-rw-r--r-- | README.md | 5 | ||||
-rw-r--r-- | etc/firejail.config | 4 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 1 | ||||
-rw-r--r-- | src/fnettrace/main.c | 40 | ||||
-rw-r--r-- | src/profstats/main.c | 8 | ||||
-rwxr-xr-x | test/fs/fs.sh | 4 |
6 files changed, 55 insertions, 7 deletions
@@ -205,6 +205,7 @@ Stats: | |||
205 | private-bin 689 | 205 | private-bin 689 |
206 | private-dev 1041 | 206 | private-dev 1041 |
207 | private-etc 539 | 207 | private-etc 539 |
208 | private-lib 70 | ||
208 | private-tmp 915 | 209 | private-tmp 915 |
209 | whitelist home directory 573 | 210 | whitelist home directory 573 |
210 | whitelist var 855 (include whitelist-var-common.inc) | 211 | whitelist var 855 (include whitelist-var-common.inc) |
@@ -213,8 +214,8 @@ Stats: | |||
213 | whitelist usr/share 628 (include whitelist-usr-share-common.inc | 214 | whitelist usr/share 628 (include whitelist-usr-share-common.inc |
214 | net none 403 | 215 | net none 403 |
215 | dbus-user none 673 | 216 | dbus-user none 673 |
216 | dbus-user filter 122 | 217 | dbus-user filter 123 |
217 | dbus-system none 832 | 218 | dbus-system none 833 |
218 | dbus-system filter 12 | 219 | dbus-system filter 12 |
219 | ``` | 220 | ``` |
220 | 221 | ||
diff --git a/etc/firejail.config b/etc/firejail.config index 7f40eb5ed..9d37b4d8a 100644 --- a/etc/firejail.config +++ b/etc/firejail.config | |||
@@ -93,8 +93,8 @@ | |||
93 | # Enable or disable private-home feature, default enabled | 93 | # Enable or disable private-home feature, default enabled |
94 | # private-home yes | 94 | # private-home yes |
95 | 95 | ||
96 | # Enable or disable private-lib feature, default enabled | 96 | # Enable or disable private-lib feature, default disabled |
97 | # private-lib yes | 97 | # private-lib no |
98 | 98 | ||
99 | # Enable or disable private-opt feature, default enabled. | 99 | # Enable or disable private-opt feature, default enabled. |
100 | # private-opt yes | 100 | # private-opt yes |
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 9548ecb5b..e2fab1265 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -61,6 +61,7 @@ int checkcfg(int val) { | |||
61 | cfg_val[CFG_ALLOW_TRAY] = 0; | 61 | cfg_val[CFG_ALLOW_TRAY] = 0; |
62 | cfg_val[CFG_CHROOT] = 0; | 62 | cfg_val[CFG_CHROOT] = 0; |
63 | cfg_val[CFG_SECCOMP_LOG] = 0; | 63 | cfg_val[CFG_SECCOMP_LOG] = 0; |
64 | cfg_val[CFG_PRIVATE_LIB] = 0; | ||
64 | 65 | ||
65 | // open configuration file | 66 | // open configuration file |
66 | const char *fname = SYSCONFDIR "/firejail.config"; | 67 | const char *fname = SYSCONFDIR "/firejail.config"; |
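Review bot: The new line `cfg_val[CFG_PRIVATE_LIB] = 0;` is the only place in code that records that private-lib is now off unless the administrator enables it, while the human-readable statement of that default lives in etc/firejail.config in the same commit; a short comment tying the two together would keep them from drifting, e.g. `cfg_val[CFG_PRIVATE_LIB] = 0;	// default off; keep in sync with the "private-lib" comment in etc/firejail.config`. checkcfg begins and ends outside this hunk, so whether the config-file parser below already recognizes a `private-lib` line cannot be confirmed from here.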
diff --git a/src/fnettrace/main.c b/src/fnettrace/main.c index 634d408a3..f5e9bea65 100644 --- a/src/fnettrace/main.c +++ b/src/fnettrace/main.c | |||
@@ -222,8 +222,27 @@ static unsigned adjust_bandwidth(unsigned bw) { | |||
222 | } | 222 | } |
223 | 223 | ||
224 | static inline const char *common_port(uint16_t port) { | 224 | static inline const char *common_port(uint16_t port) { |
225 | if (port > 123) | 225 | if (port > 194) { |
226 | if (port >= 6660 && port <= 6669) | ||
227 | return "(IRC)"; | ||
228 | else if (port == 6679) | ||
229 | return "(IRC)"; | ||
230 | else if (port == 6771) | ||
231 | return "(BitTorrent)"; | ||
232 | else if (port >= 6881 && port <= 6999) | ||
233 | return "(BitTorrent)"; | ||
234 | else if (port == 9001) | ||
235 | return "(Tor)"; | ||
236 | else if (port == 9030) | ||
237 | return "(Tor)"; | ||
238 | else if (port == 9050) | ||
239 | return "(Tor)"; | ||
240 | else if (port == 9051) | ||
241 | return "(Tor)"; | ||
242 | else if (port == 9150) | ||
243 | return "(Tor)"; | ||
226 | return NULL; | 244 | return NULL; |
245 | } | ||
227 | 246 | ||
228 | if (port == 20 || port == 21) | 247 | if (port == 20 || port == 21) |
229 | return "(FTP)"; | 248 | return "(FTP)"; |
@@ -245,8 +264,16 @@ static inline const char *common_port(uint16_t port) { | |||
245 | return "(POP2)"; | 264 | return "(POP2)"; |
246 | else if (port == 110) | 265 | else if (port == 110) |
247 | return "(POP3)"; | 266 | return "(POP3)"; |
267 | else if (port == 113) | ||
268 | return "(IRC)"; | ||
248 | else if (port == 123) | 269 | else if (port == 123) |
249 | return "(NTP)"; | 270 | return "(NTP)"; |
271 | else if (port == 161) | ||
272 | return "(SNMP)"; | ||
273 | else if (port == 162) | ||
274 | return "(SNMP)"; | ||
275 | else if (port == 194) | ||
276 | return "(IRC)"; | ||
250 | 277 | ||
251 | return NULL; | 278 | return NULL; |
252 | } | 279 | } |
@@ -321,12 +348,19 @@ static void hnode_print(unsigned bw) { | |||
321 | protocol = "(TLS)"; | 348 | protocol = "(TLS)"; |
322 | else if (ptr->port_src == 53) | 349 | else if (ptr->port_src == 53) |
323 | protocol = "(DNS)"; | 350 | protocol = "(DNS)"; |
324 | else if (ptr->port_src == 853) | 351 | else if (ptr->port_src == 853) { |
325 | protocol = "(DoT)"; | 352 | if (ptr->protocol == 0x06) |
353 | protocol = "(DoT)"; | ||
354 | else if (ptr->protocol == 0x11) | ||
355 | protocol = "(DoQ)"; | ||
356 | else | ||
357 | protocol = NULL; | ||
358 | } | ||
326 | else if ((protocol = common_port(ptr->port_src)) != NULL) | 359 | else if ((protocol = common_port(ptr->port_src)) != NULL) |
327 | ; | 360 | ; |
328 | else if (ptr->protocol == 0x11) | 361 | else if (ptr->protocol == 0x11) |
329 | protocol = "(UDP)"; | 362 | protocol = "(UDP)"; |
363 | |||
330 | if (protocol == NULL) | 364 | if (protocol == NULL) |
331 | protocol = ""; | 365 | protocol = ""; |
332 | 366 | ||
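Review bot: The new `port > 194` block in common_port (first hunk; the function closes in the second hunk) spells out one `else if` per value, so the same label appears up to five times and overlaps between ranges are hard to audit; grouping each label into one branch with `||` reads better, and the rewrite is given below. The same applies to the pairs added in the second hunk, e.g. `else if (port == 161 || port == 162) return "(SNMP)";`. In hnode_print (starts and ends outside the hunk) the new 853 branch compares `ptr->protocol` with the literals `0x06` and `0x11`, matching the pre-existing `0x11` test a few lines down; `IPPROTO_TCP` and `IPPROTO_UDP` from <netinet/in.h> would say what is meant, assuming that header is already available to the file. Since common_port receives only the port, a comment such as `/* best-effort label from the source port only; nothing is verified against the payload */` on the function would stop readers from taking the label as protocol detection.
```c
static inline const char *common_port(uint16_t port) {
	/* best-effort label from the source port only; nothing is verified against the payload */
	if (port > 194) {
		if ((port >= 6660 && port <= 6669) || port == 6679)
			return "(IRC)";
		if (port == 6771 || (port >= 6881 && port <= 6999))
			return "(BitTorrent)";
		if (port == 9001 || port == 9030 || port == 9050 ||
		    port == 9051 || port == 9150)
			return "(Tor)";
		return NULL;
	}
	// … unchanged: ports 20 through 194 …
```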
diff --git a/src/profstats/main.c b/src/profstats/main.c index 595a94c11..9deb72f7e 100644 --- a/src/profstats/main.c +++ b/src/profstats/main.c | |||
@@ -38,6 +38,7 @@ static int cnt_privatebin = 0; | |||
38 | static int cnt_privatedev = 0; | 38 | static int cnt_privatedev = 0; |
39 | static int cnt_privatetmp = 0; | 39 | static int cnt_privatetmp = 0; |
40 | static int cnt_privateetc = 0; | 40 | static int cnt_privateetc = 0; |
41 | static int cnt_privatelib = 0; | ||
41 | static int cnt_whitelistvar = 0; // include whitelist-var-common.inc | 42 | static int cnt_whitelistvar = 0; // include whitelist-var-common.inc |
42 | static int cnt_whitelistrunuser = 0; // include whitelist-runuser-common.inc | 43 | static int cnt_whitelistrunuser = 0; // include whitelist-runuser-common.inc |
43 | static int cnt_whitelistusrshare = 0; // include whitelist-usr-share-common.inc | 44 | static int cnt_whitelistusrshare = 0; // include whitelist-usr-share-common.inc |
@@ -56,6 +57,7 @@ static int arg_privatebin = 0; | |||
56 | static int arg_privatedev = 0; | 57 | static int arg_privatedev = 0; |
57 | static int arg_privatetmp = 0; | 58 | static int arg_privatetmp = 0; |
58 | static int arg_privateetc = 0; | 59 | static int arg_privateetc = 0; |
60 | static int arg_privatelib = 0; | ||
59 | static int arg_whitelistvar = 0; | 61 | static int arg_whitelistvar = 0; |
60 | static int arg_whitelistrunuser = 0; | 62 | static int arg_whitelistrunuser = 0; |
61 | static int arg_whitelistusrshare = 0; | 63 | static int arg_whitelistusrshare = 0; |
@@ -181,6 +183,8 @@ static void process_file(char *fname) { | |||
181 | cnt_privatetmp++; | 183 | cnt_privatetmp++; |
182 | else if (strncmp(ptr, "private-etc", 11) == 0) | 184 | else if (strncmp(ptr, "private-etc", 11) == 0) |
183 | cnt_privateetc++; | 185 | cnt_privateetc++; |
186 | else if (strncmp(ptr, "private-lib", 11) == 0) | ||
187 | cnt_privatelib++; | ||
184 | else if (strncmp(ptr, "dbus-system none", 16) == 0) | 188 | else if (strncmp(ptr, "dbus-system none", 16) == 0) |
185 | cnt_dbus_system_none++; | 189 | cnt_dbus_system_none++; |
186 | else if (strncmp(ptr, "dbus-system", 11) == 0) | 190 | else if (strncmp(ptr, "dbus-system", 11) == 0) |
@@ -297,6 +301,7 @@ int main(int argc, char **argv) { | |||
297 | int privatetmp = cnt_privatetmp; | 301 | int privatetmp = cnt_privatetmp; |
298 | int privatedev = cnt_privatedev; | 302 | int privatedev = cnt_privatedev; |
299 | int privateetc = cnt_privateetc; | 303 | int privateetc = cnt_privateetc; |
304 | int privatelib = cnt_privatelib; | ||
300 | int dotlocal = cnt_dotlocal; | 305 | int dotlocal = cnt_dotlocal; |
301 | int globalsdotlocal = cnt_globalsdotlocal; | 306 | int globalsdotlocal = cnt_globalsdotlocal; |
302 | int whitelisthome = cnt_whitelisthome; | 307 | int whitelisthome = cnt_whitelisthome; |
@@ -360,6 +365,8 @@ int main(int argc, char **argv) { | |||
360 | printf("No private-tmp found in %s\n", argv[i]); | 365 | printf("No private-tmp found in %s\n", argv[i]); |
361 | if (arg_privateetc && privateetc == cnt_privateetc) | 366 | if (arg_privateetc && privateetc == cnt_privateetc) |
362 | printf("No private-etc found in %s\n", argv[i]); | 367 | printf("No private-etc found in %s\n", argv[i]); |
368 | if (arg_privatelib && privatelib == cnt_privatelib) | ||
369 | printf("No private-lib found in %s\n", argv[i]); | ||
363 | if (arg_whitelisthome && whitelisthome == cnt_whitelisthome) | 370 | if (arg_whitelisthome && whitelisthome == cnt_whitelisthome) |
364 | printf("Home directory not whitelisted in %s\n", argv[i]); | 371 | printf("Home directory not whitelisted in %s\n", argv[i]); |
365 | if (arg_whitelistvar && whitelistvar == cnt_whitelistvar) | 372 | if (arg_whitelistvar && whitelistvar == cnt_whitelistvar) |
@@ -394,6 +401,7 @@ int main(int argc, char **argv) { | |||
394 | printf(" private-bin\t\t\t%d\n", cnt_privatebin); | 401 | printf(" private-bin\t\t\t%d\n", cnt_privatebin); |
395 | printf(" private-dev\t\t\t%d\n", cnt_privatedev); | 402 | printf(" private-dev\t\t\t%d\n", cnt_privatedev); |
396 | printf(" private-etc\t\t\t%d\n", cnt_privateetc); | 403 | printf(" private-etc\t\t\t%d\n", cnt_privateetc); |
404 | printf(" private-lib\t\t\t%d\n", cnt_privatelib); | ||
397 | printf(" private-tmp\t\t\t%d\n", cnt_privatetmp); | 405 | printf(" private-tmp\t\t\t%d\n", cnt_privatetmp); |
398 | printf(" whitelist home directory\t%d\n", cnt_whitelisthome); | 406 | printf(" whitelist home directory\t%d\n", cnt_whitelisthome); |
399 | printf(" whitelist var\t\t%d (include whitelist-var-common.inc)\n", cnt_whitelistvar); | 407 | printf(" whitelist var\t\t%d (include whitelist-var-common.inc)\n", cnt_whitelistvar); |
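Review bot: `arg_privatelib` is declared at new line 60 and tested at new line 368, but no hunk in this section assigns it, and the section's diffstat (8 insertions, all shown here) leaves no room for an option-parsing branch; unless an existing parser already sets it, the `No private-lib found in %s` check is dead code. The sibling flags such as `arg_privateetc` are presumably set from argv in main's option loop, which lies outside these hunks; the same branch is needed for this one, e.g. `else if (strcmp(argv[i], "--private-lib") == 0) arg_privatelib = 1;` (option name constructed to match the existing flags; adjust to the parser's convention), plus the matching line in the usage text. The `strncmp(ptr, "private-lib", 11)` match at new line 186 accepts any line with that prefix, which is consistent with the neighbouring `private-etc` test.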
diff --git a/test/fs/fs.sh b/test/fs/fs.sh index b49e447b7..36ff30934 100755 --- a/test/fs/fs.sh +++ b/test/fs/fs.sh | |||
@@ -46,8 +46,12 @@ echo "TESTING: read/write /var/tmp (test/fs/fs_var_tmp.exp)" | |||
46 | rm -f /var/tmp/_firejail_test_file | 46 | rm -f /var/tmp/_firejail_test_file |
47 | 47 | ||
48 | if [ "$(uname -m)" = "x86_64" ]; then | 48 | if [ "$(uname -m)" = "x86_64" ]; then |
49 | fjconfig=/etc/firejail/firejail.config | ||
50 | printf 'private-lib yes\n' | sudo tee -a "$fjconfig" >/dev/null | ||
49 | echo "TESTING: private-lib (test/fs/private-lib.exp)" | 51 | echo "TESTING: private-lib (test/fs/private-lib.exp)" |
50 | ./private-lib.exp | 52 | ./private-lib.exp |
53 | printf '%s\n' "$(sed '/^private-lib yes$/d' "$fjconfig")" | | ||
54 | sudo tee "$fjconfig" >/dev/null | ||
51 | else | 55 | else |
52 | echo "TESTING SKIP: private-lib test implemented only for x86_64." | 56 | echo "TESTING SKIP: private-lib test implemented only for x86_64." |
53 | fi | 57 | fi |
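Review bot: New lines 49-50 append `private-lib yes` to the live /etc/firejail/firejail.config, and lines 53-54 remove it only after `./private-lib.exp` returns, so an interrupted run (a signal, or a non-zero exit if the script aborts on errors) leaves the system-wide config with private-lib enabled, the opposite of the default this commit introduces. The sed-based restore also deletes any `private-lib yes` line the administrator had placed there before the test, and writing the file back through `$(...)` strips its trailing newlines. Saving a copy first and restoring it from an EXIT trap covers all of these; the rewritten branch is below (the `else` branch is unchanged).
```sh
if [ "$(uname -m)" = "x86_64" ]; then
	fjconfig=/etc/firejail/firejail.config
	fjbackup="$(mktemp)"
	cp "$fjconfig" "$fjbackup"
	# put the original file back however the test ends
	trap 'sudo cp "$fjbackup" "$fjconfig"; rm -f "$fjbackup"' EXIT
	printf 'private-lib yes\n' | sudo tee -a "$fjconfig" >/dev/null
	echo "TESTING: private-lib (test/fs/private-lib.exp)"
	./private-lib.exp
	# … unchanged: else branch …
```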