | echo ${arr[11]} | 423 | echo "${arr[11]}" |
425 | echo ${arr[12]} | 424 | echo "${arr[12]}" |
426 | echo ${arr[13]} | 425 | echo "${arr[13]}" |
427 | echo ${arr[14]} | 426 | echo "${arr[14]}" |
428 | echo ${arr[15]} | 427 | echo "${arr[15]}" |
429 | echo ${arr[16]} | 428 | echo "${arr[16]}" |
430 | echo ${arr[17]} | 429 | echo "${arr[17]}" |
431 | echo ${arr[18]} | 430 | echo "${arr[18]}" |
432 | echo ${arr[19]} | 431 | echo "${arr[19]}" |
diff --git a/test/environment/environment.sh b/test/environment/environment.sh index da9c170b9..c88c91741 100755 --- a/test/environment/environment.sh +++ b/test/environment/environment.sh | |||
@@ -7,7 +7,6 @@ export MALLOC_CHECK_=3 | |||
7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) | 7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) |
8 | export LC_ALL=C | 8 | export LC_ALL=C |
9 | 9 | ||
10 | |||
11 | echo "TESTING: timeout (test/environment/timeout.exp)" | 10 | echo "TESTING: timeout (test/environment/timeout.exp)" |
12 | ./timeout.exp | 11 | ./timeout.exp |
13 | 12 | ||
@@ -39,13 +38,12 @@ echo "TESTING: environment variables (test/environment/env.exp)" | |||
39 | echo "TESTING: firejail in firejail - single sandbox (test/environment/firejail-in-firejail.exp)" | 38 | echo "TESTING: firejail in firejail - single sandbox (test/environment/firejail-in-firejail.exp)" |
40 | ./firejail-in-firejail.exp | 39 | ./firejail-in-firejail.exp |
41 | 40 | ||
42 | which aplay 2>/dev/null | 41 | if command -v aplay && [[ $(aplay -l | grep -c "List of PLAYBACK") -gt 0 ]] |
43 | if [ "$?" -eq 0 ] && [ "$(aplay -l | grep -c "List of PLAYBACK")" -gt 0 ]; | ||
44 | then | 42 | then |
45 | echo "TESTING: sound (test/environment/sound.exp)" | 43 | echo "TESTING: sound (test/environment/sound.exp)" |
46 | ./sound.exp | 44 | ./sound.exp |
47 | else | 45 | else |
48 | echo "TESTING SKIP: no aplay or sound card found" | 46 | echo "TESTING SKIP: no aplay or sound card found" |
49 | fi | 47 | fi |
50 | 48 | ||
51 | echo "TESTING: nice (test/environment/nice.exp)" | 49 | echo "TESTING: nice (test/environment/nice.exp)" |
@@ -54,26 +52,24 @@ echo "TESTING: nice (test/environment/nice.exp)" | |||
54 | echo "TESTING: quiet (test/environment/quiet.exp)" | 52 | echo "TESTING: quiet (test/environment/quiet.exp)" |
55 | ./quiet.exp | 53 | ./quiet.exp |
56 | 54 | ||
57 | which strace 2>/dev/null | 55 | if command -v strace |
58 | if [ "$?" -eq 0 ]; | ||
59 | then | 56 | then |
60 | echo "TESTING: --allow-debuggers (test/environment/allow-debuggers.exp)" | 57 | echo "TESTING: --allow-debuggers (test/environment/allow-debuggers.exp)" |
61 | ./allow-debuggers.exp | 58 | ./allow-debuggers.exp |
62 | else | 59 | else |
63 | echo "TESTING SKIP: strace not found" | 60 | echo "TESTING SKIP: strace not found" |
64 | fi | 61 | fi |
65 | 62 | ||
66 | # to install ibus: | 63 | # to install ibus: |
67 | # $ sudo apt-get install ibus-table-array30 | 64 | # $ sudo apt-get install ibus-table-array30 |
68 | # $ ibus-setup | 65 | # $ ibus-setup |
69 | 66 | ||
70 | find ~/.config/ibus/bus | grep unix-0 | 67 | if find ~/.config/ibus/bus | grep unix-0 |
71 | if [ "$?" -eq 0 ]; | ||
72 | then | 68 | then |
73 | echo "TESTING: ibus (test/environment/ibus.exp)" | 69 | echo "TESTING: ibus (test/environment/ibus.exp)" |
74 | ./ibus.exp | 70 | ./ibus.exp |
75 | else | 71 | else |
76 | echo "TESTING SKIP: ibus not configured" | 72 | echo "TESTING SKIP: ibus not configured" |
77 | fi | 73 | fi |
78 | 74 | ||
79 | echo "TESTING: rlimit (test/environment/rlimit.exp)" | 75 | echo "TESTING: rlimit (test/environment/rlimit.exp)" |
diff --git a/test/environment/output.sh b/test/environment/output.sh index 329cb40c7..ba06f9184 100755 --- a/test/environment/output.sh +++ b/test/environment/output.sh | |||
@@ -5,8 +5,8 @@ | |||
5 | 5 | ||
6 | i="0" | 6 | i="0" |
7 | 7 | ||
8 | while [ $i -lt 150000 ] | 8 | while [[ $i -lt 150000 ]] |
9 | do | 9 | do |
10 | echo message number $i | 10 | echo "message number $i" |
11 | i=$[$i+1] | 11 | i=$((i+1)) |
12 | done | 12 | done |
diff --git a/test/fcopy/fcopy.sh b/test/fcopy/fcopy.sh index fca599889..72b87d14c 100755 --- a/test/fcopy/fcopy.sh +++ b/test/fcopy/fcopy.sh | |||
@@ -7,7 +7,7 @@ export MALLOC_CHECK_=3 | |||
7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) | 7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) |
8 | export LC_ALL=C | 8 | export LC_ALL=C |
9 | 9 | ||
10 | if [ -f /etc/debian_version ]; then | 10 | if [[ -f /etc/debian_version ]]; then |
11 | libdir=$(dirname "$(dpkg -L firejail | grep fcopy)") | 11 | libdir=$(dirname "$(dpkg -L firejail | grep fcopy)") |
12 | export PATH="$PATH:$libdir" | 12 | export PATH="$PATH:$libdir" |
13 | fi | 13 | fi |
@@ -29,4 +29,4 @@ echo "TESTING: fcopy directory (test/fcopy/dircopy.exp)" | |||
29 | ./dircopy.exp | 29 | ./dircopy.exp |
30 | 30 | ||
31 | rm -fr dest/* | 31 | rm -fr dest/* |
