43 files changed, 446 insertions, 269 deletions
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index 9ba69e2a4..c812e4572 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml | |||
@@ -2,7 +2,6 @@ name: Build-extra CI | |||
2 | 2 | ||
3 | on: | 3 | on: |
4 | push: | 4 | push: |
5 | branches: [ master ] | ||
6 | paths-ignore: | 5 | paths-ignore: |
7 | - '.github/ISSUE_TEMPLATE/*' | 6 | - '.github/ISSUE_TEMPLATE/*' |
8 | - 'contrib/syntax/**' | 7 | - 'contrib/syntax/**' |
@@ -12,6 +11,7 @@ on: | |||
12 | - .git-blame-ignore-revs | 11 | - .git-blame-ignore-revs |
13 | - .github/dependabot.yml | 12 | - .github/dependabot.yml |
14 | - .github/pull_request_template.md | 13 | - .github/pull_request_template.md |
14 | - .github/workflows/build.yml | ||
15 | - .github/workflows/codeql-analysis.yml | 15 | - .github/workflows/codeql-analysis.yml |
16 | - .github/workflows/profile-checks.yml | 16 | - .github/workflows/profile-checks.yml |
17 | - .gitignore | 17 | - .gitignore |
@@ -24,7 +24,6 @@ on: | |||
24 | - SECURITY.md | 24 | - SECURITY.md |
25 | - src/firecfg/firecfg.config | 25 | - src/firecfg/firecfg.config |
26 | pull_request: | 26 | pull_request: |
27 | branches: [ master ] | ||
28 | paths-ignore: | 27 | paths-ignore: |
29 | - '.github/ISSUE_TEMPLATE/*' | 28 | - '.github/ISSUE_TEMPLATE/*' |
30 | - 'contrib/syntax/**' | 29 | - 'contrib/syntax/**' |
@@ -34,6 +33,7 @@ on: | |||
34 | - .git-blame-ignore-revs | 33 | - .git-blame-ignore-revs |
35 | - .github/dependabot.yml | 34 | - .github/dependabot.yml |
36 | - .github/pull_request_template.md | 35 | - .github/pull_request_template.md |
36 | - .github/workflows/build.yml | ||
37 | - .github/workflows/codeql-analysis.yml | 37 | - .github/workflows/codeql-analysis.yml |
38 | - .github/workflows/profile-checks.yml | 38 | - .github/workflows/profile-checks.yml |
39 | - .gitignore | 39 | - .gitignore |
@@ -54,7 +54,7 @@ jobs: | |||
54 | runs-on: ubuntu-22.04 | 54 | runs-on: ubuntu-22.04 |
55 | steps: | 55 | steps: |
56 | - name: Harden Runner | 56 | - name: Harden Runner |
57 | uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 | 57 | uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 |
58 | with: | 58 | with: |
59 | egress-policy: block | 59 | egress-policy: block |
60 | allowed-endpoints: > | 60 | allowed-endpoints: > |
@@ -65,8 +65,12 @@ jobs: | |||
65 | run: sudo apt-get update | 65 | run: sudo apt-get update |
66 | - name: install dependencies | 66 | - name: install dependencies |
67 | run: sudo apt-get install libapparmor-dev libselinux1-dev | 67 | run: sudo apt-get install libapparmor-dev libselinux1-dev |
68 | - name: print env | ||
69 | run: ./ci/printenv.sh | ||
68 | - name: configure | 70 | - name: configure |
69 | run: CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor --enable-selinux | 71 | run: > |
72 | CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor | ||
73 | --enable-selinux | ||
70 | - name: make | 74 | - name: make |
71 | run: make | 75 | run: make |
72 | - name: make install | 76 | - name: make install |
@@ -77,7 +81,7 @@ jobs: | |||
77 | runs-on: ubuntu-22.04 | 81 | runs-on: ubuntu-22.04 |
78 | steps: | 82 | steps: |
79 | - name: Harden Runner | 83 | - name: Harden Runner |
80 | uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 | 84 | uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 |
81 | with: | 85 | with: |
82 | egress-policy: block | 86 | egress-policy: block |
83 | allowed-endpoints: > | 87 | allowed-endpoints: > |
@@ -88,15 +92,19 @@ jobs: | |||
88 | run: sudo apt-get update | 92 | run: sudo apt-get update |
89 | - name: install clang-tools-14 and dependencies | 93 | - name: install clang-tools-14 and dependencies |
90 | run: sudo apt-get install clang-tools-14 libapparmor-dev libselinux1-dev | 94 | run: sudo apt-get install clang-tools-14 libapparmor-dev libselinux1-dev |
95 | - name: print env | ||
96 | run: ./ci/printenv.sh | ||
91 | - name: configure | 97 | - name: configure |
92 | run: CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor --enable-selinux | 98 | run: > |
99 | CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor | ||
100 | --enable-selinux | ||
93 | - name: scan-build | 101 | - name: scan-build |
94 | run: NO_EXTRA_CFLAGS="yes" scan-build-14 --status-bugs make | 102 | run: NO_EXTRA_CFLAGS="yes" scan-build-14 --status-bugs make |
95 | cppcheck: | 103 | cppcheck: |
96 | runs-on: ubuntu-22.04 | 104 | runs-on: ubuntu-22.04 |
97 | steps: | 105 | steps: |
98 | - name: Harden Runner | 106 | - name: Harden Runner |
99 | uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 | 107 | uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 |
100 | with: | 108 | with: |
101 | egress-policy: block | 109 | egress-policy: block |
102 | allowed-endpoints: > | 110 | allowed-endpoints: > |
@@ -107,15 +115,18 @@ jobs: | |||
107 | run: sudo apt-get update | 115 | run: sudo apt-get update |
108 | - name: install cppcheck | 116 | - name: install cppcheck |
109 | run: sudo apt-get install cppcheck | 117 | run: sudo apt-get install cppcheck |
118 | - run: cppcheck --version | ||
110 | - name: cppcheck | 119 | - name: cppcheck |
111 | run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance -i src/firejail/checkcfg.c -i src/firejail/main.c . | 120 | run: > |
112 | # new cppcheck version currently chokes on checkcfg.c and main.c, therefore scan all files also | 121 | cppcheck -q --force --error-exitcode=1 --enable=warning,performance |
113 | # with older cppcheck version from ubuntu 20.04. | 122 | -i src/firejail/checkcfg.c -i src/firejail/main.c . |
123 | # new cppcheck version currently chokes on checkcfg.c and main.c, therefore | ||
124 | # scan all files also with older cppcheck version from ubuntu 20.04. | ||
114 | cppcheck_old: | 125 | cppcheck_old: |
115 | runs-on: ubuntu-20.04 | 126 | runs-on: ubuntu-20.04 |
116 | steps: | 127 | steps: |
117 | - name: Harden Runner | 128 | - name: Harden Runner |
118 | uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 | 129 | uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 |
119 | with: | 130 | with: |
120 | egress-policy: block | 131 | egress-policy: block |
121 | allowed-endpoints: > | 132 | allowed-endpoints: > |
@@ -126,13 +137,14 @@ jobs: | |||
126 | run: sudo apt-get update | 137 | run: sudo apt-get update |
127 | - name: install cppcheck | 138 | - name: install cppcheck |
128 | run: sudo apt-get install cppcheck | 139 | run: sudo apt-get install cppcheck |
140 | - run: cppcheck --version | ||
129 | - name: cppcheck | 141 | - name: cppcheck |
130 | run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance . | 142 | run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance . |
131 | codespell: | 143 | codespell: |
132 | runs-on: ubuntu-22.04 | 144 | runs-on: ubuntu-22.04 |
133 | steps: | 145 | steps: |
134 | - name: Harden Runner | 146 | - name: Harden Runner |
135 | uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 | 147 | uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 |
136 | with: | 148 | with: |
137 | egress-policy: block | 149 | egress-policy: block |
138 | allowed-endpoints: > | 150 | allowed-endpoints: > |
@@ -143,5 +155,6 @@ jobs: | |||
143 | run: sudo apt-get update | 155 | run: sudo apt-get update |
144 | - name: install dependencies | 156 | - name: install dependencies |
145 | run: sudo apt-get install codespell | 157 | run: sudo apt-get install codespell |
158 | - run: codespell --version | ||
146 | - name: codespell | 159 | - name: codespell |
147 | run: make codespell | 160 | run: make codespell |
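Review bot: The harden-runner pin bumped at new-side lines 57, 84, 107, 129 and 147 carries no version comment, so a reader cannot tell which release the bare SHA 128a63446a954579617e875aaab7d2978154e969 corresponds to without resolving it upstream; the usual convention is `uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # vX.Y.Z` with the real tag filled in (X.Y.Z is a placeholder here). The same applies to the harden-runner bumps in build.yml, codeql-analysis.yml and profile-checks.yml, and to the github/codeql-action bump to 29b1f65c5e92e24fe6b6647da1eaabe529cec70f in codeql-analysis.yml. A tag comment beside a SHA pin is what lets a reviewer confirm the pin points at a released version rather than an arbitrary commit.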
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 93ad0ebf1..e896ba8e0 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml | |||
@@ -2,12 +2,12 @@ name: Build CI | |||
2 | 2 | ||
3 | on: | 3 | on: |
4 | push: | 4 | push: |
5 | branches: [ master ] | ||
6 | paths-ignore: | 5 | paths-ignore: |
7 | - '.github/ISSUE_TEMPLATE/*' | 6 | - '.github/ISSUE_TEMPLATE/*' |
8 | - .git-blame-ignore-revs | 7 | - .git-blame-ignore-revs |
9 | - .github/dependabot.yml | 8 | - .github/dependabot.yml |
10 | - .github/pull_request_template.md | 9 | - .github/pull_request_template.md |
10 | - .github/workflows/build-extra.yml | ||
11 | - .github/workflows/codeql-analysis.yml | 11 | - .github/workflows/codeql-analysis.yml |
12 | - .github/workflows/profile-checks.yml | 12 | - .github/workflows/profile-checks.yml |
13 | - .gitignore | 13 | - .gitignore |
@@ -19,12 +19,12 @@ on: | |||
19 | - RELNOTES | 19 | - RELNOTES |
20 | - SECURITY.md | 20 | - SECURITY.md |
21 | pull_request: | 21 | pull_request: |
22 | branches: [ master ] | ||
23 | paths-ignore: | 22 | paths-ignore: |
24 | - '.github/ISSUE_TEMPLATE/*' | 23 | - '.github/ISSUE_TEMPLATE/*' |
25 | - .git-blame-ignore-revs | 24 | - .git-blame-ignore-revs |
26 | - .github/dependabot.yml | 25 | - .github/dependabot.yml |
27 | - .github/pull_request_template.md | 26 | - .github/pull_request_template.md |
27 | - .github/workflows/build-extra.yml | ||
28 | - .github/workflows/codeql-analysis.yml | 28 | - .github/workflows/codeql-analysis.yml |
29 | - .github/workflows/profile-checks.yml | 29 | - .github/workflows/profile-checks.yml |
30 | - .gitignore | 30 | - .gitignore |
@@ -42,17 +42,22 @@ permissions: # added using https://github.com/step-security/secure-workflows | |||
42 | jobs: | 42 | jobs: |
43 | build_and_test: | 43 | build_and_test: |
44 | runs-on: ubuntu-22.04 | 44 | runs-on: ubuntu-22.04 |
45 | env: | ||
46 | SHELL: /bin/bash | ||
45 | steps: | 47 | steps: |
46 | - name: Harden Runner | 48 | - name: Harden Runner |
47 | uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 | 49 | uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 |
48 | with: | 50 | with: |
49 | egress-policy: block | 51 | egress-policy: block |
50 | allowed-endpoints: > | 52 | allowed-endpoints: > |
53 | 1.1.1.1:1025 | ||
51 | azure.archive.ubuntu.com:80 | 54 | azure.archive.ubuntu.com:80 |
52 | debian.org:80 | 55 | debian.org:80 |
56 | dns.quad9.net:53 | ||
53 | github.com:443 | 57 | github.com:443 |
54 | packages.microsoft.com:443 | 58 | packages.microsoft.com:443 |
55 | ppa.launchpadcontent.net:443 | 59 | ppa.launchpadcontent.net:443 |
60 | whois.pir.org:43 | ||
56 | www.debian.org:443 | 61 | www.debian.org:443 |
57 | www.debian.org:80 | 62 | www.debian.org:80 |
58 | yahoo.com:1025 | 63 | yahoo.com:1025 |
@@ -60,44 +65,35 @@ jobs: | |||
60 | - name: update package information | 65 | - name: update package information |
61 | run: sudo apt-get update | 66 | run: sudo apt-get update |
62 | - name: install dependencies | 67 | - name: install dependencies |
63 | run: sudo apt-get install gcc-12 libapparmor-dev libselinux1-dev expect xzdec whois bridge-utils | 68 | run: > |
69 | sudo apt-get install | ||
70 | gcc-12 libapparmor-dev libselinux1-dev expect xzdec whois | ||
71 | bridge-utils | ||
72 | - name: print env | ||
73 | run: ./ci/printenv.sh | ||
64 | - name: configure | 74 | - name: configure |
65 | run: CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings --enable-analyzer --enable-apparmor --enable-selinux | 75 | run: > |
76 | CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings | ||
77 | --enable-analyzer --enable-apparmor --enable-selinux | ||
66 | - name: make | 78 | - name: make |
67 | run: make | 79 | run: make |
68 | - name: make install | 80 | - name: make install |
69 | run: sudo make install | 81 | run: sudo make install |
70 | - name: print firejail version | 82 | - name: print firejail version |
71 | run: command -V firejail && firejail --version | 83 | run: command -V firejail && firejail --version |
72 | - name: lab setup | 84 | - run: make lab-setup |
73 | run: SHELL=/bin/bash make lab-setup | 85 | - run: make test-seccomp-extra |
74 | - name: run seccomp extra tests | 86 | - run: make test-firecfg |
75 | run: SHELL=/bin/bash make test-seccomp-extra | 87 | - run: make test-capabilities |
76 | - name: run firecfg tests | 88 | - run: make test-apparmor |
77 | run: SHELL=/bin/bash make test-firecfg | 89 | - run: make test-appimage |
78 | - name: run capabilities tests | 90 | - run: make test-chroot |
79 | run: SHELL=/bin/bash make test-capabilities | 91 | - run: make test-sysutils |
80 | - name: run apparmor tests | 92 | - run: make test-private-etc |
81 | run: SHELL=/bin/bash make test-apparmor | 93 | - run: make test-profiles |
82 | - name: run appimage tests | 94 | - run: make test-fcopy |
83 | run: SHELL=/bin/bash make test-appimage | 95 | - run: make test-fnetfilter |
84 | - name: run chroot tests | 96 | - run: make test-fs |
85 | run: SHELL=/bin/bash make test-chroot | 97 | - run: make test-utils |
86 | - name: run sysutils tests | 98 | - run: make test-environment |
87 | run: SHELL=/bin/bash make test-sysutils | 99 | - run: make test-network |
88 | - name: run private-etc tests | ||
89 | run: SHELL=/bin/bash make test-private-etc | ||
90 | - name: run profile tests | ||
91 | run: SHELL=/bin/bash make test-profiles | ||
92 | - name: run fcopy tests | ||
93 | run: SHELL=/bin/bash make test-fcopy | ||
94 | - name: run fnetfilter tests | ||
95 | run: SHELL=/bin/bash make test-fnetfilter | ||
96 | - name: run fs tests | ||
97 | run: SHELL=/bin/bash make test-fs | ||
98 | - name: run utils tests | ||
99 | run: SHELL=/bin/bash make test-utils | ||
100 | - name: run environment tests | ||
101 | run: SHELL=/bin/bash make test-environment | ||
102 | - name: run network tests | ||
103 | run: SHELL=/bin/bash make test-network | ||
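Review bot: The three endpoints added to allowed-endpoints in the build_and_test job (1.1.1.1:1025, dns.quad9.net:53 and whois.pir.org:43 at new-side lines 53, 56 and 60) widen the job's egress policy without saying which step needs them; presumably the new `make test-network` step, but that is not stated anywhere in the file. Since harden-runner's allowlist is the only egress control for the whole job, a per-entry reason keeps the list prunable when a test is removed, e.g. `# test-network: dns.quad9.net:53, 1.1.1.1:1025, whois.pir.org:43` above the list, after verifying which tests actually open those connections. The pre-existing yahoo.com:1025 and debian.org entries would benefit from the same treatment.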
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index a3242ff90..68f14d729 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml | |||
@@ -7,7 +7,6 @@ name: "CodeQL" | |||
7 | 7 | ||
8 | on: | 8 | on: |
9 | push: | 9 | push: |
10 | branches: [ master ] | ||
11 | paths-ignore: | 10 | paths-ignore: |
12 | - '.github/ISSUE_TEMPLATE/*' | 11 | - '.github/ISSUE_TEMPLATE/*' |
13 | - 'contrib/syntax/**' | 12 | - 'contrib/syntax/**' |
@@ -17,6 +16,8 @@ on: | |||
17 | - .git-blame-ignore-revs | 16 | - .git-blame-ignore-revs |
18 | - .github/dependabot.yml | 17 | - .github/dependabot.yml |
19 | - .github/pull_request_template.md | 18 | - .github/pull_request_template.md |
19 | - .github/workflows/build-extra.yml | ||
20 | - .github/workflows/build.yml | ||
20 | - .github/workflows/profile-checks.yml | 21 | - .github/workflows/profile-checks.yml |
21 | - .gitignore | 22 | - .gitignore |
22 | - .gitlab-ci.yml | 23 | - .gitlab-ci.yml |
@@ -28,8 +29,6 @@ on: | |||
28 | - SECURITY.md | 29 | - SECURITY.md |
29 | - src/firecfg/firecfg.config | 30 | - src/firecfg/firecfg.config |
30 | pull_request: | 31 | pull_request: |
31 | # The branches below must be a subset of the branches above | ||
32 | branches: [ master ] | ||
33 | paths-ignore: | 32 | paths-ignore: |
34 | - '.github/ISSUE_TEMPLATE/*' | 33 | - '.github/ISSUE_TEMPLATE/*' |
35 | - 'contrib/syntax/**' | 34 | - 'contrib/syntax/**' |
@@ -39,6 +38,8 @@ on: | |||
39 | - .git-blame-ignore-revs | 38 | - .git-blame-ignore-revs |
40 | - .github/dependabot.yml | 39 | - .github/dependabot.yml |
41 | - .github/pull_request_template.md | 40 | - .github/pull_request_template.md |
41 | - .github/workflows/build-extra.yml | ||
42 | - .github/workflows/build.yml | ||
42 | - .github/workflows/profile-checks.yml | 43 | - .github/workflows/profile-checks.yml |
43 | - .gitignore | 44 | - .gitignore |
44 | - .gitlab-ci.yml | 45 | - .gitlab-ci.yml |
@@ -74,7 +75,7 @@ jobs: | |||
74 | 75 | ||
75 | steps: | 76 | steps: |
76 | - name: Harden Runner | 77 | - name: Harden Runner |
77 | uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 | 78 | uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 |
78 | with: | 79 | with: |
79 | disable-sudo: true | 80 | disable-sudo: true |
80 | egress-policy: block | 81 | egress-policy: block |
@@ -87,9 +88,12 @@ jobs: | |||
87 | - name: Checkout repository | 88 | - name: Checkout repository |
88 | uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab | 89 | uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab |
89 | 90 | ||
91 | - name: print env | ||
92 | run: ./ci/printenv.sh | ||
93 | |||
90 | # Initializes the CodeQL tools for scanning. | 94 | # Initializes the CodeQL tools for scanning. |
91 | - name: Initialize CodeQL | 95 | - name: Initialize CodeQL |
92 | uses: github/codeql-action/init@b2c19fb9a2a485599ccf4ed5d65527d94bc57226 | 96 | uses: github/codeql-action/init@29b1f65c5e92e24fe6b6647da1eaabe529cec70f |
93 | with: | 97 | with: |
94 | languages: ${{ matrix.language }} | 98 | languages: ${{ matrix.language }} |
95 | # If you wish to specify custom queries, you can do so here or in a config file. | 99 | # If you wish to specify custom queries, you can do so here or in a config file. |
@@ -100,7 +104,7 @@ jobs: | |||
100 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). | 104 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). |
101 | # If this step fails, then you should remove it and run the build manually (see below) | 105 | # If this step fails, then you should remove it and run the build manually (see below) |
102 | - name: Autobuild | 106 | - name: Autobuild |
103 | uses: github/codeql-action/autobuild@b2c19fb9a2a485599ccf4ed5d65527d94bc57226 | 107 | uses: github/codeql-action/autobuild@29b1f65c5e92e24fe6b6647da1eaabe529cec70f |
104 | 108 | ||
105 | # ℹ️ Command-line programs to run using the OS shell. | 109 | # ℹ️ Command-line programs to run using the OS shell. |
106 | # 📚 https://git.io/JvXDl | 110 | # 📚 https://git.io/JvXDl |
@@ -114,4 +118,4 @@ jobs: | |||
114 | # make release | 118 | # make release |
115 | 119 | ||
116 | - name: Perform CodeQL Analysis | 120 | - name: Perform CodeQL Analysis |
117 | uses: github/codeql-action/analyze@b2c19fb9a2a485599ccf4ed5d65527d94bc57226 | 121 | uses: github/codeql-action/analyze@29b1f65c5e92e24fe6b6647da1eaabe529cec70f |
diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml index 64069f917..8500481cd 100644 --- a/.github/workflows/profile-checks.yml +++ b/.github/workflows/profile-checks.yml | |||
@@ -2,7 +2,6 @@ name: Profile Checks | |||
2 | 2 | ||
3 | on: | 3 | on: |
4 | push: | 4 | push: |
5 | branches: [ master ] | ||
6 | paths: | 5 | paths: |
7 | - 'ci/check/profiles/**' | 6 | - 'ci/check/profiles/**' |
8 | - 'etc/**' | 7 | - 'etc/**' |
@@ -10,7 +9,6 @@ on: | |||
10 | - contrib/sort.py | 9 | - contrib/sort.py |
11 | - src/firecfg/firecfg.config | 10 | - src/firecfg/firecfg.config |
12 | pull_request: | 11 | pull_request: |
13 | branches: [ master ] | ||
14 | paths: | 12 | paths: |
15 | - 'ci/check/profiles/**' | 13 | - 'ci/check/profiles/**' |
16 | - 'etc/**' | 14 | - 'etc/**' |
@@ -26,7 +24,7 @@ jobs: | |||
26 | runs-on: ubuntu-latest | 24 | runs-on: ubuntu-latest |
27 | steps: | 25 | steps: |
28 | - name: Harden Runner | 26 | - name: Harden Runner |
29 | uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 | 27 | uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 |
30 | with: | 28 | with: |
31 | disable-sudo: true | 29 | disable-sudo: true |
32 | egress-policy: block | 30 | egress-policy: block |
@@ -34,12 +32,24 @@ jobs: | |||
34 | github.com:443 | 32 | github.com:443 |
35 | 33 | ||
36 | - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab | 34 | - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab |
35 | - name: print env | ||
36 | run: ./ci/printenv.sh | ||
37 | - run: python3 --version | ||
38 | |||
37 | # - name: sort.py | 39 | # - name: sort.py |
38 | # run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile | 40 | # run: > |
41 | # ./ci/check/profiles/sort.py | ||
42 | # etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile | ||
39 | # Currently broken (see #5610) | 43 | # Currently broken (see #5610) |
40 | # - name: private-etc-always-required.sh | 44 | # - name: private-etc-always-required.sh |
41 | # run: ./ci/check/profiles/private-etc-always-required.sh etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile | 45 | # run: > |
46 | # ./ci/check/profiles/private-etc-always-required.sh | ||
47 | # etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile | ||
42 | - name: sort-disable-programs.sh | 48 | - name: sort-disable-programs.sh |
43 | run: ./ci/check/profiles/sort-disable-programs.sh etc/inc/disable-programs.inc | 49 | run: > |
50 | ./ci/check/profiles/sort-disable-programs.sh | ||
51 | etc/inc/disable-programs.inc | ||
44 | - name: sort-firecfg.config.sh | 52 | - name: sort-firecfg.config.sh |
45 | run: ./ci/check/profiles/sort-firecfg.config.sh src/firecfg/firecfg.config | 53 | run: > |
54 | ./ci/check/profiles/sort-firecfg.config.sh | ||
55 | src/firecfg/firecfg.config | ||
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index a0241e994..38d121c49 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml | |||
@@ -5,22 +5,30 @@ | |||
5 | # and fedora:latest for new setups | 5 | # and fedora:latest for new setups |
6 | # 3. Alpine for installing directly from source | 6 | # 3. Alpine for installing directly from source |
7 | # Also builds apparmor package for Ubuntu LTS | 7 | # Also builds apparmor package for Ubuntu LTS |
8 | |||
8 | build_ubuntu_package: | 9 | build_ubuntu_package: |
9 | image: ubuntu:rolling | 10 | image: ubuntu:rolling |
10 | script: | 11 | script: |
11 | - apt-get update -qq | 12 | - apt-get update -qq |
12 | - DEBIAN_FRONTEND=noninteractive apt-get install -y -qq build-essential lintian libapparmor-dev pkg-config python3 gawk | 13 | - > |
14 | DEBIAN_FRONTEND=noninteractive apt-get install -y -qq | ||
15 | build-essential lintian libapparmor-dev pkg-config python3 gawk | ||
16 | - ./ci/printenv.sh | ||
13 | - ./configure | 17 | - ./configure |
14 | - make deb | 18 | - make deb |
15 | - dpkg -i firejail*.deb | 19 | - dpkg -i firejail*.deb |
16 | - command -V firejail && firejail --version | 20 | - command -V firejail && firejail --version |
21 | # - python3 --version | ||
17 | # - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc | 22 | # - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc |
18 | 23 | ||
19 | build_debian_package: | 24 | build_debian_package: |
20 | image: debian:stretch | 25 | image: debian:buster |
21 | script: | 26 | script: |
22 | - apt-get update -qq | 27 | - apt-get update -qq |
23 | - apt-get install -y -qq build-essential lintian libapparmor-dev pkg-config gawk | 28 | - > |
29 | apt-get install -y -qq | ||
30 | build-essential lintian libapparmor-dev pkg-config gawk | ||
31 | - ./ci/printenv.sh | ||
24 | - ./configure | 32 | - ./configure |
25 | - make deb | 33 | - make deb |
26 | - dpkg -i firejail*.deb | 34 | - dpkg -i firejail*.deb |
@@ -31,6 +39,7 @@ build_redhat_package: | |||
31 | script: | 39 | script: |
32 | - dnf update -y | 40 | - dnf update -y |
33 | - dnf install -y rpm-build gcc make | 41 | - dnf install -y rpm-build gcc make |
42 | - ./ci/printenv.sh | ||
34 | - ./configure --prefix=/usr | 43 | - ./configure --prefix=/usr |
35 | - make rpms | 44 | - make rpms |
36 | - rpm -i firejail*.rpm | 45 | - rpm -i firejail*.rpm |
@@ -41,10 +50,12 @@ build_fedora_package: | |||
41 | script: | 50 | script: |
42 | - dnf update -y | 51 | - dnf update -y |
43 | - dnf install -y rpm-build gcc make | 52 | - dnf install -y rpm-build gcc make |
53 | - ./ci/printenv.sh | ||
44 | - ./configure --prefix=/usr | 54 | - ./configure --prefix=/usr |
45 | - make rpms | 55 | - make rpms |
46 | - rpm -i firejail*.rpm | 56 | - rpm -i firejail*.rpm |
47 | - command -V firejail && firejail --version | 57 | - command -V firejail && firejail --version |
58 | # - python3 --version | ||
48 | # - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc | 59 | # - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc |
49 | 60 | ||
50 | build_src_package: | 61 | build_src_package: |
@@ -53,17 +64,22 @@ build_src_package: | |||
53 | - apk update | 64 | - apk update |
54 | - apk upgrade | 65 | - apk upgrade |
55 | - apk add build-base linux-headers python3 gawk | 66 | - apk add build-base linux-headers python3 gawk |
67 | - ./ci/printenv.sh | ||
56 | - ./configure --prefix=/usr | 68 | - ./configure --prefix=/usr |
57 | - make | 69 | - make |
58 | - make install-strip | 70 | - make install-strip |
59 | - command -V firejail && firejail --version | 71 | - command -V firejail && firejail --version |
60 | # - python3 contrib/sort.py etc/*.{profile,inc} | 72 | # - python3 --version |
73 | # - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc | ||
61 | 74 | ||
62 | build_no_apparmor: | 75 | build_no_apparmor: |
63 | image: ubuntu:latest | 76 | image: ubuntu:latest |
64 | script: | 77 | script: |
65 | - apt-get update -qq | 78 | - apt-get update -qq |
66 | - DEBIAN_FRONTEND=noninteractive apt-get install -y -qq build-essential lintian pkg-config gawk | 79 | - > |
80 | DEBIAN_FRONTEND=noninteractive apt-get install -y -qq | ||
81 | build-essential lintian pkg-config gawk | ||
82 | - ./ci/printenv.sh | ||
67 | - ./configure | 83 | - ./configure |
68 | - make dist | 84 | - make dist |
69 | - ./mkdeb.sh --disable-apparmor | 85 | - ./mkdeb.sh --disable-apparmor |
@@ -77,21 +93,36 @@ debian_ci: | |||
77 | DEBFULLNAME: "$GITLAB_USER_NAME" | 93 | DEBFULLNAME: "$GITLAB_USER_NAME" |
78 | DEBEMAIL: "$GITLAB_USER_EMAIL" | 94 | DEBEMAIL: "$GITLAB_USER_EMAIL" |
79 | before_script: | 95 | before_script: |
80 | - git checkout -B ci_build $CI_COMMIT_SHA | 96 | - git checkout -B ci_build "$CI_COMMIT_SHA" |
81 | - gitlab-ci-enable-sid | 97 | - gitlab-ci-enable-sid |
82 | - gitlab-ci-enable-experimental | 98 | - gitlab-ci-enable-experimental |
83 | - echo "deb-src http://deb.debian.org/debian sid main" >> /etc/apt/sources.list | 99 | - | |
84 | - echo "deb-src http://deb.debian.org/debian experimental main" >> /etc/apt/sources.list | 100 | cat >>/etc/apt/sources.list <<EOF |
101 | deb-src http://deb.debian.org/debian sid main | ||
102 | deb-src http://deb.debian.org/debian experimental main | ||
103 | EOF | ||
85 | - apt-get update | 104 | - apt-get update |
86 | - git config user.name "$DEBFULLNAME" | 105 | - git config user.name "$DEBFULLNAME" |
87 | - git config user.email "$DEBEMAIL" | 106 | - git config user.email "$DEBEMAIL" |
88 | - cd $CI_PROJECT_DIR/.. && (apt-get source --download-only -t experimental firejail || apt-get source --download-only firejail) | 107 | - | |
89 | - cd $CI_PROJECT_DIR && tar xf ../firejail_*.debian.tar.* | 108 | cd "$CI_PROJECT_DIR/.." |
109 | apt-get source --download-only -t experimental firejail || | ||
110 | apt-get source --download-only firejail | ||
111 | - | | ||
112 | cd "$CI_PROJECT_DIR" | ||
113 | tar xf ../firejail_*.debian.tar.* | ||
90 | - rm -rf debian/patches/ | 114 | - rm -rf debian/patches/ |
91 | - VERSION=$(grep ^PACKAGE_VERSION= configure | cut -d"'" -f2) && dch -v ${VERSION}-0.1~ci "Non-maintainer upload." && git archive -o ../firejail_${VERSION}.orig.tar.gz HEAD && pristine-tar commit ../firejail_${VERSION}.orig.tar.gz ci_build && git branch -m pristine-tar origin/pristine-tar | 115 | - | |
92 | - git add debian && git commit -m "add debian/" | 116 | VERSION="$(grep ^PACKAGE_VERSION= configure | cut -d "'" -f 2)" |
93 | - export CI_COMMIT_SHA=$(git rev-parse HEAD) | 117 | dch -v "${VERSION}-0.1~ci" 'Non-maintainer upload.' |
118 | git archive -o "../firejail_${VERSION}.orig.tar.gz" HEAD | ||
119 | pristine-tar commit "../firejail_${VERSION}.orig.tar.gz" ci_build | ||
120 | git branch -m pristine-tar origin/pristine-tar | ||
121 | - git add debian | ||
122 | - git commit -m 'add debian/' | ||
123 | - export CI_COMMIT_SHA="$(git rev-parse HEAD)" | ||
94 | script: | 124 | script: |
95 | - apt-get --no-install-recommends install -y -qq gawk | 125 | - apt-get --no-install-recommends install -y -qq gawk |
126 | - ./ci/printenv.sh | ||
96 | - gitlab-ci-git-buildpackage | 127 | - gitlab-ci-git-buildpackage |
97 | - gitlab-ci-lintian | 128 | - gitlab-ci-lintian |
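Review bot: The multi-line `|` blocks in debian_ci's before_script (new-side lines 107–120) replace `&&` chains with one command per line, so whether a failed `apt-get source`, `dch` or `git archive` still aborts the job now depends on the runner enabling errexit for the generated script rather than on the script itself. GitLab's shell executor normally does that for bash, but that is an assumption about the runner image; an explicit `set -e` as the first line of each block (or keeping `&&` between the dependent commands) makes the abort-on-failure intent visible in the file. The `||` fallback at lines 108–110 is fine as written, since it spells out the alternative explicitly.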
@@ -364,6 +364,10 @@ scan-build: clean | |||
364 | codespell: clean | 364 | codespell: clean |
365 | codespell --ignore-regex "UE|creat|shotcut|ether" src test | 365 | codespell --ignore-regex "UE|creat|shotcut|ether" src test |
366 | 366 | ||
367 | .PHONY: print-env | ||
368 | print-env: | ||
369 | ./ci/printenv.sh | ||
370 | |||
367 | # | 371 | # |
368 | # make test | 372 | # make test |
369 | # | 373 | # |
@@ -235,6 +235,20 @@ You can also use this tool to get a list of syscalls needed by a program: | |||
235 | 235 | ||
236 | * [contrib/syscalls.sh](contrib/syscalls.sh) | 236 | * [contrib/syscalls.sh](contrib/syscalls.sh) |
237 | 237 | ||
238 | ## Uninstalling | ||
239 | |||
240 | firecfg creates symlinks in /usr/local/bin, so to fully remove firejail, run | ||
241 | the following before uninstalling: | ||
242 | |||
243 | ```sh | ||
244 | sudo firecfg --clean | ||
245 | ``` | ||
246 | |||
247 | See `man firecfg` for details. | ||
248 | |||
249 | Note: Broken symlinks are ignored when searching for an executable in `$PATH`, | ||
250 | so uninstalling without doing the above should not cause issues. | ||
251 | |||
238 | ## Latest released version: 0.9.72 | 252 | ## Latest released version: 0.9.72 |
239 | 253 | ||
240 | ## Current development version: 0.9.73 | 254 | ## Current development version: 0.9.73 |
@@ -15,6 +15,7 @@ firejail (0.9.73) baseline; urgency=low | |||
15 | * bugfix: qutebrowser: links will not open in the existing instance (#5601 | 15 | * bugfix: qutebrowser: links will not open in the existing instance (#5601 |
16 | #5618) | 16 | #5618) |
17 | * bugfix: fix --hostname and --hosts-file commands | 17 | * bugfix: fix --hostname and --hosts-file commands |
18 | * bugfix: arp.c: ensure positive timeout on select(2) (#5806) | ||
18 | * build: auto-generate syntax files (#5627) | 19 | * build: auto-generate syntax files (#5627) |
19 | * build: mark most phony targets as such (#5637) | 20 | * build: mark most phony targets as such (#5637) |
20 | * build: mkdeb.sh: pass all arguments to ./configure (#5654) | 21 | * build: mkdeb.sh: pass all arguments to ./configure (#5654) |
@@ -23,12 +24,17 @@ firejail (0.9.73) baseline; urgency=low | |||
23 | * ci: always update the package db before installing packages (#5742) | 24 | * ci: always update the package db before installing packages (#5742) |
24 | * ci: fix codeql unable to download its own bundle (#5783) | 25 | * ci: fix codeql unable to download its own bundle (#5783) |
25 | * ci: split configure/build/install commands on gitlab (#5784) | 26 | * ci: split configure/build/install commands on gitlab (#5784) |
27 | * ci: fix swapped name/email arguments in debian_ci (#5795) | ||
28 | * ci: formatting and misc improvements (#5802) | ||
29 | * ci: run for every branch instead of just master (#5815) | ||
30 | * ci: upgrade debian:stretch to debian:buster (#5818) | ||
26 | * test: split individual test groups in github workflows | 31 | * test: split individual test groups in github workflows |
27 | * test: add chroot, appimage and network tests in github workflows | 32 | * test: add chroot, appimage and network tests in github workflows |
28 | * docs: remove apparmor options in --help when building without apparmor | 33 | * docs: remove apparmor options in --help when building without apparmor |
29 | support (#5589) | 34 | support (#5589) |
30 | * docs: fix typos (#5693) | 35 | * docs: fix typos (#5693) |
31 | * docs: markdown formatting and misc improvements (#5757) | 36 | * docs: markdown formatting and misc improvements (#5757) |
37 | * docs: add uninstall instructions to README.md (#5812) | ||
32 | * legal: selinux.c: Split Copyright notice & use same license as upstream | 38 | * legal: selinux.c: Split Copyright notice & use same license as upstream |
33 | (#5667) | 39 | (#5667) |
34 | * new profiles: fix-qdf, qpdf, zlib-flate, standard-notes, url-eater | 40 | * new profiles: fix-qdf, qpdf, zlib-flate, standard-notes, url-eater |
diff --git a/ci/printenv.sh b/ci/printenv.sh new file mode 100755 index 000000000..4b7e03fa7 --- /dev/null +++ b/ci/printenv.sh | |||
@@ -0,0 +1,25 @@ | |||
1 | #!/bin/sh | ||
2 | # Print information that may be useful for debugging CI. | ||
3 | |||
4 | test -f /etc/os-release && . /etc/os-release | ||
5 | |||
6 | cat <<EOF | ||
7 | nproc: $(nproc) | ||
8 | kernel: $(uname -srvm) | ||
9 | distro: $PRETTY_NAME | ||
10 | sh: $(ls -l /bin/sh | sed 's|.* /bin|/bin|') | ||
11 | user: $(id | cut -f -2 -d ' ') | ||
12 | |||
13 | [/etc/os-release] | ||
14 | $(cat /etc/os-release) | ||
15 | EOF | ||
16 | |||
17 | if test -z "$CI_VERBOSE"; then | ||
18 | exit | ||
19 | fi | ||
20 | |||
21 | cat <<EOF | ||
22 | |||
23 | [env] | ||
24 | $(env | LC_ALL=C sort) | ||
25 | EOF | ||
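Review bot: The verbose branch at new line 24 dumps the entire process environment into the CI log, and CI jobs routinely carry credentials in environment variables; hosted runners mask secrets they registered themselves, but not values that reach the job by other routes such as a token exported in a step's `env:`. Since the script is only for debugging, filter the obvious names before printing, e.g. `$(env | LC_ALL=C sort | grep -Eiv '(token|secret|passw|private|key)')`, or at least warn in the header: `# CI_VERBOSE prints the full environment; never enable it on jobs that receive secrets.`. Sourcing `/etc/os-release` with `.` at line 4 executes the file as shell, which is the standard way to read it on a CI image and is fine, but it is why the `test -f` guard in front of it matters.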
diff --git a/etc/inc/allow-python2.inc b/etc/inc/allow-python2.inc index b0525e2e1..0d4ab8c35 100644 --- a/etc/inc/allow-python2.inc +++ b/etc/inc/allow-python2.inc | |||
@@ -2,6 +2,7 @@ | |||
2 | # Persistent customizations should go in a .local file. | 2 | # Persistent customizations should go in a .local file. |
3 | include allow-python2.local | 3 | include allow-python2.local |
4 | 4 | ||
5 | noblacklist ${HOME}/.local/lib/python2* | ||
5 | noblacklist ${PATH}/python2* | 6 | noblacklist ${PATH}/python2* |
6 | noblacklist /usr/include/python2* | 7 | noblacklist /usr/include/python2* |
7 | noblacklist /usr/lib/python2* | 8 | noblacklist /usr/lib/python2* |
diff --git a/etc/inc/allow-python3.inc b/etc/inc/allow-python3.inc index d968886b0..0693fb7e7 100644 --- a/etc/inc/allow-python3.inc +++ b/etc/inc/allow-python3.inc | |||
@@ -2,6 +2,7 @@ | |||
2 | # Persistent customizations should go in a .local file. | 2 | # Persistent customizations should go in a .local file. |
3 | include allow-python3.local | 3 | include allow-python3.local |
4 | 4 | ||
5 | noblacklist ${HOME}/.local/lib/python3* | ||
5 | noblacklist ${PATH}/python3* | 6 | noblacklist ${PATH}/python3* |
6 | noblacklist /usr/include/python3* | 7 | noblacklist /usr/include/python3* |
7 | noblacklist /usr/lib/python3* | 8 | noblacklist /usr/lib/python3* |
diff --git a/etc/inc/disable-interpreters.inc b/etc/inc/disable-interpreters.inc index ca43e5ed9..4e3590fed 100644 --- a/etc/inc/disable-interpreters.inc +++ b/etc/inc/disable-interpreters.inc | |||
@@ -61,6 +61,7 @@ blacklist /usr/lib64/ruby | |||
61 | 61 | ||
62 | # Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus | 62 | # Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus |
63 | # Python 2 | 63 | # Python 2 |
64 | blacklist ${HOME}/.local/lib/python2* | ||
64 | blacklist ${PATH}/python2* | 65 | blacklist ${PATH}/python2* |
65 | blacklist /usr/include/python2* | 66 | blacklist /usr/include/python2* |
66 | blacklist /usr/lib/python2* | 67 | blacklist /usr/lib/python2* |
@@ -70,6 +71,7 @@ blacklist /usr/share/python2* | |||
70 | # You will want to add noblacklist for python3 stuff in the firefox and/or chromium profiles if you use the Gnome connector (see Issue #2026) | 71 | # You will want to add noblacklist for python3 stuff in the firefox and/or chromium profiles if you use the Gnome connector (see Issue #2026) |
71 | 72 | ||
72 | # Python 3 | 73 | # Python 3 |
74 | blacklist ${HOME}/.local/lib/python3* | ||
73 | blacklist ${PATH}/python3* | 75 | blacklist ${PATH}/python3* |
74 | blacklist /usr/include/python3* | 76 | blacklist /usr/include/python3* |
75 | blacklist /usr/lib/python3* | 77 | blacklist /usr/lib/python3* |
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile index 7d5c859e9..2f595f274 100644 --- a/etc/profile-a-l/email-common.profile +++ b/etc/profile-a-l/email-common.profile | |||
@@ -20,6 +20,9 @@ noblacklist /var/spool/mail | |||
20 | 20 | ||
21 | noblacklist ${DOCUMENTS} | 21 | noblacklist ${DOCUMENTS} |
22 | 22 | ||
23 | # Allow perl (blacklisted by disable-interpreters.inc) | ||
24 | include allow-perl.inc | ||
25 | |||
23 | include disable-common.inc | 26 | include disable-common.inc |
24 | include disable-devel.inc | 27 | include disable-devel.inc |
25 | include disable-exec.inc | 28 | include disable-exec.inc |
@@ -30,15 +33,18 @@ include disable-xdg.inc | |||
30 | mkdir ${HOME}/.gnupg | 33 | mkdir ${HOME}/.gnupg |
31 | mkfile ${HOME}/.config/mimeapps.list | 34 | mkfile ${HOME}/.config/mimeapps.list |
32 | mkfile ${HOME}/.signature | 35 | mkfile ${HOME}/.signature |
36 | whitelist ${HOME}/.bogofilter | ||
37 | whitelist ${HOME}/.bsfilter | ||
33 | whitelist ${HOME}/.config/mimeapps.list | 38 | whitelist ${HOME}/.config/mimeapps.list |
34 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | ||
35 | whitelist ${HOME}/.gnupg | 39 | whitelist ${HOME}/.gnupg |
40 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | ||
36 | whitelist ${HOME}/.signature | 41 | whitelist ${HOME}/.signature |
37 | whitelist ${DOCUMENTS} | 42 | whitelist ${DOCUMENTS} |
38 | whitelist ${DOWNLOADS} | 43 | whitelist ${DOWNLOADS} |
39 | # when storing mail outside the default ${HOME}/Mail path, 'whitelist' the custom path in your email-common.local | 44 | # when storing mail outside the default ${HOME}/Mail path, 'whitelist' the custom path in your email-common.local |
40 | whitelist ${HOME}/Mail | 45 | whitelist ${HOME}/Mail |
41 | whitelist ${RUNUSER}/gnupg | 46 | whitelist ${RUNUSER}/gnupg |
47 | whitelist /usr/share/bogofilter | ||
42 | whitelist /usr/share/gnupg | 48 | whitelist /usr/share/gnupg |
43 | whitelist /usr/share/gnupg2 | 49 | whitelist /usr/share/gnupg2 |
44 | whitelist /var/mail | 50 | whitelist /var/mail |
@@ -70,7 +76,7 @@ tracelog | |||
70 | # disable-mnt | 76 | # disable-mnt |
71 | private-cache | 77 | private-cache |
72 | private-dev | 78 | private-dev |
73 | private-etc @tls-ca,@x11,gnupg,hosts.conf,mailname,timezone | 79 | private-etc @tls-ca,@x11,bogofilter,bogofilter.cf,gnupg,hosts.conf,mailname,timezone |
74 | private-tmp | 80 | private-tmp |
75 | # encrypting and signing email | 81 | # encrypting and signing email |
76 | writable-run-user | 82 | writable-run-user |
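Review bot: `include allow-perl.inc` at new line 24 re-enables the perl interpreter for every mail client that includes this common profile, but the comment above it only restates what the line does, not which program needs it, so a later maintainer cannot tell whether the exemption is still required. Name the consumer and a reference, e.g. `# Allow perl (blacklisted by disable-interpreters.inc); needed by <program/plugin> (#issue)`, or move the include into the specific client profile that needs it so the other clients keep the interpreter restriction. Separately, `whitelist ${HOME}/.bsfilter` is added at new line 37 while bsfilter is, as far as I know, a Ruby program and ruby presumably stays blacklisted by disable-interpreters.inc (not visible here); if bsfilter is meant to run inside the sandbox that profile would also need `include allow-ruby.inc`, so it is worth confirming which case was intended.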
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile index 9dcc9dec3..85f414562 100644 --- a/etc/profile-m-z/mpv.profile +++ b/etc/profile-m-z/mpv.profile | |||
@@ -75,7 +75,7 @@ nonewprivs | |||
75 | noroot | 75 | noroot |
76 | nou2f | 76 | nou2f |
77 | protocol unix,inet,inet6,netlink | 77 | protocol unix,inet,inet6,netlink |
78 | seccomp | 78 | seccomp !set_mempolicy |
79 | seccomp.block-secondary | 79 | seccomp.block-secondary |
80 | tracelog | 80 | tracelog |
81 | 81 | ||
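Review bot: `seccomp !set_mempolicy` at new line 78 removes a syscall from the default filter without saying which component needs it, so nobody can later tell whether the exemption is still required. Put the reason and a reference next to it, e.g. `# set_mempolicy is needed by <library/feature> (#issue)`, as other exemptions in the profile set do. The loosening itself is small, since set_mempolicy only changes the NUMA memory policy of the calling process, but deny-list exemptions accumulate unless each one carries its justification.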
diff --git a/src/etc-cleanup/Makefile b/src/etc-cleanup/Makefile index 349da8821..10c28cd76 100644 --- a/src/etc-cleanup/Makefile +++ b/src/etc-cleanup/Makefile | |||
@@ -4,6 +4,6 @@ ROOT = ../.. | |||
4 | PROG = etc-cleanup | 4 | PROG = etc-cleanup |
5 | TARGET = $(PROG) | 5 | TARGET = $(PROG) |
6 | 6 | ||
7 | MOD_HDRS = ../include/etc-groups.h | 7 | MOD_HDRS = ../include/etc_groups.h |
8 | 8 | ||
9 | include $(ROOT)/src/prog.mk | 9 | include $(ROOT)/src/prog.mk |
diff --git a/src/etc-cleanup/main.c b/src/etc-cleanup/main.c index 6c7bea6d6..f15ba53cd 100644 --- a/src/etc-cleanup/main.c +++ b/src/etc-cleanup/main.c | |||
@@ -212,13 +212,16 @@ static void process_file(const char *fname) { | |||
212 | } | 212 | } |
213 | } | 213 | } |
214 | 214 | ||
215 | static const char *const usage_str = | ||
216 | "usage: cleanup-etc [options] file.profile [file.profile]\n" | ||
217 | "Group and clean private-etc entries in one or more profile files.\n" | ||
218 | "Options:\n" | ||
219 | " --debug - print debug messages\n" | ||
220 | " -h, -?, --help - this help screen\n" | ||
221 | " --replace - replace profile file\n"; | ||
222 | |||
215 | static void usage(void) { | 223 | static void usage(void) { |
216 | printf("usage: cleanup-etc [options] file.profile [file.profile]\n"); | 224 | puts(usage_str); |
217 | printf("Group and clean private-etc entries in one or more profile files.\n"); | ||
218 | printf("Options:\n"); | ||
219 | printf(" --debug - print debug messages\n"); | ||
220 | printf(" -h, -?, --help - this help screen\n"); | ||
221 | printf(" --replace - replace profile file\n"); | ||
222 | } | 225 | } |
223 | 226 | ||
224 | int main(int argc, char **argv) { | 227 | int main(int argc, char **argv) { |
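Review bot: The usage text at new line 216 still names the tool `cleanup-etc`, while the Makefile in this same change builds it as `etc-cleanup` (`PROG = etc-cleanup` in src/etc-cleanup/Makefile), so the help screen refers to a binary that does not exist; change it to `"usage: etc-cleanup [options] file.profile [file.profile]\n"`. Also, `puts(usage_str)` at new line 224 appends a newline to a string that already ends in `\n`, so the help now ends with a blank line that the six `printf` calls it replaces did not produce; use `fputs(usage_str, stdout);` if the old output is wanted, as src/fcopy/main.c does in this commit. main begins on the last line of the hunk and continues outside it.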
diff --git a/src/fbuilder/main.c b/src/fbuilder/main.c index 7fdf9af68..a85d4a931 100644 --- a/src/fbuilder/main.c +++ b/src/fbuilder/main.c | |||
@@ -21,9 +21,12 @@ | |||
21 | int arg_debug = 0; | 21 | int arg_debug = 0; |
22 | int arg_appimage = 0; | 22 | int arg_appimage = 0; |
23 | 23 | ||
24 | static const char *const usage_str = | ||
25 | "Firejail profile builder\n" | ||
26 | "Usage: firejail [--debug] --build[=profile-file] program-and-arguments\n"; | ||
27 | |||
24 | static void usage(void) { | 28 | static void usage(void) { |
25 | printf("Firejail profile builder\n"); | 29 | puts(usage_str); |
26 | printf("Usage: firejail [--debug] --build[=profile-file] program-and-arguments\n"); | ||
27 | } | 30 | } |
28 | 31 | ||
29 | int main(int argc, char **argv) { | 32 | int main(int argc, char **argv) { |
diff --git a/src/fcopy/main.c b/src/fcopy/main.c index ce2efb295..a56e8a91b 100644 --- a/src/fcopy/main.c +++ b/src/fcopy/main.c | |||
@@ -416,18 +416,19 @@ static void duplicate_link(const char *src, const char *dest, struct stat *s) { | |||
416 | free(rdest); | 416 | free(rdest); |
417 | } | 417 | } |
418 | 418 | ||
419 | static const char *const usage_str = | ||
420 | "Usage: fcopy [--follow-link] src dest\n" | ||
421 | "\n" | ||
422 | "Copy SRC to DEST/SRC. SRC may be a file, directory, or symbolic link.\n" | ||
423 | "If SRC is a directory it is copied recursively. If it is a symlink,\n" | ||
424 | "the link itself is duplicated, unless --follow-link is given,\n" | ||
425 | "in which case the destination of the link is copied.\n" | ||
426 | "DEST must already exist and must be a directory.\n"; | ||
419 | 427 | ||
420 | static void usage(void) { | 428 | static void usage(void) { |
421 | fputs("Usage: fcopy [--follow-link] src dest\n" | 429 | fputs(usage_str, stderr); |
422 | "\n" | ||
423 | "Copy SRC to DEST/SRC. SRC may be a file, directory, or symbolic link.\n" | ||
424 | "If SRC is a directory it is copied recursively. If it is a symlink,\n" | ||
425 | "the link itself is duplicated, unless --follow-link is given,\n" | ||
426 | "in which case the destination of the link is copied.\n" | ||
427 | "DEST must already exist and must be a directory.\n", stderr); | ||
428 | } | 430 | } |
429 | 431 | ||
430 | |||
431 | int main(int argc, char **argv) { | 432 | int main(int argc, char **argv) { |
432 | #if 0 | 433 | #if 0 |
433 | { | 434 | { |
diff --git a/src/fids/main.c b/src/fids/main.c index f1dfdac8e..915edb6ca 100644 --- a/src/fids/main.c +++ b/src/fids/main.c | |||
@@ -318,10 +318,11 @@ static void process_config(const char *fname) { | |||
318 | include_level--; | 318 | include_level--; |
319 | } | 319 | } |
320 | 320 | ||
321 | 321 | static const char *const usage_str = | |
322 | "Usage: fids [--help|-h|-?] --init|--check homedir\n"; | ||
322 | 323 | ||
323 | void usage(void) { | 324 | void usage(void) { |
324 | printf("Usage: fids [--help|-h|-?] --init|--check homedir\n"); | 325 | puts(usage_str); |
325 | } | 326 | } |
326 | 327 | ||
327 | int main(int argc, char **argv) { | 328 | int main(int argc, char **argv) { |
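Review bot: `void usage(void)` at new line 324 is left non-static even though the sibling helpers converted in this commit (fbuilder, fcopy, fldd, fnet, fnetfilter) declare theirs `static`, so a function with this generic name is exported from the binary for no reason; unless a header outside this hunk declares it, write `static void usage(void) {`. As elsewhere in this commit, `puts` on a `\n`-terminated string also adds a trailing blank line that the original `printf` did not emit. main begins on the last line of the hunk and continues outside it.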
diff --git a/src/firecfg/main.c b/src/firecfg/main.c index e1ff7e17a..da962c35d 100644 --- a/src/firecfg/main.c +++ b/src/firecfg/main.c | |||
@@ -24,7 +24,7 @@ int arg_debug = 0; | |||
24 | char *arg_bindir = "/usr/local/bin"; | 24 | char *arg_bindir = "/usr/local/bin"; |
25 | int arg_guide = 0; | 25 | int arg_guide = 0; |
26 | 26 | ||
27 | static char *usage_str = | 27 | static const char *const usage_str = |
28 | "Firecfg is the desktop configuration utility for Firejail software. The utility\n" | 28 | "Firecfg is the desktop configuration utility for Firejail software. The utility\n" |
29 | "creates several symbolic links to firejail executable. This allows the user to\n" | 29 | "creates several symbolic links to firejail executable. This allows the user to\n" |
30 | "sandbox applications automatically, just by clicking on a regular desktop\n" | 30 | "sandbox applications automatically, just by clicking on a regular desktop\n" |
@@ -57,14 +57,17 @@ static char *usage_str = | |||
57 | " [...]\n" | 57 | " [...]\n" |
58 | "\n" | 58 | "\n" |
59 | "License GPL version 2 or later\n" | 59 | "License GPL version 2 or later\n" |
60 | "Homepage: https://firejail.wordpress.com\n\n"; | 60 | "Homepage: https://firejail.wordpress.com\n"; |
61 | |||
62 | static void print_version(void) { | ||
63 | printf("firecfg version %s\n\n", VERSION); | ||
64 | } | ||
61 | 65 | ||
62 | static void usage(void) { | 66 | static void usage(void) { |
63 | printf("firecfg - version %s\n\n", VERSION); | 67 | print_version(); |
64 | puts(usage_str); | 68 | puts(usage_str); |
65 | } | 69 | } |
66 | 70 | ||
67 | |||
68 | static void list(void) { | 71 | static void list(void) { |
69 | DIR *dir = opendir(arg_bindir); | 72 | DIR *dir = opendir(arg_bindir); |
70 | if (!dir) { | 73 | if (!dir) { |
@@ -364,7 +367,7 @@ int main(int argc, char **argv) { | |||
364 | else if (strcmp(argv[i], "--debug") == 0) | 367 | else if (strcmp(argv[i], "--debug") == 0) |
365 | arg_debug = 1; | 368 | arg_debug = 1; |
366 | else if (strcmp(argv[i], "--version") == 0) { | 369 | else if (strcmp(argv[i], "--version") == 0) { |
367 | printf("firecfg version %s\n\n", VERSION); | 370 | print_version(); |
368 | return 0; | 371 | return 0; |
369 | } | 372 | } |
370 | else if (strcmp(argv[i], "--clean") == 0) { | 373 | else if (strcmp(argv[i], "--clean") == 0) { |
@@ -410,6 +413,7 @@ int main(int argc, char **argv) { | |||
410 | } | 413 | } |
411 | } | 414 | } |
412 | 415 | ||
416 | print_version(); | ||
413 | if (arg_debug) | 417 | if (arg_debug) |
414 | printf("%s %d %d %d %d\n", user, getuid(), getgid(), geteuid(), getegid()); | 418 | printf("%s %d %d %d %d\n", user, getuid(), getgid(), geteuid(), getegid()); |
415 | 419 | ||
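Review bot: The unconditional `print_version()` at new line 416 writes the banner and a blank line to stdout on every invocation that reaches this point, and no quiet flag is visible in this file to suppress it, so anything that scripts firecfg and parses its output now sees `firecfg version …` first. If the banner is meant to help bug reports, print it only when `arg_debug` is set, since the line that follows is already debug-only, or write it with a separate `fprintf(stderr, …)` call so that `--version` keeps its stdout output while the automatic banner stays out of pipelines. main starts outside this hunk.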
diff --git a/src/firejail/arp.c b/src/firejail/arp.c index d4288b29e..ed14eb171 100644 --- a/src/firejail/arp.c +++ b/src/firejail/arp.c | |||
@@ -197,7 +197,11 @@ int arp_check(const char *dev, uint32_t destaddr) { | |||
197 | double timeout = timerend - now; | 197 | double timeout = timerend - now; |
198 | ts.tv_sec = timeout; | 198 | ts.tv_sec = timeout; |
199 | ts.tv_usec = (timeout - ts.tv_sec) * 1000000; | 199 | ts.tv_usec = (timeout - ts.tv_sec) * 1000000; |
200 | int nready = select(maxfd + 1, &fds, (fd_set *) 0, (fd_set *) 0, &ts); | 200 | if (ts.tv_sec < 0) |
201 | ts.tv_sec = 0; | ||
202 | if (ts.tv_usec < 0) | ||
203 | ts.tv_usec = 0; | ||
204 | int nready = select(maxfd + 1, &fds, (fd_set *) 0, (fd_set *) 0, &ts); | ||
201 | if (nready < 0) | 205 | if (nready < 0) |
202 | errExit("select"); | 206 | errExit("select"); |
203 | else if (nready == 0) { // timeout | 207 | else if (nready == 0) { // timeout |
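Review bot: The two clamps at new lines 200–203 repair the symptom after the double has already been split into seconds and microseconds; the simpler fix is to clamp once before the conversion, `if (timeout < 0) timeout = 0;` placed right after `double timeout = timerend - now;`, which makes both new checks unnecessary. With the current code a timeout of, say, -0.5 gives `tv_sec` 0 (truncation toward zero) and `tv_usec` -500000, which the new check catches, but the intent is not obvious without a comment such as `// the clock may have passed timerend; select() rejects a negative timeout with EINVAL`. arp_check starts and ends outside this hunk.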
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index a39e8c667..d2289bb40 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -305,147 +305,128 @@ errout: | |||
305 | exit(1); | 305 | exit(1); |
306 | } | 306 | } |
307 | 307 | ||
308 | void print_version(void) { | 308 | static const char *const compiletime_support = |
309 | printf("firejail version %s\n", VERSION); | 309 | "Compile time support:" |
310 | printf("\n"); | 310 | "\n\t- always force nonewprivs support is " |
311 | print_compiletime_support(); | ||
312 | printf("\n"); | ||
313 | } | ||
314 | |||
315 | void print_compiletime_support(void) { | ||
316 | printf("Compile time support:\n"); | ||
317 | printf("\t- always force nonewprivs support is %s\n", | ||
318 | #ifdef HAVE_FORCE_NONEWPRIVS | 311 | #ifdef HAVE_FORCE_NONEWPRIVS |
319 | "enabled" | 312 | "enabled" |
320 | #else | 313 | #else |
321 | "disabled" | 314 | "disabled" |
322 | #endif | 315 | #endif |
323 | ); | ||
324 | 316 | ||
325 | printf("\t- AppArmor support is %s\n", | 317 | "\n\t- AppArmor support is " |
326 | #ifdef HAVE_APPARMOR | 318 | #ifdef HAVE_APPARMOR |
327 | "enabled" | 319 | "enabled" |
328 | #else | 320 | #else |
329 | "disabled" | 321 | "disabled" |
330 | #endif | 322 | #endif |
331 | ); | ||
332 | 323 | ||
333 | printf("\t- AppImage support is %s\n", | 324 | "\n\t- AppImage support is " |
334 | #ifdef LOOP_CTL_GET_FREE // test for older kernels; this definition is found in /usr/include/linux/loop.h | 325 | #ifdef LOOP_CTL_GET_FREE // test for older kernels; this definition is found in /usr/include/linux/loop.h |
335 | "enabled" | 326 | "enabled" |
336 | #else | 327 | #else |
337 | "disabled" | 328 | "disabled" |
338 | #endif | 329 | #endif |
339 | ); | ||
340 | 330 | ||
341 | printf("\t- chroot support is %s\n", | 331 | "\n\t- chroot support is " |
342 | #ifdef HAVE_CHROOT | 332 | #ifdef HAVE_CHROOT |
343 | "enabled" | 333 | "enabled" |
344 | #else | 334 | #else |
345 | "disabled" | 335 | "disabled" |
346 | #endif | 336 | #endif |
347 | ); | ||
348 | 337 | ||
349 | printf("\t- D-BUS proxy support is %s\n", | 338 | "\n\t- D-BUS proxy support is " |
350 | #ifdef HAVE_DBUSPROXY | 339 | #ifdef HAVE_DBUSPROXY |
351 | "enabled" | 340 | "enabled" |
352 | #else | 341 | #else |
353 | "disabled" | 342 | "disabled" |
354 | #endif | 343 | #endif |
355 | ); | ||
356 | 344 | ||
357 | printf("\t- file transfer support is %s\n", | 345 | "\n\t- file transfer support is " |
358 | #ifdef HAVE_FILE_TRANSFER | 346 | #ifdef HAVE_FILE_TRANSFER |
359 | "enabled" | 347 | "enabled" |
360 | #else | 348 | #else |
361 | "disabled" | 349 | "disabled" |
362 | #endif | 350 | #endif |
363 | ); | ||
364 | 351 | ||
365 | printf("\t- firetunnel support is %s\n", | 352 | "\n\t- firetunnel support is " |
366 | #ifdef HAVE_FIRETUNNEL | 353 | #ifdef HAVE_FIRETUNNEL |
367 | "enabled" | 354 | "enabled" |
368 | #else | 355 | #else |
369 | "disabled" | 356 | "disabled" |
370 | #endif | 357 | #endif |
371 | ); | ||
372 | 358 | ||
373 | printf("\t- IDS support is %s\n", | 359 | "\n\t- IDS support is " |
374 | #ifdef HAVE_IDS | 360 | #ifdef HAVE_IDS |
375 | "enabled" | 361 | "enabled" |
376 | #else | 362 | #else |
377 | "disabled" | 363 | "disabled" |
378 | #endif | 364 | #endif |
379 | ); | ||
380 | 365 | ||
381 | printf("\t- networking support is %s\n", | 366 | "\n\t- networking support is " |
382 | #ifdef HAVE_NETWORK | 367 | #ifdef HAVE_NETWORK |
383 | "enabled" | 368 | "enabled" |
384 | #else | 369 | #else |
385 | "disabled" | 370 | "disabled" |
386 | #endif | 371 | #endif |
387 | ); | ||
388 | 372 | ||
389 | printf("\t- output logging is %s\n", | 373 | "\n\t- output logging is " |
390 | #ifdef HAVE_OUTPUT | 374 | #ifdef HAVE_OUTPUT |
391 | "enabled" | 375 | "enabled" |
392 | #else | 376 | #else |
393 | "disabled" | 377 | "disabled" |
394 | #endif | 378 | #endif |
395 | ); | 379 | |
396 | printf("\t- overlayfs support is %s\n", | 380 | "\n\t- overlayfs support is " |
397 | #ifdef HAVE_OVERLAYFS | 381 | #ifdef HAVE_OVERLAYFS |
398 | "enabled" | 382 | "enabled" |
399 | #else | 383 | #else |
400 | "disabled" | 384 | "disabled" |
401 | #endif | 385 | #endif |
402 | ); | ||
403 | 386 | ||
404 | printf("\t- private-home support is %s\n", | 387 | "\n\t- private-home support is " |
405 | #ifdef HAVE_PRIVATE_HOME | 388 | #ifdef HAVE_PRIVATE_HOME |
406 | "enabled" | 389 | "enabled" |
407 | #else | 390 | #else |
408 | "disabled" | 391 | "disabled" |
409 | #endif | 392 | #endif |
410 | ); | ||
411 | 393 | ||
412 | printf("\t- private-lib support is %s\n", | 394 | "\n\t- private-lib support is " |
413 | #ifdef HAVE_PRIVATE_LIB | 395 | #ifdef HAVE_PRIVATE_LIB |
414 | "enabled" | 396 | "enabled" |
415 | #else | 397 | #else |
416 | "disabled" | 398 | "disabled" |
417 | #endif | 399 | #endif |
418 | ); | ||
419 | 400 | ||
420 | printf("\t- private-cache and tmpfs as user %s\n", | 401 | "\n\t- private-cache and tmpfs as user " |
421 | #ifdef HAVE_USERTMPFS | 402 | #ifdef HAVE_USERTMPFS |
422 | "enabled" | 403 | "enabled" |
423 | #else | 404 | #else |
424 | "disabled" | 405 | "disabled" |
425 | #endif | 406 | #endif |
426 | ); | ||
427 | 407 | ||
428 | printf("\t- SELinux support is %s\n", | 408 | "\n\t- SELinux support is " |
429 | #ifdef HAVE_SELINUX | 409 | #ifdef HAVE_SELINUX |
430 | "enabled" | 410 | "enabled" |
431 | #else | 411 | #else |
432 | "disabled" | 412 | "disabled" |
433 | #endif | 413 | #endif |
434 | ); | ||
435 | 414 | ||
436 | printf("\t- user namespace support is %s\n", | 415 | "\n\t- user namespace support is " |
437 | #ifdef HAVE_USERNS | 416 | #ifdef HAVE_USERNS |
438 | "enabled" | 417 | "enabled" |
439 | #else | 418 | #else |
440 | "disabled" | 419 | "disabled" |
441 | #endif | 420 | #endif |
442 | ); | ||
443 | 421 | ||
444 | printf("\t- X11 sandboxing support is %s\n", | 422 | "\n\t- X11 sandboxing support is " |
445 | #ifdef HAVE_X11 | 423 | #ifdef HAVE_X11 |
446 | "enabled" | 424 | "enabled" |
447 | #else | 425 | #else |
448 | "disabled" | 426 | "disabled" |
449 | #endif | 427 | #endif |
450 | ); | 428 | "\n"; |
429 | |||
430 | void print_compiletime_support(void) { | ||
431 | puts(compiletime_support); | ||
451 | } | 432 | } |
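Review bot: `puts(compiletime_support)` at new line 431 prints a string that already ends in `\n`, so the function now emits a trailing blank line; through print_version_full this reproduces what the old print_version produced with its final `printf("\n")`, but any other caller of print_compiletime_support (none visible here) gets an extra blank line it did not get before. Either use `fputs(compiletime_support, stdout);` here and let print_version_full add the separating newline, or record the intent above the function, e.g. `// Output ends with a blank line: puts() adds one after the final "\n".`. The conditional concatenation itself is fine as long as every `#ifdef` branch contributes exactly one literal, which is the case for all sixteen entries here.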
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 2cde75463..d85b470e6 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -477,6 +477,8 @@ void tree(void); | |||
477 | void top(void); | 477 | void top(void); |
478 | 478 | ||
479 | // usage.c | 479 | // usage.c |
480 | void print_version(void); | ||
481 | void print_version_full(void); | ||
480 | void usage(void); | 482 | void usage(void); |
481 | 483 | ||
482 | // process.c | 484 | // process.c |
@@ -856,7 +858,6 @@ extern char *config_seccomp_filter_add; | |||
856 | extern char **whitelist_reject_topdirs; | 858 | extern char **whitelist_reject_topdirs; |
857 | 859 | ||
858 | int checkcfg(int val); | 860 | int checkcfg(int val); |
859 | void print_version(void); | ||
860 | void print_compiletime_support(void); | 861 | void print_compiletime_support(void); |
861 | 862 | ||
862 | // appimage.c | 863 | // appimage.c |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 7e23cdc63..1835d8de2 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -369,7 +369,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
369 | exit(0); | 369 | exit(0); |
370 | } | 370 | } |
371 | else if (strcmp(argv[i], "--version") == 0) { | 371 | else if (strcmp(argv[i], "--version") == 0) { |
372 | print_version(); | 372 | print_version_full(); |
373 | exit(0); | 373 | exit(0); |
374 | } | 374 | } |
375 | #ifdef HAVE_OVERLAYFS | 375 | #ifdef HAVE_OVERLAYFS |
@@ -1128,7 +1128,7 @@ int main(int argc, char **argv, char **envp) { | |||
1128 | EUID_USER(); | 1128 | EUID_USER(); |
1129 | if (rv == 0) { | 1129 | if (rv == 0) { |
1130 | if (check_arg(argc, argv, "--version", 1)) { | 1130 | if (check_arg(argc, argv, "--version", 1)) { |
1131 | print_version(); | 1131 | print_version_full(); |
1132 | exit(0); | 1132 | exit(0); |
1133 | } | 1133 | } |
1134 | 1134 | ||
@@ -3010,6 +3010,11 @@ int main(int argc, char **argv, char **envp) { | |||
3010 | } | 3010 | } |
3011 | EUID_ASSERT(); | 3011 | EUID_ASSERT(); |
3012 | 3012 | ||
3013 | // Note: Only attempt to print non-debug information to stdout after | ||
3014 | // all profiles have been loaded (because a profile may set arg_quiet) | ||
3015 | if (!arg_quiet) | ||
3016 | print_version(); | ||
3017 | |||
3013 | // block X11 sockets | 3018 | // block X11 sockets |
3014 | if (arg_x11_block) | 3019 | if (arg_x11_block) |
3015 | x11_block(); | 3020 | x11_block(); |
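Review bot: The new banner at lines 3015–3016 goes to stdout, so under any non-quiet profile a sandboxed command whose stdout feeds another program, e.g. `firejail cat file | sort`, now receives `firejail version …` and a blank line ahead of the program's own output, and `--quiet` only helps callers who know to pass it. If this matches how the other startup messages are written (not visible here), say so in the comment; otherwise emit it with `fprintf(stderr, "firejail version %s\n\n", VERSION);` so pipelines are unaffected while `--version` keeps using print_version_full on stdout. main starts and ends outside this hunk.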
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index ce43b4832..59b74ec5c 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c | |||
@@ -132,6 +132,24 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char * | |||
132 | #ifdef SYS_umount2 | 132 | #ifdef SYS_umount2 |
133 | BLACKLIST(SYS_umount2), | 133 | BLACKLIST(SYS_umount2), |
134 | #endif | 134 | #endif |
135 | #ifdef SYS_fsopen | ||
136 | BLACKLIST(SYS_fsopen), // mount syscalls introduced 2019 | ||
137 | #endif | ||
138 | #ifdef SYS_fsconfig | ||
139 | BLACKLIST(SYS_fsconfig), | ||
140 | #endif | ||
141 | #ifdef SYS_fsmount | ||
142 | BLACKLIST(SYS_fsmount), | ||
143 | #endif | ||
144 | #ifdef SYS_move_mount | ||
145 | BLACKLIST(SYS_move_mount), | ||
146 | #endif | ||
147 | #ifdef SYS_fspick | ||
148 | BLACKLIST(SYS_fspick), | ||
149 | #endif | ||
150 | #ifdef SYS_open_tree | ||
151 | BLACKLIST(SYS_open_tree), | ||
152 | #endif | ||
135 | #ifdef SYS_ptrace | 153 | #ifdef SYS_ptrace |
136 | BLACKLIST(SYS_ptrace), // trace processes | 154 | BLACKLIST(SYS_ptrace), // trace processes |
137 | #endif | 155 | #endif |
@@ -186,6 +204,9 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char * | |||
186 | #ifdef SYS_syslog | 204 | #ifdef SYS_syslog |
187 | BLACKLIST(SYS_syslog), // kernel printk control | 205 | BLACKLIST(SYS_syslog), // kernel printk control |
188 | #endif | 206 | #endif |
207 | #ifdef SYS_personality | ||
208 | BLACKLIST(SYS_personality), // execution domain | ||
209 | #endif | ||
189 | RETURN_ALLOW | 210 | RETURN_ALLOW |
190 | }; | 211 | }; |
191 | 212 | ||
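Review bot: The new mount-API entries at lines 135–152 leave out `mount_setattr` (Linux 5.12), which belongs to the same family and can change attributes such as read-only or nosuid on an existing mount, so the gap this commit closes stays open on newer kernels; add `#ifdef SYS_mount_setattr` / `BLACKLIST(SYS_mount_setattr),` / `#endif` next to the others. The `personality` entry at line 208 deserves a reason as well, since the comment only names the syscall: `// execution domain; ADDR_NO_RANDOMIZE would also disable ASLR`. Because this filter is a deny-list, every kernel release can add reachable syscalls, so a comment noting the kernel version the list was last reviewed against would help the next maintainer. sbox_do_exec_v starts outside this hunk.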
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index b6b60d85c..e8758c807 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -19,7 +19,7 @@ | |||
19 | */ | 19 | */ |
20 | #include "firejail.h" | 20 | #include "firejail.h" |
21 | 21 | ||
22 | static char *usage_str = | 22 | static const char *const usage_str = |
23 | "Firejail is a SUID sandbox program that reduces the risk of security breaches by\n" | 23 | "Firejail is a SUID sandbox program that reduces the risk of security breaches by\n" |
24 | "restricting the running environment of untrusted applications using Linux\n" | 24 | "restricting the running environment of untrusted applications using Linux\n" |
25 | "namespaces.\n" | 25 | "namespaces.\n" |
@@ -311,11 +311,18 @@ static char *usage_str = | |||
311 | "\tlist all running sandboxes\n" | 311 | "\tlist all running sandboxes\n" |
312 | "\n" | 312 | "\n" |
313 | "License GPL version 2 or later\n" | 313 | "License GPL version 2 or later\n" |
314 | "Homepage: https://firejail.wordpress.com\n" | 314 | "Homepage: https://firejail.wordpress.com\n"; |
315 | "\n"; | ||
316 | 315 | ||
316 | void print_version(void) { | ||
317 | printf("firejail version %s\n\n", VERSION); | ||
318 | } | ||
319 | |||
320 | void print_version_full(void) { | ||
321 | print_version(); | ||
322 | print_compiletime_support(); | ||
323 | } | ||
317 | 324 | ||
318 | void usage(void) { | 325 | void usage(void) { |
319 | printf("firejail - version %s\n\n", VERSION); | 326 | print_version(); |
320 | puts(usage_str); | 327 | puts(usage_str); |
321 | } | 328 | } |
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c index d82f387ff..958fa1b03 100644 --- a/src/firemon/firemon.c +++ b/src/firemon/firemon.c | |||
@@ -145,7 +145,7 @@ int main(int argc, char **argv) { | |||
145 | return 0; | 145 | return 0; |
146 | } | 146 | } |
147 | else if (strcmp(argv[i], "--version") == 0) { | 147 | else if (strcmp(argv[i], "--version") == 0) { |
148 | printf("firemon version %s\n\n", VERSION); | 148 | print_version(); |
149 | return 0; | 149 | return 0; |
150 | } | 150 | } |
151 | else if (strcmp(argv[i], "--debug") == 0) | 151 | else if (strcmp(argv[i], "--debug") == 0) |
diff --git a/src/firemon/firemon.h b/src/firemon/firemon.h index 8b6e75fc3..be83352bb 100644 --- a/src/firemon/firemon.h +++ b/src/firemon/firemon.h | |||
@@ -49,6 +49,7 @@ void firemon_sleep(int st); | |||
49 | void procevent(pid_t pid) __attribute__((noreturn)); | 49 | void procevent(pid_t pid) __attribute__((noreturn)); |
50 | 50 | ||
51 | // usage.c | 51 | // usage.c |
52 | void print_version(void); | ||
52 | void usage(void); | 53 | void usage(void); |
53 | 54 | ||
54 | // top.c | 55 | // top.c |
diff --git a/src/firemon/usage.c b/src/firemon/usage.c index 169ec9163..afd2b552a 100644 --- a/src/firemon/usage.c +++ b/src/firemon/usage.c | |||
@@ -19,7 +19,7 @@ | |||
19 | */ | 19 | */ |
20 | #include "firemon.h" | 20 | #include "firemon.h" |
21 | 21 | ||
22 | static char *help_str = | 22 | static const char *const usage_str = |
23 | "Usage: firemon [OPTIONS] [PID]\n\n" | 23 | "Usage: firemon [OPTIONS] [PID]\n\n" |
24 | "Monitor processes started in a Firejail sandbox. Without any PID specified,\n" | 24 | "Monitor processes started in a Firejail sandbox. Without any PID specified,\n" |
25 | "all processes started by Firejail are monitored. Descendants of these processes\n" | 25 | "all processes started by Firejail are monitored. Descendants of these processes\n" |
@@ -75,10 +75,13 @@ static char *help_str = | |||
75 | "\tUser - The owner of the sandbox.\n" | 75 | "\tUser - The owner of the sandbox.\n" |
76 | "\n" | 76 | "\n" |
77 | "License GPL version 2 or later\n" | 77 | "License GPL version 2 or later\n" |
78 | "Homepage: https://firejail.wordpress.com\n" | 78 | "Homepage: https://firejail.wordpress.com\n"; |
79 | "\n"; | 79 | |
80 | void print_version(void) { | ||
81 | printf("firemon version %s\n\n", VERSION); | ||
82 | } | ||
80 | 83 | ||
81 | void usage(void) { | 84 | void usage(void) { |
82 | printf("firemon - version %s\n", VERSION); | 85 | print_version(); |
83 | puts(help_str); | 86 | puts(usage_str); |
84 | } | 87 | } |
diff --git a/src/fldd/main.c b/src/fldd/main.c index 63398ce2e..c28cad72e 100644 --- a/src/fldd/main.c +++ b/src/fldd/main.c | |||
@@ -282,12 +282,13 @@ static void walk_directory(const char *dirname) { | |||
282 | } | 282 | } |
283 | } | 283 | } |
284 | 284 | ||
285 | 285 | static const char *const usage_str = | |
286 | "Usage: fldd program_or_directory [file]\n" | ||
287 | "Print a list of libraries used by program or store it in the file.\n" | ||
288 | "Print a list of libraries used by all .so files in a directory or store it in the file.\n"; | ||
286 | 289 | ||
287 | static void usage(void) { | 290 | static void usage(void) { |
288 | printf("Usage: fldd program_or_directory [file]\n"); | 291 | puts(usage_str); |
289 | printf("Print a list of libraries used by program or store it in the file.\n"); | ||
290 | printf("Print a list of libraries used by all .so files in a directory or store it in the file.\n"); | ||
291 | } | 292 | } |
292 | 293 | ||
293 | int main(int argc, char **argv) { | 294 | int main(int argc, char **argv) { |
@@ -363,4 +364,4 @@ int main(void) { | |||
363 | printf("Sorry, private lib is disabled in this build\n"); | 364 | printf("Sorry, private lib is disabled in this build\n"); |
364 | return 0; | 365 | return 0; |
365 | } | 366 | } |
366 | #endif \ No newline at end of file | 367 | #endif |
diff --git a/src/fnet/main.c b/src/fnet/main.c index fc36ae977..d1c8170ca 100644 --- a/src/fnet/main.c +++ b/src/fnet/main.c | |||
@@ -35,19 +35,21 @@ void fmessage(char* fmt, ...) { // TODO: this function is duplicated in src/fire | |||
35 | fflush(0); | 35 | fflush(0); |
36 | } | 36 | } |
37 | 37 | ||
38 | static const char *const usage_str = | ||
39 | "Usage:\n" | ||
40 | "\tfnet create veth dev1 dev2 bridge child\n" | ||
41 | "\tfnet create macvlan dev parent child\n" | ||
42 | "\tfnet moveif dev proc\n" | ||
43 | "\tfnet printif\n" | ||
44 | "\tfnet printif scan\n" | ||
45 | "\tfnet config interface dev ip mask mtu\n" | ||
46 | "\tfnet config mac addr\n" | ||
47 | "\tfnet config ipv6 dev ip\n" | ||
48 | "\tfnet ifup dev\n" | ||
49 | "\tfnet waitll dev\n"; | ||
38 | 50 | ||
39 | static void usage(void) { | 51 | static void usage(void) { |
40 | printf("Usage:\n"); | 52 | puts(usage_str); |
41 | printf("\tfnet create veth dev1 dev2 bridge child\n"); | ||
42 | printf("\tfnet create macvlan dev parent child\n"); | ||
43 | printf("\tfnet moveif dev proc\n"); | ||
44 | printf("\tfnet printif\n"); | ||
45 | printf("\tfnet printif scan\n"); | ||
46 | printf("\tfnet config interface dev ip mask mtu\n"); | ||
47 | printf("\tfnet config mac addr\n"); | ||
48 | printf("\tfnet config ipv6 dev ip\n"); | ||
49 | printf("\tfnet ifup dev\n"); | ||
50 | printf("\tfnet waitll dev\n"); | ||
51 | } | 53 | } |
52 | 54 | ||
53 | int main(int argc, char **argv) { | 55 | int main(int argc, char **argv) { |
diff --git a/src/fnetfilter/main.c b/src/fnetfilter/main.c index 8c0f6c297..1b0335d68 100644 --- a/src/fnetfilter/main.c +++ b/src/fnetfilter/main.c | |||
@@ -45,9 +45,12 @@ static char *default_filter = | |||
45 | "-A OUTPUT -p tcp --dport 3479 -j DROP\n" | 45 | "-A OUTPUT -p tcp --dport 3479 -j DROP\n" |
46 | "COMMIT\n"; | 46 | "COMMIT\n"; |
47 | 47 | ||
48 | static const char *const usage_str = | ||
49 | "Usage:\n" | ||
50 | "\tfnetfilter netfilter-command destination-file\n"; | ||
51 | |||
48 | static void usage(void) { | 52 | static void usage(void) { |
49 | printf("Usage:\n"); | 53 | puts(usage_str); |
50 | printf("\tfnetfilter netfilter-command destination-file\n"); | ||
51 | } | 54 | } |
52 | 55 | ||
53 | static void err_exit_cannot_open_file(const char *fname) { | 56 | static void err_exit_cannot_open_file(const char *fname) { |
diff --git a/src/fnettrace-dns/main.c b/src/fnettrace-dns/main.c index 64feec5fe..1cde1942c 100644 --- a/src/fnettrace-dns/main.c +++ b/src/fnettrace-dns/main.c | |||
@@ -167,13 +167,13 @@ static void run_trace(void) { | |||
167 | 167 | ||
168 | close(s); | 168 | close(s); |
169 | } | 169 | } |
170 | 170 | static const char *const usage_str = | |
171 | "Usage: fnettrace-dns [OPTIONS]\n" | ||
172 | "Options:\n" | ||
173 | " --help, -? - this help screen\n"; | ||
171 | 174 | ||
172 | static void usage(void) { | 175 | static void usage(void) { |
173 | printf("Usage: fnettrace-dns [OPTIONS]\n"); | 176 | puts(usage_str); |
174 | printf("Options:\n"); | ||
175 | printf(" --help, -? - this help screen\n"); | ||
176 | printf("\n"); | ||
177 | } | 177 | } |
178 | 178 | ||
179 | int main(int argc, char **argv) { | 179 | int main(int argc, char **argv) { |
diff --git a/src/fnettrace-icmp/main.c b/src/fnettrace-icmp/main.c index 714917547..516a9fc5b 100644 --- a/src/fnettrace-icmp/main.c +++ b/src/fnettrace-icmp/main.c | |||
@@ -201,11 +201,13 @@ static void run_trace(void) { | |||
201 | close(s); | 201 | close(s); |
202 | } | 202 | } |
203 | 203 | ||
204 | static const char *const usage_str = | ||
205 | "Usage: fnettrace-icmp [OPTIONS]\n" | ||
206 | "Options:\n" | ||
207 | " --help, -? - this help screen\n"; | ||
208 | |||
204 | static void usage(void) { | 209 | static void usage(void) { |
205 | printf("Usage: fnettrace-icmp [OPTIONS]\n"); | 210 | puts(usage_str); |
206 | printf("Options:\n"); | ||
207 | printf(" --help, -? - this help screen\n"); | ||
208 | printf("\n"); | ||
209 | } | 211 | } |
210 | 212 | ||
211 | int main(int argc, char **argv) { | 213 | int main(int argc, char **argv) { |
diff --git a/src/fnettrace-sni/main.c b/src/fnettrace-sni/main.c index b8490b4f7..e7782d656 100644 --- a/src/fnettrace-sni/main.c +++ b/src/fnettrace-sni/main.c | |||
@@ -204,12 +204,13 @@ static void run_trace(void) { | |||
204 | close(s); | 204 | close(s); |
205 | } | 205 | } |
206 | 206 | ||
207 | static const char *const usage_str = | ||
208 | "Usage: fnettrace-sni [OPTIONS]\n" | ||
209 | "Options:\n" | ||
210 | " --help, -? - this help screen\n"; | ||
207 | 211 | ||
208 | static void usage(void) { | 212 | static void usage(void) { |
209 | printf("Usage: fnettrace-sni [OPTIONS]\n"); | 213 | puts(usage_str); |
210 | printf("Options:\n"); | ||
211 | printf(" --help, -? - this help screen\n"); | ||
212 | printf("\n"); | ||
213 | } | 214 | } |
214 | 215 | ||
215 | int main(int argc, char **argv) { | 216 | int main(int argc, char **argv) { |
diff --git a/src/fnettrace/main.c b/src/fnettrace/main.c index 2f421562e..178ac3631 100644 --- a/src/fnettrace/main.c +++ b/src/fnettrace/main.c | |||
@@ -668,18 +668,20 @@ void logprintf(char *fmt, ...) { | |||
668 | va_end(args); | 668 | va_end(args); |
669 | } | 669 | } |
670 | 670 | ||
671 | static const char *const usage_str = | ||
672 | "Usage: fnettrace [OPTIONS]\n" | ||
673 | "Options:\n" | ||
674 | " --help, -? - this help screen\n" | ||
675 | " --log=filename - netlocker logfile\n" | ||
676 | " --netfilter - build the firewall rules and commit them.\n" | ||
677 | " --tail - \"tail -f\" functionality\n" | ||
678 | "Examples:\n" | ||
679 | " # fnettrace - traffic trace\n" | ||
680 | " # fnettrace --netfilter --log=logfile - netlocker, dump output in logfile\n" | ||
681 | " # fnettrace --tail --log=logifile - similar to \"tail -f logfile\"\n"; | ||
682 | |||
671 | static void usage(void) { | 683 | static void usage(void) { |
672 | printf("Usage: fnettrace [OPTIONS]\n"); | 684 | puts(usage_str); |
673 | printf("Options:\n"); | ||
674 | printf(" --help, -? - this help screen\n"); | ||
675 | printf(" --log=filename - netlocker logfile\n"); | ||
676 | printf(" --netfilter - build the firewall rules and commit them.\n"); | ||
677 | printf(" --tail - \"tail -f\" functionality\n"); | ||
678 | printf("Examples:\n"); | ||
679 | printf(" # fnettrace - traffic trace\n"); | ||
680 | printf(" # fnettrace --netfilter --log=logfile - netlocker, dump output in logfile\n"); | ||
681 | printf(" # fnettrace --tail --log=logifile - similar to \"tail -f logfile\"\n"); | ||
682 | printf("\n"); | ||
683 | } | 685 | } |
684 | 686 | ||
685 | int main(int argc, char **argv) { | 687 | int main(int argc, char **argv) { |
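Review bot: The new usage_str carries over the typo "logifile" in the last example line, so the help text still disagrees with the "logfile" used in the description that follows it on the same line. Suggested line: `" # fnettrace --tail --log=logfile - similar to \"tail -f logfile\"\n";`. Since this is a fresh constant, this is the natural place to fix it.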
diff --git a/src/fsec-optimize/main.c b/src/fsec-optimize/main.c index 0bc521c0d..38ba7c697 100644 --- a/src/fsec-optimize/main.c +++ b/src/fsec-optimize/main.c | |||
@@ -22,9 +22,12 @@ | |||
22 | 22 | ||
23 | int arg_seccomp_error_action = SECCOMP_RET_ERRNO | EPERM; // error action: errno, log or kill | 23 | int arg_seccomp_error_action = SECCOMP_RET_ERRNO | EPERM; // error action: errno, log or kill |
24 | 24 | ||
25 | static const char *const usage_str = | ||
26 | "Usage:\n" | ||
27 | "\tfsec-optimize file - optimize seccomp filter\n"; | ||
28 | |||
25 | static void usage(void) { | 29 | static void usage(void) { |
26 | printf("Usage:\n"); | 30 | puts(usage_str); |
27 | printf("\tfsec-optimize file - optimize seccomp filter\n"); | ||
28 | } | 31 | } |
29 | 32 | ||
30 | int main(int argc, char **argv) { | 33 | int main(int argc, char **argv) { |
diff --git a/src/fsec-print/main.c b/src/fsec-print/main.c index 696c6bc0c..4d3e38648 100644 --- a/src/fsec-print/main.c +++ b/src/fsec-print/main.c | |||
@@ -19,9 +19,12 @@ | |||
19 | */ | 19 | */ |
20 | #include "fsec_print.h" | 20 | #include "fsec_print.h" |
21 | 21 | ||
22 | static const char *const usage_str = | ||
23 | "Usage:\n" | ||
24 | "\tfsec-print file - disassemble seccomp filter\n"; | ||
25 | |||
22 | static void usage(void) { | 26 | static void usage(void) { |
23 | printf("Usage:\n"); | 27 | puts(usage_str); |
24 | printf("\tfsec-print file - disassemble seccomp filter\n"); | ||
25 | } | 28 | } |
26 | 29 | ||
27 | int arg_quiet = 0; | 30 | int arg_quiet = 0; |
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c index 0b46daf65..e7823d3c5 100644 --- a/src/fseccomp/main.c +++ b/src/fseccomp/main.c | |||
@@ -22,34 +22,37 @@ | |||
22 | int arg_quiet = 0; | 22 | int arg_quiet = 0; |
23 | int arg_seccomp_error_action = SECCOMP_RET_ERRNO | EPERM; // error action: errno, log or kill | 23 | int arg_seccomp_error_action = SECCOMP_RET_ERRNO | EPERM; // error action: errno, log or kill |
24 | 24 | ||
25 | static const char *const usage_str = | ||
26 | "Usage:\n" | ||
27 | "\tfseccomp debug-syscalls\n" | ||
28 | "\tfseccomp debug-syscalls32\n" | ||
29 | "\tfseccomp debug-errnos\n" | ||
30 | "\tfseccomp debug-protocols\n" | ||
31 | "\tfseccomp protocol build list file\n" | ||
32 | "\tfseccomp secondary 64 file\n" | ||
33 | "\tfseccomp secondary 32 file\n" | ||
34 | "\tfseccomp secondary block file\n" | ||
35 | "\tfseccomp default file\n" | ||
36 | "\tfseccomp default file allow-debuggers\n" | ||
37 | "\tfseccomp default32 file\n" | ||
38 | "\tfseccomp default32 file allow-debuggers\n" | ||
39 | "\tfseccomp drop file1 file2 list\n" | ||
40 | "\tfseccomp drop file1 file2 list allow-debuggers\n" | ||
41 | "\tfseccomp drop32 file1 file2 list\n" | ||
42 | "\tfseccomp drop32 file1 file2 list allow-debuggers\n" | ||
43 | "\tfseccomp default drop file1 file2 list\n" | ||
44 | "\tfseccomp default drop file1 file2 list allow-debuggers\n" | ||
45 | "\tfseccomp default32 drop file1 file2 list\n" | ||
46 | "\tfseccomp default32 drop file1 file2 list allow-debuggers\n" | ||
47 | "\tfseccomp keep file1 file2 list\n" | ||
48 | "\tfseccomp keep32 file1 file2 list\n" | ||
49 | "\tfseccomp memory-deny-write-execute file\n" | ||
50 | "\tfseccomp memory-deny-write-execute.32 file\n" | ||
51 | "\tfseccomp restrict-namespaces file list\n" | ||
52 | "\tfseccomp restrict-namespaces.32 file list\n"; | ||
53 | |||
25 | static void usage(void) { | 54 | static void usage(void) { |
26 | printf("Usage:\n" | 55 | puts(usage_str); |
27 | "\tfseccomp debug-syscalls\n" | ||
28 | "\tfseccomp debug-syscalls32\n" | ||
29 | "\tfseccomp debug-errnos\n" | ||
30 | "\tfseccomp debug-protocols\n" | ||
31 | "\tfseccomp protocol build list file\n" | ||
32 | "\tfseccomp secondary 64 file\n" | ||
33 | "\tfseccomp secondary 32 file\n" | ||
34 | "\tfseccomp secondary block file\n" | ||
35 | "\tfseccomp default file\n" | ||
36 | "\tfseccomp default file allow-debuggers\n" | ||
37 | "\tfseccomp default32 file\n" | ||
38 | "\tfseccomp default32 file allow-debuggers\n" | ||
39 | "\tfseccomp drop file1 file2 list\n" | ||
40 | "\tfseccomp drop file1 file2 list allow-debuggers\n" | ||
41 | "\tfseccomp drop32 file1 file2 list\n" | ||
42 | "\tfseccomp drop32 file1 file2 list allow-debuggers\n" | ||
43 | "\tfseccomp default drop file1 file2 list\n" | ||
44 | "\tfseccomp default drop file1 file2 list allow-debuggers\n" | ||
45 | "\tfseccomp default32 drop file1 file2 list\n" | ||
46 | "\tfseccomp default32 drop file1 file2 list allow-debuggers\n" | ||
47 | "\tfseccomp keep file1 file2 list\n" | ||
48 | "\tfseccomp keep32 file1 file2 list\n" | ||
49 | "\tfseccomp memory-deny-write-execute file\n" | ||
50 | "\tfseccomp memory-deny-write-execute.32 file\n" | ||
51 | "\tfseccomp restrict-namespaces file list\n" | ||
52 | "\tfseccomp restrict-namespaces.32 file list\n"); | ||
53 | } | 56 | } |
54 | 57 | ||
55 | int main(int argc, char **argv) { | 58 | int main(int argc, char **argv) { |
diff --git a/src/ftee/main.c b/src/ftee/main.c index 0a492b41e..a34a76b26 100644 --- a/src/ftee/main.c +++ b/src/ftee/main.c | |||
@@ -180,8 +180,11 @@ static int is_link(const char *fname) { | |||
180 | return 0; | 180 | return 0; |
181 | } | 181 | } |
182 | 182 | ||
183 | static const char *const usage_str = | ||
184 | "Usage: ftee filename\n"; | ||
185 | |||
183 | static void usage(void) { | 186 | static void usage(void) { |
184 | printf("Usage: ftee filename\n"); | 187 | puts(usage_str); |
185 | } | 188 | } |
186 | 189 | ||
187 | int main(int argc, char **argv) { | 190 | int main(int argc, char **argv) { |
diff --git a/src/jailcheck/main.c b/src/jailcheck/main.c index 8e0aaa860..27da309ea 100644 --- a/src/jailcheck/main.c +++ b/src/jailcheck/main.c | |||
@@ -29,16 +29,19 @@ char *user_home_dir = NULL; | |||
29 | char *user_run_dir = NULL; | 29 | char *user_run_dir = NULL; |
30 | int arg_debug = 0; | 30 | int arg_debug = 0; |
31 | 31 | ||
32 | static char *usage_str = | 32 | static const char *const usage_str = |
33 | "Usage: jailcheck [options] directory [directory]\n\n" | 33 | "Usage: jailcheck [options] directory [directory]\n\n" |
34 | "Options:\n" | 34 | "Options:\n" |
35 | " --debug - print debug messages.\n" | 35 | " --debug - print debug messages.\n" |
36 | " --help, -? - this help screen.\n" | 36 | " --help, -? - this help screen.\n" |
37 | " --version - print program version and exit.\n"; | 37 | " --version - print program version and exit.\n"; |
38 | 38 | ||
39 | static void print_version(void) { | ||
40 | printf("jailcheck version %s\n\n", VERSION); | ||
41 | } | ||
39 | 42 | ||
40 | static void usage(void) { | 43 | static void usage(void) { |
41 | printf("firetest - version %s\n\n", VERSION); | 44 | print_version(); |
42 | puts(usage_str); | 45 | puts(usage_str); |
43 | } | 46 | } |
44 | 47 | ||
@@ -62,7 +65,7 @@ int main(int argc, char **argv) { | |||
62 | return 0; | 65 | return 0; |
63 | } | 66 | } |
64 | else if (strcmp(argv[i], "--version") == 0) { | 67 | else if (strcmp(argv[i], "--version") == 0) { |
65 | printf("firetest version %s\n\n", VERSION); | 68 | print_version(); |
66 | return 0; | 69 | return 0; |
67 | } | 70 | } |
68 | else if (strncmp(argv[i], "--hello=", 8) == 0) { // used by noexec test | 71 | else if (strncmp(argv[i], "--hello=", 8) == 0) { // used by noexec test |
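Review bot: The new print_version() ends its output with "\n\n", so `jailcheck --version` now prints a trailing blank line, which is unusual for a version string that scripts may capture. The blank line is only needed by usage() to separate the version from the help text, so consider `printf("jailcheck version %s\n", VERSION);` in print_version() and an extra `putchar('\n');` in usage() before `puts(usage_str)`. The behaviour is inherited from the old printf() calls, so this is a polish point rather than a regression; the enclosing main() continues outside the hunk.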
diff --git a/src/profstats/main.c b/src/profstats/main.c index d5e57e7cc..49ed1637a 100644 --- a/src/profstats/main.c +++ b/src/profstats/main.c | |||
@@ -74,32 +74,34 @@ static int arg_restrict_namespaces = 0; | |||
74 | 74 | ||
75 | static char *profile = NULL; | 75 | static char *profile = NULL; |
76 | 76 | ||
77 | static const char *const usage_str = | ||
78 | "profstats - print profile statistics\n" | ||
79 | "Usage: profstats [options] file[s]\n" | ||
80 | "Options:\n" | ||
81 | " --apparmor - print profiles without apparmor\n" | ||
82 | " --caps - print profiles without caps\n" | ||
83 | " --dbus-system-none - print profiles without \"dbus-system none\"\n" | ||
84 | " --dbus-user-none - print profiles without \"dbus-user none\"\n" | ||
85 | " --ssh - print profiles without \"include disable-common.inc\"\n" | ||
86 | " --noexec - print profiles without \"include disable-exec.inc\"\n" | ||
87 | " --noroot - print profiles without \"noroot\"\n" | ||
88 | " --private-bin - print profiles without private-bin\n" | ||
89 | " --private-dev - print profiles without private-dev\n" | ||
90 | " --private-etc - print profiles without private-etc\n" | ||
91 | " --private-tmp - print profiles without private-tmp\n" | ||
92 | " --print-blacklist - print all --blacklist for a profile\n" | ||
93 | " --print-whitelist - print all --private and --whitelist for a profile\n" | ||
94 | " --seccomp - print profiles without seccomp\n" | ||
95 | " --memory-deny-write-execute - print profiles without \"memory-deny-write-execute\"\n" | ||
96 | " --restrict-namespaces - print profiles without \"restrict-namespaces\"\n" | ||
97 | " --whitelist-home - print profiles whitelisting home directory\n" | ||
98 | " --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n" | ||
99 | " --whitelist-runuser - print profiles without \"include whitelist-runuser-common.inc\" or \"blacklist ${RUNUSER}\"\n" | ||
100 | " --whitelist-usrshare - print profiles without \"include whitelist-usr-share-common.inc\"\n" | ||
101 | " --debug\n"; | ||
102 | |||
77 | static void usage(void) { | 103 | static void usage(void) { |
78 | printf("profstats - print profile statistics\n"); | 104 | puts(usage_str); |
79 | printf("Usage: profstats [options] file[s]\n"); | ||
80 | printf("Options:\n"); | ||
81 | printf(" --apparmor - print profiles without apparmor\n"); | ||
82 | printf(" --caps - print profiles without caps\n"); | ||
83 | printf(" --dbus-system-none - print profiles without \"dbus-system none\"\n"); | ||
84 | printf(" --dbus-user-none - print profiles without \"dbus-user none\"\n"); | ||
85 | printf(" --ssh - print profiles without \"include disable-common.inc\"\n"); | ||
86 | printf(" --noexec - print profiles without \"include disable-exec.inc\"\n"); | ||
87 | printf(" --noroot - print profiles without \"noroot\"\n"); | ||
88 | printf(" --private-bin - print profiles without private-bin\n"); | ||
89 | printf(" --private-dev - print profiles without private-dev\n"); | ||
90 | printf(" --private-etc - print profiles without private-etc\n"); | ||
91 | printf(" --private-tmp - print profiles without private-tmp\n"); | ||
92 | printf(" --print-blacklist - print all --blacklist for a profile\n"); | ||
93 | printf(" --print-whitelist - print all --private and --whitelist for a profile\n"); | ||
94 | printf(" --seccomp - print profiles without seccomp\n"); | ||
95 | printf(" --memory-deny-write-execute - print profiles without \"memory-deny-write-execute\"\n"); | ||
96 | printf(" --restrict-namespaces - print profiles without \"restrict-namespaces\"\n"); | ||
97 | printf(" --whitelist-home - print profiles whitelisting home directory\n"); | ||
98 | printf(" --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n"); | ||
99 | printf(" --whitelist-runuser - print profiles without \"include whitelist-runuser-common.inc\" or \"blacklist ${RUNUSER}\"\n"); | ||
100 | printf(" --whitelist-usrshare - print profiles without \"include whitelist-usr-share-common.inc\"\n"); | ||
101 | printf(" --debug\n"); | ||
102 | printf("\n"); | ||
103 | } | 105 | } |
104 | 106 | ||
105 | static void process_file(char *fname) { | 107 | static void process_file(char *fname) { |
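Review bot: In the new usage_str the `--debug` entry is the only option without a description, so it reads as unfinished next to the ` - ...` form used by every other line. Since the commit turns the help text into a single constant, it is a good moment to give it the same shape, e.g. `" --debug - <what the option does>\n";` filled in by the author; I cannot tell from this hunk what --debug enables.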
diff --git a/test/chroot/fs_chroot.exp b/test/chroot/fs_chroot.exp index eb1349112..8bdaa507c 100755 --- a/test/chroot/fs_chroot.exp +++ b/test/chroot/fs_chroot.exp | |||
@@ -60,11 +60,12 @@ expect { | |||
60 | timeout {puts "TESTING ERROR 8\n";exit} | 60 | timeout {puts "TESTING ERROR 8\n";exit} |
61 | "No such file or directory" | 61 | "No such file or directory" |
62 | } | 62 | } |
63 | after 100 | 63 | # FIXME: Sometimes ping works normally |
64 | send -- "/bin/ping 1.1.1.1\r" | 64 | #after 100 |
65 | expect { | 65 | #send -- "/bin/ping 1.1.1.1\r" |
66 | timeout {puts "TESTING ERROR 9\n";exit} | 66 | #expect { |
67 | "Operation not permitted" | 67 | # timeout {puts "TESTING ERROR 9\n";exit} |
68 | } | 68 | # "Operation not permitted" |
69 | #} | ||
69 | 70 | ||
70 | puts "all done\n" | 71 | puts "all done\n" |