diff options
| -rw-r--r-- | README.md | 22 | ||||
| -rw-r--r-- | chromium-whitelist.png | bin | 0 -> 47978 bytes | |||
| -rw-r--r-- | etc/chromium.profile | 5 | ||||
| -rw-r--r-- | etc/firefox.profile | 4 | ||||
| -rw-r--r-- | src/firejail/protocol.c | 5 | ||||
| -rw-r--r-- | src/firejail/usage.c | 9 | ||||
| -rw-r--r-- | src/man/firejail.txt | 22 |
7 files changed, 56 insertions, 11 deletions
| @@ -51,17 +51,35 @@ whitelist ~/Downloads | |||
| 51 | whitelist ~/dwhelper | 51 | whitelist ~/dwhelper |
| 52 | whitelist ~/.zotero | 52 | whitelist ~/.zotero |
| 53 | whitelist ~/.lastpass | 53 | whitelist ~/.lastpass |
| 54 | whitelist ~/.gtkrc-2.0 | ||
| 55 | whitelist ~/.vimperatorrc | ||
| 56 | whitelist ~/.vimperator | ||
| 54 | ````` | 57 | ````` |
| 55 | 58 | ||
| 56 | I intend to bring in all files and directories used by Firefox addons and plugins. So far I have | 59 | I intend to bring in all files and directories used by Firefox addons and plugins. So far I have |
| 57 | [Video DownloadHelper](https://addons.mozilla.org/en-US/firefox/addon/video-downloadhelper/), | 60 | [Video DownloadHelper](https://addons.mozilla.org/en-US/firefox/addon/video-downloadhelper/), |
| 58 | [Zotero](https://www.zotero.org/download/) and | 61 | [Zotero](https://www.zotero.org/download/) |
| 59 | [LastPass](https://addons.mozilla.org/en-US/firefox/addon/lastpass-password-manager/). | 62 | [LastPass](https://addons.mozilla.org/en-US/firefox/addon/lastpass-password-manager/), |
| 63 | and [Vimperator](https://addons.mozilla.org/en-US/firefox/addon/vimperator/) | ||
| 60 | If you're using a anything else, please let me know. | 64 | If you're using a anything else, please let me know. |
| 61 | 65 | ||
| 66 | ### Whitelisting in default Cromium profile | ||
| 67 | |||
| 68 |  | ||
| 69 | |||
| 62 | ### --ignore option | 70 | ### --ignore option |
| 63 | 71 | ||
| 64 | Ignore commands in profile files. Example: | 72 | Ignore commands in profile files. Example: |
| 65 | ````` | 73 | ````` |
| 66 | $ firejail --ignore=seccomp wine | 74 | $ firejail --ignore=seccomp wine |
| 67 | ````` | 75 | ````` |
| 76 | |||
| 77 | ### --protocol option | ||
| 78 | |||
| 79 | Enable protocol filter. The filter is based on seccomp and the first argument to socket system call. | ||
| 80 | Recognized values: unix, inet, inet6, netlink and packet. Example: | ||
| 81 | ````` | ||
| 82 | $ firejail --protocol=unix,inet,inet6 firefox | ||
| 83 | ````` | ||
| 84 | |||
| 85 | |||
diff --git a/chromium-whitelist.png b/chromium-whitelist.png new file mode 100644 index 000000000..a90f2aa1f --- /dev/null +++ b/chromium-whitelist.png | |||
| Binary files differ | |||
diff --git a/etc/chromium.profile b/etc/chromium.profile index f493e1b96..a66578436 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile | |||
| @@ -5,6 +5,5 @@ include /etc/firejail/disable-secret.inc | |||
| 5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
| 6 | include /etc/firejail/disable-history.inc | 6 | include /etc/firejail/disable-history.inc |
| 7 | netfilter | 7 | netfilter |
| 8 | 8 | whitelist ~/Downloads | |
| 9 | 9 | whitelist ~/.config/chromium | |
| 10 | |||
diff --git a/etc/firefox.profile b/etc/firefox.profile index aee97073d..d81f6a9e1 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile | |||
| @@ -16,7 +16,3 @@ whitelist ~/.lastpass | |||