32 | rm -f src/dircopy.exp \ No newline at end of file | 32 | rm -f src/dircopy.exp |
diff --git a/test/features/test.sh b/test/features/test.sh index b507c6d37..44677aaa7 100755 --- a/test/features/test.sh +++ b/test/features/test.sh | |||
@@ -8,28 +8,25 @@ OVERLAY="overlay" | |||
8 | CHROOT="chroot" | 8 | CHROOT="chroot" |
9 | NETWORK="network" | 9 | NETWORK="network" |
10 | 10 | ||
11 | while [ $# -gt 0 ]; do # Until you run out of parameters . . . | 11 | while [[ $# -gt 0 ]]; do # Until you run out of parameters . . . |
12 | case "$1" in | 12 | case "$1" in |
13 | --nooverlay) | 13 | --nooverlay) |
14 | OVERLAY="none" | 14 | OVERLAY="none" |
15 | ;; | 15 | ;; |
16 | --nochroot) | 16 | --nochroot) |
17 | CHROOT="none" | 17 | CHROOT="none" |
18 | ;; | 18 | ;; |
19 | --nonetwork) | 19 | --nonetwork) |
20 | NETWORK="none" | 20 | NETWORK="none" |
21 | ;; | 21 | ;; |
22 | --help) | 22 | --help) |
23 | echo "./test.sh [--nooverlay|--nochroot|--nonetwork|--help] | grep TESTING" | 23 | echo "./test.sh [--nooverlay|--nochroot|--nonetwork|--help] | grep TESTING" |
24 | exit | 24 | exit |
25 | ;; | 25 | ;; |
26 | esac | 26 | esac |
27 | shift # Check next set of parameters. | 27 | shift # Check next set of parameters. |
28 | done | 28 | done |
29 | 29 | ||
30 | |||
31 | |||
32 | |||
33 | # | 30 | # |
34 | # Feature testing | 31 | # Feature testing |
35 | # | 32 | # |
@@ -38,85 +35,85 @@ done | |||
38 | # Default features | 35 | # Default features |
39 | #################### | 36 | #################### |
40 | echo "TESTING: 1.1 disable /boot" | 37 | echo "TESTING: 1.1 disable /boot" |
41 | ./1.1.exp $OVERLAY $CHROOT | 38 | ./1.1.exp "$OVERLAY" "$CHROOT" |
42 | 39 | ||
43 | echo "TESTING: 1.2 new /proc" | 40 | echo "TESTING: 1.2 new /proc" |
44 | ./1.2.exp $OVERLAY $CHROOT | 41 | ./1.2.exp "$OVERLAY" "$CHROOT" |
45 | 42 | ||
46 | echo "TESTING: 1.4 mask other users" | 43 | echo "TESTING: 1.4 mask other users" |
47 | ./1.4.exp $OVERLAY $CHROOT | 44 | ./1.4.exp "$OVERLAY" "$CHROOT" |
48 | 45 | ||
49 | echo "TESTING: 1.5 PID namespace" | 46 | echo "TESTING: 1.5 PID namespace" |
50 | ./1.5.exp $OVERLAY $CHROOT | 47 | ./1.5.exp "$OVERLAY" "$CHROOT" |
51 | 48 | ||
52 | echo "TESTING: 1.6 new /var/log" | 49 | echo "TESTING: 1.6 new /var/log" |
53 | ./1.6.exp $OVERLAY $CHROOT | 50 | ./1.6.exp "$OVERLAY" "$CHROOT" |
54 | 51 | ||
55 | echo "TESTING: 1.7 new /var/tmp" | 52 | echo "TESTING: 1.7 new /var/tmp" |
56 | ./1.7.exp $OVERLAY $CHROOT | 53 | ./1.7.exp "$OVERLAY" "$CHROOT" |
57 | 54 | ||
58 | echo "TESTING: 1.8 disable firejail config and run time information" | 55 | echo "TESTING: 1.8 disable firejail config and run time information" |
59 | ./1.8.exp $OVERLAY $CHROOT | 56 | ./1.8.exp "$OVERLAY" "$CHROOT" |
60 | 57 | ||
61 | echo "TESTING: 1.10 disable /selinux" | 58 | echo "TESTING: 1.10 disable /selinux" |
62 | ./1.10.exp $OVERLAY $CHROOT | 59 | ./1.10.exp "$OVERLAY" "$CHROOT" |
63 | 60 | ||
64 | #################### | 61 | #################### |
65 | # networking features | 62 | # networking features |
66 | #################### | 63 | #################### |
67 | if [ $NETWORK == "network" ] | 64 | if [[ $NETWORK == "network" ]] |
68 | then | 65 | then |
69 | echo "TESTING: 2.1 hostname" | 66 | echo "TESTING: 2.1 hostname" |
70 | ./2.1.exp $OVERLAY $CHROOT | 67 | ./2.1.exp "$OVERLAY" "$CHROOT" |
71 | 68 | ||
72 | echo "TESTING: 2.2 DNS" | 69 | echo "TESTING: 2.2 DNS" |
73 | ./2.2.exp $OVERLAY $CHROOT | 70 | ./2.2.exp "$OVERLAY" "$CHROOT" |
74 | 71 | ||
75 | echo "TESTING: 2.3 mac-vlan" | 72 | echo "TESTING: 2.3 mac-vlan" |
76 | ./2.3.exp $OVERLAY $CHROOT | 73 | ./2.3.exp "$OVERLAY" "$CHROOT" |
77 | 74 | ||
78 | echo "TESTING: 2.4 bridge" | 75 | echo "TESTING: 2.4 bridge" |
79 | ./2.4.exp $OVERLAY $CHROOT | 76 | ./2.4.exp "$OVERLAY" "$CHROOT" |
80 | 77 | ||
81 | echo "TESTING: 2.5 interface" | 78 | echo "TESTING: 2.5 interface" |
82 | ./2.5.exp $OVERLAY $CHROOT | 79 | ./2.5.exp "$OVERLAY" "$CHROOT" |
83 | 80 | ||
84 | echo "TESTING: 2.6 Default gateway" | 81 | echo "TESTING: 2.6 Default gateway" |
85 | ./2.6.exp $OVERLAY $CHROOT | 82 | ./2.6.exp "$OVERLAY" "$CHROOT" |
86 | fi | 83 | fi |
87 | 84 | ||
88 | #################### | 85 | #################### |
89 | # filesystem features | 86 | # filesystem features |
90 | #################### | 87 | #################### |
91 | echo "TESTING: 3.1 private (fails on OpenSUSE)" | 88 | echo "TESTING: 3.1 private (fails on OpenSUSE)" |
92 | ./3.1.exp $OVERLAY $CHROOT | 89 | ./3.1.exp "$OVERLAY" "$CHROOT" |
93 | 90 | ||
94 | echo "TESTING: 3.2 read-only" | 91 | echo "TESTING: 3.2 read-only" |
95 | ./3.2.exp $OVERLAY $CHROOT | 92 | ./3.2.exp "$OVERLAY" "$CHROOT" |
96 | 93 | ||
97 | echo "TESTING: 3.3 blacklist" | 94 | echo "TESTING: 3.3 blacklist" |
98 | ./3.3.exp $OVERLAY $CHROOT | 95 | ./3.3.exp "$OVERLAY" "$CHROOT" |
99 | 96 | ||
