32 files changed, 247 insertions, 157 deletions
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index 839ba6f49..643832617 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml | |||
@@ -60,7 +60,7 @@ jobs: | |||
60 | allowed-endpoints: > | 60 | allowed-endpoints: > |
61 | azure.archive.ubuntu.com:80 | 61 | azure.archive.ubuntu.com:80 |
62 | github.com:443 | 62 | github.com:443 |
63 | - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | 63 | - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c |
64 | - name: install dependencies | 64 | - name: install dependencies |
65 | run: sudo apt-get install libapparmor-dev libselinux1-dev | 65 | run: sudo apt-get install libapparmor-dev libselinux1-dev |
66 | - name: configure | 66 | - name: configure |
@@ -81,7 +81,7 @@ jobs: | |||
81 | allowed-endpoints: > | 81 | allowed-endpoints: > |
82 | azure.archive.ubuntu.com:80 | 82 | azure.archive.ubuntu.com:80 |
83 | github.com:443 | 83 | github.com:443 |
84 | - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | 84 | - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c |
85 | - name: install clang-tools-14 and dependencies | 85 | - name: install clang-tools-14 and dependencies |
86 | run: sudo apt-get install clang-tools-14 libapparmor-dev libselinux1-dev | 86 | run: sudo apt-get install clang-tools-14 libapparmor-dev libselinux1-dev |
87 | - name: configure | 87 | - name: configure |
@@ -98,7 +98,7 @@ jobs: | |||
98 | allowed-endpoints: > | 98 | allowed-endpoints: > |
99 | azure.archive.ubuntu.com:80 | 99 | azure.archive.ubuntu.com:80 |
100 | github.com:443 | 100 | github.com:443 |
101 | - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | 101 | - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c |
102 | - name: install cppcheck | 102 | - name: install cppcheck |
103 | run: sudo apt-get install cppcheck | 103 | run: sudo apt-get install cppcheck |
104 | - name: cppcheck | 104 | - name: cppcheck |
@@ -115,7 +115,7 @@ jobs: | |||
115 | allowed-endpoints: > | 115 | allowed-endpoints: > |
116 | azure.archive.ubuntu.com:80 | 116 | azure.archive.ubuntu.com:80 |
117 | github.com:443 | 117 | github.com:443 |
118 | - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | 118 | - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c |
119 | - name: install cppcheck | 119 | - name: install cppcheck |
120 | run: sudo apt-get install cppcheck | 120 | run: sudo apt-get install cppcheck |
121 | - name: cppcheck | 121 | - name: cppcheck |
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 852575532..ab15f42e7 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml | |||
@@ -56,7 +56,7 @@ jobs: | |||
56 | www.debian.org:443 | 56 | www.debian.org:443 |
57 | www.debian.org:80 | 57 | www.debian.org:80 |
58 | yahoo.com:1025 | 58 | yahoo.com:1025 |
59 | - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | 59 | - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c |
60 | - name: update package information | 60 | - name: update package information |
61 | run: sudo apt-get update | 61 | run: sudo apt-get update |
62 | - name: install dependencies | 62 | - name: install dependencies |
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 47b4bfca3..bf08e01e9 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml | |||
@@ -84,7 +84,7 @@ jobs: | |||
84 | uploads.github.com:443 | 84 | uploads.github.com:443 |
85 | 85 | ||
86 | - name: Checkout repository | 86 | - name: Checkout repository |
87 | uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | 87 | uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c |
88 | 88 | ||
89 | # Initializes the CodeQL tools for scanning. | 89 | # Initializes the CodeQL tools for scanning. |
90 | - name: Initialize CodeQL | 90 | - name: Initialize CodeQL |
diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml index 4acd94c96..0504a58fd 100644 --- a/.github/workflows/profile-checks.yml +++ b/.github/workflows/profile-checks.yml | |||
@@ -33,7 +33,7 @@ jobs: | |||
33 | allowed-endpoints: > | 33 | allowed-endpoints: > |
34 | github.com:443 | 34 | github.com:443 |
35 | 35 | ||
36 | - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | 36 | - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c |
37 | - name: sort.py | 37 | - name: sort.py |
38 | run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile | 38 | run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile |
39 | - name: private-etc-always-required.sh | 39 | - name: private-etc-always-required.sh |
@@ -268,16 +268,16 @@ scan-build: clean | |||
268 | # make test | 268 | # make test |
269 | # | 269 | # |
270 | 270 | ||
271 | TESTS=profiles private-lib apps apps-x11 apps-x11-xorg sysutils utils environment filters fs fcopy fnetfilter | 271 | TESTS=profiles apps apps-x11 apps-x11-xorg sysutils utils environment filters fs fcopy fnetfilter |
272 | TEST_TARGETS=$(patsubst %,test-%,$(TESTS)) | 272 | TEST_TARGETS=$(patsubst %,test-%,$(TESTS)) |
273 | 273 | ||
274 | $(TEST_TARGETS): | 274 | $(TEST_TARGETS): |
275 | $(MAKE) -C test $(subst test-,,$@) | 275 | $(MAKE) -C test $(subst test-,,$@) |
276 | 276 | ||
277 | test: test-profiles test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters | 277 | test: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters |
278 | echo "TEST COMPLETE" | 278 | echo "TEST COMPLETE" |
279 | 279 | ||
280 | test-noprofiles: test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters | 280 | test-noprofiles: test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters |
281 | echo "TEST COMPLETE" | 281 | echo "TEST COMPLETE" |
282 | 282 | ||
283 | test-github: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment | 283 | test-github: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment |
@@ -288,6 +288,9 @@ test-github: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sy | |||
288 | # The tests are very intrusive, by the time you are done | 288 | # The tests are very intrusive, by the time you are done |
289 | # with them you will need to restart your computer. | 289 | # with them you will need to restart your computer. |
290 | ########################################## | 290 | ########################################## |
291 | # private-lib is disabled by default in /etc/firejail/firejail.config | ||
292 | test-private-lib: | ||
293 | $(MAKE) -C test $(subst test-,,$@) | ||
291 | 294 | ||
292 | # a firejail-test account is required, public/private key setup | 295 | # a firejail-test account is required, public/private key setup |
293 | test-ssh: | 296 | test-ssh: |
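Review bot: The new standalone `test-private-lib` target (line 292-293) re-types the recipe already used by the `$(TEST_TARGETS)` rule, `$(MAKE) -C test $(subst test-,,$@)`, so the two copies can now drift apart. Keeping the opt-in test in a second list and generating the target from the same rule, e.g. `EXTRA_TESTS=private-lib` and `$(TEST_TARGETS) $(patsubst %,test-%,$(EXTRA_TESTS)):`, avoids the duplicate recipe while still leaving it out of `TESTS`, `test` and `test-noprofiles`. The comment on line 291 states why the test is excluded but not what a user has to do to run it; `# private-lib is disabled by default in /etc/firejail/firejail.config; enable it there before running this target` would make the opt-in explicit. Whether test-private-lib is also added to the .PHONY list is outside this hunk and cannot be checked here.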
@@ -208,11 +208,12 @@ bbhtt (https://github.com/bbhtt) | |||
208 | - email clients whitelisting and fixes | 208 | - email clients whitelisting and fixes |
209 | Benjamin Kampmann (https://github.com/ligthyear) | 209 | Benjamin Kampmann (https://github.com/ligthyear) |
210 | - Forward exit code from child process | 210 | - Forward exit code from child process |
211 | BeautyYuYanli (https://github.com/BeautyYuYanli) | ||
212 | - add linuxqq and qq profiles | ||
211 | bitfreak25 (https://github.com/bitfreak25) | 213 | bitfreak25 (https://github.com/bitfreak25) |
212 | - added PlayOnLinux profile | 214 | - added PlayOnLinux profile |
213 | - minetest profile fix | 215 | - minetest profile fix |
214 | - added sylpheed profile | 216 | - added sylpheed profile |
215 | |||
216 | bn0785ac (https://github.com/bn0785ac) | 217 | bn0785ac (https://github.com/bn0785ac) |
217 | - fixed bnox, dnox profiles | 218 | - fixed bnox, dnox profiles |
218 | - support all tor-browser langpacks | 219 | - support all tor-browser langpacks |
@@ -283,6 +284,8 @@ croket (https://github.com/crocket) | |||
283 | - fix dino profile | 284 | - fix dino profile |
284 | - fix wireshark profile | 285 | - fix wireshark profile |
285 | - prevent emptty /usr/share in google-chrome profiles | 286 | - prevent emptty /usr/share in google-chrome profiles |
287 | cubercsl (https://github.com/cubercsl) | ||
288 | - add linuxqq and qq profiles | ||
286 | curiosity-seeker (https://github.com/curiosity-seeker - old) | 289 | curiosity-seeker (https://github.com/curiosity-seeker - old) |
287 | curiosityseeker (https://github.com/curiosityseeker - new) | 290 | curiosityseeker (https://github.com/curiosityseeker - new) |
288 | - tightening unbound and dnscrypt-proxy profiles | 291 | - tightening unbound and dnscrypt-proxy profiles |
@@ -338,7 +338,8 @@ Stats: | |||
338 | ### New profiles: | 338 | ### New profiles: |
339 | 339 | ||
340 | onionshare, onionshare-cli, opera-developer, songrec, gdu, makedeb, lbry-viewer, tuir, | 340 | onionshare, onionshare-cli, opera-developer, songrec, gdu, makedeb, lbry-viewer, tuir, |
341 | cinelerra-gg, tesseract, avidemux3_cli, avidemux3_jobs_qt5, avidemux3_qt5, ssmtp | 341 | cinelerra-gg, tesseract, avidemux3_cli, avidemux3_jobs_qt5, avidemux3_qt5, ssmtp, |
342 | linuxqq, qq | ||
342 | 343 | ||
343 | 344 | ||
344 | 345 | ||
@@ -1,5 +1,4 @@ | |||
1 | firejail (0.9.72rc1) baseline; urgency=low | 1 | firejail (0.9.72) baseline; urgency=low |
2 | * work in progress | ||
3 | * feature: On failing to remount a fuse filesystem, give warning instead of | 2 | * feature: On failing to remount a fuse filesystem, give warning instead of |
4 | erroring out (#5240 #5242) | 3 | erroring out (#5240 #5242) |
5 | * feature: Update syscall tables and seccomp groups (#5188) | 4 | * feature: Update syscall tables and seccomp groups (#5188) |
@@ -8,7 +7,7 @@ firejail (0.9.72rc1) baseline; urgency=low | |||
8 | (--restrict-namespaces, --restrict-namespaces=), implemented as a seccomp | 7 | (--restrict-namespaces, --restrict-namespaces=), implemented as a seccomp |
9 | filter for both 64 and 32 bit architectures (#4939 #5259) | 8 | filter for both 64 and 32 bit architectures (#4939 #5259) |
10 | * feature: add support for custom AppArmor profiles (--apparmor=) (#5274 | 9 | * feature: add support for custom AppArmor profiles (--apparmor=) (#5274 |
11 | #5316 #5317) | 10 | #5316 #5317 #5475) |
12 | * feature: add support for ICMP in nettrace | 11 | * feature: add support for ICMP in nettrace |
13 | * feature: add --dnstrace, --icmptrace, and --snitrace commands | 12 | * feature: add --dnstrace, --icmptrace, and --snitrace commands |
14 | * feature: Add basic gtksourceview language-spec (file type detection/syntax | 13 | * feature: Add basic gtksourceview language-spec (file type detection/syntax |
@@ -27,6 +26,7 @@ firejail (0.9.72rc1) baseline; urgency=low | |||
27 | (#5190) | 26 | (#5190) |
28 | * modif: removed grsecurity support | 27 | * modif: removed grsecurity support |
29 | * bugfix: Flood of seccomp audit log entries (#5207) | 28 | * bugfix: Flood of seccomp audit log entries (#5207) |
29 | * bugfix: --netlock does not work (Error: no valid sandbox) (#5312) | ||
30 | * build: deduplicate configure-time vars into new config files (#5140 #5284) | 30 | * build: deduplicate configure-time vars into new config files (#5140 #5284) |
31 | * build: fix file mode of shell scripts (644 -> 755) (#5206) | 31 | * build: fix file mode of shell scripts (644 -> 755) (#5206) |
32 | * build: reduce autoconf input files from 32 to 2 (#5219) | 32 | * build: reduce autoconf input files from 32 to 2 (#5219) |
@@ -41,6 +41,7 @@ firejail (0.9.72rc1) baseline; urgency=low | |||
41 | * build: deduplicate makefiles (#5478) | 41 | * build: deduplicate makefiles (#5478) |
42 | * build: fix formatting and misc in configure (#5488) | 42 | * build: fix formatting and misc in configure (#5488) |
43 | * build: actually set LDFLAGS/LIBS & stop overriding CFLAGS/LDFLAGS (#5504) | 43 | * build: actually set LDFLAGS/LIBS & stop overriding CFLAGS/LDFLAGS (#5504) |
44 | * build: make shell commands more portable in firejail.vim (#5577) | ||
44 | * ci: bump ubuntu to 22.04 and use newer compilers / analyzers (#5275) | 45 | * ci: bump ubuntu to 22.04 and use newer compilers / analyzers (#5275) |
45 | * ci: ignore git-related paths and the project license (#5249) | 46 | * ci: ignore git-related paths and the project license (#5249) |
46 | * ci: Harden GitHub Actions (StepSecurity) (#5439) | 47 | * ci: Harden GitHub Actions (StepSecurity) (#5439) |
@@ -58,7 +59,9 @@ firejail (0.9.72rc1) baseline; urgency=low | |||
58 | * docs: clarify that --appimage should appear before --profile (#5402 #5451) | 59 | * docs: clarify that --appimage should appear before --profile (#5402 #5451) |
59 | * docs: add more Firefox examples to the firejail-local AppArmor profile | 60 | * docs: add more Firefox examples to the firejail-local AppArmor profile |
60 | (#5493) | 61 | (#5493) |
61 | -- netblue30 <netblue30@yahoo.com> Sat, 11 Jun 2022 09:00:00 -0500 | 62 | * docs: Fix broken Restrict-DBus wiki link on profile.template (#5554) |
63 | * docs: Remove invalid --profile-path from --help (#5585 #5586) | ||
64 | -- netblue30 <netblue30@yahoo.com> Thu, 12 Jan 2023 09:00:00 -0500 | ||
62 | 65 | ||
63 | firejail (0.9.70) baseline; urgency=low | 66 | firejail (0.9.70) baseline; urgency=low |
64 | * security: CVE-2022-31214 - root escalation in --join logic | 67 | * security: CVE-2022-31214 - root escalation in --join logic |
@@ -1,6 +1,6 @@ | |||
1 | #! /bin/sh | 1 | #! /bin/sh |
2 | # Guess values for system-dependent variables and create Makefiles. | 2 | # Guess values for system-dependent variables and create Makefiles. |
3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.72rc1. | 3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.72. |
4 | # | 4 | # |
5 | # Report bugs to <netblue30@protonmail.com>. | 5 | # Report bugs to <netblue30@protonmail.com>. |
6 | # | 6 | # |
@@ -580,8 +580,8 @@ MAKEFLAGS= | |||
580 | # Identity of this package. | 580 | # Identity of this package. |
581 | PACKAGE_NAME='firejail' | 581 | PACKAGE_NAME='firejail' |
582 | PACKAGE_TARNAME='firejail' | 582 | PACKAGE_TARNAME='firejail' |
583 | PACKAGE_VERSION='0.9.72rc1' | 583 | PACKAGE_VERSION='0.9.72' |
584 | PACKAGE_STRING='firejail 0.9.72rc1' | 584 | PACKAGE_STRING='firejail 0.9.72' |
585 | PACKAGE_BUGREPORT='netblue30@protonmail.com' | 585 | PACKAGE_BUGREPORT='netblue30@protonmail.com' |
586 | PACKAGE_URL='https://firejail.wordpress.com' | 586 | PACKAGE_URL='https://firejail.wordpress.com' |
587 | 587 | ||
@@ -1298,7 +1298,7 @@ if test "$ac_init_help" = "long"; then | |||
1298 | # Omit some internal or obsolete options to make the list less imposing. | 1298 | # Omit some internal or obsolete options to make the list less imposing. |
1299 | # This message is too long to be a string in the A/UX 3.1 sh. | 1299 | # This message is too long to be a string in the A/UX 3.1 sh. |
1300 | cat <<_ACEOF | 1300 | cat <<_ACEOF |
1301 | \`configure' configures firejail 0.9.72rc1 to adapt to many kinds of systems. | 1301 | \`configure' configures firejail 0.9.72 to adapt to many kinds of systems. |
1302 | 1302 | ||
1303 | Usage: $0 [OPTION]... [VAR=VALUE]... | 1303 | Usage: $0 [OPTION]... [VAR=VALUE]... |
1304 | 1304 | ||
@@ -1360,7 +1360,7 @@ fi | |||
1360 | 1360 | ||
1361 | if test -n "$ac_init_help"; then | 1361 | if test -n "$ac_init_help"; then |
1362 | case $ac_init_help in | 1362 | case $ac_init_help in |
1363 | short | recursive ) echo "Configuration of firejail 0.9.72rc1:";; | 1363 | short | recursive ) echo "Configuration of firejail 0.9.72:";; |
1364 | esac | 1364 | esac |
1365 | cat <<\_ACEOF | 1365 | cat <<\_ACEOF |
1366 | 1366 | ||
@@ -1484,7 +1484,7 @@ fi | |||
1484 | test -n "$ac_init_help" && exit $ac_status | 1484 | test -n "$ac_init_help" && exit $ac_status |
1485 | if $ac_init_version; then | 1485 | if $ac_init_version; then |
1486 | cat <<\_ACEOF | 1486 | cat <<\_ACEOF |
1487 | firejail configure 0.9.72rc1 | 1487 | firejail configure 0.9.72 |
1488 | generated by GNU Autoconf 2.69 | 1488 | generated by GNU Autoconf 2.69 |
1489 | 1489 | ||
1490 | Copyright (C) 2012 Free Software Foundation, Inc. | 1490 | Copyright (C) 2012 Free Software Foundation, Inc. |
@@ -1740,7 +1740,7 @@ cat >config.log <<_ACEOF | |||
1740 | This file contains any messages produced by compilers while | 1740 | This file contains any messages produced by compilers while |
1741 | running configure, to aid debugging if configure makes a mistake. | 1741 | running configure, to aid debugging if configure makes a mistake. |
1742 | 1742 | ||
1743 | It was created by firejail $as_me 0.9.72rc1, which was | 1743 | It was created by firejail $as_me 0.9.72, which was |
1744 | generated by GNU Autoconf 2.69. Invocation command line was | 1744 | generated by GNU Autoconf 2.69. Invocation command line was |
1745 | 1745 | ||
1746 | $ $0 $@ | 1746 | $ $0 $@ |
@@ -4640,7 +4640,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |||
4640 | # report actual input values of CONFIG_FILES etc. instead of their | 4640 | # report actual input values of CONFIG_FILES etc. instead of their |
4641 | # values after options handling. | 4641 | # values after options handling. |
4642 | ac_log=" | 4642 | ac_log=" |
4643 | This file was extended by firejail $as_me 0.9.72rc1, which was | 4643 | This file was extended by firejail $as_me 0.9.72, which was |
4644 | generated by GNU Autoconf 2.69. Invocation command line was | 4644 | generated by GNU Autoconf 2.69. Invocation command line was |
4645 | 4645 | ||
4646 | CONFIG_FILES = $CONFIG_FILES | 4646 | CONFIG_FILES = $CONFIG_FILES |
@@ -4694,7 +4694,7 @@ _ACEOF | |||
4694 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | 4694 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
4695 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" | 4695 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" |
4696 | ac_cs_version="\\ | 4696 | ac_cs_version="\\ |
4697 | firejail config.status 0.9.72rc1 | 4697 | firejail config.status 0.9.72 |
4698 | configured by $0, generated by GNU Autoconf 2.69, | 4698 | configured by $0, generated by GNU Autoconf 2.69, |
4699 | with options \\"\$ac_cs_config\\" | 4699 | with options \\"\$ac_cs_config\\" |
4700 | 4700 | ||
diff --git a/configure.ac b/configure.ac index bee9143c2..412cdd6f5 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -12,7 +12,7 @@ | |||
12 | # | 12 | # |
13 | 13 | ||
14 | AC_PREREQ([2.68]) | 14 | AC_PREREQ([2.68]) |
15 | AC_INIT([firejail], [0.9.72rc1], [netblue30@protonmail.com], [], | 15 | AC_INIT([firejail], [0.9.72], [netblue30@protonmail.com], [], |
16 | [https://firejail.wordpress.com]) | 16 | [https://firejail.wordpress.com]) |
17 | 17 | ||
18 | AC_CONFIG_SRCDIR([src/firejail/main.c]) | 18 | AC_CONFIG_SRCDIR([src/firejail/main.c]) |
diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim index 0c8ebdbd8..c844350d8 100644 --- a/contrib/vim/syntax/firejail.vim +++ b/contrib/vim/syntax/firejail.vim | |||
@@ -24,14 +24,14 @@ syn keyword fjProtocol unix inet inet6 netlink packet nextgroup=fjProtocolList c | |||
24 | syn match fjProtocolList /,/ nextgroup=fjProtocol contained | 24 | syn match fjProtocolList /,/ nextgroup=fjProtocol contained |
25 | 25 | ||
26 | " Syscalls grabbed from: src/include/syscall*.h | 26 | " Syscalls grabbed from: src/include/syscall*.h |
27 | " Generate list with: sed -ne 's/{\s\+"\([^"]\+\)",.*},/\1/p' src/include/syscall*.h | sort -u | tr $'\n' ' ' | 27 | " Generate list with: sed -n 's/{\s\+"\([^"]\+\)",.*},/\1/p' src/include/syscall*.h | sort -u | tr '\n' ' ' |
28 | syn keyword fjSyscall _llseek _newselect _sysctl accept accept4 access acct add_key adjtimex afs_syscall alarm arch_prctl arm_fadvise64_64 arm_sync_file_range bdflush bind bpf break brk capget capset chdir chmod chown chown32 chroot clock_adjtime clock_adjtime64 clock_getres clock_getres_time64 clock_gettime clock_gettime64 clock_nanosleep clock_nanosleep_time64 clock_settime clock_settime64 clone clone3 close connect copy_file_range creat create_module delete_module dup dup2 dup3 epoll_create epoll_create1 epoll_ctl epoll_ctl_old epoll_pwait epoll_wait epoll_wait_old eventfd eventfd2 execve execveat exit exit_group faccessat faccessat2 fadvise64 fadvise64_64 fallocate fanotify_init fanotify_mark fchdir fchmod fchmodat fchown fchown32 fchownat fcntl fcntl64 fdatasync fgetxattr finit_module flistxattr flock fork fremovexattr fsconfig fsetxattr fsmount fsopen fspick fstat fstat64 fstatat64 fstatfs fstatfs64 fsync ftime ftruncate ftruncate64 futex futex_time64 futimesat getcpu getcwd getdents getdents64 getegid getegid32 geteuid geteuid32 getgid getgid32 getgroups getgroups32 getitimer get_kernel_syms get_mempolicy getpeername getpgid getpgrp getpid getpmsg getppid getpriority getrandom getresgid getresgid32 getresuid getresuid32 getrlimit get_robust_list getrusage getsid getsockname getsockopt get_thread_area gettid gettimeofday getuid getuid32 getxattr gtty idle init_module inotify_add_watch inotify_init inotify_init1 inotify_rm_watch io_cancel ioctl io_destroy io_getevents ioperm io_pgetevents io_pgetevents_time64 iopl ioprio_get ioprio_set io_setup io_submit io_uring_enter io_uring_register io_uring_setup ipc kcmp kexec_file_load kexec_load keyctl kill lchown lchown32 lgetxattr link linkat listen listxattr llistxattr lock lookup_dcookie lremovexattr lseek lsetxattr lstat lstat64 madvise mbind membarrier memfd_create migrate_pages mincore mkdir mkdirat mknod mknodat mlock mlock2 mlockall mmap mmap2 modify_ldt mount move_mount move_pages mprotect mpx 
mq_getsetattr mq_notify mq_open mq_timedreceive mq_timedreceive_time64 mq_timedsend mq_timedsend_time64 mq_unlink mremap msgctl msgget msgrcv msgsnd msync munlock munlockall munmap name_to_handle_at nanosleep newfstatat nfsservctl nice oldfstat oldlstat oldolduname oldstat olduname open openat open_by_handle_at open_tree pause pciconfig_iobase pciconfig_read pciconfig_write perf_event_open personality pidfd_open pidfd_send_signal pipe pipe2 pivot_root pkey_alloc pkey_free pkey_mprotect poll ppoll ppoll_time64 prctl pread64 preadv preadv2 prlimit64 process_vm_readv process_vm_writev prof profil pselect6 pselect6_time64 ptrace putpmsg pwrite64 pwritev pwritev2 query_module quotactl read readahead readdir readlink readlinkat readv reboot recv recvfrom recvmmsg recvmmsg_time64 recvmsg remap_file_pages removexattr rename renameat renameat2 request_key restart_syscall rmdir rseq rt_sigaction rt_sigpending rt_sigprocmask rt_sigqueueinfo rt_sigreturn rt_sigsuspend rt_sigtimedwait rt_sigtimedwait_time64 rt_tgsigqueueinfo sched_getaffinity sched_getattr sched_getparam sched_get_priority_max sched_get_priority_min sched_getscheduler sched_rr_get_interval sched_rr_get_interval_time64 sched_setaffinity sched_setattr sched_setparam sched_setscheduler sched_yield seccomp security select semctl semget semop semtimedop semtimedop_time64 send sendfile sendfile64 sendmmsg sendmsg sendto setdomainname setfsgid setfsgid32 setfsuid setfsuid32 setgid setgid32 setgroups setgroups32 sethostname setitimer set_mempolicy setns setpgid setpriority setregid setregid32 setresgid setresgid32 setresuid setresuid32 setreuid setreuid32 setrlimit set_robust_list setsid setsockopt set_thread_area set_tid_address settimeofday setuid setuid32 setxattr sgetmask shmat shmctl shmdt shmget shutdown sigaction sigaltstack signal signalfd signalfd4 sigpending sigprocmask sigreturn sigsuspend socket socketcall socketpair splice ssetmask stat stat64 statfs statfs64 statx stime stty swapoff swapon symlink 
symlinkat sync sync_file_range sync_file_range2 syncfs syscall sysfs sysinfo syslog tee tgkill time timer_create timer_delete timerfd_create timerfd_gettime timerfd_gettime64 timerfd_settime timerfd_settime64 timer_getoverrun timer_gettime timer_gettime64 timer_settime timer_settime64 times tkill truncate truncate64 tuxcall ugetrlimit ulimit umask umount umount2 uname unlink unlinkat unshare uselib userfaultfd ustat utime utimensat utimensat_time64 utimes vfork vhangup vm86 vm86old vmsplice vserver wait4 waitid waitpid write writev nextgroup=fjSyscallErrno contained | 28 | syn keyword fjSyscall _llseek _newselect _sysctl accept accept4 access acct add_key adjtimex afs_syscall alarm arch_prctl arm_fadvise64_64 arm_sync_file_range bdflush bind bpf break brk capget capset chdir chmod chown chown32 chroot clock_adjtime clock_adjtime64 clock_getres clock_getres_time64 clock_gettime clock_gettime64 clock_nanosleep clock_nanosleep_time64 clock_settime clock_settime64 clone clone3 close connect copy_file_range creat create_module delete_module dup dup2 dup3 epoll_create epoll_create1 epoll_ctl epoll_ctl_old epoll_pwait epoll_wait epoll_wait_old eventfd eventfd2 execve execveat exit exit_group faccessat faccessat2 fadvise64 fadvise64_64 fallocate fanotify_init fanotify_mark fchdir fchmod fchmodat fchown fchown32 fchownat fcntl fcntl64 fdatasync fgetxattr finit_module flistxattr flock fork fremovexattr fsconfig fsetxattr fsmount fsopen fspick fstat fstat64 fstatat64 fstatfs fstatfs64 fsync ftime ftruncate ftruncate64 futex futex_time64 futimesat getcpu getcwd getdents getdents64 getegid getegid32 geteuid geteuid32 getgid getgid32 getgroups getgroups32 getitimer get_kernel_syms get_mempolicy getpeername getpgid getpgrp getpid getpmsg getppid getpriority getrandom getresgid getresgid32 getresuid getresuid32 getrlimit get_robust_list getrusage getsid getsockname getsockopt get_thread_area gettid gettimeofday getuid getuid32 getxattr gtty idle init_module inotify_add_watch 
inotify_init inotify_init1 inotify_rm_watch io_cancel ioctl io_destroy io_getevents ioperm io_pgetevents io_pgetevents_time64 iopl ioprio_get ioprio_set io_setup io_submit io_uring_enter io_uring_register io_uring_setup ipc kcmp kexec_file_load kexec_load keyctl kill lchown lchown32 lgetxattr link linkat listen listxattr llistxattr lock lookup_dcookie lremovexattr lseek lsetxattr lstat lstat64 madvise mbind membarrier memfd_create migrate_pages mincore mkdir mkdirat mknod mknodat mlock mlock2 mlockall mmap mmap2 modify_ldt mount move_mount move_pages mprotect mpx mq_getsetattr mq_notify mq_open mq_timedreceive mq_timedreceive_time64 mq_timedsend mq_timedsend_time64 mq_unlink mremap msgctl msgget msgrcv msgsnd msync munlock munlockall munmap name_to_handle_at nanosleep newfstatat nfsservctl nice oldfstat oldlstat oldolduname oldstat olduname open openat open_by_handle_at open_tree pause pciconfig_iobase pciconfig_read pciconfig_write perf_event_open personality pidfd_open pidfd_send_signal pipe pipe2 pivot_root pkey_alloc pkey_free pkey_mprotect poll ppoll ppoll_time64 prctl pread64 preadv preadv2 prlimit64 process_vm_readv process_vm_writev prof profil pselect6 pselect6_time64 ptrace putpmsg pwrite64 pwritev pwritev2 query_module quotactl read readahead readdir readlink readlinkat readv reboot recv recvfrom recvmmsg recvmmsg_time64 recvmsg remap_file_pages removexattr rename renameat renameat2 request_key restart_syscall rmdir rseq rt_sigaction rt_sigpending rt_sigprocmask rt_sigqueueinfo rt_sigreturn rt_sigsuspend rt_sigtimedwait rt_sigtimedwait_time64 rt_tgsigqueueinfo sched_getaffinity sched_getattr sched_getparam sched_get_priority_max sched_get_priority_min sched_getscheduler sched_rr_get_interval sched_rr_get_interval_time64 sched_setaffinity sched_setattr sched_setparam sched_setscheduler sched_yield seccomp security select semctl semget semop semtimedop semtimedop_time64 send sendfile sendfile64 sendmmsg sendmsg sendto setdomainname setfsgid setfsgid32 
setfsuid setfsuid32 setgid setgid32 setgroups setgroups32 sethostname setitimer set_mempolicy setns setpgid setpriority setregid setregid32 setresgid setresgid32 setresuid setresuid32 setreuid setreuid32 setrlimit set_robust_list setsid setsockopt set_thread_area set_tid_address settimeofday setuid setuid32 setxattr sgetmask shmat shmctl shmdt shmget shutdown sigaction sigaltstack signal signalfd signalfd4 sigpending sigprocmask sigreturn sigsuspend socket socketcall socketpair splice ssetmask stat stat64 statfs statfs64 statx stime stty swapoff swapon symlink symlinkat sync sync_file_range sync_file_range2 syncfs syscall sysfs sysinfo syslog tee tgkill time timer_create timer_delete timerfd_create timerfd_gettime timerfd_gettime64 timerfd_settime timerfd_settime64 timer_getoverrun timer_gettime timer_gettime64 timer_settime timer_settime64 times tkill truncate truncate64 tuxcall ugetrlimit ulimit umask umount umount2 uname unlink unlinkat unshare uselib userfaultfd ustat utime utimensat utimensat_time64 utimes vfork vhangup vm86 vm86old vmsplice vserver wait4 waitid waitpid write writev nextgroup=fjSyscallErrno contained |
29 | " Syscall groups grabbed from: src/fseccomp/syscall.c | 29 | " Syscall groups grabbed from: src/fseccomp/syscall.c |
30 | " Generate list with: rg -o '"@([^",]+)' -r '$1' src/lib/syscall.c | sort -u | tr $'\n' '|' | 30 | " Generate list with: sed -En 's/.*"@([^",]+).*/\1/p' src/lib/syscall.c | sort -u | tr '\n' '|' |
31 | syn match fjSyscall /\v\@(aio|basic-io|chown|clock|cpu-emulation|debug|default|default-keep|default-nodebuggers|file-system|io-event|ipc|keyring|memlock|module|mount|network-io|obsolete|privileged|process|raw-io|reboot|resources|setuid|signal|swap|sync|system-service|timer)>/ nextgroup=fjSyscallErrno contained | 31 | syn match fjSyscall /\v\@(aio|basic-io|chown|clock|cpu-emulation|debug|default|default-keep|default-nodebuggers|file-system|io-event|ipc|keyring|memlock|module|mount|network-io|obsolete|privileged|process|raw-io|reboot|resources|setuid|signal|swap|sync|system-service|timer)>/ nextgroup=fjSyscallErrno contained |
32 | syn match fjSyscall /\$[0-9]\+/ nextgroup=fjSyscallErrno contained | 32 | syn match fjSyscall /\$[0-9]\+/ nextgroup=fjSyscallErrno contained |
33 | " Errnos grabbed from: src/fseccomp/errno.c | 33 | " Errnos grabbed from: src/fseccomp/errno.c |
34 | " Generate list with: rg -o '"(E[^"]+)' -r '$1' src/lib/errno.c | sort -u | tr $'\n' '|' | 34 | " Generate list with: sed -En 's/.*"(E[^"]+).*/\1/p' src/lib/errno.c | sort -u | tr '\n' '|' |
35 | syn match fjSyscallErrno /\v(:(E2BIG|EACCES|EADDRINUSE|EADDRNOTAVAIL|EADV|EAFNOSUPPORT|EAGAIN|EALREADY|EBADE|EBADF|EBADFD|EBADMSG|EBADR|EBADRQC|EBADSLT|EBFONT|EBUSY|ECANCELED|ECHILD|ECHRNG|ECOMM|ECONNABORTED|ECONNREFUSED|ECONNRESET|EDEADLK|EDEADLOCK|EDESTADDRREQ|EDOM|EDOTDOT|EDQUOT|EEXIST|EFAULT|EFBIG|EHOSTDOWN|EHOSTUNREACH|EHWPOISON|EIDRM|EILSEQ|EINPROGRESS|EINTR|EINVAL|EIO|EISCONN|EISDIR|EISNAM|EKEYEXPIRED|EKEYREJECTED|EKEYREVOKED|EL2HLT|EL2NSYNC|EL3HLT|EL3RST|ELIBACC|ELIBBAD|ELIBEXEC|ELIBMAX|ELIBSCN|ELNRNG|ELOOP|EMEDIUMTYPE|EMFILE|EMLINK|EMSGSIZE|EMULTIHOP|ENAMETOOLONG|ENAVAIL|ENETDOWN|ENETRESET|ENETUNREACH|ENFILE|ENOANO|ENOATTR|ENOBUFS|ENOCSI|ENODATA|ENODEV|ENOENT|ENOEXEC|ENOKEY|ENOLCK|ENOLINK|ENOMEDIUM|ENOMEM|ENOMSG|ENONET|ENOPKG|ENOPROTOOPT|ENOSPC|ENOSR|ENOSTR|ENOSYS|ENOTBLK|ENOTCONN|ENOTDIR|ENOTEMPTY|ENOTNAM|ENOTRECOVERABLE|ENOTSOCK|ENOTSUP|ENOTTY|ENOTUNIQ|ENXIO|EOPNOTSUPP|EOVERFLOW|EOWNERDEAD|EPERM|EPFNOSUPPORT|EPIPE|EPROTO|EPROTONOSUPPORT|EPROTOTYPE|ERANGE|EREMCHG|EREMOTE|EREMOTEIO|ERESTART|ERFKILL|EROFS|ESHUTDOWN|ESOCKTNOSUPPORT|ESPIPE|ESRCH|ESRMNT|ESTALE|ESTRPIPE|ETIME|ETIMEDOUT|ETOOMANYREFS|ETXTBSY|EUCLEAN|EUNATCH|EUSERS|EWOULDBLOCK|EXDEV|EXFULL)>)?/ nextgroup=fjSyscallList contained | 35 | syn match fjSyscallErrno 
/\v(:(E2BIG|EACCES|EADDRINUSE|EADDRNOTAVAIL|EADV|EAFNOSUPPORT|EAGAIN|EALREADY|EBADE|EBADF|EBADFD|EBADMSG|EBADR|EBADRQC|EBADSLT|EBFONT|EBUSY|ECANCELED|ECHILD|ECHRNG|ECOMM|ECONNABORTED|ECONNREFUSED|ECONNRESET|EDEADLK|EDEADLOCK|EDESTADDRREQ|EDOM|EDOTDOT|EDQUOT|EEXIST|EFAULT|EFBIG|EHOSTDOWN|EHOSTUNREACH|EHWPOISON|EIDRM|EILSEQ|EINPROGRESS|EINTR|EINVAL|EIO|EISCONN|EISDIR|EISNAM|EKEYEXPIRED|EKEYREJECTED|EKEYREVOKED|EL2HLT|EL2NSYNC|EL3HLT|EL3RST|ELIBACC|ELIBBAD|ELIBEXEC|ELIBMAX|ELIBSCN|ELNRNG|ELOOP|EMEDIUMTYPE|EMFILE|EMLINK|EMSGSIZE|EMULTIHOP|ENAMETOOLONG|ENAVAIL|ENETDOWN|ENETRESET|ENETUNREACH|ENFILE|ENOANO|ENOATTR|ENOBUFS|ENOCSI|ENODATA|ENODEV|ENOENT|ENOEXEC|ENOKEY|ENOLCK|ENOLINK|ENOMEDIUM|ENOMEM|ENOMSG|ENONET|ENOPKG|ENOPROTOOPT|ENOSPC|ENOSR|ENOSTR|ENOSYS|ENOTBLK|ENOTCONN|ENOTDIR|ENOTEMPTY|ENOTNAM|ENOTRECOVERABLE|ENOTSOCK|ENOTSUP|ENOTTY|ENOTUNIQ|ENXIO|EOPNOTSUPP|EOVERFLOW|EOWNERDEAD|EPERM|EPFNOSUPPORT|EPIPE|EPROTO|EPROTONOSUPPORT|EPROTOTYPE|ERANGE|EREMCHG|EREMOTE|EREMOTEIO|ERESTART|ERFKILL|EROFS|ESHUTDOWN|ESOCKTNOSUPPORT|ESPIPE|ESRCH|ESRMNT|ESTALE|ESTRPIPE|ETIME|ETIMEDOUT|ETOOMANYREFS|ETXTBSY|EUCLEAN|EUNATCH|EUSERS|EWOULDBLOCK|EXDEV|EXFULL)>)?/ nextgroup=fjSyscallList contained |
36 | syn match fjSyscallList /,/ nextgroup=fjSyscall contained | 36 | syn match fjSyscallList /,/ nextgroup=fjSyscall contained |
37 | 37 | ||
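Review bot: The rewritten generator comment on line 27 still uses `\s` and `\+`, which are GNU sed extensions rather than POSIX BRE, so the command may still fail on a non-GNU sed even though it no longer depends on the bash-only `$'\n'`. The POSIX spellings are `[[:space:]]` and `\{1,\}`, e.g. `" Generate list with: sed -n 's/{[[:space:]]\{1,\}"\([^"]\{1,\}\)",.*},/\1/p' src/include/syscall*.h | sort -u | tr '\n' ' '`. The `sed -E` forms on lines 30 and 34 (and lines 50 and 54 in the following hunk) do not have this problem because ERE has `+` natively. Only comment lines change in this hunk, so the syntax highlighting itself is unaffected.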
@@ -47,13 +47,13 @@ syn keyword fjLo lo contained | |||
47 | syn keyword fjFilter filter contained | 47 | syn keyword fjFilter filter contained |
48 | 48 | ||
49 | " Variable names grabbed from: src/firejail/macros.c | 49 | " Variable names grabbed from: src/firejail/macros.c |
50 | " Generate list with: rg -o '\$\{([^}]+)\}' -r '$1' src/firejail/macros.c | sort -u | tr $'\n' '|' | 50 | " Generate list with: sed -En 's/.*\$\{([^}]+)\}.*/\1/p' src/firejail/macros.c | sort -u | tr '\n' '|' |
51 | syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES|RUNUSER|VIDEOS)}/ | 51 | syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES|RUNUSER|VIDEOS)}/ |
52 | 52 | ||
53 | " Commands grabbed from: src/firejail/profile.c | 53 | " Commands grabbed from: src/firejail/profile.c |
54 | " Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|restrict-namespaces|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword) | 54 | " Generate list with: { sed -En 's/.*strn?cmp\(ptr, "([^"]+) ".*/\1/p' src/firejail/profile.c; echo private-lib; } | grep -Ev '^(include|ignore|caps\.drop|caps\.keep|protocol|restrict-namespaces|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)$' | sort -u | tr '\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword) |
55 | syn match fjCommand /\v(apparmor|bind|blacklist|blacklist-nolog|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained | 55 | syn match fjCommand /\v(apparmor|bind|blacklist|blacklist-nolog|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained |
56 | " Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below | 56 | " Generate list with: sed -En 's/.*strn?cmp\(ptr, "([^ "]*[^ ])".*/\1/p' src/firejail/profile.c | grep -Ev '^(include|rlimit|quiet)$' | sed 's/\./\\./' | sort -u | tr '\n' '|' # include/rlimit are false positives, quiet is special-cased below |
57 | syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-fd|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained | 57 | syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-fd|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained |
58 | syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained | 58 | syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained |
59 | syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained | 59 | syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained |
@@ -75,7 +75,7 @@ syn match fjCommandNoCond /include / skipwhite contained | |||
75 | syn match fjCommandNoCond /quiet$/ contained | 75 | syn match fjCommandNoCond /quiet$/ contained |
76 | 76 | ||
77 | " Conditionals grabbed from: src/firejail/profile.c | 77 | " Conditionals grabbed from: src/firejail/profile.c |
78 | " Generate list with: awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$/ {process=1;} /\t*\{"[^"]+".*/ { if (process) {print gensub(/^\t*\{"([^"]+)".*$/, "\\1", 1);} } /^\t\{ NULL, NULL \}$/ {process=0;}' src/firejail/profile.c | sort -u | tr $'\n' '|' | 78 | " Generate list with: awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$/ {process=1;} /\t*\{"[^"]+".*/ { if (process) {print gensub(/^\t*\{"([^"]+)".*$/, "\\1", 1);} } /^\t\{ NULL, NULL \}$/ {process=0;}' src/firejail/profile.c | sort -u | tr '\n' '|' |
79 | syn match fjConditional /\v\?(ALLOW_TRAY|BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NET|HAS_NODBUS|HAS_NOSOUND|HAS_X11) ?:/ nextgroup=fjCommand skipwhite contained | 79 | syn match fjConditional /\v\?(ALLOW_TRAY|BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NET|HAS_NODBUS|HAS_NOSOUND|HAS_X11) ?:/ nextgroup=fjCommand skipwhite contained |
80 | 80 | ||
81 | " A line is either a command, a conditional or a comment | 81 | " A line is either a command, a conditional or a comment |
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 5e253f232..7d7f84d4b 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc | |||
@@ -320,6 +320,7 @@ blacklist ${HOME}/.config/Philipp Schmieder | |||
320 | blacklist ${HOME}/.config/Pinta | 320 | blacklist ${HOME}/.config/Pinta |
321 | blacklist ${HOME}/.config/QGIS | 321 | blacklist ${HOME}/.config/QGIS |
322 | blacklist ${HOME}/.config/QMediathekView | 322 | blacklist ${HOME}/.config/QMediathekView |
323 | blacklist ${HOME}/.config/QQ | ||
323 | blacklist ${HOME}/.config/Qlipper | 324 | blacklist ${HOME}/.config/Qlipper |
324 | blacklist ${HOME}/.config/QuiteRss | 325 | blacklist ${HOME}/.config/QuiteRss |
325 | blacklist ${HOME}/.config/QuiteRssrc | 326 | blacklist ${HOME}/.config/QuiteRssrc |
diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile index 661356ff6..fb66016a9 100644 --- a/etc/profile-a-l/balsa.profile +++ b/etc/profile-a-l/balsa.profile | |||
@@ -7,76 +7,20 @@ include balsa.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.balsa | 9 | noblacklist ${HOME}/.balsa |
10 | noblacklist ${HOME}/.gnupg | ||
11 | noblacklist ${HOME}/.mozilla | ||
12 | noblacklist ${HOME}/.signature | ||
13 | noblacklist ${HOME}/mail | 10 | noblacklist ${HOME}/mail |
14 | noblacklist /var/mail | ||
15 | noblacklist /var/spool/mail | ||
16 | 11 | ||
17 | include disable-common.inc | ||
18 | include disable-devel.inc | ||
19 | include disable-exec.inc | ||
20 | include disable-interpreters.inc | ||
21 | include disable-programs.inc | ||
22 | include disable-shell.inc | 12 | include disable-shell.inc |
23 | include disable-xdg.inc | ||
24 | 13 | ||
25 | mkdir ${HOME}/.balsa | 14 | mkdir ${HOME}/.balsa |
26 | mkdir ${HOME}/.gnupg | ||
27 | mkfile ${HOME}/.signature | ||
28 | mkdir ${HOME}/mail | 15 | mkdir ${HOME}/mail |
29 | whitelist ${HOME}/.balsa | 16 | whitelist ${HOME}/.balsa |
30 | whitelist ${HOME}/.gnupg | ||
31 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | ||
32 | whitelist ${HOME}/.signature | ||
33 | whitelist ${HOME}/mail | 17 | whitelist ${HOME}/mail |
34 | whitelist ${RUNUSER}/gnupg | ||
35 | whitelist /usr/share/balsa | 18 | whitelist /usr/share/balsa |
36 | whitelist /usr/share/gnupg | ||
37 | whitelist /usr/share/gnupg2 | ||
38 | whitelist /var/mail | ||
39 | whitelist /var/spool/mail | ||
40 | include whitelist-common.inc | ||
41 | include whitelist-runuser-common.inc | ||
42 | include whitelist-usr-share-common.inc | ||
43 | include whitelist-var-common.inc | ||
44 | 19 | ||
45 | apparmor | 20 | # Add "pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg. |
46 | caps.drop all | 21 | #private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm |
47 | netfilter | ||
48 | no3d | ||
49 | nodvd | ||
50 | nogroups | ||
51 | noinput | ||
52 | nonewprivs | ||
53 | noroot | ||
54 | nosound | ||
55 | notv | ||
56 | nou2f | ||
57 | novideo | ||
58 | protocol unix,inet,inet6 | ||
59 | seccomp | ||
60 | tracelog | ||
61 | 22 | ||
62 | # disable-mnt | ||
63 | # Add "pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg | ||
64 | # Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile. | ||
65 | private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm | ||
66 | private-cache | ||
67 | private-dev | ||
68 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg | ||
69 | private-tmp | ||
70 | writable-run-user | ||
71 | writable-var | ||
72 | |||
73 | dbus-user filter | ||
74 | dbus-user.own org.desktop.Balsa | 23 | dbus-user.own org.desktop.Balsa |
75 | dbus-user.talk ca.desrt.dconf | ||
76 | dbus-user.talk org.freedesktop.Notifications | ||
77 | dbus-user.talk org.freedesktop.secrets | ||
78 | dbus-user.talk org.gnome.keyring.SystemPrompter | ||
79 | dbus-system none | ||
80 | 24 | ||
81 | read-only ${HOME}/.mozilla/firefox/profiles.ini | 25 | # Redirect |
82 | restrict-namespaces | 26 | include email-common.profile |
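Review bot: The `private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm` line that was active in the old profile is commented out on new line 21, so the sandbox no longer limits which binaries are visible, and nothing in the hunk records why. If balsa still works with it enabled, keep `private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm` active; if it had to go, add a one-line comment above it naming the breakage so the relaxation can be revisited. Note also that the redirect to email-common.profile replaces balsa's single `dbus-user.talk org.gnome.keyring.SystemPrompter` grant with the wider `org.gnome.keyring.*`, `org.gnome.seahorse.*` and `org.mozilla.*` names defined there, which is broader than balsa had before — presumably intended, but worth documenting.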
diff --git a/etc/profile-a-l/claws-mail.profile b/etc/profile-a-l/claws-mail.profile index ce7b30122..e0f1bca94 100644 --- a/etc/profile-a-l/claws-mail.profile +++ b/etc/profile-a-l/claws-mail.profile | |||
@@ -20,17 +20,5 @@ whitelist /usr/share/doc/claws-mail | |||
20 | 20 | ||
21 | # private-bin claws-mail,curl,gpg,gpg2,gpg-agent,gpgsm,gpgme-config,pinentry,pinentry-gtk-2 | 21 | # private-bin claws-mail,curl,gpg,gpg2,gpg-agent,gpgsm,gpgme-config,pinentry,pinentry-gtk-2 |
22 | 22 | ||
23 | dbus-user filter | ||
24 | dbus-user.talk ca.desrt.dconf | ||
25 | # Add the next line to your claws-mail.local if you use the notification plugin. | ||
26 | # dbus-user.talk org.freedesktop.Notifications | ||
27 | dbus-user.talk org.freedesktop.secrets | ||
28 | dbus-user.talk org.gnome.keyring | ||
29 | dbus-user.talk org.gnome.keyring.PrivatePrompter | ||
30 | dbus-user.talk org.gnome.keyring.SystemPrompter | ||
31 | dbus-user.talk org.gnome.seahorse | ||
32 | dbus-user.talk org.gnome.seahorse.Application | ||
33 | dbus-user.talk org.mozilla.* | ||
34 | |||
35 | # Redirect | 23 | # Redirect |
36 | include email-common.profile | 24 | include email-common.profile |
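Review bot: The removed opt-in (`# Add the next line to your claws-mail.local if you use the notification plugin.` / `# dbus-user.talk org.freedesktop.Notifications`) is replaced by an unconditional `dbus-user.talk org.freedesktop.Notifications` in email-common.profile, so claws-mail now always gets that bus name even without the plugin; the sylpheed.profile hunk drops the same opt-in comment. If the opt-in was deliberate, decide whether the grant belongs in the shared profile for every client or should be restored per client in claws-mail.profile and sylpheed.profile. The named grants that were removed here (`org.gnome.keyring.PrivatePrompter`, `org.gnome.keyring.SystemPrompter`, `org.gnome.seahorse.Application`) are now covered by wildcards in the shared profile, which is a wider bus surface than before.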
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile index 86fb27514..0bdfe995e 100644 --- a/etc/profile-a-l/email-common.profile +++ b/etc/profile-a-l/email-common.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for email-common | 1 | # Firejail profile for email-common |
2 | # Description: Common profile for claws-mail and sylpheed email clients | 2 | # Description: Common profile for GUI mail clients |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include email-common.local | 5 | include email-common.local |
@@ -14,6 +14,8 @@ noblacklist ${HOME}/.signature | |||
14 | # when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local | 14 | # when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local |
15 | # and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications | 15 | # and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications |
16 | noblacklist ${HOME}/Mail | 16 | noblacklist ${HOME}/Mail |
17 | noblacklist /var/mail | ||
18 | noblacklist /var/spool/mail | ||
17 | 19 | ||
18 | noblacklist ${DOCUMENTS} | 20 | noblacklist ${DOCUMENTS} |
19 | 21 | ||
@@ -38,6 +40,8 @@ whitelist ${HOME}/Mail | |||
38 | whitelist ${RUNUSER}/gnupg | 40 | whitelist ${RUNUSER}/gnupg |
39 | whitelist /usr/share/gnupg | 41 | whitelist /usr/share/gnupg |
40 | whitelist /usr/share/gnupg2 | 42 | whitelist /usr/share/gnupg2 |
43 | whitelist /var/mail | ||
44 | whitelist /var/spool/mail | ||
41 | include whitelist-common.inc | 45 | include whitelist-common.inc |
42 | include whitelist-runuser-common.inc | 46 | include whitelist-runuser-common.inc |
43 | include whitelist-usr-share-common.inc | 47 | include whitelist-usr-share-common.inc |
@@ -69,16 +73,17 @@ private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnup | |||
69 | private-tmp | 73 | private-tmp |
70 | # encrypting and signing email | 74 | # encrypting and signing email |
71 | writable-run-user | 75 | writable-run-user |
76 | writable-var | ||
72 | 77 | ||
78 | dbus-user filter | ||
79 | dbus-user.talk ca.desrt.dconf | ||
80 | dbus-user.talk org.freedesktop.Notifications | ||
81 | dbus-user.talk org.freedesktop.secrets | ||
82 | dbus-user.talk org.gnome.keyring.* | ||
83 | dbus-user.talk org.gnome.seahorse.* | ||
84 | dbus-user.talk org.mozilla.* | ||
73 | dbus-system none | 85 | dbus-system none |
74 | 86 | ||
75 | # If you want to read local mail stored in /var/mail, add the following to email-common.local: | ||
76 | #noblacklist /var/mail | ||
77 | #noblacklist /var/spool/mail | ||
78 | #whitelist /var/mail | ||
79 | #whitelist /var/spool/mail | ||
80 | #writable-var | ||
81 | |||
82 | read-only ${HOME}/.mozilla/firefox/profiles.ini | 87 | read-only ${HOME}/.mozilla/firefox/profiles.ini |
83 | read-only ${HOME}/.signature | 88 | read-only ${HOME}/.signature |
84 | restrict-namespaces | 89 | restrict-namespaces |
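Review bot: The `/var/mail` and `/var/spool/mail` whitelists and `writable-var` that the removed comment block kept as an opt-in via email-common.local are now unconditional for every client that includes this profile, and the hunk carries no comment on why the default widened. A short note above `noblacklist /var/mail`, e.g. `# local mail spool (needed by <clients that read /var/mail>)`, would record the intent and tell a user of a client that never touches local mail that they can blacklist it again locally. The `dbus-user.talk org.gnome.keyring.*` and `org.gnome.seahorse.*` wildcards also replace the specific `org.gnome.keyring.PrivatePrompter`, `org.gnome.keyring.SystemPrompter` and `org.gnome.seahorse.Application` names the clients previously granted; if only those names are used, the narrower forms keep the exposed bus surface smaller.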
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile index ad9b45b57..6aaf1ab05 100644 --- a/etc/profile-a-l/geary.profile +++ b/etc/profile-a-l/geary.profile | |||
@@ -88,6 +88,7 @@ dbus-user.talk org.gnome.OnlineAccounts | |||
88 | dbus-user.talk org.gnome.evolution.dataserver.AddressBook10 | 88 | dbus-user.talk org.gnome.evolution.dataserver.AddressBook10 |
89 | dbus-user.talk org.gnome.evolution.dataserver.Sources5 | 89 | dbus-user.talk org.gnome.evolution.dataserver.Sources5 |
90 | ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher | 90 | ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher |
91 | dbus-user.talk org.mozilla.* | ||
91 | dbus-system none | 92 | dbus-system none |
92 | 93 | ||
93 | read-only ${HOME}/.mozilla/firefox/profiles.ini | 94 | read-only ${HOME}/.mozilla/firefox/profiles.ini |
diff --git a/etc/profile-a-l/linuxqq.profile b/etc/profile-a-l/linuxqq.profile new file mode 100644 index 000000000..8855f09f5 --- /dev/null +++ b/etc/profile-a-l/linuxqq.profile | |||
@@ -0,0 +1,43 @@ | |||
1 | # Firejail profile for linuxqq | ||
2 | # Description: IM client based on Electron | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include linuxqq.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/QQ | ||
10 | noblacklist ${HOME}/.mozilla | ||
11 | |||
12 | include allow-bin-sh.inc | ||
13 | |||
14 | include disable-shell.inc | ||
15 | |||
16 | mkdir ${HOME}/.config/QQ | ||
17 | whitelist ${HOME}/.config/QQ | ||
18 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | ||
19 | whitelist ${DESKTOP} | ||
20 | |||
21 | ignore apparmor | ||
22 | noprinters | ||
23 | |||
24 | # If you don't need/want to save anything to disk you can add `private` to your linuxqq.local. | ||
25 | #private | ||
26 | private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,nsswitch.conf,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg | ||
27 | private-opt QQ | ||
28 | |||
29 | dbus-user filter | ||
30 | dbus-user.talk org.freedesktop.Notifications | ||
31 | dbus-user.talk org.freedesktop.portal.Desktop | ||
32 | dbus-user.talk org.freedesktop.portal.Fcitx | ||
33 | dbus-user.talk org.freedesktop.portal.IBus | ||
34 | dbus-user.talk org.freedesktop.ScreenSaver | ||
35 | dbus-user.talk org.gnome.Mutter.IdleMonitor | ||
36 | ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher | ||
37 | dbus-user.talk org.mozilla.* | ||
38 | ignore dbus-user none | ||
39 | |||
40 | read-only ${HOME}/.mozilla/firefox/profiles.ini | ||
41 | |||
42 | # Redirect | ||
43 | include electron.profile | ||
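Review bot: `ignore apparmor` (new line 21) and `include allow-bin-sh.inc` (new line 12) both relax restrictions that the redirected electron.profile presumably applies, and neither carries a comment saying what fails without it. Add a one-line reason above each, e.g. `# apparmor: <describe what breaks under firejail-default>` and `# /bin/sh: needed by <launcher script>`, so the relaxations can be re-tested when the app updates. `whitelist ${DESKTOP}` likewise grants the whole desktop directory read-write; if it only serves file transfers, saying so in a comment helps users decide whether to drop it in linuxqq.local.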
diff --git a/etc/profile-m-z/QMediathekView.profile b/etc/profile-m-z/QMediathekView.profile index 1e9af5769..22c4c4631 100644 --- a/etc/profile-m-z/QMediathekView.profile +++ b/etc/profile-m-z/QMediathekView.profile | |||
@@ -27,10 +27,30 @@ include disable-programs.inc | |||
27 | include disable-shell.inc | 27 | include disable-shell.inc |
28 | include disable-xdg.inc | 28 | include disable-xdg.inc |
29 | 29 | ||
30 | mkdir ${HOME}/.config/QMediathekView | ||
31 | mkdir ${HOME}/.local/share/QMediathekView | ||
32 | whitelist ${HOME}/.config/QMediathekView | ||
33 | whitelist ${HOME}/.local/share/QMediathekView | ||
34 | |||
35 | whitelist ${DOWNLOADS} | ||
36 | whitelist ${VIDEOS} | ||
37 | |||
38 | whitelist ${HOME}/.config/mpv | ||
39 | whitelist ${HOME}/.config/smplayer | ||
40 | whitelist ${HOME}/.config/totem | ||
41 | whitelist ${HOME}/.config/vlc | ||
42 | whitelist ${HOME}/.config/xplayer | ||
43 | whitelist ${HOME}/.local/share/totem | ||
44 | whitelist ${HOME}/.local/share/xplayer | ||
45 | whitelist ${HOME}/.mplayer | ||
30 | whitelist /usr/share/qtchooser | 46 | whitelist /usr/share/qtchooser |
47 | include whitelist-common.inc | ||
48 | include whitelist-run-common.inc | ||
49 | include whitelist-runuser-common.inc | ||
31 | include whitelist-usr-share-common.inc | 50 | include whitelist-usr-share-common.inc |
32 | include whitelist-var-common.inc | 51 | include whitelist-var-common.inc |
33 | 52 | ||
53 | apparmor | ||
34 | caps.drop all | 54 | caps.drop all |
35 | netfilter | 55 | netfilter |
36 | # no3d | 56 | # no3d |
@@ -38,11 +58,12 @@ nodvd | |||
38 | nogroups | 58 | nogroups |
39 | noinput | 59 | noinput |
40 | nonewprivs | 60 | nonewprivs |
61 | noprinters | ||
41 | noroot | 62 | noroot |
42 | notv | 63 | notv |
43 | nou2f | 64 | nou2f |
44 | novideo | 65 | novideo |
45 | protocol unix,inet,inet6,netlink | 66 | protocol unix,inet,inet6 |
46 | seccomp | 67 | seccomp |
47 | tracelog | 68 | tracelog |
48 | 69 | ||
@@ -50,6 +71,7 @@ disable-mnt | |||
50 | private-bin mplayer,mpv,QMediathekView,smplayer,totem,vlc,xplayer | 71 | private-bin mplayer,mpv,QMediathekView,smplayer,totem,vlc,xplayer |
51 | private-cache | 72 | private-cache |
52 | private-dev | 73 | private-dev |
74 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,login.defs,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl | ||
53 | private-tmp | 75 | private-tmp |
54 | 76 | ||
55 | dbus-user none | 77 | dbus-user none |
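Review bot: The new `whitelist ${HOME}/.config/mpv` through `whitelist ${HOME}/.mplayer` entries (new lines 38-45) give the sandbox read-write access to the external players' configuration, and because the hunk starts after the noblacklist section I cannot see whether matching `noblacklist` lines exist for the paths that disable-programs.inc hides — without them the whitelists are ineffective. If the players only need to read their configs, pair each whitelist with `read-only ${HOME}/.config/mpv` (and likewise for the others) so a player started from QMediathekView cannot rewrite them. The tightening to `protocol unix,inet,inet6` and the added `private-etc` look right.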
diff --git a/etc/profile-m-z/qq.profile b/etc/profile-m-z/qq.profile new file mode 100644 index 000000000..bf031471e --- /dev/null +++ b/etc/profile-m-z/qq.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for qq | ||
2 | # Description: IM client based on Electron | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include qq.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include linuxqq.profile | ||
diff --git a/etc/profile-m-z/sylpheed.profile b/etc/profile-m-z/sylpheed.profile index 483ff39a8..6abef85f0 100644 --- a/etc/profile-m-z/sylpheed.profile +++ b/etc/profile-m-z/sylpheed.profile | |||
@@ -15,13 +15,5 @@ whitelist /usr/share/sylpheed | |||
15 | 15 | ||
16 | # private-bin curl,gpg,gpg2,gpg-agent,gpgsm,pinentry,pinentry-gtk-2,sylpheed | 16 | # private-bin curl,gpg,gpg2,gpg-agent,gpgsm,pinentry,pinentry-gtk-2,sylpheed |
17 | 17 | ||
18 | dbus-user filter | ||
19 | dbus-user.talk ca.desrt.dconf | ||
20 | # Add the next line to your sylpheed.local to enable notifications. | ||
21 | # dbus-user.talk org.freedesktop.Notifications | ||
22 | dbus-user.talk org.freedesktop.secrets | ||
23 | dbus-user.talk org.gnome.keyring.SystemPrompter | ||
24 | dbus-user.talk org.mozilla.* | ||
25 | |||
26 | # Redirect | 18 | # Redirect |
27 | include email-common.profile | 19 | include email-common.profile |
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 15169f983..793ec9a52 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -479,6 +479,7 @@ lincity-ng | |||
479 | links | 479 | links |
480 | links2 | 480 | links2 |
481 | linphone | 481 | linphone |
482 | linuxqq | ||
482 | lmms | 483 | lmms |
483 | lobase | 484 | lobase |
484 | localc | 485 | localc |
@@ -693,6 +694,7 @@ qlipper | |||
693 | qmmp | 694 | qmmp |
694 | qnapi | 695 | qnapi |
695 | qpdfview | 696 | qpdfview |
697 | |||
696 | qt-faststart | 698 | qt-faststart |
697 | qtox | 699 | qtox |
698 | quadrapassel | 700 | quadrapassel |
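Review bot: New line 697 renders as an empty line between `qpdfview` and `qt-faststart`, exactly where the `qq` entry for the new qq.profile alias would be expected; the first hunk adds `linuxqq` correctly. If the line really is blank, replace it with `qq` so firecfg creates the symlink for the alias, and either way do not leave a stray blank line in the list.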
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 04c586f79..0a4c8a483 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -212,7 +212,6 @@ static char *usage_str = | |||
212 | " --private-srv=file,directory - build a new /srv in a temporary filesystem.\n" | 212 | " --private-srv=file,directory - build a new /srv in a temporary filesystem.\n" |
213 | " --profile=filename|profile_name - use a custom profile.\n" | 213 | " --profile=filename|profile_name - use a custom profile.\n" |
214 | " --profile.print=name|pid - print the name of profile file.\n" | 214 | " --profile.print=name|pid - print the name of profile file.\n" |
215 | " --profile-path=directory - use this directory to look for profile files.\n" | ||
216 | " --protocol=protocol,protocol,protocol - enable protocol filter.\n" | 215 | " --protocol=protocol,protocol,protocol - enable protocol filter.\n" |
217 | " --protocol.print=name|pid - print the protocol filter.\n" | 216 | " --protocol.print=name|pid - print the protocol filter.\n" |
218 | #ifdef HAVE_FILE_TRANSFER | 217 | #ifdef HAVE_FILE_TRANSFER |
diff --git a/src/fnettrace/static-ip-map b/src/fnettrace/static-ip-map index c630b6688..e310354af 100644 --- a/src/fnettrace/static-ip-map +++ b/src/fnettrace/static-ip-map | |||
@@ -1586,11 +1586,13 @@ | |||
1586 | 16.162.0.0/15 Amazon | 1586 | 16.162.0.0/15 Amazon |
1587 | 16.168.0.0/15 Amazon | 1587 | 16.168.0.0/15 Amazon |
1588 | 16.170.0.0/15 Amazon | 1588 | 16.170.0.0/15 Amazon |
1589 | 18.32.0.0/11 Amazon | ||
1589 | 18.60.0.0/15 Amazon | 1590 | 18.60.0.0/15 Amazon |
1590 | 18.64.0.0/14 Amazon | 1591 | 18.64.0.0/10 Amazon |
1591 | 18.100.0.0/15 Amazon | 1592 | 18.100.0.0/15 Amazon |
1592 | 18.102.0.0/16 Amazon | 1593 | 18.102.0.0/16 Amazon |
1593 | 18.116.0.0/14 Amazon | 1594 | 18.116.0.0/14 Amazon |
1595 | 18.128.0.0/9 Amazon | ||
1594 | 18.130.0.0/16 Amazon | 1596 | 18.130.0.0/16 Amazon |
1595 | 18.132.0.0/14 Amazon | 1597 | 18.132.0.0/14 Amazon |
1596 | 18.136.0.0/16 Amazon | 1598 | 18.136.0.0/16 Amazon |
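Review bot: The changed `18.64.0.0/10 Amazon` and added `18.128.0.0/9 Amazon` aggregates fully contain the more specific entries that remain listed below them (`18.100.0.0/15`, `18.102.0.0/16`, `18.116.0.0/14` under the /10; `18.130.0.0/16`, `18.132.0.0/14`, `18.136.0.0/16` under the /9), and the existing `18.60.0.0/15` sits inside the added `18.32.0.0/11`. Whether that matters depends on how fnettrace resolves overlapping entries, which is not visible here: under longest-prefix or first-match lookup the duplicates are merely redundant, otherwise the map should keep only the aggregates. A one-line header note stating how overlaps are resolved would make future edits safer.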
diff --git a/src/fseccomp/namespaces.c b/src/fseccomp/namespaces.c index 3df23dcff..8254b54ef 100644 --- a/src/fseccomp/namespaces.c +++ b/src/fseccomp/namespaces.c | |||
@@ -133,7 +133,8 @@ void deny_ns(const char *fname, const char *list) { | |||
133 | RETURN_ALLOW | 133 | RETURN_ALLOW |
134 | #endif | 134 | #endif |
135 | }; | 135 | }; |
136 | write_to_file(fd, filter, sizeof(filter)); | 136 | if (sizeof(filter)) |
137 | write_to_file(fd, filter, sizeof(filter)); | ||
137 | 138 | ||
138 | filter_end_blacklist(fd); | 139 | filter_end_blacklist(fd); |
139 | 140 | ||
@@ -188,7 +189,21 @@ void deny_ns_32(const char *fname, const char *list) { | |||
188 | RETURN_ALLOW | 189 | RETURN_ALLOW |
189 | #endif | 190 | #endif |
190 | }; | 191 | }; |
191 | write_to_file(fd, filter, sizeof(filter)); | 192 | |
193 | // For Debian 10 and older, the size of the filter[] array will be 0. | ||
194 | // The following filter will end up being generated: | ||
195 | // | ||
196 | // FILE: /run/firejail/mnt/seccomp/seccomp.namespaces.32 | ||
197 | // line OP JT JF K | ||
198 | // ================================= | ||
199 | // 0000: 20 00 00 00000004 ld data.architecture | ||
200 | // 0001: 15 01 00 40000003 jeq ARCH_32 0003 (false 0002) | ||
201 | // 0002: 06 00 00 7fff0000 ret ALLOW | ||
202 | // 0003: 20 00 00 00000000 ld data.syscall-number | ||
203 | // 0004: 06 00 00 7fff0000 ret ALLOW | ||
204 | // | ||
205 | if (sizeof(filter)) | ||
206 | write_to_file(fd, filter, sizeof(filter)); | ||
192 | 207 | ||
193 | filter_end_blacklist(fd); | 208 | filter_end_blacklist(fd); |
194 | 209 | ||
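Review bot: When `sizeof(filter)` is 0 the generated seccomp.namespaces and seccomp.namespaces.32 programs allow everything (the comment added in deny_ns_32 shows the resulting `ret ALLOW` filter), so on such systems `restrict-namespaces` is silently a no-op; the new guards only avoid the zero-length write, nothing tells the user the restriction is not in effect. Consider an `else` branch that reports this, e.g. `else fprintf(stderr, "Warning: namespace filter not available on this system\n");`, or at least a man-page note, so the absence of the restriction is visible. The first hunk (`deny_ns`) carries the same `if (sizeof(filter))` guard without the explanatory comment; a short `// filter[] can be empty on older headers, see deny_ns_32` keeps the two in sync. Both functions continue outside the hunks.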
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 39c81312c..e5020e37e 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -3064,7 +3064,7 @@ Example: | |||
3064 | .br | 3064 | .br |
3065 | $ firejail \-\-noprofile \-\-whitelist=~/.mozilla | 3065 | $ firejail \-\-noprofile \-\-whitelist=~/.mozilla |
3066 | .br | 3066 | .br |
3067 | $ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null | 3067 | $ firejail \-\-whitelist=/tmp/.X11-unix \-\-whitelist=/dev/null |
3068 | .br | 3068 | .br |
3069 | $ firejail "\-\-whitelist=/home/username/My Virtual Machines" | 3069 | $ firejail "\-\-whitelist=/home/username/My Virtual Machines" |
3070 | .br | 3070 | .br |
diff --git a/test/filters/apparmor.exp b/test/filters/apparmor.exp index 13ce4dd06..0797a1db3 100755 --- a/test/filters/apparmor.exp +++ b/test/filters/apparmor.exp | |||
@@ -30,7 +30,7 @@ expect { | |||
30 | } | 30 | } |
31 | expect { | 31 | expect { |
32 | timeout {puts "TESTING ERROR 3\n";exit} | 32 | timeout {puts "TESTING ERROR 3\n";exit} |
33 | "AppArmor: firejail-default enforce" | 33 | "AppArmor: firejail-default//&unconfined enforce" |
34 | } | 34 | } |
35 | expect { | 35 | expect { |
36 | timeout {puts "TESTING ERROR 4\n";exit} | 36 | timeout {puts "TESTING ERROR 4\n";exit} |
@@ -38,21 +38,21 @@ expect { | |||
38 | } | 38 | } |
39 | expect { | 39 | expect { |
40 | timeout {puts "TESTING ERROR 5\n";exit} | 40 | timeout {puts "TESTING ERROR 5\n";exit} |
41 | "AppArmor: firejail-default enforce" | 41 | "AppArmor: firejail-default//&unconfined enforce" |
42 | } | 42 | } |
43 | after 100 | 43 | after 100 |
44 | 44 | ||
45 | send -- "firejail --apparmor.print=test1\r" | 45 | send -- "firejail --apparmor.print=test1\r" |
46 | expect { | 46 | expect { |
47 | timeout {puts "TESTING ERROR 6\n";exit} | 47 | timeout {puts "TESTING ERROR 6\n";exit} |
48 | "AppArmor: firejail-default enforce" | 48 | "AppArmor: firejail-default//&unconfined enforce" |
49 | } | 49 | } |
50 | after 100 | 50 | after 100 |
51 | 51 | ||
52 | send -- "firejail --apparmor.print=test2\r" | 52 | send -- "firejail --apparmor.print=test2\r" |
53 | expect { | 53 | expect { |
54 | timeout {puts "TESTING ERROR 7\n";exit} | 54 | timeout {puts "TESTING ERROR 7\n";exit} |
55 | "AppArmor: firejail-default enforce" | 55 | "AppArmor: firejail-default//&unconfined enforce" |
56 | } | 56 | } |
57 | after 100 | 57 | after 100 |
58 | 58 | ||
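Review bot: The expected string is now hard-wired to `AppArmor: firejail-default//&unconfined enforce`, which looks like the stacked-profile label newer AppArmor stacks report; on systems that still print `firejail-default enforce` the four expect blocks (errors 3, 5, 6, 7) will time out even though confinement is active. If both outputs are acceptable, match them with one pattern, e.g. `-re {AppArmor: firejail-default(//&unconfined)? enforce}`. Otherwise a comment naming the minimum AppArmor/kernel the test now assumes would save the next person a false failure.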
diff --git a/test/filters/protocol.exp b/test/filters/protocol.exp index cbc7fdc1a..96ac8d586 100755 --- a/test/filters/protocol.exp +++ b/test/filters/protocol.exp | |||
@@ -10,35 +10,88 @@ match_max 100000 | |||
10 | send -- "firejail --noprofile --protocol=unix --debug\r" | 10 | send -- "firejail --noprofile --protocol=unix --debug\r" |
11 | expect { | 11 | expect { |
12 | timeout {puts "TESTING ERROR 1\n";exit} | 12 | timeout {puts "TESTING ERROR 1\n";exit} |
13 | "0009: 20 00 00 00000000 ld data.syscall-number" | 13 | "0009: 20 00 00 00000000" |
14 | } | 14 | } |
15 | expect { | 15 | expect { |
16 | timeout {puts "TESTING ERROR 2\n";exit} | 16 | timeout {puts "TESTING ERROR 2\n";exit} |
17 | "000a: 15 01 00 00000029 jeq socket 000c (false 000b)" | 17 | "000f: 20 00 00 00000010" |
18 | } | 18 | } |
19 | expect { | 19 | expect { |
20 | timeout {puts "TESTING ERROR 3\n";exit} | 20 | timeout {puts "TESTING ERROR 3\n";exit} |
21 | "000b: 06 00 00 7fff0000 ret ALLOW" | 21 | "0010: 15 00 01 00000001" |
22 | } | 22 | } |
23 | expect { | 23 | expect { |
24 | timeout {puts "TESTING ERROR 4\n";exit} | 24 | timeout {puts "TESTING ERROR 4\n";exit} |
25 | "000c: 20 00 00 00000010 ld data.args" | 25 | "0011: 06 00 00 7fff0000" |
26 | } | 26 | } |
27 | expect { | 27 | expect { |
28 | timeout {puts "TESTING ERROR 5\n";exit} | 28 | timeout {puts "TESTING ERROR 5\n";exit} |
29 | "000d: 15 00 01 00000001 jeq 1 000e (false 000f)" | 29 | "0012: 06 00 00 0005005f" |
30 | } | ||
31 | |||
32 | after 100 | ||
33 | send -- "exit\r" | ||
34 | sleep 1 | ||
35 | |||
36 | send -- "firejail --noprofile --protocol=bluetooth --debug\r" | ||
37 | expect { | ||
38 | timeout {puts "TESTING ERROR 11\n";exit} | ||
39 | "0009: 20 00 00 00000000" | ||
40 | } | ||
41 | expect { | ||
42 | timeout {puts "TESTING ERROR 12\n";exit} | ||
43 | "000f: 20 00 00 00000010" | ||
44 | } | ||
45 | expect { | ||
46 | timeout {puts "TESTING ERROR 13\n";exit} | ||
47 | "0010: 15 00 01 0000001f" | ||
48 | } | ||
49 | expect { | ||
50 | timeout {puts "TESTING ERROR 14\n";exit} | ||
51 | "0011: 06 00 00 7fff0000" | ||
52 | } | ||
53 | expect { | ||
54 | timeout {puts "TESTING ERROR1 5\n";exit} | ||
55 | "0012: 06 00 00 0005005f" | ||
56 | } | ||
57 | |||
58 | after 100 | ||
59 | send -- "exit\r" | ||
60 | sleep 1 | ||
61 | |||
62 | send -- "firejail --noprofile --protocol=inet,inet6 --debug\r" | ||
63 | expect { | ||
64 | timeout {puts "TESTING ERROR 31\n";exit} | ||
65 | "0009: 20 00 00 00000000" | ||
66 | } | ||
67 | expect { | ||
68 | timeout {puts "TESTING ERROR 32\n";exit} | ||
69 | "000f: 20 00 00 00000010" | ||
30 | } | 70 | } |
31 | expect { | 71 | expect { |
32 | timeout {puts "TESTING ERROR 6\n";exit} | 72 | timeout {puts "TESTING ERROR 33\n";exit} |
33 | "000e: 06 00 00 7fff0000 ret ALLOW" | 73 | "0010: 15 00 01 00000002" |
34 | "" | ||
35 | } | 74 | } |
36 | expect { | 75 | expect { |
37 | timeout {puts "TESTING ERROR 7\n";exit} | 76 | timeout {puts "TESTING ERROR 34\n";exit} |
38 | "000f: 06 00 00 0005005f ret ERRNO(95)" | 77 | "0011: 06 00 00 7fff0000" |
78 | } | ||
79 | expect { | ||
80 | timeout {puts "TESTING ERROR1 35\n";exit} | ||
81 | "0012: 15 00 01 0000000a" | ||
82 | } | ||
83 | expect { | ||
84 | timeout {puts "TESTING ERROR 36\n";exit} | ||
85 | "0013: 06 00 00 7fff0000" | ||
86 | } | ||
87 | expect { | ||
88 | timeout {puts "TESTING ERROR 37\n";exit} | ||
89 | "0014: 06 00 00 0005005f" | ||
39 | } | 90 | } |
40 | 91 | ||
41 | after 100 | 92 | after 100 |
42 | send -- "exit\r" | 93 | send -- "exit\r" |
94 | |||
95 | |||
43 | after 100 | 96 | after 100 |
44 | puts "\nall done\n" | 97 | puts "\nall done\n" |
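Review bot: Two of the new timeout messages are misspelt: `timeout {puts "TESTING ERROR1 5\n";exit}` (new line 54) should read `TESTING ERROR 15` and `timeout {puts "TESTING ERROR1 35\n";exit}` (new line 80) should read `TESTING ERROR 35`, otherwise a failure there is hard to locate in the log. The expectations also dropped the disassembly (`jeq socket …`, `ret ERRNO(95)`) and now match only the raw BPF words, which still pins the filter but makes the test unreadable without context; a comment above each block naming what the bytes encode, e.g. `# jeq 1 (AF_UNIX) -> ret ALLOW`, would restore that. The two blank lines added before the final `after 100` are stray.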
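--- a/test/filters/seccomp-run-files.exp
+++ b/test/filters/seccomp-run-files.exp
@@ -24,7 +24,7 @@ after 100
 send -- "ls -l /run/firejail/mnt/seccomp | grep -c seccomp\r"
 expect {
 timeout {puts "TESTING ERROR 3\n";exit}
-"6"
+"8"
 }
 send -- "exit\r"
 sleep 1
@@ -90,7 +90,7 @@ after 100
 send -- "ls -l /run/firejail/mnt/seccomp | grep -c seccomp\r"
 expect {
 timeout {puts "TESTING ERROR 18\n";exit}
-"8"
+"10"
 }
 send -- "exit\r"
 sleep 1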
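Review bot: The new expected counts `"8"` (line 27) and `"10"` (line 93) are unanchored glob patterns, so expect is satisfied by that digit sequence appearing anywhere in the buffer — "18" from a wrong count, or digits in a shell prompt, would pass the first check — and the assertion cannot fail the way it is meant to. Anchoring to a whole output line, e.g. `-re "\r\n8\r\n"` (the `-re` form is already used in the other .exp files in this commit), keeps the check meaningful; the same applies to the second hunk. The bump from 6 to 8 and 8 to 10 is also left unexplained; a one-line comment above each `send`, naming which additional filter files are presumably now written under /run/firejail/mnt/seccomp, would tell the next person who sees the count drift whether it is a regression or another intentional change.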
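--- a/test/fs/fs.sh
+++ b/test/fs/fs.sh
@@ -45,17 +45,6 @@ echo "TESTING: read/write /var/tmp (test/fs/fs_var_tmp.exp)"
 ./fs_var_tmp.exp
 rm -f /var/tmp/_firejail_test_file
 
-if [[ $(uname -m) == "x86_64" ]]; then
-fjconfig=/etc/firejail/firejail.config
-printf 'private-lib yes\n' | sudo tee -a "$fjconfig" >/dev/null
-echo "TESTING: private-lib (test/fs/private-lib.exp)"
-./private-lib.exp
-printf '%s\n' "$(sed '/^private-lib yes$/d' "$fjconfig")" |
-sudo tee "$fjconfig" >/dev/null
-else
-echo "TESTING SKIP: private-lib test implemented only for x86_64."
-fi
-
 echo "TESTING: read/write /var/lock (test/fs/fs_var_lock.exp)"
 ./fs_var_lock.exp
 rm -f /var/lock/_firejail_test_file
@@ -153,8 +142,9 @@ echo "TESTING: whitelist (test/fs/whitelist.exp)"
 ./whitelist.exp
 rm -fr ~/_firejail_test_*
 
-echo "TESTING: whitelist dev, var(test/fs/whitelist-dev.exp)"
-./whitelist-dev.exp
+# TODO: whitelist /dev broken in 0.9.72
+#echo "TESTING: whitelist dev, var(test/fs/whitelist-dev.exp)"
+#./whitelist-dev.exp
 
 echo "TESTING: whitelist noexec (test/fs/whitelist-noexec.exp)"
 ./whitelist-noexec.exp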
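Review bot: Commenting out the whitelist-dev run at new lines 145–147 makes that test vanish from the run log silently, whereas the rest of this script reports skipped tests with an explicit message (compare the `TESTING SKIP:` line the same commit removes at old line 56). Replacing the two commented lines with `echo "TESTING SKIP: whitelist dev, var - whitelist /dev broken in 0.9.72 (test/fs/whitelist-dev.exp)"` keeps the gap visible to anyone reading or grepping the output, and the TODO comment itself can stay above it. If an issue tracks the /dev breakage, its reference belongs in that TODO so the line has a clear condition for being restored.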
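--- a/test/fs/whitelist-empty.exp
+++ b/test/fs/whitelist-empty.exp
@@ -7,7 +7,7 @@ set timeout 30
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --whitelist=~/blablabla --whitelist=/tmp/blablabla --whitelist=/media/blablabla --whitelist=/var/blablabla --whitelist=/dev/blablabla --whitelist=/opt/blablabla\r"
+send -- "firejail --whitelist=~/blablabla --whitelist=/tmp/blablabla --whitelist=/media/blablabla --whitelist=/var/blablabla --whitelist=/opt/blablabla\r"
 expect {
 timeout {puts "TESTING ERROR 0\n";exit}
 -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"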
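Review bot: Dropping `--whitelist=/dev/blablabla` from the command on line 10 removes the only /dev case from this test without a word about why, so the reduced coverage is invisible to the next reader of this file. A comment above the `send`, e.g. `# --whitelist=/dev/... omitted: whitelist /dev is broken in 0.9.72, see the TODO in test/fs/fs.sh`, records the reason in the file that was changed and marks the argument as something to put back rather than a deliberate narrowing of the test.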
diff --git a/test/fs/private-lib.exp b/test/private-lib/private-lib.exp index 5290def35..5290def35 100755 --- a/test/fs/private-lib.exp +++ b/test/private-lib/private-lib.exp | |||
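--- a/test/private-lib/private-lib.sh
+++ b/test/private-lib/private-lib.sh
@@ -18,3 +18,15 @@ for app in "${apps[@]}"; do
 echo "TESTING SKIP: $app not found"
 fi
 done
+
+if [[ $(uname -m) == "x86_64" ]]; then
+fjconfig=/etc/firejail/firejail.config
+printf 'private-lib yes\n' | sudo tee -a "$fjconfig" >/dev/null
+echo "TESTING: private-lib (test/fs/private-lib.exp)"
+./private-lib.exp
+printf '%s\n' "$(sed '/^private-lib yes$/d' "$fjconfig")" |
+sudo tee "$fjconfig" >/dev/null
+else
+echo "TESTING SKIP: private-lib test implemented only for x86_64."
+fi
+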
32 | |||