| 16 | whitelist ~/.gtkrc-2.0 | 16 | whitelist ~/.gtkrc-2.0 |
| 17 | whitelist ~/.vimperatorrc | 17 | whitelist ~/.vimperatorrc |
| 18 | whitelist ~/.vimperator | 18 | whitelist ~/.vimperator |
| 19 | |||
| 20 | |||
| 21 | |||
| 22 | |||
diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c index 5f730afef..8e75277c2 100644 --- a/src/firejail/protocol.c +++ b/src/firejail/protocol.c | |||
| @@ -74,6 +74,11 @@ static struct sock_filter *find_protocol_domain(const char *p) { | |||
| 74 | 74 | ||
| 75 | // --debug-protocols | 75 | // --debug-protocols |
| 76 | void protocol_list(void) { | 76 | void protocol_list(void) { |
| 77 | #ifndef SYS_socket | ||
| 78 | fprintf(stderr, "Warning: --protocol not supported on this platform\n"); | ||
| 79 | return; | ||
| 80 | #endif | ||
| 81 | |||
| 77 | int i = 0; | 82 | int i = 0; |
| 78 | while (protocol[i] != NULL) { | 83 | while (protocol[i] != NULL) { |
| 79 | printf("%s, ", protocol[i]); | 84 | printf("%s, ", protocol[i]); |
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index d3cad1e63..c829b94f2 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
| @@ -70,6 +70,8 @@ void usage(void) { | |||
| 70 | printf("\t\tFirejail software build and exit.\n\n"); | 70 | printf("\t\tFirejail software build and exit.\n\n"); |
| 71 | printf("\t--debug-errnos - print all recognized error numbres in the current\n"); | 71 | printf("\t--debug-errnos - print all recognized error numbres in the current\n"); |
| 72 | printf("\t\tFirejail software build and exit.\n\n"); | 72 | printf("\t\tFirejail software build and exit.\n\n"); |
| 73 | printf("\t--debug-protocols - print all recognized protocols in the current\n"); | ||
| 74 | printf("\t\tFirejail software build and exit.\n\n"); | ||
| 73 | printf("\t--debug-syscalls - print all recognized system calls in the current\n"); | 75 | printf("\t--debug-syscalls - print all recognized system calls in the current\n"); |
| 74 | printf("\t\tFirejail software build and exit.\n\n"); | 76 | printf("\t\tFirejail software build and exit.\n\n"); |
| 75 | printf("\t--defaultgw=address - use this address as default gateway in the new\n"); | 77 | printf("\t--defaultgw=address - use this address as default gateway in the new\n"); |
| @@ -192,6 +194,10 @@ void usage(void) { | |||
| 192 | printf("\t\tAll modifications are discarded when the sandbox is closed.\n\n"); | 194 | printf("\t\tAll modifications are discarded when the sandbox is closed.\n\n"); |
| 193 | 195 | ||
| 194 | printf("\t--profile=filename - use a custom profile.\n\n"); | 196 | printf("\t--profile=filename - use a custom profile.\n\n"); |
| 197 | |||
| 198 | printf("\t--protocol=protocol,protocol,protocol - enable protocol filter.\n"); | ||
| 199 | printf("\t\tProtocol values: unix, inet, inet6, netlink, packet.\n\n"); | ||
| 200 | |||
| 195 | printf("\t--quiet - turn off Firejail's output.\n\n"); | 201 | printf("\t--quiet - turn off Firejail's output.\n\n"); |
| 196 | printf("\t--read-only=dirname_or_filename - set directory or file read-only.\n\n"); | 202 | printf("\t--read-only=dirname_or_filename - set directory or file read-only.\n\n"); |
| 197 | printf("\t--rlimit-fsize=number - set the maximum file size that can be created\n"); | 203 | printf("\t--rlimit-fsize=number - set the maximum file size that can be created\n"); |