100 | echo "TESTING: 3.4 whitelist home (fails on OpenSUSE)" | 97 | echo "TESTING: 3.4 whitelist home (fails on OpenSUSE)" |
101 | ./3.4.exp $OVERLAY $CHROOT | 98 | ./3.4.exp "$OVERLAY" "$CHROOT" |
102 | 99 | ||
103 | echo "TESTING: 3.5 private-dev" | 100 | echo "TESTING: 3.5 private-dev" |
104 | ./3.5.exp $OVERLAY $CHROOT | 101 | ./3.5.exp "$OVERLAY" "$CHROOT" |
105 | 102 | ||
106 | echo "TESTING: 3.6 private-etc" | 103 | echo "TESTING: 3.6 private-etc" |
107 | ./3.6.exp notworking $CHROOT | 104 | ./3.6.exp notworking "$CHROOT" |
108 | 105 | ||
109 | echo "TESTING: 3.7 private-tmp" | 106 | echo "TESTING: 3.7 private-tmp" |
110 | ./3.7.exp $OVERLAY $CHROOT | 107 | ./3.7.exp "$OVERLAY" "$CHROOT" |
111 | 108 | ||
112 | echo "TESTING: 3.8 private-bin" | 109 | echo "TESTING: 3.8 private-bin" |
113 | ./3.8.exp notworking notworking | 110 | ./3.8.exp notworking notworking |
114 | 111 | ||
115 | echo "TESTING: 3.9 whitelist dev" | 112 | echo "TESTING: 3.9 whitelist dev" |
116 | ./3.9.exp $OVERLAY $CHROOT | 113 | ./3.9.exp "$OVERLAY" "$CHROOT" |
117 | 114 | ||
118 | echo "TESTING: 3.10 whitelist tmp" | 115 | echo "TESTING: 3.10 whitelist tmp" |
119 | ./3.10.exp $OVERLAY $CHROOT | 116 | ./3.10.exp "$OVERLAY" "$CHROOT" |
120 | 117 | ||
121 | echo "TESTING: 3.11 mkdir" | 118 | echo "TESTING: 3.11 mkdir" |
122 | ./3.11.exp $OVERLAY $CHROOT | 119 | ./3.11.exp "$OVERLAY" "$CHROOT" |
diff --git a/test/filters/filters.sh b/test/filters/filters.sh index 04d7080d6..3b4a6b492 100755 --- a/test/filters/filters.sh +++ b/test/filters/filters.sh | |||
@@ -7,37 +7,37 @@ export MALLOC_CHECK_=3 | |||
7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) | 7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) |
8 | export LC_ALL=C | 8 | export LC_ALL=C |
9 | 9 | ||
10 | if [ -f /etc/debian_version ]; then | 10 | if [[ -f /etc/debian_version ]]; then |
11 | libdir=$(dirname "$(dpkg -L firejail | grep fseccomp)") | 11 | libdir=$(dirname "$(dpkg -L firejail | grep fseccomp)") |
12 | export PATH="$PATH:$libdir" | 12 | export PATH="$PATH:$libdir" |
13 | fi | 13 | fi |
14 | export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail" | 14 | export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail" |
15 | 15 | ||
16 | if [ -f /sys/kernel/security/apparmor/profiles ]; then | 16 | if [[ -f /sys/kernel/security/apparmor/profiles ]]; then |
17 | echo "TESTING: apparmor (test/filters/apparmor.exp)" | 17 | echo "TESTING: apparmor (test/filters/apparmor.exp)" |
18 | ./apparmor.exp | 18 | ./apparmor.exp |
19 | else | 19 | else |
20 | echo "TESTING SKIP: no apparmor support in Linux kernel (test/filters/apparmor.exp)" | 20 | echo "TESTING SKIP: no apparmor support in Linux kernel (test/filters/apparmor.exp)" |
21 | fi | 21 | fi |
22 | 22 | ||
23 | if [ "$(uname -m)" = "x86_64" ]; then | 23 | if [[ $(uname -m) == "x86_64" ]]; then |
24 | echo "TESTING: memory-deny-write-execute (test/filters/memwrexe.exp)" | 24 | echo "TESTING: memory-deny-write-execute (test/filters/memwrexe.exp)" |
25 | ./memwrexe.exp | 25 | ./memwrexe.exp |
26 | elif [ "$(uname -m)" = "i686" ]; then | 26 | elif [[ $(uname -m) == "i686" ]]; then |
27 | echo "TESTING: memory-deny-write-execute (test/filters/memwrexe-32.exp)" | 27 | echo "TESTING: memory-deny-write-execute (test/filters/memwrexe-32.exp)" |
28 | ./memwrexe-32.exp | 28 | ./memwrexe-32.exp |
29 | else | 29 | else |
30 | echo "TESTING SKIP: memwrexe binary only running on x86_64 and i686." | 30 | echo "TESTING SKIP: memwrexe binary only running on x86_64 and i686." |
31 | fi | 31 | fi |
32 | 32 | ||
33 | echo "TESTING: debug options (test/filters/debug.exp)" | 33 | echo "TESTING: debug options (test/filters/debug.exp)" |
34 | ./debug.exp | 34 | ./debug.exp |
35 | 35 | ||
36 | if [ "$(uname -m)" = "x86_64" ]; then | 36 | if [[ $(uname -m) == "x86_64" ]]; then |
37 | echo "TESTING: seccomp run files (test/filters/seccomp-run-files.exp)" | 37 | echo "TESTING: seccomp run files (test/filters/seccomp-run-files.exp)" |
38 | ./seccomp-run-files.exp | 38 | ./seccomp-run-files.exp |
39 | else | 39 | else |
40 | echo "TESTING SKIP: seccomp-run-files test implemented only for x86_64." | 40 | echo "TESTING SKIP: seccomp-run-files test implemented only for x86_64." |
41 | fi | 41 | fi |
42 | 42 | ||
43 | echo "TESTING: seccomp postexec (test/filters/seccomp-postexec.exp)" | 43 | echo "TESTING: seccomp postexec (test/filters/seccomp-postexec.exp)" |
@@ -61,33 +61,33 @@ echo "TESTING: capabilities join (test/filters/caps-join.exp)" | |||
61 | ./caps-join.exp | 61 | ./caps-join.exp |
62 | 62 | ||
63 | rm -f seccomp-test-file | 63 | rm -f seccomp-test-file |
64 | if [ "$(uname -m)" = "x86_64" ]; then | 64 | if [[ $(uname -m) == "x86_64" ]]; then |
65 | echo "TESTING: fseccomp (test/filters/fseccomp.exp)" | 65 | echo "TESTING: fseccomp (test/filters/fseccomp.exp)" |
66 | ./fseccomp.exp | 66 | ./fseccomp.exp |
