39 files changed, 383 insertions, 230 deletions
@@ -1,12 +1,12 @@ | |||
1 | GNU GENERAL PUBLIC LICENSE | 1 | GNU GENERAL PUBLIC LICENSE |
2 | Version 2, June 1991 | 2 | Version 2, June 1991 |
3 | 3 | ||
4 | Copyright (C) 1989, 1991 Free Software Foundation, Inc. | 4 | Copyright (C) 1989, 1991 Free Software Foundation, Inc., |
5 | 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA | 5 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA |
6 | Everyone is permitted to copy and distribute verbatim copies | 6 | Everyone is permitted to copy and distribute verbatim copies |
7 | of this license document, but changing it is not allowed. | 7 | of this license document, but changing it is not allowed. |
8 | 8 | ||
9 | Preamble | 9 | Preamble |
10 | 10 | ||
11 | The licenses for most software are designed to take away your | 11 | The licenses for most software are designed to take away your |
12 | freedom to share and change it. By contrast, the GNU General Public | 12 | freedom to share and change it. By contrast, the GNU General Public |
@@ -15,7 +15,7 @@ software--to make sure the software is free for all its users. This | |||
15 | General Public License applies to most of the Free Software | 15 | General Public License applies to most of the Free Software |
16 | Foundation's software and to any other program whose authors commit to | 16 | Foundation's software and to any other program whose authors commit to |
17 | using it. (Some other Free Software Foundation software is covered by | 17 | using it. (Some other Free Software Foundation software is covered by |
18 | the GNU Library General Public License instead.) You can apply it to | 18 | the GNU Lesser General Public License instead.) You can apply it to |
19 | your programs, too. | 19 | your programs, too. |
20 | 20 | ||
21 | When we speak of free software, we are referring to freedom, not | 21 | When we speak of free software, we are referring to freedom, not |
@@ -55,8 +55,8 @@ patent must be licensed for everyone's free use or not licensed at all. | |||
55 | 55 | ||
56 | The precise terms and conditions for copying, distribution and | 56 | The precise terms and conditions for copying, distribution and |
57 | modification follow. | 57 | modification follow. |
58 | 58 | ||
59 | GNU GENERAL PUBLIC LICENSE | 59 | GNU GENERAL PUBLIC LICENSE |
60 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION | 60 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION |
61 | 61 | ||
62 | 0. This License applies to any program or other work which contains | 62 | 0. This License applies to any program or other work which contains |
@@ -110,7 +110,7 @@ above, provided that you also meet all of these conditions: | |||
110 | License. (Exception: if the Program itself is interactive but | 110 | License. (Exception: if the Program itself is interactive but |
111 | does not normally print such an announcement, your work based on | 111 | does not normally print such an announcement, your work based on |
112 | the Program is not required to print an announcement.) | 112 | the Program is not required to print an announcement.) |
113 | 113 | ||
114 | These requirements apply to the modified work as a whole. If | 114 | These requirements apply to the modified work as a whole. If |
115 | identifiable sections of that work are not derived from the Program, | 115 | identifiable sections of that work are not derived from the Program, |
116 | and can be reasonably considered independent and separate works in | 116 | and can be reasonably considered independent and separate works in |
@@ -168,7 +168,7 @@ access to copy from a designated place, then offering equivalent | |||
168 | access to copy the source code from the same place counts as | 168 | access to copy the source code from the same place counts as |
169 | distribution of the source code, even though third parties are not | 169 | distribution of the source code, even though third parties are not |
170 | compelled to copy the source along with the object code. | 170 | compelled to copy the source along with the object code. |
171 | 171 | ||
172 | 4. You may not copy, modify, sublicense, or distribute the Program | 172 | 4. You may not copy, modify, sublicense, or distribute the Program |
173 | except as expressly provided under this License. Any attempt | 173 | except as expressly provided under this License. Any attempt |
174 | otherwise to copy, modify, sublicense or distribute the Program is | 174 | otherwise to copy, modify, sublicense or distribute the Program is |
@@ -225,7 +225,7 @@ impose that choice. | |||
225 | 225 | ||
226 | This section is intended to make thoroughly clear what is believed to | 226 | This section is intended to make thoroughly clear what is believed to |
227 | be a consequence of the rest of this License. | 227 | be a consequence of the rest of this License. |
228 | 228 | ||
229 | 8. If the distribution and/or use of the Program is restricted in | 229 | 8. If the distribution and/or use of the Program is restricted in |
230 | certain countries either by patents or by copyrighted interfaces, the | 230 | certain countries either by patents or by copyrighted interfaces, the |
231 | original copyright holder who places the Program under this License | 231 | original copyright holder who places the Program under this License |
@@ -255,7 +255,7 @@ make exceptions for this. Our decision will be guided by the two goals | |||
255 | of preserving the free status of all derivatives of our free software and | 255 | of preserving the free status of all derivatives of our free software and |
256 | of promoting the sharing and reuse of software generally. | 256 | of promoting the sharing and reuse of software generally. |
257 | 257 | ||
258 | NO WARRANTY | 258 | NO WARRANTY |
259 | 259 | ||
260 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY | 260 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY |
261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN | 261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN |
@@ -277,4 +277,63 @@ YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER | |||
277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE | 277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE |
278 | POSSIBILITY OF SUCH DAMAGES. | 278 | POSSIBILITY OF SUCH DAMAGES. |
279 | 279 | ||
280 | END OF TERMS AND CONDITIONS | 280 | END OF TERMS AND CONDITIONS |
281 | |||
282 | How to Apply These Terms to Your New Programs | ||
283 | |||
284 | If you develop a new program, and you want it to be of the greatest | ||
285 | possible use to the public, the best way to achieve this is to make it | ||
286 | free software which everyone can redistribute and change under these terms. | ||
287 | |||
288 | To do so, attach the following notices to the program. It is safest | ||
289 | to attach them to the start of each source file to most effectively | ||
290 | convey the exclusion of warranty; and each file should have at least | ||
291 | the "copyright" line and a pointer to where the full notice is found. | ||
292 | |||
293 | <one line to give the program's name and a brief idea of what it does.> | ||
294 | Copyright (C) <year> <name of author> | ||
295 | |||
296 | This program is free software; you can redistribute it and/or modify | ||
297 | it under the terms of the GNU General Public License as published by | ||
298 | the Free Software Foundation; either version 2 of the License, or | ||
299 | (at your option) any later version. | ||
300 | |||
301 | This program is distributed in the hope that it will be useful, | ||
302 | but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
303 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
304 | GNU General Public License for more details. | ||
305 | |||
306 | You should have received a copy of the GNU General Public License along | ||
307 | with this program; if not, write to the Free Software Foundation, Inc., | ||
308 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
309 | |||
310 | Also add information on how to contact you by electronic and paper mail. | ||
311 | |||
312 | If the program is interactive, make it output a short notice like this | ||
313 | when it starts in an interactive mode: | ||
314 | |||
315 | Gnomovision version 69, Copyright (C) year name of author | ||
316 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. | ||
317 | This is free software, and you are welcome to redistribute it | ||
318 | under certain conditions; type `show c' for details. | ||
319 | |||
320 | The hypothetical commands `show w' and `show c' should show the appropriate | ||
321 | parts of the General Public License. Of course, the commands you use may | ||
322 | be called something other than `show w' and `show c'; they could even be | ||
323 | mouse-clicks or menu items--whatever suits your program. | ||
324 | |||
325 | You should also get your employer (if you work as a programmer) or your | ||
326 | school, if any, to sign a "copyright disclaimer" for the program, if | ||
327 | necessary. Here is a sample; alter the names: | ||
328 | |||
329 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program | ||
330 | `Gnomovision' (which makes passes at compilers) written by James Hacker. | ||
331 | |||
332 | <signature of Ty Coon>, 1 April 1989 | ||
333 | Ty Coon, President of Vice | ||
334 | |||
335 | This General Public License does not permit incorporating your program into | ||
336 | proprietary programs. If your program is a subroutine library, you may | ||
337 | consider it more useful to permit linking proprietary applications with the | ||
338 | library. If this is what you want to do, use the GNU Lesser General | ||
339 | Public License instead of this License. | ||
diff --git a/SECURITY.md b/SECURITY.md index 7ec2940f6..ef9b9b5fb 100644 --- a/SECURITY.md +++ b/SECURITY.md | |||
@@ -2,24 +2,24 @@ | |||
2 | 2 | ||
3 | ## Supported Versions | 3 | ## Supported Versions |
4 | 4 | ||
5 | | Version | Supported by us | EOL | Supported by distribution | | 5 | | Version | Supported by us | EOL | Supported by distribution | |
6 | | ------- | ------------------ | ---- | ------------------------- | | 6 | | ------- | ------------------ | ------------------ | --------------------------------------------------------------------------------- | |
7 | | 0.9.66 | :heavy_check_mark: | | | | 7 | | 0.9.66 | :heavy_check_mark: | | :white_check_mark: Debian 11 **backports**, Debian 12 (testing/unstable) | |
8 | | 0.9.64 | :x: | | :white_check_mark: Debian 10 **backports**, Debian 11 **backports**, Debian 12 (testing/unstable) | | 8 | | 0.9.64 | :x: | | :white_check_mark: Debian 10 **backports**, Debian 11, Ubuntu 21.04, Ubuntu 21.10 | |
9 | | 0.9.62 | :x: | | :white_check_mark: Ubuntu 20.04 LTS, Ubuntu 20.10 | | 9 | | 0.9.62 | :x: | | :white_check_mark: Ubuntu 20.04 LTS, Ubuntu 20.10 | |
10 | | 0.9.60 | :x: | 29 Dec 2019 | | | 10 | | 0.9.60 | :x: | 29 Dec 2019 | | |
11 | | 0.9.58 | :x: | | :white_check_mark: Debian 9 **backports**, Debian 10 | | 11 | | 0.9.58 | :x: | | :white_check_mark: Debian 9 **backports**, Debian 10 | |
12 | | 0.9.56 | :x: | 27 Jan 2019 | | | 12 | | 0.9.56 | :x: | 27 Jan 2019 | | |
13 | | 0.9.54 | :x: | 18 Sep 2018 | | | 13 | | 0.9.54 | :x: | 18 Sep 2018 | | |
14 | | 0.9.52 | :x: | | :white_check_mark: Ubuntu 18.04 LTS | | 14 | | 0.9.52 | :x: | | :white_check_mark: Ubuntu 18.04 LTS | |
15 | | 0.9.50 | :x: | 12 Dec 2017 | | | 15 | | 0.9.50 | :x: | 12 Dec 2017 | | |
16 | | 0.9.48 | :x: | 09 Sep 2017 | | | 16 | | 0.9.48 | :x: | 09 Sep 2017 | | |
17 | | 0.9.46 | :x: | 12 Jun 2017 | | | 17 | | 0.9.46 | :x: | 12 Jun 2017 | | |
18 | | 0.9.44 | :x: | | :white_check_mark: Debian 9 | | 18 | | 0.9.44 | :x: | | :white_check_mark: Debian 9 | |
19 | | 0.9.42 | :x: | 22 Oct 2016 | | | 19 | | 0.9.42 | :x: | 22 Oct 2016 | | |
20 | | 0.9.40 | :x: | 09 Sep 2016 | | | 20 | | 0.9.40 | :x: | 09 Sep 2016 | | |
21 | | 0.9.38 | :x: | | :white_check_mark: Ubuntu 16.04 LTS | | 21 | | 0.9.38 | :x: | | :white_check_mark: Ubuntu 16.04 LTS | |
22 | | <0.9.38 | :x: | Before 05 Feb 2016 | | | 22 | | <0.9.38 | :x: | Before 05 Feb 2016 | | |
23 | 23 | ||
24 | ## Security vulnerabilities | 24 | ## Security vulnerabilities |
25 | 25 | ||
@@ -3549,7 +3549,7 @@ if test "x$enable_dbusproxy" != "xno"; then : | |||
3549 | 3549 | ||
3550 | fi | 3550 | fi |
3551 | 3551 | ||
3552 | # overlayfs features temporarely disabled pending fixes | 3552 | # overlayfs features temporarily disabled pending fixes |
3553 | HAVE_OVERLAYFS="" | 3553 | HAVE_OVERLAYFS="" |
3554 | 3554 | ||
3555 | # | 3555 | # |
diff --git a/configure.ac b/configure.ac index 7879a5239..5fde6d402 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -76,7 +76,7 @@ AS_IF([test "x$enable_dbusproxy" != "xno"], [ | |||
76 | AC_SUBST(HAVE_DBUSPROXY) | 76 | AC_SUBST(HAVE_DBUSPROXY) |
77 | ]) | 77 | ]) |
78 | 78 | ||
79 | # overlayfs features temporarely disabled pending fixes | 79 | # overlayfs features temporarily disabled pending fixes |
80 | HAVE_OVERLAYFS="" | 80 | HAVE_OVERLAYFS="" |
81 | AC_SUBST(HAVE_OVERLAYFS) | 81 | AC_SUBST(HAVE_OVERLAYFS) |
82 | # | 82 | # |
diff --git a/contrib/fix_private-bin.py b/contrib/fix_private-bin.py index 12b596749..961646aa4 100755 --- a/contrib/fix_private-bin.py +++ b/contrib/fix_private-bin.py | |||
@@ -164,7 +164,7 @@ def printHelp(): | |||
164 | 164 | ||
165 | 165 | ||
166 | def main() -> None: | 166 | def main() -> None: |
167 | """The main function. Parses the commandline args, shows messages and calles the function actually doing the work.""" | 167 | """The main function. Parses the commandline args, shows messages and calls the function actually doing the work.""" |
168 | if len(sys.argv) > 2 or (len(sys.argv) == 2 and | 168 | if len(sys.argv) > 2 or (len(sys.argv) == 2 and |
169 | (sys.argv[1] == "-h" or sys.argv[1] == "--help")): | 169 | (sys.argv[1] == "-h" or sys.argv[1] == "--help")): |
170 | printHelp() | 170 | printHelp() |
diff --git a/contrib/sort.py b/contrib/sort.py index d7a2cd05d..4af9c674c 100755 --- a/contrib/sort.py +++ b/contrib/sort.py | |||
@@ -34,7 +34,7 @@ def sort_alphabetical(raw_items): | |||
34 | 34 | ||
35 | 35 | ||
36 | def sort_protocol(protocols): | 36 | def sort_protocol(protocols): |
37 | """sort the given protocole into this scheme: unix,inet,inet6,netlink,packet,bluetooth""" | 37 | """sort the given protocols into this scheme: unix,inet,inet6,netlink,packet,bluetooth""" |
38 | 38 | ||
39 | # shortcut for common protocol lines | 39 | # shortcut for common protocol lines |
40 | if protocols in ("unix", "unix,inet,inet6"): | 40 | if protocols in ("unix", "unix,inet,inet6"): |
diff --git a/etc/firejail.config b/etc/firejail.config index 2e355586b..aec152b85 100644 --- a/etc/firejail.config +++ b/etc/firejail.config | |||
@@ -63,7 +63,7 @@ | |||
63 | # a file argument, the default filter is hardcoded (see man 1 firejail). This | 63 | # a file argument, the default filter is hardcoded (see man 1 firejail). This |
64 | # configuration entry allows the user to change the default by specifying | 64 | # configuration entry allows the user to change the default by specifying |
65 | # a file containing the filter configuration. The filter file format is the | 65 | # a file containing the filter configuration. The filter file format is the |
66 | # format of iptables-save and iptable-restore commands. Example: | 66 | # format of iptables-save and iptables-restore commands. Example: |
67 | # netfilter-default /etc/iptables.iptables.rules | 67 | # netfilter-default /etc/iptables.iptables.rules |
68 | 68 | ||
69 | # Enable or disable networking features, default enabled. | 69 | # Enable or disable networking features, default enabled. |
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 444446156..e77ceb41c 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc | |||
@@ -77,6 +77,7 @@ blacklist ${HOME}/.config/Element | |||
77 | blacklist ${HOME}/.config/Element (Riot) | 77 | blacklist ${HOME}/.config/Element (Riot) |
78 | blacklist ${HOME}/.config/Enox | 78 | blacklist ${HOME}/.config/Enox |
79 | blacklist ${HOME}/.config/Epic | 79 | blacklist ${HOME}/.config/Epic |
80 | blacklist ${HOME}/.config/Exodus | ||
80 | blacklist ${HOME}/.config/Ferdi | 81 | blacklist ${HOME}/.config/Ferdi |
81 | blacklist ${HOME}/.config/Flavio Tordini | 82 | blacklist ${HOME}/.config/Flavio Tordini |
82 | blacklist ${HOME}/.config/Franz | 83 | blacklist ${HOME}/.config/Franz |
@@ -501,6 +502,7 @@ blacklist ${HOME}/.gitconfig | |||
501 | blacklist ${HOME}/.gl-117 | 502 | blacklist ${HOME}/.gl-117 |
502 | blacklist ${HOME}/.glaxiumrc | 503 | blacklist ${HOME}/.glaxiumrc |
503 | blacklist ${HOME}/.gnome/gnome-schedule | 504 | blacklist ${HOME}/.gnome/gnome-schedule |
505 | blacklist ${HOME}/.goldendict | ||
504 | blacklist ${HOME}/.googleearth | 506 | blacklist ${HOME}/.googleearth |
505 | blacklist ${HOME}/.gradle | 507 | blacklist ${HOME}/.gradle |
506 | blacklist ${HOME}/.gramps | 508 | blacklist ${HOME}/.gramps |
@@ -966,6 +968,7 @@ blacklist ${HOME}/.cache/Enpass | |||
966 | blacklist ${HOME}/.cache/Ferdi | 968 | blacklist ${HOME}/.cache/Ferdi |
967 | blacklist ${HOME}/.cache/Flavio Tordini | 969 | blacklist ${HOME}/.cache/Flavio Tordini |
968 | blacklist ${HOME}/.cache/Franz | 970 | blacklist ${HOME}/.cache/Franz |
971 | blacklist ${HOME}/.cache/GoldenDict | ||
969 | blacklist ${HOME}/.cache/INRIA | 972 | blacklist ${HOME}/.cache/INRIA |
970 | blacklist ${HOME}/.cache/INRIA/Natron | 973 | blacklist ${HOME}/.cache/INRIA/Natron |
971 | blacklist ${HOME}/.cache/KDE/neochat | 974 | blacklist ${HOME}/.cache/KDE/neochat |
diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile index 595f1dd50..2080aad62 100644 --- a/etc/profile-a-l/balsa.profile +++ b/etc/profile-a-l/balsa.profile | |||
@@ -79,4 +79,4 @@ dbus-user.talk org.freedesktop.secrets | |||
79 | dbus-user.talk org.gnome.keyring.SystemPrompter | 79 | dbus-user.talk org.gnome.keyring.SystemPrompter |
80 | dbus-system none | 80 | dbus-system none |
81 | 81 | ||
82 | read-only ${HOME}/.mozilla/firefox/profiles.ini \ No newline at end of file | 82 | read-only ${HOME}/.mozilla/firefox/profiles.ini |
diff --git a/etc/profile-a-l/cola.profile b/etc/profile-a-l/cola.profile index e5debfd82..97bf6d394 100644 --- a/etc/profile-a-l/cola.profile +++ b/etc/profile-a-l/cola.profile | |||
@@ -7,4 +7,4 @@ include cola.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Redirect | 9 | # Redirect |
10 | include git-cola.profile \ No newline at end of file | 10 | include git-cola.profile |
diff --git a/etc/profile-a-l/eog.profile b/etc/profile-a-l/eog.profile index 5892374bd..65e5c6e69 100644 --- a/etc/profile-a-l/eog.profile +++ b/etc/profile-a-l/eog.profile | |||
@@ -18,7 +18,7 @@ whitelist /usr/share/eog | |||
18 | 18 | ||
19 | private-bin eog | 19 | private-bin eog |
20 | 20 | ||
21 | # broken on Debian 10 (buster) running LXDE got the folowing error: | 21 | # broken on Debian 10 (buster) running LXDE got the following error: |
22 | # Failed to register: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown | 22 | # Failed to register: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown |
23 | #dbus-user filter | 23 | #dbus-user filter |
24 | #dbus-user.own org.gnome.eog | 24 | #dbus-user.own org.gnome.eog |
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile index abb6f6692..63e456488 100644 --- a/etc/profile-a-l/evince.profile +++ b/etc/profile-a-l/evince.profile | |||
@@ -56,7 +56,7 @@ private-cache | |||
56 | private-dev | 56 | private-dev |
57 | private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd | 57 | private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd |
58 | # private-lib might break two-page-view on some systems | 58 | # private-lib might break two-page-view on some systems |
59 | private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.* | 59 | private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libarchive.so.*,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.* |
60 | private-tmp | 60 | private-tmp |
61 | 61 | ||
62 | # dbus-user filtering might break two-page-view on some systems | 62 | # dbus-user filtering might break two-page-view on some systems |
diff --git a/etc/profile-a-l/goldendict.profile b/etc/profile-a-l/goldendict.profile new file mode 100644 index 000000000..59a572319 --- /dev/null +++ b/etc/profile-a-l/goldendict.profile | |||
@@ -0,0 +1,57 @@ | |||
1 | # Firejail profile for goldendict | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include goldendict.local | ||
5 | # Persistent global definitions | ||
6 | include globals.local | ||
7 | |||
8 | noblacklist ${HOME}/.goldendict | ||
9 | noblacklist ${HOME}/.cache/GoldenDict | ||
10 | |||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-programs.inc | ||
16 | include disable-shell.inc | ||
17 | include disable-xdg.inc | ||
18 | |||
19 | mkdir ${HOME}/.goldendict | ||
20 | mkdir ${HOME}/.cache/GoldenDict | ||
21 | whitelist ${HOME}/.goldendict | ||
22 | whitelist ${HOME}/.cache/GoldenDict | ||
23 | # The default path of dictionaries | ||
24 | whitelist /usr/share/stardict/dic | ||
25 | include whitelist-common.inc | ||
26 | include whitelist-runuser-common.inc | ||
27 | include whitelist-usr-share-common.inc | ||
28 | include whitelist-var-common.inc | ||
29 | |||
30 | apparmor | ||
31 | caps.drop all | ||
32 | netfilter | ||
33 | # no3d leads to the libGL MESA-LOADER errors | ||
34 | #no3d | ||
35 | nodvd | ||
36 | nogroups | ||
37 | noinput | ||
38 | nonewprivs | ||
39 | noroot | ||
40 | notv | ||
41 | nou2f | ||
42 | novideo | ||
43 | protocol unix,inet,inet6,netlink | ||
44 | seccomp | ||
45 | seccomp.block-secondary | ||
46 | shell none | ||
47 | tracelog | ||
48 | |||
49 | disable-mnt | ||
50 | private-bin goldendict | ||
51 | private-cache | ||
52 | private-dev | ||
53 | private-etc ca-certificates,crypto-policies,fonts,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl | ||
54 | private-tmp | ||
55 | |||
56 | dbus-user none | ||
57 | dbus-system none | ||
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile index c9f5221f7..ebffbbabf 100644 --- a/etc/profile-a-l/librewolf.profile +++ b/etc/profile-a-l/librewolf.profile | |||
@@ -36,6 +36,7 @@ include whitelist-usr-share-common.inc | |||
36 | #private-etc librewolf | 36 | #private-etc librewolf |
37 | 37 | ||
38 | dbus-user filter | 38 | dbus-user filter |
39 | dbus-user.own org.mozilla.librewolf.* | ||
39 | # Add the next line to your librewolf.local to enable native notifications. | 40 | # Add the next line to your librewolf.local to enable native notifications. |
40 | #dbus-user.talk org.freedesktop.Notifications | 41 | #dbus-user.talk org.freedesktop.Notifications |
41 | # Add the next line to your librewolf.local to allow inhibiting screensavers. | 42 | # Add the next line to your librewolf.local to allow inhibiting screensavers. |
diff --git a/etc/profile-m-z/microsoft-edge-beta.profile b/etc/profile-m-z/microsoft-edge-beta.profile index 34d9f470a..095038f08 100644 --- a/etc/profile-m-z/microsoft-edge-beta.profile +++ b/etc/profile-m-z/microsoft-edge-beta.profile | |||
@@ -17,4 +17,4 @@ whitelist ${HOME}/.config/microsoft-edge-beta | |||
17 | private-opt microsoft | 17 | private-opt microsoft |
18 | 18 | ||
19 | # Redirect | 19 | # Redirect |
20 | include chromium-common.profile \ No newline at end of file | 20 | include chromium-common.profile |
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile index fa433b672..74402a8de 100644 --- a/etc/profile-m-z/mpv.profile +++ b/etc/profile-m-z/mpv.profile | |||
@@ -11,7 +11,7 @@ include globals.local | |||
11 | # edit ~/.config/mpv/foobar.conf: | 11 | # edit ~/.config/mpv/foobar.conf: |
12 | # screenshot-directory=~/Pictures | 12 | # screenshot-directory=~/Pictures |
13 | 13 | ||
14 | # Mpv has a powerfull lua-API, some off these lua-scripts interact | 14 | # Mpv has a powerful lua-API, some off these lua-scripts interact |
15 | # with external resources which are blocked by firejail. In such cases | 15 | # with external resources which are blocked by firejail. In such cases |
16 | # you need to allow these resources by | 16 | # you need to allow these resources by |
17 | # - adding additional binaries to private-bin | 17 | # - adding additional binaries to private-bin |
diff --git a/etc/profile-m-z/softmaker-common.profile b/etc/profile-m-z/softmaker-common.profile index ebdd5c1f8..47468a531 100644 --- a/etc/profile-m-z/softmaker-common.profile +++ b/etc/profile-m-z/softmaker-common.profile | |||
@@ -6,9 +6,9 @@ include softmaker-common.local | |||
6 | # added by caller profile | 6 | # added by caller profile |
7 | #include globals.local | 7 | #include globals.local |
8 | 8 | ||
9 | # The offical packages install the desktop file under /usr/local/share/applications | 9 | # The official packages install the desktop file under /usr/local/share/applications |
10 | # with an absolute Exec line. These files are NOT handelt by firecfg, | 10 | # with an absolute Exec line. These files are NOT handled by firecfg, |
11 | # therefore you must manualy copy them in you home and remove '/usr/bin/'. | 11 | # therefore you must manually copy them in you home and remove '/usr/bin/'. |
12 | 12 | ||
13 | noblacklist ${HOME}/SoftMaker | 13 | noblacklist ${HOME}/SoftMaker |
14 | 14 | ||
diff --git a/etc/profile-m-z/straw-viewer.profile b/etc/profile-m-z/straw-viewer.profile index d73927f2a..513abc21b 100644 --- a/etc/profile-m-z/straw-viewer.profile +++ b/etc/profile-m-z/straw-viewer.profile | |||
@@ -18,4 +18,4 @@ whitelist ${HOME}/.config/straw-viewer | |||
18 | private-bin gtk-straw-viewer,straw-viewer | 18 | private-bin gtk-straw-viewer,straw-viewer |
19 | 19 | ||
20 | # Redirect | 20 | # Redirect |
21 | include youtube-viewers-common.profile \ No newline at end of file | 21 | include youtube-viewers-common.profile |
diff --git a/etc/profile-m-z/youtube-viewer.profile b/etc/profile-m-z/youtube-viewer.profile index b54dd37ad..825599fcc 100644 --- a/etc/profile-m-z/youtube-viewer.profile +++ b/etc/profile-m-z/youtube-viewer.profile | |||
@@ -18,4 +18,4 @@ whitelist ${HOME}/.config/youtube-viewer | |||
18 | private-bin gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,youtube-viewer | 18 | private-bin gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,youtube-viewer |
19 | 19 | ||
20 | # Redirect | 20 | # Redirect |
21 | include youtube-viewers-common.profile \ No newline at end of file | 21 | include youtube-viewers-common.profile |
diff --git a/etc/templates/profile.template b/etc/templates/profile.template index e580a0c0c..7628313e0 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template | |||
@@ -204,7 +204,7 @@ include globals.local | |||
204 | 204 | ||
205 | # Since 0.9.63 also a more granular control of dbus is supported. | 205 | # Since 0.9.63 also a more granular control of dbus is supported. |
206 | # To get the dbus-addresses an application needs access to you can | 206 | # To get the dbus-addresses an application needs access to you can |
207 | # check with flatpak (when the application is distriputed that way): | 207 | # check with flatpak (when the application is distributed that way): |
208 | # flatpak remote-info --show-metadata flathub <APP-ID> | 208 | # flatpak remote-info --show-metadata flathub <APP-ID> |
209 | # Notes: | 209 | # Notes: |
210 | # - flatpak implicitly allows an app to own <APP-ID> on the session bus | 210 | # - flatpak implicitly allows an app to own <APP-ID> on the session bus |
diff --git a/src/fids/fids.h b/src/fids/fids.h index a2e2886fe..eaf2bbd29 100644 --- a/src/fids/fids.h +++ b/src/fids/fids.h | |||
@@ -48,4 +48,4 @@ int db_exclude_check(const char *fname); | |||
48 | //#define KEY_SIZE 512 | 48 | //#define KEY_SIZE 512 |
49 | int blake2b(void *out, size_t outlen, const void *in, size_t inlen); | 49 | int blake2b(void *out, size_t outlen, const void *in, size_t inlen); |
50 | 50 | ||
51 | #endif \ No newline at end of file | 51 | #endif |
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 698630180..a544e25f2 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -348,6 +348,7 @@ gnome-weather | |||
348 | gnote | 348 | gnote |
349 | gnubik | 349 | gnubik |
350 | godot | 350 | godot |
351 | goldendict | ||
351 | goobox | 352 | goobox |
352 | google-chrome | 353 | google-chrome |
353 | google-chrome-beta | 354 | google-chrome-beta |
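--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -262,7 +262,7 @@ static const char * const env_whitelist[] = {
 "LANG",
 "LANGUAGE",
 "LC_MESSAGES",
-"PATH",
+// "PATH",
 "DISPLAY" // required by X11
 };
 
@@ -311,6 +311,10 @@ void env_apply_whitelist(void) {
 errExit("clearenv");
 
 env_apply_list(env_whitelist, ARRAY_SIZE(env_whitelist));
+
+// hardcoding PATH
+if (setenv("PATH", "/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin", 1) < 0)
+errExit("setenv");
 }
 
 // Filter env variables for a sbox app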
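Review bot: The new setenv() in env_apply_whitelist fixes PATH to a system-directory-only value, but the one-line comment `// hardcoding PATH` does not say why, and the first hunk leaves `// "PATH",` behind as a dead entry in env_whitelist rather than explaining the relationship. Presumably the intent is that the sandboxed program must not inherit a search path the invoking environment controls; suggest replacing the commented-out entry with `// PATH is deliberately not inherited; env_apply_whitelist() sets a fixed value` and expanding the setenv comment to `// never inherit PATH from the caller: a fixed system search path keeps command resolution inside the sandbox away from caller-controlled directories`. If the sbox filter that follows ("Filter env variables for a sbox app", outside this hunk) also needs a PATH, a single `#define` for the value would keep the two from drifting apart. The surrounding array and the sbox function both continue outside their hunks.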
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 5ac2da164..dd4c2139d 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -108,7 +108,7 @@ static void disable_file(OPERATION op, const char *filename) { | |||
108 | } | 108 | } |
109 | 109 | ||
110 | // check for firejail executable | 110 | // check for firejail executable |
111 | // we migth have a file found in ${PATH} pointing to /usr/bin/firejail | 111 | // we might have a file found in ${PATH} pointing to /usr/bin/firejail |
112 | // blacklisting it here will end up breaking situations like user clicks on a link in Thunderbird | 112 | // blacklisting it here will end up breaking situations like user clicks on a link in Thunderbird |
113 | // and expects Firefox to open in the same sandbox | 113 | // and expects Firefox to open in the same sandbox |
114 | if (strcmp(BINDIR "/firejail", fname) == 0) { | 114 | if (strcmp(BINDIR "/firejail", fname) == 0) { |
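--- a/src/firejail/fs_hostname.c
+++ b/src/firejail/fs_hostname.c
@@ -93,10 +93,6 @@ char *fs_check_hosts_file(const char *fname) {
 invalid_filename(fname, 0); // no globbing
 char *rv = expand_macros(fname);
 
-// no a link
-if (is_link(rv))
-goto errexit;
-
 // the user has read access to the file
 if (access(rv, R_OK))
 goto errexit;
@@ -119,9 +115,6 @@ void fs_mount_hosts_file(void) {
 struct stat s;
 if (stat("/etc/hosts", &s) == -1)
 goto errexit;
-// not a link
-if (is_link("/etc/hosts"))
-goto errexit;
 // owned by root
 if (s.st_uid != 0)
 goto errexit;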
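Review bot: Dropping the is_link() guards leaves both paths without any check on the link itself: in fs_check_hosts_file the user-supplied path now only has to pass `access(rv, R_OK)`, and in fs_mount_hosts_file the `stat("/etc/hosts", &s)` call follows symlinks, so the `s.st_uid != 0` ownership test is applied to whatever the link currently points at rather than to /etc/hosts. Whatever is done with the path after these checks (outside the hunk) therefore acts on a target the checks did not pin down, and a link retargeted between the check and that use widens the window. If accepting symlinked hosts files is deliberate, say so where the checks used to be, e.g. `// symlinks are accepted here: the checks below apply to the resolved target`; otherwise resolve the path first (realpath) and run the checks on the resolved name, or use lstat. Both function bodies continue outside the hunk.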
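--- a/src/firejail/ids.c
+++ b/src/firejail/ids.c
@@ -86,4 +86,4 @@ void run_ids(int argc, char **argv) {
 fprintf(stderr, "Error: unrecognized IDS command\n");
 
 exit(0);
-}
\ No newline at end of file
+}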
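--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -45,7 +45,7 @@ static unsigned display = 0;
 static void signal_handler(int sig){
 flush_stdin();
 
-exit(sig);
+exit(128 + sig);
 }
 
 static void install_handler(void) {
@@ -536,7 +536,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
 prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
 
 #ifdef HAVE_APPARMOR
-// add apparmor confinement after the execve
 set_apparmor();
 #endif
 
@@ -552,10 +551,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
 if (cfg.cpus) // not available for uid 0
 set_cpu_affinity();
 
-// set nice value
-if (arg_nice)
-set_nice(cfg.nice);
-
 // add x11 display
 if (display) {
 char *display_str;
@@ -574,6 +569,11 @@ void join(pid_t pid, int argc, char **argv, int index) {
 dbus_set_system_bus_env();
 #endif
 
+// set nice and rlimits
+if (arg_nice)
+set_nice(cfg.nice);
+set_rlimits();
+
 start_application(0, shfd, NULL);
 
 __builtin_unreachable();
@@ -596,15 +596,17 @@ void join(pid_t pid, int argc, char **argv, int index) {
 
 // end of signal-safe code
 //*****************************
-flush_stdin();
 
 if (WIFEXITED(status)) {
+// if we had a proper exit, return that exit status
 status = WEXITSTATUS(status);
 } else if (WIFSIGNALED(status)) {
-status = WTERMSIG(status);
+// distinguish fatal signals by adding 128
+status = 128 + WTERMSIG(status);
 } else {
-status = 0;
+status = -1;
 }
 
+flush_stdin();
 exit(status);
 }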
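Review bot: The new fallback `status = -1;` reaches `exit(status)`, which the kernel truncates to 255, while the same "neither exited nor signaled" case reports `myexit(1)` in main.c (hunk at line 3218) and sets `status = -1` for the return value of sandbox() in sandbox.c (hunk at line 1257), so the three exit paths now disagree. A value above 128 also collides with the `128 + signal` convention this change introduces, so a caller treating such values as signal deaths would misread the fallback. Using one small positive value in all three places, `status = 1;` here and in sandbox.c, keeps them consistent with main.c. The enclosing join() starts outside the hunk.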
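--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -189,13 +189,15 @@ static void my_handler(int s) {
 logsignal(s);
 
 if (waitpid(child, NULL, WNOHANG) == 0) {
-if (has_handler(child, s)) // signals are not delivered if there is no handler yet
+// child is pid 1 of a pid namespace:
+// signals are not delivered if there is no handler yet
+if (has_handler(child, s))
 kill(child, s);
 else
 kill(child, SIGKILL);
 waitpid(child, NULL, 0);
 }
-myexit(s);
+myexit(128 + s);
 }
 
 static void install_handler(void) {
@@ -1263,9 +1265,9 @@ int main(int argc, char **argv, char **envp) {
 arg_debug = 1;
 arg_quiet = 0;
 }
-else if (strcmp(argv[i], "--debug-deny") == 0)
+else if (strcmp(argv[i], "--debug-blacklists") == 0)
 arg_debug_blacklists = 1;
-else if (strcmp(argv[i], "--debug-allow") == 0)
+else if (strcmp(argv[i], "--debug-whitelists") == 0)
 arg_debug_whitelists = 1;
 else if (strcmp(argv[i], "--debug-private-lib") == 0)
 arg_debug_private_lib = 1;
@@ -3216,10 +3218,11 @@ printf("link #%s#\n", prf->link);
 if (WIFEXITED(status)){
 myexit(WEXITSTATUS(status));
 } else if (WIFSIGNALED(status)) {
-myexit(WTERMSIG(status));
+// distinguish fatal signals by adding 128
+myexit(128 + WTERMSIG(status));
 } else {
-myexit(0);
+myexit(1);
 }
 
-return 0;
+return 1;
 }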
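--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1938,7 +1938,7 @@ char *profile_list_compress(char *list)
 /* Include non-empty item */
 if (!*item)
 in[i] = 0;
-/* Remove all allready included items */
+/* Remove all already included items */
 for (k = 0; k < i; ++k)
 in[k] = 0;
 break;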
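--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -87,9 +87,9 @@ static void sandbox_handler(int sig){
 
 // broadcast a SIGKILL
 kill(-1, SIGKILL);
-flush_stdin();
 
-exit(sig);
+flush_stdin();
+exit(128 + sig);
 }
 
 static void install_handler(void) {
@@ -1243,7 +1243,6 @@ int sandbox(void* sandbox_arg) {
 
 if (app_pid == 0) {
 #ifdef HAVE_APPARMOR
-// add apparmor confinement after the execve
 set_apparmor();
 #endif
 
@@ -1258,13 +1257,17 @@ int sandbox(void* sandbox_arg) {
 munmap(set_sandbox_status, 1);
 
 int status = monitor_application(app_pid); // monitor application
-flush_stdin();
 
 if (WIFEXITED(status)) {
 // if we had a proper exit, return that exit status
-return WEXITSTATUS(status);
+status = WEXITSTATUS(status);
+} else if (WIFSIGNALED(status)) {
+// distinguish fatal signals by adding 128
+status = 128 + WTERMSIG(status);
 } else {
-// something else went wrong!
-return -1;
+status = -1;
 }
+
+flush_stdin();
+return status;
 }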
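--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -28,7 +28,6 @@ static char *usage_str =
 "\n"
 "Options:\n"
 " -- - signal the end of options and disables further option processing.\n"
-" --allow=filename - allow file system access.\n"
 " --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n"
 " --allusers - all user home directories are visible inside the sandbox.\n"
 " --apparmor - enable AppArmor confinement.\n"
@@ -39,12 +38,13 @@ static char *usage_str =
 #endif
 " --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n"
 " --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n"
-" --build - build a profile for the application.\n"
-" --build=filename - build a profile for the application.\n"
+" --blacklist=filename - blacklist directory or file.\n"
+" --build - build a whitelisted profile for the application.\n"
+" --build=filename - build a whitelisted profile for the application.\n"
 " --caps - enable default Linux capabilities filter.\n"
 " --caps.drop=all - drop all capabilities.\n"
-" --caps.drop=capability,capability - drop capabilities.\n"
-" --caps.keep=capability,capability - allow capabilities.\n"
+" --caps.drop=capability,capability - blacklist capabilities filter.\n"
+" --caps.keep=capability,capability - whitelist capabilities filter.\n"
 " --caps.print=name|pid - print the caps filter.\n"
 #ifdef HAVE_FILE_TRANSFER
 " --cat=name|pid filename - print content of file from sandbox container.\n"
@@ -75,18 +75,17 @@ static char *usage_str =
 " --dbus-user.talk=name - allow talking to name on the session DBus.\n"
 #endif
 " --debug - print sandbox debug messages.\n"
-" --debug-allow - debug file system access.\n"
-" --debug-deny - debug file system access.\n"
+" --debug-blacklists - debug blacklisting.\n"
 " --debug-caps - print all recognized capabilities.\n"
 " --debug-errnos - print all recognized error numbers.\n"
 " --debug-private-lib - debug for --private-lib option.\n"
 " --debug-protocols - print all recognized protocols.\n"
 " --debug-syscalls - print all recognized system calls.\n"
 " --debug-syscalls32 - print all recognized 32 bit system calls.\n"
+" --debug-whitelists - debug whitelisting.\n"
 #ifdef HAVE_NETWORK
 " --defaultgw=address - configure default gateway.\n"
 #endif
-" --deny=filename - deny access to directory or file.\n"
 " --deterministic-exit-code - always exit with first child's status code.\n"
 " --dns=address - set DNS server.\n"
 " --dns.print=name|pid - print DNS configuration.\n"
@@ -147,14 +146,13 @@ static char *usage_str =
 " --netfilter6=filename - enable IPv6 firewall.\n"
 " --netfilter6.print=name|pid - print the IPv6 firewall.\n"
 " --netmask=address - define a network mask when dealing with unconfigured\n"
-"\tparrent interfaces.\n"
+"\tparent interfaces.\n"
 " --netns=name - Run the program in a named, persistent network namespace.\n"
 " --netstats - monitor network statistics.\n"
 #endif
 " --nice=value - set nice value.\n"
 " --no3d - disable 3D hardware acceleration.\n"
-" --noallow=filename - disable allow command for file or directory.\n"
-" --nodeny=filename - disable deny command for file or directory.\n"
+" --noblacklist=filename - disable blacklist for file or directory.\n"
 " --nodbus - disable D-Bus access.\n"
 " --nodvd - disable DVD and audio CD devices.\n"
 " --noexec=filename - remount the file or directory noexec nosuid and nodev.\n"
@@ -169,6 +167,7 @@ static char *usage_str =
 " --noautopulse - disable automatic ~/.config/pulse init.\n"
 " --novideo - disable video devices.\n"
 " --nou2f - disable U2F devices.\n"
+" --nowhitelist=filename - disable whitelist for file or directory.\n"
 #ifdef HAVE_OUTPUT
 " --output=logfile - stdout logging and log rotation.\n"
 " --output-stderr=logfile - stdout and stderr logging and log rotation.\n"
@@ -225,14 +224,14 @@ static char *usage_str =
 #ifdef HAVE_NETWORK
 " --scan - ARP-scan all the networks from inside a network namespace.\n"
 #endif
-" --seccomp - enable seccomp filter and drop the default syscalls.\n"
-" --seccomp=syscall,syscall,syscall - enable seccomp filter, drop the\n"
+" --seccomp - enable seccomp filter and apply the default blacklist.\n"
+" --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n"
 "\tdefault syscall list and the syscalls specified by the command.\n"
 " --seccomp.block-secondary - build only the native architecture filters.\n"
 " --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n"
-"\tdrop the syscalls specified by the command.\n"
+"\tblacklist the syscalls specified by the command.\n"
 " --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n"
-"\tallow the syscalls specified by the command.\n"
+"\twhitelist the syscalls specified by the command.\n"
 " --seccomp.print=name|pid - print the seccomp filter for the sandbox\n"
 "\tidentified by name or PID.\n"
 " --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n"
@@ -247,7 +246,7 @@ static char *usage_str =
 " --top - monitor the most CPU-intensive sandboxes.\n"
 " --trace - trace open, access and connect system calls.\n"
 " --tracelog - add a syslog message for every access to files or\n"
-"\tdirectories dropped by the security profile.\n"
+"\tdirectories blacklisted by the security profile.\n"
 " --tree - print a tree of all sandboxed processes.\n"
 " --tunnel[=devname] - connect the sandbox to a tunnel created by\n"
 "\tfiretunnel utility.\n"
@@ -255,6 +254,7 @@ static char *usage_str =
 #ifdef HAVE_NETWORK
 " --veth-name=name - use this name for the interface connected to the bridge.\n"
 #endif
+" --whitelist=filename - whitelist directory or file.\n"
 " --writable-etc - /etc directory is mounted read-write.\n"
 " --writable-run-user - allow access to /run/user/$UID/systemd and\n"
 "\t/run/user/$UID/gnupg.\n"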
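--- a/src/jailcheck/jailcheck.h
+++ b/src/jailcheck/jailcheck.h
@@ -61,4 +61,4 @@ char *get_homedir(const char *user, uid_t *uid, gid_t *gid);
 int find_child(pid_t pid);
 pid_t switch_to_child(pid_t pid);
 
-#endif
\ No newline at end of file
+#endif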
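--- a/src/jailcheck/noexec.c
+++ b/src/jailcheck/noexec.c
@@ -110,4 +110,4 @@ void noexec_test(const char *path) {
 wait(&status);
 int rv = unlink(fname);
 (void) rv;
-}
\ No newline at end of file
+}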
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 6280026e6..a768829a1 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -156,7 +156,7 @@ Scripting commands: | |||
156 | \fBFile and directory names | 156 | \fBFile and directory names |
157 | File and directory names containing spaces are supported. The space character ' ' should not be escaped. | 157 | File and directory names containing spaces are supported. The space character ' ' should not be escaped. |
158 | 158 | ||
159 | Example: "deny ~/My Virtual Machines" | 159 | Example: "blacklist ~/My Virtual Machines" |
160 | 160 | ||
161 | .TP | 161 | .TP |
162 | \fB# this is a comment | 162 | \fB# this is a comment |
@@ -170,9 +170,9 @@ net none # this command creates an empty network namespace | |||
170 | \fB?CONDITIONAL: profile line | 170 | \fB?CONDITIONAL: profile line |
171 | Conditionally add profile line. | 171 | Conditionally add profile line. |
172 | 172 | ||
173 | Example: "?HAS_APPIMAGE: allow ${HOME}/special/appimage/dir" | 173 | Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir" |
174 | 174 | ||
175 | This example will load the profile line only if the \-\-appimage option has been specified on the command line. | 175 | This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line. |
176 | 176 | ||
177 | Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM | 177 | Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM |
178 | can be enabled or disabled globally in Firejail's configuration file. | 178 | can be enabled or disabled globally in Firejail's configuration file. |
@@ -205,16 +205,16 @@ storing modifications to the persistent configuration. Persistent .local files | |||
205 | are included at the start of regular profile files. | 205 | are included at the start of regular profile files. |
206 | 206 | ||
207 | .TP | 207 | .TP |
208 | \fBnoallow file_name | 208 | \fBnoblacklist file_name |
209 | If the file name matches file_name, the file will not be allowed in any allow commands that follow. | 209 | If the file name matches file_name, the file will not be blacklisted in any blacklist commands that follow. |
210 | 210 | ||
211 | Example: "nowhitelist ~/.config" | 211 | Example: "noblacklist ${HOME}/.mozilla" |
212 | 212 | ||
213 | .TP | 213 | .TP |
214 | \fBnodeny file_name | 214 | \fBnowhitelist file_name |
215 | If the file name matches file_name, the file will not be denied any deny commands that follow. | 215 | If the file name matches file_name, the file will not be whitelisted in any whitelist commands that follow. |
216 | 216 | ||
217 | Example: "nodeny ${HOME}/.mozilla" | 217 | Example: "nowhitelist ~/.config" |
218 | 218 | ||
219 | .TP | 219 | .TP |
220 | \fBignore | 220 | \fBignore |
@@ -242,17 +242,19 @@ HOME directories are searched, see the \fBfirejail\f(1) \fBFILE GLOBBING\fR sect | |||
242 | for more details. | 242 | for more details. |
243 | Examples: | 243 | Examples: |
244 | .TP | 244 | .TP |
245 | \fBallow file_or_directory | 245 | \fBblacklist file_or_directory |
246 | Allow directory or file. A temporary file system is mounted on the top directory, and the | 246 | Blacklist directory or file. Examples: |
247 | allowed files are mount-binded inside. Modifications to allowd files are persistent, | ||
248 | everything else is discarded when the sandbox is closed. The top directory can be | ||
249 | all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and | ||
250 | all directories in /usr. | ||
251 | .br | 247 | .br |
252 | 248 | ||
253 | .br | 249 | .br |
254 | Symbolic link handling: with the exception of user home, both the link and the real file should be in | 250 | blacklist /usr/bin |
255 | the same top directory. For user home, both the link and the real file should be owned by the user. | 251 | .br |
252 | blacklist /usr/bin/gcc* | ||
253 | .br | ||
254 | blacklist ${PATH}/ifconfig | ||
255 | .br | ||
256 | blacklist ${HOME}/.ssh | ||
257 | |||
256 | .TP | 258 | .TP |
257 | \fBblacklist-nolog file_or_directory | 259 | \fBblacklist-nolog file_or_directory |
258 | When --tracelog flag is set, blacklisting generates syslog messages if the sandbox tries to access the file or directory. | 260 | When --tracelog flag is set, blacklisting generates syslog messages if the sandbox tries to access the file or directory. |
@@ -271,20 +273,6 @@ Mount-bind directory1 on top of directory2. This option is only available when r | |||
271 | \fBbind file1,file2 | 273 | \fBbind file1,file2 |
272 | Mount-bind file1 on top of file2. This option is only available when running as root. | 274 | Mount-bind file1 on top of file2. This option is only available when running as root. |
273 | .TP | 275 | .TP |
274 | \fBdeny file_or_directory | ||
275 | Deny access to directory or file. Examples: | ||
276 | .br | ||
277 | |||
278 | .br | ||
279 | deny /usr/bin | ||
280 | .br | ||
281 | deny /usr/bin/gcc* | ||
282 | .br | ||
283 | deny ${PATH}/ifconfig | ||
284 | .br | ||
285 | deny ${HOME}/.ssh | ||
286 | |||
287 | .TP | ||
288 | \fBdisable-mnt | 276 | \fBdisable-mnt |
289 | Disable /mnt, /media, /run/mount and /run/media access. | 277 | Disable /mnt, /media, /run/mount and /run/media access. |
290 | .TP | 278 | .TP |
@@ -304,7 +292,7 @@ The directory is created if it doesn't already exist. | |||
304 | .br | 292 | .br |
305 | 293 | ||
306 | .br | 294 | .br |
307 | Use this command for allowed directories you need to preserve | 295 | Use this command for whitelisted directories you need to preserve |
308 | when the sandbox is closed. Without it, the application will create the directory, and the directory | 296 | when the sandbox is closed. Without it, the application will create the directory, and the directory |
309 | will be deleted when the sandbox is closed. Subdirectories are recursively created. Example from | 297 | will be deleted when the sandbox is closed. Subdirectories are recursively created. Example from |
310 | firefox profile: | 298 | firefox profile: |
@@ -317,7 +305,7 @@ whitelist ~/.mozilla | |||
317 | .br | 305 | .br |
318 | mkdir ~/.cache/mozilla/firefox | 306 | mkdir ~/.cache/mozilla/firefox |
319 | .br | 307 | .br |
320 | allow ~/.cache/mozilla/firefox | 308 | whitelist ~/.cache/mozilla/firefox |
321 | .br | 309 | .br |
322 | 310 | ||
323 | .br | 311 | .br |
@@ -423,7 +411,7 @@ expressed as foo/bar -- is disallowed). | |||
423 | All modifications are discarded when the sandbox is closed. | 411 | All modifications are discarded when the sandbox is closed. |
424 | .TP | 412 | .TP |
425 | \fBprivate-tmp | 413 | \fBprivate-tmp |
426 | Mount an empty temporary filesystem on top of /tmp directory allowing /tmp/.X11-unix. | 414 | Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix. |
427 | .TP | 415 | .TP |
428 | \fBread-only file_or_directory | 416 | \fBread-only file_or_directory |
429 | Make directory or file read-only. | 417 | Make directory or file read-only. |
@@ -435,13 +423,25 @@ Make directory or file read-write. | |||
435 | Mount an empty tmpfs filesystem on top of directory. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions. | 423 | Mount an empty tmpfs filesystem on top of directory. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions. |
436 | .TP | 424 | .TP |
437 | \fBtracelog | 425 | \fBtracelog |
438 | File system deny violations logged to syslog. | 426 | Blacklist violations logged to syslog. |
427 | .TP | ||
428 | \fBwhitelist file_or_directory | ||
429 | Whitelist directory or file. A temporary file system is mounted on the top directory, and the | ||
430 | whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent, | ||
431 | everything else is discarded when the sandbox is closed. The top directory can be | ||
432 | all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and | ||
433 | all directories in /usr. | ||
434 | .br | ||
435 | |||
436 | .br | ||
437 | Symbolic link handling: with the exception of user home, both the link and the real file should be in | ||
438 | the same top directory. For user home, both the link and the real file should be owned by the user. | ||
439 | .TP | 439 | .TP |
440 | \fBwritable-etc | 440 | \fBwritable-etc |
441 | Mount /etc directory read-write. | 441 | Mount /etc directory read-write. |
442 | .TP | 442 | .TP |
443 | \fBwritable-run-user | 443 | \fBwritable-run-user |
444 | Disable the default denying of run/user/$UID/systemd and /run/user/$UID/gnupg. | 444 | Disable the default blacklisting of run/user/$UID/systemd and /run/user/$UID/gnupg. |
445 | .TP | 445 | .TP |
446 | \fBwritable-var | 446 | \fBwritable-var |
447 | Mount /var directory read-write. | 447 | Mount /var directory read-write. |
@@ -455,7 +455,7 @@ The following security filters are currently implemented: | |||
455 | 455 | ||
456 | .TP | 456 | .TP |
457 | \fBallow-debuggers | 457 | \fBallow-debuggers |
458 | Allow tools such as strace and gdb inside the sandbox by allowing system calls ptrace and process_vm_readv. | 458 | Allow tools such as strace and gdb inside the sandbox by whitelisting system calls ptrace and process_vm_readv. |
459 | #ifdef HAVE_APPARMOR | 459 | #ifdef HAVE_APPARMOR |
460 | .TP | 460 | .TP |
461 | \fBapparmor | 461 | \fBapparmor |
@@ -466,13 +466,13 @@ Enable AppArmor confinement. | |||
466 | Enable default Linux capabilities filter. | 466 | Enable default Linux capabilities filter. |
467 | .TP | 467 | .TP |
468 | \fBcaps.drop capability,capability,capability | 468 | \fBcaps.drop capability,capability,capability |
469 | Deny given Linux capabilities. | 469 | Blacklist given Linux capabilities. |
470 | .TP | 470 | .TP |
471 | \fBcaps.drop all | 471 | \fBcaps.drop all |
472 | Deny all Linux capabilities. | 472 | Blacklist all Linux capabilities. |
473 | .TP | 473 | .TP |
474 | \fBcaps.keep capability,capability,capability | 474 | \fBcaps.keep capability,capability,capability |
475 | Allow given Linux capabilities. | 475 | Whitelist given Linux capabilities. |
476 | .TP | 476 | .TP |
477 | \fBmemory-deny-write-execute | 477 | \fBmemory-deny-write-execute |
478 | Install a seccomp filter to block attempts to create memory mappings | 478 | Install a seccomp filter to block attempts to create memory mappings |
@@ -497,32 +497,32 @@ first argument to socket system call. Recognized values: \fBunix\fR, | |||
497 | \fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR. | 497 | \fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR. |
498 | .TP | 498 | .TP |
499 | \fBseccomp | 499 | \fBseccomp |
500 | Enable seccomp filter and deny the syscalls in the default list. See man 1 firejail for more details. | 500 | Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details. |
501 | .TP | 501 | .TP |
502 | \fBseccomp.32 | 502 | \fBseccomp.32 |
503 | Enable seccomp filter and deny the syscalls in the default list for 32 bit system calls on a 64 bit architecture system. | 503 | Enable seccomp filter and blacklist the syscalls in the default list for 32 bit system calls on a 64 bit architecture system. |
504 | .TP | 504 | .TP |
505 | \fBseccomp syscall,syscall,syscall | 505 | \fBseccomp syscall,syscall,syscall |
506 | Enable seccomp filter and deny the system calls in the list on top of default seccomp filter. | 506 | Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter. |
507 | .TP | 507 | .TP |
508 | \fBseccomp.32 syscall,syscall,syscall | 508 | \fBseccomp.32 syscall,syscall,syscall |
509 | Enable seccomp filter and deny the system calls in the list on top of default seccomp filter for 32 bit system calls on a 64 bit architecture system. | 509 | Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter for 32 bit system calls on a 64 bit architecture system. |
510 | .TP | 510 | .TP |
511 | \fBseccomp.block-secondary | 511 | \fBseccomp.block-secondary |
512 | Enable seccomp filter and filter system call architectures | 512 | Enable seccomp filter and filter system call architectures |
513 | so that only the native architecture is allowed. | 513 | so that only the native architecture is allowed. |
514 | .TP | 514 | .TP |
515 | \fBseccomp.drop syscall,syscall,syscall | 515 | \fBseccomp.drop syscall,syscall,syscall |
516 | Enable seccomp filter and deny the system calls in the list. | 516 | Enable seccomp filter and blacklist the system calls in the list. |
517 | .TP | 517 | .TP |
518 | \fBseccomp.32.drop syscall,syscall,syscall | 518 | \fBseccomp.32.drop syscall,syscall,syscall |
519 | Enable seccomp filter and deny the system calls in the list for 32 bit system calls on a 64 bit architecture system. | 519 | Enable seccomp filter and blacklist the system calls in the list for 32 bit system calls on a 64 bit architecture system. |
520 | .TP | 520 | .TP |
521 | \fBseccomp.keep syscall,syscall,syscall | 521 | \fBseccomp.keep syscall,syscall,syscall |
522 | Enable seccomp filter and allow the system calls in the list. | 522 | Enable seccomp filter and whitelist the system calls in the list. |
523 | .TP | 523 | .TP |
524 | \fBseccomp.32.keep syscall,syscall,syscall | 524 | \fBseccomp.32.keep syscall,syscall,syscall |
525 | Enable seccomp filter and allow the system calls in the list for 32 bit system calls on a 64 bit architecture system. | 525 | Enable seccomp filter and whitelist the system calls in the list for 32 bit system calls on a 64 bit architecture system. |
526 | .TP | 526 | .TP |
527 | \fBseccomp-error-action kill | log | ERRNO | 527 | \fBseccomp-error-action kill | log | ERRNO |
528 | Return a different error instead of EPERM to the process, kill it when | 528 | Return a different error instead of EPERM to the process, kill it when |
@@ -534,7 +534,7 @@ attempt. | |||
534 | Enable X11 sandboxing. | 534 | Enable X11 sandboxing. |
535 | .TP | 535 | .TP |
536 | \fBx11 none | 536 | \fBx11 none |
537 | Deny access to /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable. | 537 | Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable. |
538 | Remove DISPLAY and XAUTHORITY environment variables. | 538 | Remove DISPLAY and XAUTHORITY environment variables. |
539 | Stop with error message if X11 abstract socket will be accessible in jail. | 539 | Stop with error message if X11 abstract socket will be accessible in jail. |
540 | .TP | 540 | .TP |
@@ -606,7 +606,7 @@ Allow the application to see but not talk to the name org.freedesktop.Notificati | |||
606 | Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. | 606 | Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. |
607 | .TP | 607 | .TP |
608 | \fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications | 608 | \fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications |
609 | Allow the application to receive broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. | 609 | Allow the application to receive broadcast signals from the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. |
610 | .TP | 610 | .TP |
611 | \fBdbus-user filter | 611 | \fBdbus-user filter |
612 | Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands. | 612 | Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands. |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 498ff9aa9..0462705c0 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -99,40 +99,6 @@ $ firejail [OPTIONS] firefox # starting Mozilla Firefox | |||
99 | \fB\-\- | 99 | \fB\-\- |
100 | Signal the end of options and disables further option processing. | 100 | Signal the end of options and disables further option processing. |
101 | .TP | 101 | .TP |
102 | \fB\-\-allow=dirname_or_filename | ||
103 | Allow access to a directory or file. A temporary file system is mounted on the top directory, and the | ||
104 | allowed files are mount-binded inside. Modifications to allowed files are persistent, | ||
105 | everything else is discarded when the sandbox is closed. The top directory can be | ||
106 | all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and | ||
107 | all directories in /usr. | ||
108 | .br | ||
109 | |||
110 | .br | ||
111 | Symbolic link handling: with the exception of user home, both the link and the real file should be in | ||
112 | the same top directory. For user home, both the link and the real file should be owned by the user. | ||
113 | .br | ||
114 | |||
115 | .br | ||
116 | File globbing is supported, see \fBFILE GLOBBING\fR section for more details. | ||
117 | .br | ||
118 | |||
119 | .br | ||
120 | Example: | ||
121 | .br | ||
122 | $ firejail \-\-noprofile \-\-allow=~/.mozilla | ||
123 | .br | ||
124 | $ firejail \-\-allow=/tmp/.X11-unix --allow=/dev/null | ||
125 | .br | ||
126 | $ firejail "\-\-allow=/home/username/My Virtual Machines" | ||
127 | .br | ||
128 | $ firejail \-\-allow=~/work* \-\-allow=/var/backups* | ||
129 | |||
130 | |||
131 | |||
132 | |||
133 | |||
134 | |||
135 | .TP | ||
136 | \fB\-\-allow-debuggers | 102 | \fB\-\-allow-debuggers |
137 | Allow tools such as strace and gdb inside the sandbox by whitelisting | 103 | Allow tools such as strace and gdb inside the sandbox by whitelisting |
138 | system calls ptrace and process_vm_readv. This option is only | 104 | system calls ptrace and process_vm_readv. This option is only |
@@ -203,6 +169,21 @@ Example: | |||
203 | .br | 169 | .br |
204 | # firejail \-\-bind=/config/etc/passwd,/etc/passwd | 170 | # firejail \-\-bind=/config/etc/passwd,/etc/passwd |
205 | .TP | 171 | .TP |
172 | \fB\-\-blacklist=dirname_or_filename | ||
173 | Blacklist directory or file. File globbing is supported, see \fBFILE GLOBBING\fR section for more details. | ||
174 | .br | ||
175 | |||
176 | .br | ||
177 | Example: | ||
178 | .br | ||
179 | $ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin | ||
180 | .br | ||
181 | $ firejail \-\-blacklist=~/.mozilla | ||
182 | .br | ||
183 | $ firejail "\-\-blacklist=/home/username/My Virtual Machines" | ||
184 | .br | ||
185 | $ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines | ||
186 | .TP | ||
206 | \fB\-\-build | 187 | \fB\-\-build |
207 | The command builds a whitelisted profile. The profile is printed on the screen. If /usr/bin/strace is installed on the system, it also | 188 | The command builds a whitelisted profile. The profile is printed on the screen. If /usr/bin/strace is installed on the system, it also |
208 | builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox, | 189 | builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox, |
@@ -262,7 +243,7 @@ $ firejail \-\-caps.drop=all warzone2100 | |||
262 | 243 | ||
263 | .TP | 244 | .TP |
264 | \fB\-\-caps.drop=capability,capability,capability | 245 | \fB\-\-caps.drop=capability,capability,capability |
265 | Define a custom Linux capabilities filter. | 246 | Define a custom blacklist Linux capabilities filter. |
266 | .br | 247 | .br |
267 | 248 | ||
268 | .br | 249 | .br |
@@ -643,14 +624,14 @@ Example: | |||
643 | $ firejail \-\-debug firefox | 624 | $ firejail \-\-debug firefox |
644 | 625 | ||
645 | .TP | 626 | .TP |
646 | \fB\-\-debug-allow\fR | 627 | \fB\-\-debug-blacklists\fR |
647 | Debug file system access. | 628 | Debug blacklisting. |
648 | .br | 629 | .br |
649 | 630 | ||
650 | .br | 631 | .br |
651 | Example: | 632 | Example: |
652 | .br | 633 | .br |
653 | $ firejail \-\-debug-allow firefox | 634 | $ firejail \-\-debug-blacklists firefox |
654 | 635 | ||
655 | .TP | 636 | .TP |
656 | \fB\-\-debug-caps | 637 | \fB\-\-debug-caps |
@@ -663,16 +644,6 @@ Example: | |||
663 | $ firejail \-\-debug-caps | 644 | $ firejail \-\-debug-caps |
664 | 645 | ||
665 | .TP | 646 | .TP |
666 | \fB\-\-debug-deny\fR | ||
667 | Debug file access. | ||
668 | .br | ||
669 | |||
670 | .br | ||
671 | Example: | ||
672 | .br | ||
673 | $ firejail \-\-debug-deny firefox | ||
674 | |||
675 | .TP | ||
676 | \fB\-\-debug-errnos | 647 | \fB\-\-debug-errnos |
677 | Print all recognized error numbers in the current Firejail software build and exit. | 648 | Print all recognized error numbers in the current Firejail software build and exit. |
678 | .br | 649 | .br |
@@ -706,44 +677,33 @@ $ firejail \-\-debug-syscalls | |||
706 | \fB\-\-debug-syscalls32 | 677 | \fB\-\-debug-syscalls32 |
707 | Print all recognized 32 bit system calls in the current Firejail software build and exit. | 678 | Print all recognized 32 bit system calls in the current Firejail software build and exit. |
708 | .br | 679 | .br |
709 | |||
710 | #ifdef HAVE_NETWORK | ||
711 | .TP | 680 | .TP |
712 | \fB\-\-defaultgw=address | 681 | \fB\-\-debug-whitelists\fR |
713 | Use this address as default gateway in the new network namespace. | 682 | Debug whitelisting. |
714 | .br | 683 | .br |
715 | 684 | ||
716 | .br | 685 | .br |
717 | Example: | 686 | Example: |
718 | .br | 687 | .br |
719 | $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox | 688 | $ firejail \-\-debug-whitelists firefox |
720 | #endif | 689 | #ifdef HAVE_NETWORK |
721 | |||
722 | .TP | 690 | .TP |
723 | \fB\-\-deny=dirname_or_filename | 691 | \fB\-\-defaultgw=address |
724 | Deny access to directory or file. File globbing is supported, see \fBFILE GLOBBING\fR section for more details. | 692 | Use this address as default gateway in the new network namespace. |
725 | .br | 693 | .br |
726 | 694 | ||
727 | .br | 695 | .br |
728 | Example: | 696 | Example: |
729 | .br | 697 | .br |
730 | $ firejail \-\-deny=/sbin \-\-deny=/usr/sbin | 698 | $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox |
731 | .br | 699 | #endif |
732 | $ firejail \-\-deny=~/.mozilla | ||
733 | .br | ||
734 | $ firejail "\-\-deny=/home/username/My Virtual Machines" | ||
735 | .br | ||
736 | $ firejail \-\-deny=/home/username/My\\ Virtual\\ Machines | ||
737 | |||
738 | |||
739 | |||
740 | .TP | 700 | .TP |
741 | \fB\-\-deterministic-exit-code | 701 | \fB\-\-deterministic-exit-code |
742 | Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic. | 702 | Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic. |
743 | .br | 703 | .br |
744 | .TP | 704 | .TP |
745 | \fB\-\-disable-mnt | 705 | \fB\-\-disable-mnt |
746 | Deny access to /mnt, /media, /run/mount and /run/media. | 706 | Blacklist /mnt, /media, /run/mount and /run/media access. |
747 | .br | 707 | .br |
748 | 708 | ||
749 | .br | 709 | .br |
@@ -1511,16 +1471,12 @@ Example: | |||
1511 | $ firejail --no3d firefox | 1471 | $ firejail --no3d firefox |
1512 | 1472 | ||
1513 | .TP | 1473 | .TP |
1514 | \fB\-\-noallow=dirname_or_filename | ||
1515 | Disable \-\-allow for this directory or file. | ||
1516 | |||
1517 | .TP | ||
1518 | \fB\-\-noautopulse \fR(deprecated) | 1474 | \fB\-\-noautopulse \fR(deprecated) |
1519 | See --keep-config-pulse. | 1475 | See --keep-config-pulse. |
1520 | 1476 | ||
1521 | .TP | 1477 | .TP |
1522 | \fB\-\-nodeny=dirname_or_filename | 1478 | \fB\-\-noblacklist=dirname_or_filename |
1523 | Disable \-\-deny for this directory or file. | 1479 | Disable blacklist for this directory or file. |
1524 | .br | 1480 | .br |
1525 | 1481 | ||
1526 | .br | 1482 | .br |
@@ -1536,7 +1492,7 @@ $ exit | |||
1536 | .br | 1492 | .br |
1537 | 1493 | ||
1538 | .br | 1494 | .br |
1539 | $ firejail --nodeny=/bin/nc | 1495 | $ firejail --noblacklist=/bin/nc |
1540 | .br | 1496 | .br |
1541 | $ nc dict.org 2628 | 1497 | $ nc dict.org 2628 |
1542 | .br | 1498 | .br |
@@ -1710,6 +1666,10 @@ $ firejail \-\-nou2f | |||
1710 | Disable video devices. | 1666 | Disable video devices. |
1711 | .br | 1667 | .br |
1712 | 1668 | ||
1669 | .TP | ||
1670 | \fB\-\-nowhitelist=dirname_or_filename | ||
1671 | Disable whitelist for this directory or file. | ||
1672 | |||
1713 | #ifdef HAVE_OUTPUT | 1673 | #ifdef HAVE_OUTPUT |
1714 | .TP | 1674 | .TP |
1715 | \fB\-\-output=logfile | 1675 | \fB\-\-output=logfile |
@@ -2773,6 +2733,34 @@ Example: | |||
2773 | .br | 2733 | .br |
2774 | $ firejail \-\-net=br0 --veth-name=if0 | 2734 | $ firejail \-\-net=br0 --veth-name=if0 |
2775 | #endif | 2735 | #endif |
2736 | .TP | ||
2737 | \fB\-\-whitelist=dirname_or_filename | ||
2738 | Whitelist directory or file. A temporary file system is mounted on the top directory, and the | ||
2739 | whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent, | ||
2740 | everything else is discarded when the sandbox is closed. The top directory can be | ||
2741 | all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and | ||
2742 | all directories in /usr. | ||
2743 | .br | ||
2744 | |||
2745 | .br | ||
2746 | Symbolic link handling: with the exception of user home, both the link and the real file should be in | ||
2747 | the same top directory. For user home, both the link and the real file should be owned by the user. | ||
2748 | .br | ||
2749 | |||
2750 | .br | ||
2751 | File globbing is supported, see \fBFILE GLOBBING\fR section for more details. | ||
2752 | .br | ||
2753 | |||
2754 | .br | ||
2755 | Example: | ||
2756 | .br | ||
2757 | $ firejail \-\-noprofile \-\-whitelist=~/.mozilla | ||
2758 | .br | ||
2759 | $ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null | ||
2760 | .br | ||
2761 | $ firejail "\-\-whitelist=/home/username/My Virtual Machines" | ||
2762 | .br | ||
2763 | $ firejail \-\-whitelist=~/work* \-\-whitelist=/var/backups* | ||
2776 | 2764 | ||
2777 | .TP | 2765 | .TP |
2778 | \fB\-\-writable-etc | 2766 | \fB\-\-writable-etc |
diff --git a/src/tools/profcleaner.c b/src/tools/profcleaner.c index 93bb3f73d..beff93199 100644 --- a/src/tools/profcleaner.c +++ b/src/tools/profcleaner.c | |||
@@ -72,4 +72,4 @@ int main(int argc, char **argv) { | |||
72 | } | 72 | } |
73 | 73 | ||
74 | return 0; | 74 | return 0; |
75 | } \ No newline at end of file | 75 | } |
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in index 666dfd4c2..c7f6ee3f1 100644 --- a/src/zsh_completion/_firejail.in +++ b/src/zsh_completion/_firejail.in | |||
@@ -218,7 +218,7 @@ _firejail_args=( | |||
218 | '--netfilter.print=-[print the firewall name|pid]: :_all_firejails' | 218 | '--netfilter.print=-[print the firewall name|pid]: :_all_firejails' |
219 | '--netfilter6=-[enable IPv6 firewall]: :' | 219 | '--netfilter6=-[enable IPv6 firewall]: :' |
220 | '--netfilter6.print=-[print the IPv6 firewall name|pid]: :_all_firejails' | 220 | '--netfilter6.print=-[print the IPv6 firewall name|pid]: :_all_firejails' |
221 | '--netmask=-[define a network mask when dealing with unconfigured parrent interfaces]: :' | 221 | '--netmask=-[define a network mask when dealing with unconfigured parent interfaces]: :' |
222 | '--netns=-[Run the program in a named, persistent network namespace]: :' | 222 | '--netns=-[Run the program in a named, persistent network namespace]: :' |
223 | '--netstats[monitor network statistics]' | 223 | '--netstats[monitor network statistics]' |
224 | '--interface=-[move interface in sandbox]: :' | 224 | '--interface=-[move interface in sandbox]: :' |
diff --git a/test/environment/environment.sh b/test/environment/environment.sh index 152975c9d..1e1dd549b 100755 --- a/test/environment/environment.sh +++ b/test/environment/environment.sh | |||
@@ -112,14 +112,17 @@ echo "TESTING: rlimit (test/environment/rlimit.exp)" | |||
112 | echo "TESTING: rlimit profile (test/environment/rlimit-profile.exp)" | 112 | echo "TESTING: rlimit profile (test/environment/rlimit-profile.exp)" |
113 | ./rlimit-profile.exp | 113 | ./rlimit-profile.exp |
114 | 114 | ||
115 | echo "TESTING: rlimit join (test/environment/rlimit-join.exp)" | ||
116 | ./rlimit-join.exp | ||
117 | |||
115 | echo "TESTING: rlimit errors (test/environment/rlimit-bad.exp)" | 118 | echo "TESTING: rlimit errors (test/environment/rlimit-bad.exp)" |
116 | ./rlimit-bad.exp | 119 | ./rlimit-bad.exp |
117 | 120 | ||
118 | echo "TESTING: rlimit errors profile (test/environment/rlimit-bad-profile.exp)" | 121 | echo "TESTING: rlimit errors profile (test/environment/rlimit-bad-profile.exp)" |
119 | ./rlimit-bad-profile.exp | 122 | ./rlimit-bad-profile.exp |
120 | 123 | ||
121 | echo "TESTING: deterministic exit code (test/environment/deterministic-exit-code.exp" | 124 | echo "TESTING: deterministic exit code (test/environment/deterministic-exit-code.exp)" |
122 | ./deterministic-exit-code.exp | 125 | ./deterministic-exit-code.exp |
123 | 126 | ||
124 | echo "TESTING: retain umask (test/environment/umask.exp" | 127 | echo "TESTING: retain umask (test/environment/umask.exp)" |
125 | (umask 123 && ./umask.exp) | 128 | (umask 123 && ./umask.exp) |
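--- /dev/null
+++ b/test/environment/rlimit-join.exp
@@ -0,0 +1,36 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+cd /home
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --noprofile --name=\"rlimit testing\"\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+spawn $env(SHELL)
+send -- "firejail --rlimit-nofile=1234 --join=\"rlimit testing\"\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"Switching to pid"
+}
+sleep 1
+
+send -- "cat /proc/self/limits\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"Max open files 1234 1234"
+}
+after 100
+
+send -- "exit\r"
+after 100
+
+puts "\nall done\n"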
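Review bot: The pattern `"Max open files 1234 1234"` at line 29 is matched by expect as a glob with literal single spaces, while /proc/self/limits prints column-aligned fields separated by runs of spaces; if the whitespace shown here is what the file contains, the match would time out rather than confirm the joined process inherited the 1234/1234 limit. A regex with flexible whitespace is robust to both the kernel's column layout and this page's rendering: `-re {Max open files\s+1234\s+1234}`. The three timeout branches also `exit` with status 0, so environment.sh cannot distinguish a failed rlimit-via-join check from a pass; `exit 1` in each branch would surface the failure to the driver. The sandbox started at line 11 is never sent an `exit` and is only torn down when the script's pty closes, which is worth a comment or an explicit teardown so a hung sandbox does not outlive the test.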