| @@ -218,7 +224,8 @@ void usage(void) { | |||
| 218 | printf("\t\tkeyctl, uselib, acct, modify_ldt, pivot_root, io_setup,\n"); | 224 | printf("\t\tkeyctl, uselib, acct, modify_ldt, pivot_root, io_setup,\n"); |
| 219 | printf("\t\tio_destroy, io_getevents, io_submit, io_cancel,\n"); | 225 | printf("\t\tio_destroy, io_getevents, io_submit, io_cancel,\n"); |
| 220 | printf("\t\tremap_file_pages, mbind, get_mempolicy, set_mempolicy,\n"); | 226 | printf("\t\tremap_file_pages, mbind, get_mempolicy, set_mempolicy,\n"); |
| 221 | printf("\t\tmigrate_pages, move_pages, vmsplice, and perf_event_open.\n\n"); | 227 | printf("\t\tmigrate_pages, move_pages, vmsplice, perf_event_open and\n"); |
| 228 | printf("\t\tkexec_file_load.\n\n"); | ||
| 222 | 229 | ||
| 223 | printf("\t--seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n"); | 230 | printf("\t--seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n"); |
| 224 | printf("\t\tdefault syscall list and the syscalls specified by the command.\n\n"); | 231 | printf("\t\tdefault syscall list and the syscalls specified by the command.\n\n"); |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 12c32f4c7..52b75afaa 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
| @@ -23,7 +23,7 @@ firejail {\-\-list | \-\-netstats | \-\-top | \-\-tree} | |||
| 23 | Miscellaneous: | 23 | Miscellaneous: |
| 24 | .PP | 24 | .PP |
| 25 | .RS | 25 | .RS |
| 26 | firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-help | \-\-version} | 26 | firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-debug-protocols | \-\-help | \-\-version} |
| 27 | .RE | 27 | .RE |
| 28 | .SH DESCRIPTION | 28 | .SH DESCRIPTION |
| 29 | Firejail is a SUID sandbox program that reduces the risk of security breaches by | 29 | Firejail is a SUID sandbox program that reduces the risk of security breaches by |
| @@ -258,6 +258,15 @@ Example: | |||
| 258 | .br | 258 | .br |
| 259 | $ firejail \-\-debug-errnos | 259 | $ firejail \-\-debug-errnos |
| 260 | .TP | 260 | .TP |
| 261 | \fB\-\-debug-protocols | ||
| 262 | Print all recognized protocols in the current Firejail software build and exit. | ||
| 263 | .br | ||
| 264 | |||
| 265 | .br | ||
| 266 | Example: | ||
| 267 | .br | ||
| 268 | $ firejail \-\-debug-protocols | ||
| 269 | .TP | ||
| 261 | \fB\-\-debug-syscalls | 270 | \fB\-\-debug-syscalls |
| 262 | Print all recognized system calls in the current Firejail software build and exit. | 271 | Print all recognized system calls in the current Firejail software build and exit. |
| 263 | .br | 272 | .br |
| @@ -842,6 +851,17 @@ For more information, see SECURITY PROFILES section below. | |||
| 842 | Example: | 851 | Example: |
| 843 | .br | 852 | .br |
| 844 | $ firejail \-\-profile=myprofile | 853 | $ firejail \-\-profile=myprofile |
| 854 | |||
| 855 | .TP | ||
| 856 | \fB\-\-protocol=protocol,protocol,protocol | ||
| 857 | Enable protocol filter. The filter is based on seccomp and the first argument to socket system call. | ||
| 858 | Recognized values: unix, inet, inet6, netlink and packet. | ||
| 859 | .br | ||
| 860 | |||
| 861 | .br | ||
| 862 | Example: | ||
| 863 | .br | ||
| 864 | $ firejail \-\-protocol=unix,inet,inet6 firefox | ||
| 845 | .TP | 865 | .TP |
| 846 | \fB\-\-quiet | 866 | \fB\-\-quiet |
| 847 | Turn off Firejail's output. | 867 | Turn off Firejail's output. |