67 | else | 67 | else |
68 | echo "TESTING SKIP: fseccomp test implemented only for x86_64" | 68 | echo "TESTING SKIP: fseccomp test implemented only for x86_64" |
69 | fi | 69 | fi |
70 | rm -f seccomp-test-file | 70 | rm -f seccomp-test-file |
71 | 71 | ||
72 | 72 | ||
73 | if [ "$(uname -m)" = "x86_64" ]; then | 73 | if [[ $(uname -m) == "x86_64" ]]; then |
74 | echo "TESTING: protocol (test/filters/protocol.exp)" | 74 | echo "TESTING: protocol (test/filters/protocol.exp)" |
75 | ./protocol.exp | 75 | ./protocol.exp |
76 | else | 76 | else |
77 | echo "TESTING SKIP: protocol, running only on x86_64" | 77 | echo "TESTING SKIP: protocol, running only on x86_64" |
78 | fi | 78 | fi |
79 | 79 | ||
80 | echo "TESTING: seccomp bad empty (test/filters/seccomp-bad-empty.exp)" | 80 | echo "TESTING: seccomp bad empty (test/filters/seccomp-bad-empty.exp)" |
81 | ./seccomp-bad-empty.exp | 81 | ./seccomp-bad-empty.exp |
82 | 82 | ||
83 | if [ "$(uname -m)" = "x86_64" ]; then | 83 | if [[ $(uname -m) == "x86_64" ]]; then |
84 | echo "TESTING: seccomp debug (test/filters/seccomp-debug.exp)" | 84 | echo "TESTING: seccomp debug (test/filters/seccomp-debug.exp)" |
85 | ./seccomp-debug.exp | 85 | ./seccomp-debug.exp |
86 | elif [ "$(uname -m)" = "i686" ]; then | 86 | elif [[ $(uname -m) == "i686" ]]; then |
87 | echo "TESTING: seccomp debug (test/filters/seccomp-debug-32.exp)" | 87 | echo "TESTING: seccomp debug (test/filters/seccomp-debug-32.exp)" |
88 | ./seccomp-debug-32.exp | 88 | ./seccomp-debug-32.exp |
89 | else | 89 | else |
90 | echo "TESTING SKIP: protocol, running only on x86_64 and i686" | 90 | echo "TESTING SKIP: protocol, running only on x86_64 and i686" |
91 | fi | 91 | fi |
92 | 92 | ||
93 | echo "TESTING: seccomp errno (test/filters/seccomp-errno.exp)" | 93 | echo "TESTING: seccomp errno (test/filters/seccomp-errno.exp)" |
@@ -96,12 +96,11 @@ echo "TESTING: seccomp errno (test/filters/seccomp-errno.exp)" | |||
96 | echo "TESTING: seccomp su (test/filters/seccomp-su.exp)" | 96 | echo "TESTING: seccomp su (test/filters/seccomp-su.exp)" |
97 | ./seccomp-su.exp | 97 | ./seccomp-su.exp |
98 | 98 | ||
99 | which strace 2>/dev/null | 99 | if command -v strace; then |
100 | if [ $? -eq 0 ]; then | 100 | echo "TESTING: seccomp ptrace (test/filters/seccomp-ptrace.exp)" |
101 | echo "TESTING: seccomp ptrace (test/filters/seccomp-ptrace.exp)" | 101 | ./seccomp-ptrace.exp |
102 | ./seccomp-ptrace.exp | ||
103 | else | 102 | else |
104 | echo "TESTING SKIP: ptrace, strace not found" | 103 | echo "TESTING SKIP: ptrace, strace not found" |
105 | fi | 104 | fi |
106 | 105 | ||
107 | echo "TESTING: seccomp chmod - seccomp lists (test/filters/seccomp-chmod.exp)" | 106 | echo "TESTING: seccomp chmod - seccomp lists (test/filters/seccomp-chmod.exp)" |
@@ -115,16 +114,16 @@ echo "TESTING: seccomp chmod profile - seccomp lists (test/filters/seccomp-chmod | |||
115 | echo "TESTING: seccomp empty (test/filters/seccomp-empty.exp)" | 114 | echo "TESTING: seccomp empty (test/filters/seccomp-empty.exp)" |
116 | ./seccomp-empty.exp | 115 | ./seccomp-empty.exp |
117 | 116 | ||
118 | if [ "$(uname -m)" = "x86_64" ]; then | 117 | if [[ $(uname -m) == "x86_64" ]]; then |
119 | echo "TESTING: seccomp numeric (test/filters/seccomp-numeric.exp)" | 118 | echo "TESTING: seccomp numeric (test/filters/seccomp-numeric.exp)" |
120 | ./seccomp-numeric.exp | 119 | ./seccomp-numeric.exp |
121 | else | 120 | else |
122 | echo "TESTING SKIP: seccomp numeric test implemented only for x86_64" | 121 | echo "TESTING SKIP: seccomp numeric test implemented only for x86_64" |
123 | fi | 122 | fi |
124 | 123 | ||
125 | if [ "$(uname -m)" = "x86_64" ]; then | 124 | if [[ $(uname -m) == "x86_64" ]]; then |
126 | echo "TESTING: seccomp join (test/filters/seccomp-join.exp)" | 125 | echo "TESTING: seccomp join (test/filters/seccomp-join.exp)" |
127 | ./seccomp-join.exp | 126 | ./seccomp-join.exp |
128 | else | 127 | else |
129 | echo "TESTING SKIP: seccomp join test implemented only for x86_64" | 128 | echo "TESTING SKIP: seccomp join test implemented only for x86_64" |
130 | fi | 129 | fi |
diff --git a/test/fnetfilter/fnetfilter.sh b/test/fnetfilter/fnetfilter.sh index 9ad822753..52f921232 100755 --- a/test/fnetfilter/fnetfilter.sh +++ b/test/fnetfilter/fnetfilter.sh | |||
@@ -7,7 +7,7 @@ export MALLOC_CHECK_=3 | |||
7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) | 7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) |
8 | export LC_ALL=C | 8 | export LC_ALL=C |
9 | 9 | ||
10 | if [ -f /etc/debian_version ]; then | 10 | if [[ -f /etc/debian_version ]]; then |
11 | libdir=$(dirname "$(dpkg -L firejail | grep fcopy)") | 11 | libdir=$(dirname "$(dpkg -L firejail | grep fcopy)") |
12 | export PATH="$PATH:$libdir" | 12 | export PATH="$PATH:$libdir" |
13 | fi | 13 | fi |
diff --git a/test/fs/fs.sh b/test/fs/fs.sh index 36ff30934..697c86d3d 100755 --- a/test/fs/fs.sh +++ b/test/fs/fs.sh | |||
