diff options
-rw-r--r-- | RELNOTES | 3 | ||||
-rw-r--r-- | etc/profile-a-l/chromium-common-hardened.inc.profile | 3 | ||||
-rw-r--r-- | etc/profile-a-l/code.profile | 39 | ||||
-rw-r--r-- | etc/profile-a-l/kodi.profile | 6 | ||||
-rw-r--r-- | etc/profile-m-z/minitube.profile | 2 | ||||
-rw-r--r-- | etc/templates/syscalls.txt | 30 | ||||
-rwxr-xr-x | src/tools/profcleaner.sh | 8 |
7 files changed, 50 insertions, 41 deletions
@@ -2,7 +2,8 @@ firejail (0.9.67) baseline; urgency=low | |||
2 | * work in progress | 2 | * work in progress |
3 | * deprecated --disable-whitelist at compile time | 3 | * deprecated --disable-whitelist at compile time |
4 | * deprecated whitelist=yes/no in /etc/firejail/firejail.config | 4 | * deprecated whitelist=yes/no in /etc/firejail/firejail.config |
5 | * new profiles: microsoft-edge-beta | 5 | * new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim |
6 | * new profiles: io.github.lainsce.Notejot, rednotebook | ||
6 | -- netblue30 <netblue30@yahoo.com> Mon, 28 Jun 2021 09:00:00 -0500 | 7 | -- netblue30 <netblue30@yahoo.com> Mon, 28 Jun 2021 09:00:00 -0500 |
7 | 8 | ||
8 | firejail (0.9.66) baseline; urgency=low | 9 | firejail (0.9.66) baseline; urgency=low |
diff --git a/etc/profile-a-l/chromium-common-hardened.inc.profile b/etc/profile-a-l/chromium-common-hardened.inc.profile index 87a0a0994..19addd285 100644 --- a/etc/profile-a-l/chromium-common-hardened.inc.profile +++ b/etc/profile-a-l/chromium-common-hardened.inc.profile | |||
@@ -6,5 +6,4 @@ caps.drop all | |||
6 | nonewprivs | 6 | nonewprivs |
7 | noroot | 7 | noroot |
8 | protocol unix,inet,inet6,netlink | 8 | protocol unix,inet,inet6,netlink |
9 | # kcmp is required for ozone-platform=wayland, see #3783. | 9 | seccomp !chroot |
10 | seccomp !chroot,!kcmp | ||
diff --git a/etc/profile-a-l/code.profile b/etc/profile-a-l/code.profile index e19b78908..fdf94ec41 100644 --- a/etc/profile-a-l/code.profile +++ b/etc/profile-a-l/code.profile | |||
@@ -5,6 +5,21 @@ include code.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | # Disabled until someone reported positive feedback | ||
9 | ignore include disable-devel.inc | ||
10 | ignore include disable-exec.inc | ||
11 | ignore include disable-interpreters.inc | ||
12 | ignore include disable-xdg.inc | ||
13 | ignore whitelist ${DOWNLOADS} | ||
14 | ignore include whitelist-common.inc | ||
15 | ignore include whitelist-runuser-common.inc | ||
16 | ignore include whitelist-usr-share-common.inc | ||
17 | ignore include whitelist-var-common.inc | ||
18 | ignore apparmor | ||
19 | ignore disable-mnt | ||
20 | ignore dbus-user none | ||
21 | ignore dbus-system none | ||
22 | |||
8 | noblacklist ${HOME}/.config/Code | 23 | noblacklist ${HOME}/.config/Code |
9 | noblacklist ${HOME}/.config/Code - OSS | 24 | noblacklist ${HOME}/.config/Code - OSS |
10 | noblacklist ${HOME}/.vscode | 25 | noblacklist ${HOME}/.vscode |
@@ -13,31 +28,13 @@ noblacklist ${HOME}/.vscode-oss | |||
13 | # Allows files commonly used by IDEs | 28 | # Allows files commonly used by IDEs |
14 | include allow-common-devel.inc | 29 | include allow-common-devel.inc |
15 | 30 | ||
16 | include disable-common.inc | ||
17 | include disable-passwdmgr.inc | ||
18 | include disable-programs.inc | ||
19 | |||
20 | caps.drop all | ||
21 | netfilter | ||
22 | nodvd | ||
23 | nogroups | ||
24 | noinput | ||
25 | nonewprivs | ||
26 | noroot | ||
27 | nosound | 31 | nosound |
28 | notv | ||
29 | nou2f | ||
30 | novideo | ||
31 | protocol unix,inet,inet6,netlink | ||
32 | seccomp | ||
33 | shell none | ||
34 | |||
35 | private-cache | ||
36 | private-dev | ||
37 | private-tmp | ||
38 | 32 | ||
39 | # Disabling noexec ${HOME} for now since it will | 33 | # Disabling noexec ${HOME} for now since it will |
40 | # probably interfere with running some programmes | 34 | # probably interfere with running some programmes |
41 | # in VS Code | 35 | # in VS Code |
42 | # noexec ${HOME} | 36 | # noexec ${HOME} |
43 | noexec /tmp | 37 | noexec /tmp |
38 | |||
39 | # Redirect | ||
40 | include electron.profile | ||
diff --git a/etc/profile-a-l/kodi.profile b/etc/profile-a-l/kodi.profile index b7091f1fc..f909728a5 100644 --- a/etc/profile-a-l/kodi.profile +++ b/etc/profile-a-l/kodi.profile | |||