@@ -34,7 +34,7 @@ rm -f ~/_firejail_test_dir | |||
34 | echo "TESTING: /sys/fs access (test/fs/sys_fs.exp)" | 34 | echo "TESTING: /sys/fs access (test/fs/sys_fs.exp)" |
35 | ./sys_fs.exp | 35 | ./sys_fs.exp |
36 | 36 | ||
37 | if [ -c /dev/kmsg ]; then | 37 | if [[ -c /dev/kmsg ]]; then |
38 | echo "TESTING: kmsg access (test/fs/kmsg.exp)" | 38 | echo "TESTING: kmsg access (test/fs/kmsg.exp)" |
39 | ./kmsg.exp | 39 | ./kmsg.exp |
40 | else | 40 | else |
@@ -45,27 +45,27 @@ echo "TESTING: read/write /var/tmp (test/fs/fs_var_tmp.exp)" | |||
45 | ./fs_var_tmp.exp | 45 | ./fs_var_tmp.exp |
46 | rm -f /var/tmp/_firejail_test_file | 46 | rm -f /var/tmp/_firejail_test_file |
47 | 47 | ||
48 | if [ "$(uname -m)" = "x86_64" ]; then | 48 | if [[ $(uname -m) == "x86_64" ]]; then |
49 | fjconfig=/etc/firejail/firejail.config | 49 | fjconfig=/etc/firejail/firejail.config |
50 | printf 'private-lib yes\n' | sudo tee -a "$fjconfig" >/dev/null | 50 | printf 'private-lib yes\n' | sudo tee -a "$fjconfig" >/dev/null |
51 | echo "TESTING: private-lib (test/fs/private-lib.exp)" | 51 | echo "TESTING: private-lib (test/fs/private-lib.exp)" |
52 | ./private-lib.exp | 52 | ./private-lib.exp |
53 | printf '%s\n' "$(sed '/^private-lib yes$/d' "$fjconfig")" | | 53 | printf '%s\n' "$(sed '/^private-lib yes$/d' "$fjconfig")" | |
54 | sudo tee "$fjconfig" >/dev/null | 54 | sudo tee "$fjconfig" >/dev/null |
55 | else | 55 | else |
56 | echo "TESTING SKIP: private-lib test implemented only for x86_64." | 56 | echo "TESTING SKIP: private-lib test implemented only for x86_64." |
57 | fi | 57 | fi |
58 | 58 | ||
59 | echo "TESTING: read/write /var/lock (test/fs/fs_var_lock.exp)" | 59 | echo "TESTING: read/write /var/lock (test/fs/fs_var_lock.exp)" |
60 | ./fs_var_lock.exp | 60 | ./fs_var_lock.exp |
61 | rm -f /var/lock/_firejail_test_file | 61 | rm -f /var/lock/_firejail_test_file |
62 | 62 | ||
63 | if [ -w /dev/shm ]; then | 63 | if [[ -w /dev/shm ]]; then |
64 | echo "TESTING: read/write /dev/shm (test/fs/fs_dev_shm.exp)" | 64 | echo "TESTING: read/write /dev/shm (test/fs/fs_dev_shm.exp)" |
65 | ./fs_dev_shm.exp | 65 | ./fs_dev_shm.exp |
66 | rm -f /dev/shm/_firejail_test_file | 66 | rm -f /dev/shm/_firejail_test_file |
67 | else | 67 | else |
68 | echo "TESTING SKIP: /dev/shm not writable" | 68 | echo "TESTING SKIP: /dev/shm not writable" |
69 | fi | 69 | fi |
70 | 70 | ||
71 | echo "TESTING: private (test/fs/private.exp)" | 71 | echo "TESTING: private (test/fs/private.exp)" |
diff --git a/test/overlay/overlay.sh b/test/overlay/overlay.sh index 490b180e1..a0519d1ad 100755 --- a/test/overlay/overlay.sh +++ b/test/overlay/overlay.sh | |||
@@ -22,8 +22,7 @@ rm -fr ~/_firejail_test_* | |||
22 | ./fs-tmpfs.exp | 22 | ./fs-tmpfs.exp |
23 | rm -fr ~/_firejail_test_* | 23 | rm -fr ~/_firejail_test_* |
24 | 24 | ||
25 | which firefox 2>/dev/null | 25 | if command -v firefox |
26 | if [ "$?" -eq 0 ]; | ||
27 | then | 26 | then |
28 | echo "TESTING: overlay firefox" | 27 | echo "TESTING: overlay firefox" |
29 | ./firefox.exp | 28 | ./firefox.exp |
@@ -31,8 +30,7 @@ else | |||
31 | echo "TESTING SKIP: firefox not found" | 30 | echo "TESTING SKIP: firefox not found" |
32 | fi | 31 | fi |
33 | 32 | ||
34 | which firefox 2>/dev/null | 33 | if command -v firefox |
35 | if [ "$?" -eq 0 ]; | ||
36 | then | 34 | then |
37 | echo "TESTING: overlay firefox x11 xorg" | 35 | echo "TESTING: overlay firefox x11 xorg" |
38 | ./firefox.exp | 36 | ./firefox.exp |
@@ -40,26 +38,22 @@ else | |||
40 | echo "TESTING SKIP: firefox not found" | 38 | echo "TESTING SKIP: firefox not found" |
41 | fi | 39 | fi |
42 | 40 | ||
43 | |||
44 | # check xpra/xephyr | 41 | # check xpra/xephyr |
45 | which xpra 2>/dev/null | 42 | if command -v xpra |
46 | if [ "$?" -eq 0 ]; | ||
47 | then | 43 | then |
48 | echo "xpra found" | 44 | echo "xpra found" |
49 | else | 45 | else |
50 | echo "xpra not found" | 46 | echo "xpra not found" |
51 | which Xephyr 2>/dev/null | 47 | if command -v Xephyr |
52 | if [ "$?" -eq 0 ]; | ||
53 | then | 48 | then |
54 | echo "Xephyr found" | 49 | echo "Xephyr found" |
55 | else | 50 | else |
56 | echo "TESTING SKIP: xpra and/or Xephyr not found" | 51 | echo "TESTING SKIP: xpra and/or Xephyr not found" |
57 | exit | 52 | exit |
58 | fi | 53 | fi |
59 | fi | 54 | fi |
60 | 55 | ||
61 | which firefox 2>/dev/null | 56 | if command -v firefox |
62 | if [ "$?" -eq 0 ]; | ||
63 | then | 57 | then |
64 | echo "TESTING: overlay firefox x11" | 58 | echo "TESTING: overlay firefox x11" |
65 | ./firefox-x11.exp | 59 | ./firefox-x11.exp |
diff --git a/test/private-lib/private-lib.sh b/test/private-lib/private-lib.sh index d168c2b1b..6b7d433c8 100755 --- a/test/private-lib/private-lib.sh +++ b/test/private-lib/private-lib.sh | |||
@@ -7,12 +7,10 @@ export MALLOC_CHECK_=3g | |||
7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) | 7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) |
8 | export LC_ALL=C | 8 | export LC_ALL=C |
9 | 9 | ||
10 | LIST="gnome-logs gnome-system-log gnome-nettool pavucontrol dig evince whois galculator gnome-calculator gedit leafpad mousepad pluma transmission-gtk xcalc atril gpicview eom eog" | 10 | apps=(gnome-logs gnome-system-log gnome-nettool pavucontrol dig evince whois galculator gnome-calculator gedit leafpad mousepad pluma transmission-gtk xcalc atril gpicview eom eog) |
11 | 11 | ||
12 | 12 | for app in "${apps[@]}"; do | |
13 | for app in $LIST; do | 13 | if command -v "$app" |
14 | which $app 2>/dev/null | ||
15 | if [ "$?" -eq 0 ]; | ||
16 | then | 14 | then |
17 | echo "TESTING: private-lib $app" | 15 | echo "TESTING: private-lib $app" |
18 | ./$app.exp | 16 | ./$app.exp |
diff --git a/test/profiles/all-profiles.sh b/test/profiles/all-profiles.sh index cc17b6b00..a550afe23 100755 --- a/test/profiles/all-profiles.sh +++ b/test/profiles/all-profiles.sh | |||
@@ -37,11 +37,11 @@ echo "TESTING: profile read-only links (test/profiles/profile_readonly.exp)" | |||
37 | echo "TESTING: profile no permissions (test/profiles/profile_noperm.exp)" | 37 | echo "TESTING: profile no permissions (test/profiles/profile_noperm.exp)" |
38 | ./profile_noperm.exp | 38 | ./profile_noperm.exp |
39 | 39 | ||
40 | PROFILES=`ls /etc/firejail/*.profile` | 40 | profiles=( /etc/firejail/*.profile ) |
41 | echo "TESTING: default profiles installed in /etc" | 41 | echo "TESTING: default profiles installed in /etc" |
42 | 42 | ||
43 | for PROFILE in $PROFILES | 43 | for profile in "${profiles[@]}" |
44 | do | 44 | do |
45 | echo "TESTING: $PROFILE" | 45 | echo "TESTING: $profile" |
46 | ./test-profile.exp $PROFILE | 46 | ./test-profile.exp "$profile" |
47 | done | 47 | done |
diff --git a/test/profiles/profiles.sh b/test/profiles/profiles.sh index 8808bc9d2..90c88aaf5 100755 --- a/test/profiles/profiles.sh +++ b/test/profiles/profiles.sh | |||
@@ -37,11 +37,11 @@ echo "TESTING: profile read-only links (test/profiles/profile_readonly.exp)" | |||
37 | echo "TESTING: profile no permissions (test/profiles/profile_noperm.exp)" | 37 | echo "TESTING: profile no permissions (test/profiles/profile_noperm.exp)" |
38 | ./profile_noperm.exp | 38 | ./profile_noperm.exp |
39 | 39 | ||
40 | PROFILES=`ls /etc/firejail/transmission*.profile /etc/firejail/fi*.profile /etc/firejail/fl*.profile /etc/firejail/free*.profile` | 40 | profiles=( /etc/firejail/transmission*.profile /etc/firejail/fi*.profile /etc/firejail/fl*.profile /etc/firejail/free*.profile ) |
41 | echo "TESTING: small number of default profiles installed in /etc" | 41 | echo "TESTING: small number of default profiles installed in /etc" |
42 | 42 | ||
43 | for PROFILE in $PROFILES | 43 | for profile in "${profiles[@]}" |
44 | do | 44 | do |
45 | echo "TESTING: $PROFILE" | 45 | echo "TESTING: $profile" |
46 | ./test-profile.exp $PROFILE | 46 | ./test-profile.exp "$profile" |
47 | done | 47 | done |
diff --git a/test/root/root.sh b/test/root/root.sh index e8c0ec1ac..a39525b6e 100755 --- a/test/root/root.sh +++ b/test/root/root.sh | |||
@@ -11,8 +11,7 @@ export LC_ALL=C | |||
11 | #******************************** | 11 | #******************************** |
12 | # firecfg | 12 | # firecfg |
13 | #******************************** | 13 | #******************************** |
14 | which less 2>/dev/null | 14 | if command -v less |
15 | if [ "$?" -eq 0 ]; | ||
16 | then | 15 | then |
17 | echo "TESTING: firecfg (test/root/firecfg.exp)" | 16 | echo "TESTING: firecfg (test/root/firecfg.exp)" |
18 | mv /home/netblue/.local/share/applications /home/netblue/.local/share/applications-store | 17 | mv /home/netblue/.local/share/applications /home/netblue/.local/share/applications-store |
@@ -25,24 +24,24 @@ fi | |||
25 | #******************************** | 24 | #******************************** |
26 | # servers | 25 | # servers |
27 | #******************************** | 26 | #******************************** |
28 | if [ -f /etc/init.d/snmpd ] | 27 | if [[ -f /etc/init.d/snmpd ]] |
29 | then | 28 | then |
30 | echo "TESTING: snmpd (test/root/snmpd.exp)" | 29 | echo "TESTING: snmpd (test/root/snmpd.exp)" |
31 | ./snmpd.exp | 30 | ./snmpd.exp |
32 | else | 31 | else |
33 | echo "TESTING SKIP: snmpd not found" | 32 | echo "TESTING SKIP: snmpd not found" |
34 | fi | 33 | fi |
35 | 34 | ||
36 | 35 | ||
37 | if [ -f /etc/init.d/apache2 ] | 36 | if [[ -f /etc/init.d/apache2 ]] |
38 | then | 37 | then |
39 | echo "TESTING: apache2 (test/root/apache2.exp)" | 38 | echo "TESTING: apache2 (test/root/apache2.exp)" |
40 | ./apache2.exp | 39 | ./apache2.exp |
41 | else | 40 | else |
42 | echo "TESTING SKIP: apache2 not found" | 41 | echo "TESTING SKIP: apache2 not found" |
43 | fi | 42 | fi |
44 | 43 | ||