@@ -12,6 +12,12 @@ ignore noexec ${HOME} | |||
12 | #ignore nogroups | 12 | #ignore nogroups |
13 | #ignore noroot | 13 | #ignore noroot |
14 | #ignore private-dev | 14 | #ignore private-dev |
15 | # Add the following to your kodi.local if you use the Lutris Kodi Addon | ||
16 | #noblacklist /sbin | ||
17 | #noblacklist /usr/sbin | ||
18 | #noblacklist ${HOME}/.cache/lutris | ||
19 | #noblacklist ${HOME}/.config/lutris | ||
20 | #noblacklist ${HOME}/.local/share/lutris | ||
15 | 21 | ||
16 | noblacklist ${HOME}/.kodi | 22 | noblacklist ${HOME}/.kodi |
17 | noblacklist ${MUSIC} | 23 | noblacklist ${MUSIC} |
diff --git a/etc/profile-m-z/minitube.profile b/etc/profile-m-z/minitube.profile index 3fe3428d0..b8a551b6c 100644 --- a/etc/profile-m-z/minitube.profile +++ b/etc/profile-m-z/minitube.profile | |||
@@ -47,7 +47,7 @@ notv | |||
47 | nou2f | 47 | nou2f |
48 | novideo | 48 | novideo |
49 | protocol unix,inet,inet6,netlink | 49 | protocol unix,inet,inet6,netlink |
50 | seccomp !kcmp | 50 | seccomp |
51 | shell none | 51 | shell none |
52 | tracelog | 52 | tracelog |
53 | 53 | ||
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt index 3992c984a..38f789923 100644 --- a/etc/templates/syscalls.txt +++ b/etc/templates/syscalls.txt | |||
@@ -89,18 +89,24 @@ Inheritance of groups | |||
89 | What to do if seccomp breaks a program | 89 | What to do if seccomp breaks a program |
90 | -------------------------------------- | 90 | -------------------------------------- |
91 | 91 | ||
92 | Start `journalctl --grep=SECCOMP --follow` in a terminal and run | ||
93 | `firejail --seccomp-error-action=log /path/to/program` in a second terminal. | ||
94 | Now switch back to the first terminal (where `journalctl` is running) and look | ||
95 | for the numbers of the blocked syscall(s) (`syscall=<NUMBER>`). As soon as you | ||
96 | have found them, you can stop `journalctl` (^C) and execute | ||
97 | `firejail --debug-syscalls | grep NUMBER` to get the name of the syscall. | ||
98 | In the particular case that it is a 32bit syscall on a 64bit system, use `ausyscall i386 NUMBER`. | ||
99 | Now you can add a seccomp exception using `seccomp !NAME`. | ||
100 | |||
101 | If the blocked syscall is ptrace, consider to add allow-debuggers to the profile. | ||
102 | |||
92 | ``` | 103 | ``` |
93 | $ journalctl --grep=syscall --follow | 104 | term1$ journalctl --grep=SECCOMP --follow |
94 | <...> audit[…]: SECCOMP <...> syscall=161 <...> | 105 | term2$ firejail --seccomp-error-action=log /usr/bin/signal-desktop |
95 | $ firejail --debug-syscalls | grep 161 | 106 | term1$ (journalctl --grep=SECCOMP --follow) |
96 | 161 - chroot | 107 | audit[1234]: SECCOMP ... comm="signal-desktop" exe="/usr/bin/signal-desktop" sig=31 arch=c000003e syscall=161 ... |
108 | ^C | ||
109 | term1$ firejail --debug-syscalls | grep "^161[[:space:]]" | ||
110 | 161 - chroot | ||
97 | ``` | 111 | ``` |
98 | Profile: `seccomp -> seccomp !chroot` | 112 | Profile: `seccomp -> seccomp !chroot` |
99 | |||
100 | Start `journalctl --grep=syscall --follow` in a terminal, then start the broken | ||
101 | program. Now you see one or more long lines containing `syscall=NUMBER` somewhere. | ||
102 | Stop journalctl (^C) and execute `firejail --debug-syscalls | grep NUMBER`. You | ||
103 | will see something like `NUMBER - NAME`, because you now know the name of the | ||
104 | syscall, you can add an exception to seccomp by putting `!NAME` to seccomp. | ||
105 | |||
106 | If the blocked syscall is ptrace, consider to add allow-debuggers to the profile. | ||
diff --git a/src/tools/profcleaner.sh b/src/tools/profcleaner.sh index 709008e08..96402aed6 100755 --- a/src/tools/profcleaner.sh +++ b/src/tools/profcleaner.sh | |||
@@ -38,8 +38,8 @@ else | |||
38 | fi | 38 | fi |
39 | 39 | ||
40 | sed -i -E \ | 40 | sed -i -E \ |
41 | -e "s/^(# |#)?blacklist/\1deny/" \ | 41 | -e "s/^(# |#)?(ignore )?blacklist/\1\2deny/" \ |
42 | -e "s/^(# |#)?noblacklist/\1nodeny/" \ | 42 | -e "s/^(# |#)?(ignore )?noblacklist/\1\2nodeny/" \ |
43 | -e "s/^(# |#)?whitelist/\1allow/" \ | 43 | -e "s/^(# |#)?(ignore )?whitelist/\1\2allow/" \ |
44 | -e "s/^(# |#)?nowhitelist/\1noallow/" \ | 44 | -e "s/^(# |#)?(ignore )?nowhitelist/\1\2noallow/" \ |
45 | "${profiles[@]}" | 45 | "${profiles[@]}" |