45 | if [ -f /etc/init.d/isc-dhcp-server ] | 44 | if [[ -f /etc/init.d/isc-dhcp-server ]] |
46 | then | 45 | then |
47 | echo "TESTING: isc dhcp server (test/root/isc-dhscp.exp)" | 46 | echo "TESTING: isc dhcp server (test/root/isc-dhscp.exp)" |
48 | ./isc-dhcp.exp | 47 | ./isc-dhcp.exp |
@@ -50,20 +49,20 @@ else | |||
50 | echo "TESTING SKIP: isc dhcp server not found" | 49 | echo "TESTING SKIP: isc dhcp server not found" |
51 | fi | 50 | fi |
52 | 51 | ||
53 | if [ -f /etc/init.d/unbound ] | 52 | if [[ -f /etc/init.d/unbound ]] |
54 | then | 53 | then |
55 | echo "TESTING: unbound (test/root/unbound.exp)" | 54 | echo "TESTING: unbound (test/root/unbound.exp)" |
56 | ./unbound.exp | 55 | ./unbound.exp |
57 | else | 56 | else |
58 | echo "TESTING SKIP: unbound not found" | 57 | echo "TESTING SKIP: unbound not found" |
59 | fi | 58 | fi |
60 | 59 | ||
61 | if [ -f /etc/init.d/nginx ] | 60 | if [[ -f /etc/init.d/nginx ]] |
62 | then | 61 | then |
63 | echo "TESTING: nginx (test/root/nginx.exp)" | 62 | echo "TESTING: nginx (test/root/nginx.exp)" |
64 | ./nginx.exp | 63 | ./nginx.exp |
65 | else | 64 | else |
66 | echo "TESTING SKIP: nginx not found" | 65 | echo "TESTING SKIP: nginx not found" |
67 | fi | 66 | fi |
68 | 67 | ||
69 | #******************************** | 68 | #******************************** |
diff --git a/test/stress/stress.sh b/test/stress/stress.sh index 675cb0614..2b4d8147d 100755 --- a/test/stress/stress.sh +++ b/test/stress/stress.sh | |||
@@ -14,7 +14,7 @@ mkdir ~/fj-stress-test | |||
14 | rm blacklist.profile | 14 | rm blacklist.profile |
15 | rm noblacklist.profile | 15 | rm noblacklist.profile |
16 | rm env.profile | 16 | rm env.profile |
17 | for i in `seq 1 100`; | 17 | for i in {1..100} |
18 | do | 18 | do |
19 | echo "hello" > ~/fj-stress-test/testfile$i | 19 | echo "hello" > ~/fj-stress-test/testfile$i |
20 | echo "blacklist ~/fj-stress-test/testfile$i" >> blacklist.profile | 20 | echo "blacklist ~/fj-stress-test/testfile$i" >> blacklist.profile |
diff --git a/test/sysutils/sysutils.sh b/test/sysutils/sysutils.sh index a903c7c6b..bfe723047 100755 --- a/test/sysutils/sysutils.sh +++ b/test/sysutils/sysutils.sh | |||
@@ -7,8 +7,7 @@ export MALLOC_CHECK_=3 | |||
7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) | 7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) |
8 | export LC_ALL=C | 8 | export LC_ALL=C |
9 | 9 | ||
10 | which cpio 2>/dev/null | 10 | if command -v cpio |
11 | if [ "$?" -eq 0 ]; | ||
12 | then | 11 | then |
13 | echo "TESTING: cpio" | 12 | echo "TESTING: cpio" |
14 | ./cpio.exp | 13 | ./cpio.exp |
@@ -16,8 +15,7 @@ else | |||
16 | echo "TESTING SKIP: cpio not found" | 15 | echo "TESTING SKIP: cpio not found" |
17 | fi | 16 | fi |
18 | 17 | ||
19 | #which strings | 18 | #if command -v strings |
20 | #if [ "$?" -eq 0 ]; | ||
21 | #then | 19 | #then |
22 | # echo "TESTING: strings" | 20 | # echo "TESTING: strings" |
23 | # ./strings.exp | 21 | # ./strings.exp |
@@ -25,8 +23,7 @@ fi | |||
25 | # echo "TESTING SKIP: strings not found" | 23 | # echo "TESTING SKIP: strings not found" |
26 | #fi | 24 | #fi |
27 | 25 | ||
28 | which gzip 2>/dev/null | 26 | if command -v gzip |
29 | if [ "$?" -eq 0 ]; | ||
30 | then | 27 | then |
31 | echo "TESTING: gzip" | 28 | echo "TESTING: gzip" |
32 | ./gzip.exp | 29 | ./gzip.exp |
@@ -34,8 +31,7 @@ else | |||
34 | echo "TESTING SKIP: gzip not found" | 31 | echo "TESTING SKIP: gzip not found" |
35 | fi | 32 | fi |
36 | 33 | ||
37 | which xzdec 2>/dev/null | 34 | if command -v xzdec |
38 | if [ "$?" -eq 0 ]; | ||
39 | then | 35 | then |
40 | echo "TESTING: xzdec" | 36 | echo "TESTING: xzdec" |
41 | ./xzdec.exp | 37 | ./xzdec.exp |
@@ -43,8 +39,7 @@ else | |||
43 | echo "TESTING SKIP: xzdec not found" | 39 | echo "TESTING SKIP: xzdec not found" |
44 | fi | 40 | fi |
45 | 41 | ||
46 | which xz 2>/dev/null | 42 | if command -v xz |
47 | if [ "$?" -eq 0 ]; | ||
48 | then | 43 | then |
49 | echo "TESTING: xz" | 44 | echo "TESTING: xz" |
50 | ./xz.exp | 45 | ./xz.exp |
@@ -52,8 +47,7 @@ else | |||
52 | echo "TESTING SKIP: xz not found" | 47 | echo "TESTING SKIP: xz not found" |
53 | fi | 48 | fi |
54 | 49 | ||
55 | which less 2>/dev/null | 50 | if command -v less |
56 | if [ "$?" -eq 0 ]; | ||
57 | then | 51 | then |
58 | echo "TESTING: less" | 52 | echo "TESTING: less" |
59 | ./less.exp | 53 | ./less.exp |
@@ -61,8 +55,7 @@ else | |||
61 | echo "TESTING SKIP: less not found" | 55 | echo "TESTING SKIP: less not found" |
62 | fi | 56 | fi |
63 | 57 | ||
64 | which file 2>/dev/null | 58 | if command -v file |
65 | if [ "$?" -eq 0 ]; | ||
66 | then | 59 | then |
67 | echo "TESTING: file" | 60 | echo "TESTING: file" |
68 | ./file.exp | 61 | ./file.exp |
@@ -70,8 +63,7 @@ else | |||
70 | echo "TESTING SKIP: file not found" | 63 | echo "TESTING SKIP: file not found" |
71 | fi | 64 | fi |
72 | 65 | ||
73 | which tar 2>/dev/null | 66 | if command -v tar |
74 | if [ "$?" -eq 0 ]; | ||
75 | then | 67 | then |
76 | echo "TESTING: tar" | 68 | echo "TESTING: tar" |
77 | ./tar.exp | 69 | ./tar.exp |
@@ -79,8 +71,7 @@ else | |||
79 | echo "TESTING SKIP: tar not found" | 71 | echo "TESTING SKIP: tar not found" |
80 | fi | 72 | fi |
81 | 73 | ||
82 | which ping 2>/dev/null | 74 | if command -v ping |
83 | if [ "$?" -eq 0 ]; | ||
84 | then | 75 | then |
85 | echo "TESTING: ping" | 76 | echo "TESTING: ping" |
86 | ./ping.exp | 77 | ./ping.exp |
diff --git a/test/utils/catchsignal.sh b/test/utils/catchsignal.sh index 117179143..cef00b2a5 100755 --- a/test/utils/catchsignal.sh +++ b/test/utils/catchsignal.sh | |||
@@ -4,20 +4,20 @@ | |||
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | _term() { | 6 | _term() { |
7 | echo "Caught Signal" | 7 | echo "Caught Signal" |
8 | echo 1 | 8 | echo 1 |
9 | sleep 1 | 9 | sleep 1 |
10 | echo 2 | 10 | echo 2 |
11 | sleep 1 | 11 | sleep 1 |
12 | echo 3 | 12 | echo 3 |
13 | sleep 1 | 13 | sleep 1 |
14 | echo 4 | 14 | echo 4 |
15 | sleep 1 | 15 | sleep 1 |
16 | echo 5 | 16 | echo 5 |
17 | sleep 1 | 17 | sleep 1 |
18 | 18 | ||
19 | kill $pid | 19 | kill $pid |
20 | exit | 20 | exit |
21 | } | 21 | } |
22 | 22 | ||
23 | trap _term SIGTERM | 23 | trap _term SIGTERM |
diff --git a/test/utils/catchsignal2.sh b/test/utils/catchsignal2.sh index 1bd7852cd..21f299430 100755 --- a/test/utils/catchsignal2.sh +++ b/test/utils/catchsignal2.sh | |||
@@ -4,42 +4,42 @@ | |||
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | _term() { | 6 | _term() { |
7 | echo "Caught Signal" | 7 | echo "Caught Signal" |
8 | echo 1 | 8 | echo 1 |
9 | sleep 1 | 9 | sleep 1 |
10 | echo 2 | 10 | echo 2 |
11 | sleep 1 | 11 | sleep 1 |
12 | echo 3 | 12 | echo 3 |
13 | sleep 1 | 13 | sleep 1 |
14 | echo 4 | 14 | echo 4 |
15 | sleep 1 | 15 | sleep 1 |
16 | echo 5 | 16 | echo 5 |
17 | sleep 1 | 17 | sleep 1 |
18 | 18 | ||
19 | echo 10 | 19 | echo 10 |
20 | sleep 1 | 20 | sleep 1 |
21 | echo 20 | 21 | echo 20 |
22 | sleep 1 | 22 | sleep 1 |
23 | echo 30 | 23 | echo 30 |
24 | sleep 1 | 24 | sleep 1 |
25 | echo 40 | 25 | echo 40 |
26 | sleep 1 | 26 | sleep 1 |
27 | echo 50 | 27 | echo 50 |
28 | sleep 1 | 28 | sleep 1 |
29 | 29 | ||
30 | echo 100 | 30 | echo 100 |
31 | sleep 1 | 31 | sleep 1 |
32 | echo 200 | 32 | echo 200 |
33 | sleep 1 | 33 | sleep 1 |
34 | echo 300 | 34 | echo 300 |
35 | sleep 1 | 35 | sleep 1 |
36 | echo 400 | 36 | echo 400 |
37 | sleep 1 | 37 | sleep 1 |
38 | echo 500 | 38 | echo 500 |
39 | sleep 1 | 39 | sleep 1 |
40 | 40 | ||
41 | kill $pid | 41 | kill $pid |
42 | exit | 42 | exit |
43 | } | 43 | } |
44 | 44 | ||
45 | trap _term SIGTERM | 45 | trap _term SIGTERM |
diff --git a/test/utils/utils.sh b/test/utils/utils.sh index 102c8df17..647cbfb34 100755 --- a/test/utils/utils.sh +++ b/test/utils/utils.sh | |||
@@ -7,7 +7,7 @@ export MALLOC_CHECK_=3 | |||
7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) | 7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) |
8 | export LC_ALL=C | 8 | export LC_ALL=C |
9 | 9 | ||
10 | if [ -f /etc/debian_version ]; then | 10 | if [[ -f /etc/debian_version ]]; then |
11 | libdir=$(dirname "$(dpkg -L firejail | grep fcopy)") | 11 | libdir=$(dirname "$(dpkg -L firejail | grep fcopy)") |
12 | export PATH="$PATH:$libdir" | 12 | export PATH="$PATH:$libdir" |
13 | fi | 13 | fi |
@@ -33,13 +33,12 @@ echo "TESTING: version (test/utils/version.exp)" | |||
33 | echo "TESTING: help (test/utils/help.exp)" | 33 | echo "TESTING: help (test/utils/help.exp)" |
34 | ./help.exp | 34 | ./help.exp |
35 | 35 | ||
36 | which man 2>/dev/null | 36 | if command -v man |
37 | if [ "$?" -eq 0 ]; | ||
38 | then | 37 | then |
39 | echo "TESTING: man (test/utils/man.exp)" | 38 | echo "TESTING: man (test/utils/man.exp)" |
40 | ./man.exp | 39 | ./man.exp |
41 | else | 40 | else |
42 | echo "TESTING SKIP: man not found" | 41 | echo "TESTING SKIP: man not found" |
43 | fi | 42 | fi |
44 | 43 | ||
45 | echo "TESTING: list (test/utils/list.exp)" | 44 | echo "TESTING: list (test/utils/list.exp)" |
@@ -48,12 +47,12 @@ echo "TESTING: list (test/utils/list.exp)" | |||
48 | echo "TESTING: tree (test/utils/tree.exp)" | 47 | echo "TESTING: tree (test/utils/tree.exp)" |
49 | ./tree.exp | 48 | ./tree.exp |
50 | 49 | ||
51 | if [ $(grep -c ^processor /proc/cpuinfo) -gt 1 ]; | 50 | if [[ $(grep -c ^processor /proc/cpuinfo) -gt 1 ]] |
52 | then | 51 | then |
53 | echo "TESTING: cpu.print (test/utils/cpu-print.exp)" | 52 | echo "TESTING: cpu.print (test/utils/cpu-print.exp)" |
54 | ./cpu-print.exp | 53 | ./cpu-print.exp |
55 | else | 54 | else |
56 | echo "TESTING SKIP: cpu.print, not enough CPUs" | 55 | echo "TESTING SKIP: cpu.print, not enough CPUs" |
57 | fi | 56 | fi |
58 | 57 | ||
59 | echo "TESTING: fs.print (test/utils/fs-print.exp)" | 58 | echo "TESTING: fs.print (test/utils/fs-print.exp)" |