-rw-r--r-- | .github/pull_request_template.md | 1 | ||||
-rw-r--r-- | .github/workflows/sort.yml | 1 | ||||
-rw-r--r-- | README | 22 | ||||
-rw-r--r-- | RELNOTES | 8 | ||||
-rwxr-xr-x | contrib/gdb-firejail.sh | 2 | ||||
-rw-r--r-- | etc-fixes/0.9.58/atom.profile | 1 | ||||
-rw-r--r-- | etc-fixes/seccomp-join-bug/README | 1 | ||||
-rw-r--r-- | etc/apparmor/firejail-default | 2 | ||||
-rw-r--r-- | etc/inc/disable-devel.inc | 2 | ||||
-rw-r--r-- | etc/profile-a-l/email-common.profile | 2 | ||||
-rw-r--r-- | etc/profile-a-l/kdiff3.profile | 2 | ||||
-rw-r--r-- | etc/profile-a-l/links-common.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/spectacle.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/sway.profile | 2 | ||||
-rwxr-xr-x | gcov.sh | 6 | ||||
-rwxr-xr-x | linecnt.sh | 4 | ||||
-rw-r--r-- | src/bash_completion/firejail.bash_completion.in | 8 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 22 | ||||
-rw-r--r-- | src/man/firejail.txt | 18 | ||||
-rw-r--r-- | src/man/firemon.txt | 2 |
20 files changed, 52 insertions, 58 deletions
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 57ac2e9c4..7cb92a938 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md | |||
@@ -1,4 +1,3 @@ | |||
1 | |||
2 | If your PR isn't about profiles or you have no idea how to do one of these, skip the following and go ahead with this PR. | 1 | If your PR isn't about profiles or you have no idea how to do one of these, skip the following and go ahead with this PR. |
3 | 2 | ||
4 | If you submit a PR for new profiles or changing profiles, please do the following: | 3 | If you submit a PR for new profiles or changing profiles, please do the following: |
diff --git a/.github/workflows/sort.yml b/.github/workflows/sort.yml index f3ded0f22..cfa40d2d2 100644 --- a/.github/workflows/sort.yml +++ b/.github/workflows/sort.yml | |||
@@ -19,4 +19,3 @@ jobs: | |||
19 | - uses: actions/checkout@v2 | 19 | - uses: actions/checkout@v2 |
20 | - name: check profiles | 20 | - name: check profiles |
21 | run: ./contrib/sort.py etc/*/{*.inc,*.profile} | 21 | run: ./contrib/sort.py etc/*/{*.inc,*.profile} |
22 | |||
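Review bot: Line 19 of this workflow references `actions/checkout@v2` by a movable tag. While the file is being touched, pin the action to a full commit SHA, so the job that runs `./contrib/sort.py` over the profiles cannot silently pick up changed action code.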
@@ -1,13 +1,13 @@ | |||
1 | Firejail is a SUID sandbox program that reduces the risk of security | 1 | Firejail is a SUID sandbox program that reduces the risk of security |
2 | breaches by restricting the running environment of untrusted applications | 2 | breaches by restricting the running environment of untrusted applications |
3 | using Linux namespaces and seccomp-bpf. It includes sandbox profiles for | 3 | using Linux namespaces and seccomp-bpf. It includes sandbox profiles for |
4 | Iceweasel/Mozilla Firefox, Chromium, Midori, Opera, Evince, Transmission, | 4 | Iceweasel/Mozilla Firefox, Chromium, Midori, Opera, Evince, Transmission, |
5 | VLC, Audacious, Clementine, Rhythmbox, Totem, Deluge, qBittorrent. | 5 | VLC, Audacious, Clementine, Rhythmbox, Totem, Deluge, qBittorrent. |
6 | DeaDBeeF, Dropbox, Empathy, FileZilla, IceCat, Thunderbird/Icedove, | 6 | DeaDBeeF, Dropbox, Empathy, FileZilla, IceCat, Thunderbird/Icedove, |
7 | Pidgin, Quassel, and XChat. | 7 | Pidgin, Quassel, and XChat. |
8 | 8 | ||
9 | Firejail also expands the restricted shell facility found in bash by adding | 9 | Firejail also expands the restricted shell facility found in bash by adding |
10 | Linux namespace support. It supports sandboxing specific users upon login. | 10 | Linux namespace support. It supports sandboxing specific users upon login. |
11 | 11 | ||
12 | Download: https://sourceforge.net/projects/firejail/files/ | 12 | Download: https://sourceforge.net/projects/firejail/files/ |
13 | Build and install: ./configure && make && sudo make install | 13 | Build and install: ./configure && make && sudo make install |
@@ -460,7 +460,7 @@ hawkey116477 (https://github.com/hawkeye116477) | |||
460 | Helmut Grohne (https://github.com/helmutg) | 460 | Helmut Grohne (https://github.com/helmutg) |
461 | - compiler support in the build system - Debian bug #869707 | 461 | - compiler support in the build system - Debian bug #869707 |
462 | hhzek0014 (https://github.com/hhzek0014) | 462 | hhzek0014 (https://github.com/hhzek0014) |
463 | - updated bibletime.profile | 463 | - updated bibletime.profile |
464 | hlein (https://github.com/hlein) | 464 | hlein (https://github.com/hlein) |
465 | - strip out \r's from jail prober | 465 | - strip out \r's from jail prober |
466 | Holger Heinz (https://github.com/hheinz) | 466 | Holger Heinz (https://github.com/hheinz) |
@@ -579,7 +579,7 @@ Kishore96in (https://github.com/Kishore96in) | |||
579 | - added falkon profile | 579 | - added falkon profile |
580 | - kxmlgui fixes | 580 | - kxmlgui fixes |
581 | - okular profile fixes | 581 | - okular profile fixes |
582 | - jitsi-meet-desktop profile | 582 | - jitsi-meet-desktop profile |
583 | - konversatin profile fix | 583 | - konversatin profile fix |
584 | - added Neochat profile | 584 | - added Neochat profile |
585 | - added whitelist-1793-workaround.inc | 585 | - added whitelist-1793-workaround.inc |
@@ -715,7 +715,7 @@ Ondra Nekola (https://github.com/satai) | |||
715 | OndrejMalek (https://github.com/OndrejMalek) | 715 | OndrejMalek (https://github.com/OndrejMalek) |
716 | - various manpage fixes | 716 | - various manpage fixes |
717 | Ondřej Nový (https://github.com/onovy) | 717 | Ondřej Nový (https://github.com/onovy) |
718 | - allow video for Signal profile | 718 | - allow video for Signal profile |
719 | - added Mattermost desktop profile | 719 | - added Mattermost desktop profile |
720 | - hardened Zoom profile | 720 | - hardened Zoom profile |
721 | - hardened Signal desktop profile | 721 | - hardened Signal desktop profile |
@@ -732,7 +732,7 @@ Patrick Toomey (https://sourceforge.net/u/ptoomey/profile/) | |||
732 | Paul Moore <pmoore@redhat.com> | 732 | Paul Moore <pmoore@redhat.com> |
733 | -src/fsec-print/print.c extracted from libseccomp software package | 733 | -src/fsec-print/print.c extracted from libseccomp software package |
734 | Paupiah Yash (https://github.com/CaffeinatedStud) | 734 | Paupiah Yash (https://github.com/CaffeinatedStud) |
735 | - gzip profile | 735 | - gzip profile |
736 | Pawel (https://github.com/grimskies) | 736 | Pawel (https://github.com/grimskies) |
737 | - make --join return exit code of the invoked program | 737 | - make --join return exit code of the invoked program |
738 | Peter Millerchip (https://github.com/pmillerchip) | 738 | Peter Millerchip (https://github.com/pmillerchip) |
@@ -960,7 +960,7 @@ SYN-cook (https://github.com/SYN-cook) | |||
960 | - gnome-calculator changes | 960 | - gnome-calculator changes |
961 | startx2017 (https://github.com/startx2017) | 961 | startx2017 (https://github.com/startx2017) |
962 | - syscall list update | 962 | - syscall list update |
963 | - updated default seccomp filters - added bpf, clock_settime, personality, process_vm_writev, query_module, | 963 | - updated default seccomp filters - added bpf, clock_settime, personality, process_vm_writev, query_module, |
964 | settimeofday, stime, umount, userfaultfd, ustat, vm86, and vm86old | 964 | settimeofday, stime, umount, userfaultfd, ustat, vm86, and vm86old |
965 | - enable/disable join support in /etc/firejail/firejail.config | 965 | - enable/disable join support in /etc/firejail/firejail.config |
966 | - firecfg fix: create ~/.local/share/applications directory if it doesn't exist | 966 | - firecfg fix: create ~/.local/share/applications directory if it doesn't exist |
@@ -1011,7 +1011,7 @@ Topi Miettinen (https://github.com/topimiettinen) | |||
1011 | - improve loading of seccomp filter and memory-deny-write-execute feature | 1011 | - improve loading of seccomp filter and memory-deny-write-execute feature |
1012 | - private-lib feature | 1012 | - private-lib feature |
1013 | - make --nodbus block also system D-Bus socket | 1013 | - make --nodbus block also system D-Bus socket |
1014 | Ted Robertson (https://github.com/tredondo) | 1014 | Ted Robertson (https://github.com/tredondo) |
1015 | - webstorm profile fixes | 1015 | - webstorm profile fixes |
1016 | - added bcompare profile | 1016 | - added bcompare profile |
1017 | - various documentation fixes | 1017 | - various documentation fixes |
@@ -1071,7 +1071,7 @@ vismir2 (https://github.com/vismir2) | |||
1071 | - feh, ranger, 7z, keepass, keepassx and zathura profiles | 1071 | - feh, ranger, 7z, keepass, keepassx and zathura profiles |
1072 | - claws-mail, mutt, git, emacs, vim profiles | 1072 | - claws-mail, mutt, git, emacs, vim profiles |
1073 | - lots of profile fixes | 1073 | - lots of profile fixes |
1074 | - support for truecrypt and zuluCrypt | 1074 | - support for truecrypt and zuluCrypt |
1075 | viq (https://github.com/viq) | 1075 | viq (https://github.com/viq) |
1076 | - discord-canary profile | 1076 | - discord-canary profile |
1077 | Vladimir Gorelov (https://github.com/larkvirtual) | 1077 | Vladimir Gorelov (https://github.com/larkvirtual) |
@@ -59,7 +59,7 @@ firejail (0.9.64.4) baseline; urgency=low | |||
59 | 59 | ||
60 | firejail (0.9.64.2) baseline; urgency=low | 60 | firejail (0.9.64.2) baseline; urgency=low |
61 | * allow --tmpfs inside $HOME for unprivileged users | 61 | * allow --tmpfs inside $HOME for unprivileged users |
62 | * --disable-usertmpfs compile time option | 62 | * --disable-usertmpfs compile time option |
63 | * allow AF_BLUETOOTH via --protocol=bluetooth | 63 | * allow AF_BLUETOOTH via --protocol=bluetooth |
64 | * Setup guide for new users: contrib/firejail-welcome.sh | 64 | * Setup guide for new users: contrib/firejail-welcome.sh |
65 | * implement netns in profiles | 65 | * implement netns in profiles |
@@ -566,7 +566,7 @@ firejail (0.9.44) baseline; urgency=low | |||
566 | * feature: disable 3D hardware acceleration (--no3d) | 566 | * feature: disable 3D hardware acceleration (--no3d) |
567 | * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands | 567 | * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands |
568 | * feature: move files in sandbox (--put) | 568 | * feature: move files in sandbox (--put) |
569 | * feature: accept wildcard patterns in user name field of restricted | 569 | * feature: accept wildcard patterns in user name field of restricted |
570 | shell login feature | 570 | shell login feature |
571 | * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape | 571 | * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape |
572 | * new profiles: feh, ranger, zathura, 7z, keepass, keepassx, | 572 | * new profiles: feh, ranger, zathura, 7z, keepass, keepassx, |
@@ -608,7 +608,7 @@ firejail (0.9.42) baseline; urgency=low | |||
608 | * compile time: disable whitelisting (--disable-whitelist) | 608 | * compile time: disable whitelisting (--disable-whitelist) |
609 | * compile time: disable global config (--disable-globalcfg) | 609 | * compile time: disable global config (--disable-globalcfg) |
610 | * run time: enable/disable overlayfs (overlayfs yes/no) | 610 | * run time: enable/disable overlayfs (overlayfs yes/no) |
611 | * run time: enable/disable quiet as default (quiet-by-default yes/no) | 611 | * run time: enable/disable quiet as default (quiet-by-default yes/no) |
612 | * run time: user-defined network filter (netfilter-default) | 612 | * run time: user-defined network filter (netfilter-default) |
613 | * run time: enable/disable whitelisting (whitelist yes/no) | 613 | * run time: enable/disable whitelisting (whitelist yes/no) |
614 | * run time: enable/disable remounting of /proc and /sys | 614 | * run time: enable/disable remounting of /proc and /sys |
@@ -706,7 +706,7 @@ firejail (0.9.38) baseline; urgency=low | |||
706 | -- netblue30 <netblue30@yahoo.com> Tue, 2 Feb 2016 10:00:00 -0500 | 706 | -- netblue30 <netblue30@yahoo.com> Tue, 2 Feb 2016 10:00:00 -0500 |
707 | 707 | ||
708 | firejail (0.9.36) baseline; urgency=low | 708 | firejail (0.9.36) baseline; urgency=low |
709 | * added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat, | 709 | * added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat, |
710 | parole and rtorrent profiles | 710 | parole and rtorrent profiles |
711 | * Google Chrome profile rework | 711 | * Google Chrome profile rework |
712 | * added google-chrome-stable profile | 712 | * added google-chrome-stable profile |
diff --git a/contrib/gdb-firejail.sh b/contrib/gdb-firejail.sh index 941fc45ef..686bdc2c0 100755 --- a/contrib/gdb-firejail.sh +++ b/contrib/gdb-firejail.sh | |||
@@ -21,4 +21,4 @@ else | |||
21 | fi | 21 | fi |
22 | 22 | ||
23 | bash -c "kill -STOP \$\$; exec \"\$0\" \"\$@\"" "$@" & | 23 | bash -c "kill -STOP \$\$; exec \"\$0\" \"\$@\"" "$@" & |
24 | sudo gdb -e "$FIREJAIL" -p "$!" | 24 | sudo gdb -e "$FIREJAIL" -p "$!" |
diff --git a/etc-fixes/0.9.58/atom.profile b/etc-fixes/0.9.58/atom.profile index 9bc35da5a..1cc9b0116 100644 --- a/etc-fixes/0.9.58/atom.profile +++ b/etc-fixes/0.9.58/atom.profile | |||
@@ -1,4 +1,3 @@ | |||
1 | |||
2 | # Firejail profile for atom | 1 | # Firejail profile for atom |
3 | # Description: A hackable text editor for the 21st Century | 2 | # Description: A hackable text editor for the 21st Century |
4 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
diff --git a/etc-fixes/seccomp-join-bug/README b/etc-fixes/seccomp-join-bug/README index 9f85a0e00..15596eca7 100644 --- a/etc-fixes/seccomp-join-bug/README +++ b/etc-fixes/seccomp-join-bug/README | |||
@@ -8,4 +8,3 @@ on May 21, 2019: | |||
8 | 8 | ||
9 | The original discussion thread: https://github.com/netblue30/firejail/issues/2718 | 9 | The original discussion thread: https://github.com/netblue30/firejail/issues/2718 |
10 | The fix on mainline: https://github.com/netblue30/firejail/commit/eecf35c2f8249489a1d3e512bb07f0d427183134 | 10 | The fix on mainline: https://github.com/netblue30/firejail/commit/eecf35c2f8249489a1d3e512bb07f0d427183134 |
11 | |||
diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default index ca32f5b0d..a7044152e 100644 --- a/etc/apparmor/firejail-default +++ b/etc/apparmor/firejail-default | |||
@@ -129,7 +129,7 @@ signal (receive), | |||
129 | ########## | 129 | ########## |
130 | # The list of recognized capabilities varies from one apparmor version to another. | 130 | # The list of recognized capabilities varies from one apparmor version to another. |
131 | # For example on Debian 10 (apparmor 2.13.2) checkpoint_restore, perfmon, bpf are not available | 131 | # For example on Debian 10 (apparmor 2.13.2) checkpoint_restore, perfmon, bpf are not available |
132 | # We allow all caps by default and remove the ones we don't like: | 132 | # We allow all caps by default and remove the ones we don't like: |
133 | capability, | 133 | capability, |
134 | deny capability audit_write, | 134 | deny capability audit_write, |
135 | deny capability audit_control, | 135 | deny capability audit_control, |
diff --git a/etc/inc/disable-devel.inc b/etc/inc/disable-devel.inc index e74b1b40b..98bf5ecc8 100644 --- a/etc/inc/disable-devel.inc +++ b/etc/inc/disable-devel.inc | |||
@@ -60,9 +60,7 @@ blacklist /usr/lib/tcc | |||
60 | blacklist ${PATH}/valgrind* | 60 | blacklist ${PATH}/valgrind* |
61 | blacklist /usr/lib/valgrind | 61 | blacklist /usr/lib/valgrind |
62 | 62 | ||
63 | |||
64 | # Source-Code | 63 | # Source-Code |
65 | |||
66 | blacklist /usr/src | 64 | blacklist /usr/src |
67 | blacklist /usr/local/src | 65 | blacklist /usr/local/src |
68 | blacklist /usr/include | 66 | blacklist /usr/include |
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile index fe8d4e9cb..8673b65ca 100644 --- a/etc/profile-a-l/email-common.profile +++ b/etc/profile-a-l/email-common.profile | |||
@@ -12,7 +12,7 @@ noblacklist ${HOME}/.gnupg | |||
12 | noblacklist ${HOME}/.mozilla | 12 | noblacklist ${HOME}/.mozilla |
13 | noblacklist ${HOME}/.signature | 13 | noblacklist ${HOME}/.signature |
14 | # when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local | 14 | # when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local |
15 | # and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications | 15 | # and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications |
16 | noblacklist ${HOME}/Mail | 16 | noblacklist ${HOME}/Mail |
17 | 17 | ||
18 | noblacklist ${DOCUMENTS} | 18 | noblacklist ${DOCUMENTS} |
diff --git a/etc/profile-a-l/kdiff3.profile b/etc/profile-a-l/kdiff3.profile index 7c9be2bcc..fa50b0a20 100644 --- a/etc/profile-a-l/kdiff3.profile +++ b/etc/profile-a-l/kdiff3.profile | |||
@@ -48,7 +48,7 @@ shell none | |||
48 | tracelog | 48 | tracelog |
49 | 49 | ||
50 | disable-mnt | 50 | disable-mnt |
51 | private-bin kdiff3 | 51 | private-bin kdiff3 |
52 | private-cache | 52 | private-cache |
53 | private-dev | 53 | private-dev |
54 | 54 | ||
diff --git a/etc/profile-a-l/links-common.profile b/etc/profile-a-l/links-common.profile index 9606671bb..dac3eaee3 100644 --- a/etc/profile-a-l/links-common.profile +++ b/etc/profile-a-l/links-common.profile | |||
@@ -47,7 +47,7 @@ shell none | |||
47 | tracelog | 47 | tracelog |
48 | 48 | ||
49 | disable-mnt | 49 | disable-mnt |
50 | # Add 'private-bin PROGRAM1,PROGRAM2' to your links-common.local if you want to use user-configured programs. | 50 | # Add 'private-bin PROGRAM1,PROGRAM2' to your links-common.local if you want to use user-configured programs. |
51 | private-bin sh | 51 | private-bin sh |
52 | private-cache | 52 | private-cache |
53 | private-dev | 53 | private-dev |
diff --git a/etc/profile-m-z/spectacle.profile b/etc/profile-m-z/spectacle.profile index f6bb15b30..fc4ae2b04 100644 --- a/etc/profile-m-z/spectacle.profile +++ b/etc/profile-m-z/spectacle.profile | |||
@@ -22,7 +22,7 @@ include disable-interpreters.inc | |||
22 | include disable-programs.inc | 22 | include disable-programs.inc |
23 | include disable-xdg.inc | 23 | include disable-xdg.inc |
24 | 24 | ||
25 | mkfile ${HOME}/.config/spectaclerc | 25 | mkfile ${HOME}/.config/spectaclerc |
26 | whitelist ${HOME}/.config/spectaclerc | 26 | whitelist ${HOME}/.config/spectaclerc |
27 | whitelist ${PICTURES} | 27 | whitelist ${PICTURES} |
28 | whitelist /usr/share/kconf_update/spectacle_newConfig.upd | 28 | whitelist /usr/share/kconf_update/spectacle_newConfig.upd |
diff --git a/etc/profile-m-z/sway.profile b/etc/profile-m-z/sway.profile index 4637419bf..046d1b4be 100644 --- a/etc/profile-m-z/sway.profile +++ b/etc/profile-m-z/sway.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for Sway | 1 | # Firejail profile for Sway |
2 | # Description: i3-compatible Wayland compositor | 2 | # Description: i3-compatible Wayland compositor |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include sway.local | 5 | include sway.local |
@@ -24,8 +24,8 @@ gcov_init() { | |||
24 | } | 24 | } |
25 | 25 | ||
26 | generate() { | 26 | generate() { |
27 | lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-new | 27 | lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-new |
28 | lcov --add-tracefile gcov-file-old --add-tracefile gcov-file-new --output-file gcov-file | 28 | lcov --add-tracefile gcov-file-old --add-tracefile gcov-file-new --output-file gcov-file |
29 | rm -fr gcov-dir | 29 | rm -fr gcov-dir |
30 | genhtml -q gcov-file --output-directory gcov-dir | 30 | genhtml -q gcov-file --output-directory gcov-dir |
31 | sudo rm `find . -name *.gcda` | 31 | sudo rm `find . -name *.gcda` |
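Review bot: Line 31 of `generate()` runs `find . -name *.gcda` inside a command substitution passed to `sudo rm`, with the pattern unquoted. If a `.gcda` file exists in the current directory, the shell expands the glob before `find` sees it, and the substituted output is word-split, so a path containing whitespace reaches a root `rm` as several arguments. Since this function is being cleaned up anyway, suggest `sudo find . -name '*.gcda' -delete`.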
@@ -35,7 +35,7 @@ generate() { | |||
35 | 35 | ||
36 | 36 | ||
37 | gcov_init | 37 | gcov_init |
38 | lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-old | 38 | lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-old |
39 | 39 | ||
40 | #make test-utils | 40 | #make test-utils |
41 | #generate | 41 | #generate |
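Review bot: The `-d src/...` directory list on line 38 duplicates the one on line 27 in `generate()`, and the same list appears again in linecnt.sh. Nothing keeps the copies in sync when a new tool directory is added. Consider defining the list once in a variable and reusing it in both `lcov --capture` calls.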
diff --git a/linecnt.sh b/linecnt.sh index ccce2da82..86bccbc07 100755 --- a/linecnt.sh +++ b/linecnt.sh | |||
@@ -26,6 +26,6 @@ gcov_init() { | |||
26 | rm -fr gcov-dir | 26 | rm -fr gcov-dir |
27 | gcov_init | 27 | gcov_init |
28 | lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder \ | 28 | lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder \ |
29 | -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp \ | 29 | -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp \ |
30 | -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file | 30 | -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file |
31 | genhtml -q gcov-file --output-directory gcov-dir | 31 | genhtml -q gcov-file --output-directory gcov-dir |
diff --git a/src/bash_completion/firejail.bash_completion.in b/src/bash_completion/firejail.bash_completion.in index f68edf380..ff411c807 100644 --- a/src/bash_completion/firejail.bash_completion.in +++ b/src/bash_completion/firejail.bash_completion.in | |||
@@ -5,7 +5,7 @@ | |||
5 | # http://bash-completion.alioth.debian.org | 5 | # http://bash-completion.alioth.debian.org |
6 | #******************************************************************* | 6 | #******************************************************************* |
7 | 7 | ||
8 | __interfaces(){ | 8 | __interfaces() { |
9 | cut -f 1 -d ':' /proc/net/dev | tail -n +3 | grep -v lo | xargs | 9 | cut -f 1 -d ':' /proc/net/dev | tail -n +3 | grep -v lo | xargs |
10 | } | 10 | } |
11 | 11 | ||
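Review bot: In `__interfaces()` on line 9, `grep -v lo` drops every interface whose name contains the substring "lo" (for example `wlo1`), not just the loopback device, so those names never show up as `--net` completions. Match the whole name instead, for example `grep -vw lo`.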
@@ -90,11 +90,11 @@ _firejail() | |||
90 | _filedir | 90 | _filedir |
91 | return 0 | 91 | return 0 |
92 | ;; | 92 | ;; |
93 | --net) | 93 | --net) |
94 | comps=$(__interfaces) | 94 | comps=$(__interfaces) |
95 | COMPREPLY=( $(compgen -W '$comps' -- "$cur") ) | 95 | COMPREPLY=( $(compgen -W '$comps' -- "$cur") ) |
96 | return 0 | 96 | return 0 |
97 | ;; | 97 | ;; |
98 | esac | 98 | esac |
99 | 99 | ||
100 | $split && return 0 | 100 | $split && return 0 |
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index a768829a1..a76fd3765 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -78,7 +78,7 @@ in your desktop environment copy the profile file in ~/.config/firejail director | |||
78 | Several command line options can be passed to the program using | 78 | Several command line options can be passed to the program using |
79 | profile files. Firejail chooses the profile file as follows: | 79 | profile files. Firejail chooses the profile file as follows: |
80 | 80 | ||
81 | \fB1.\fR If a profile file is provided by the user with \-\-profile option, the profile file is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. | 81 | \fB1.\fR If a profile file is provided by the user with \-\-profile option, the profile file is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. |
82 | Example: | 82 | Example: |
83 | .PP | 83 | .PP |
84 | .RS | 84 | .RS |
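Review bot: Item 1 on line 81 no longer matches its counterpart in src/man/firejail.txt (line 3269 in this same diff), which also states that a file with the same name as the given profile name is used instead of the profile search, and that a leading colon (`--profile=:PROFILE_NAME`) forces the search. That precedence decides which file's rules are applied to the sandbox, so it should be documented here too, or both pages should share the text.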
@@ -324,16 +324,16 @@ Remount the file or the directory noexec, nodev and nosuid. | |||
324 | #ifdef HAVE_OVERLAYFS | 324 | #ifdef HAVE_OVERLAYFS |
325 | .TP | 325 | .TP |
326 | \fBoverlay | 326 | \fBoverlay |
327 | Mount a filesystem overlay on top of the current filesystem. | 327 | Mount a filesystem overlay on top of the current filesystem. |
328 | The overlay is stored in $HOME/.firejail/<PID> directory. | 328 | The overlay is stored in $HOME/.firejail/<PID> directory. |
329 | .TP | 329 | .TP |
330 | \fBoverlay-named name | 330 | \fBoverlay-named name |
331 | Mount a filesystem overlay on top of the current filesystem. | 331 | Mount a filesystem overlay on top of the current filesystem. |
332 | The overlay is stored in $HOME/.firejail/name directory. | 332 | The overlay is stored in $HOME/.firejail/name directory. |
333 | .TP | 333 | .TP |
334 | \fBoverlay-tmpfs | 334 | \fBoverlay-tmpfs |
335 | Mount a filesystem overlay on top of the current filesystem. | 335 | Mount a filesystem overlay on top of the current filesystem. |
336 | All filesystem modifications are discarded when the sandbox is closed. | 336 | All filesystem modifications are discarded when the sandbox is closed. |
337 | #endif | 337 | #endif |
338 | .TP | 338 | .TP |
339 | \fBprivate | 339 | \fBprivate |
@@ -487,12 +487,12 @@ does not result in an increase of privilege. | |||
487 | #ifdef HAVE_USERNS | 487 | #ifdef HAVE_USERNS |
488 | .TP | 488 | .TP |
489 | \fBnoroot | 489 | \fBnoroot |
490 | Use this command to enable an user namespace. The namespace has only one user, the current user. | 490 | Use this command to enable an user namespace. The namespace has only one user, the current user. |
491 | There is no root account (uid 0) defined in the namespace. | 491 | There is no root account (uid 0) defined in the namespace. |
492 | #endif | 492 | #endif |
493 | .TP | 493 | .TP |
494 | \fBprotocol protocol1,protocol2,protocol3 | 494 | \fBprotocol protocol1,protocol2,protocol3 |
495 | Enable protocol filter. The filter is based on seccomp and checks the | 495 | Enable protocol filter. The filter is based on seccomp and checks the |
496 | first argument to socket system call. Recognized values: \fBunix\fR, | 496 | first argument to socket system call. Recognized values: \fBunix\fR, |
497 | \fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR. | 497 | \fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR. |
498 | .TP | 498 | .TP |
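Review bot: Line 490 reads "enable an user namespace"; since the line is being rewritten for whitespace anyway, change it to "a user namespace".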
@@ -873,8 +873,8 @@ a DHCP client and releasing the lease manually. | |||
873 | 873 | ||
874 | .TP | 874 | .TP |
875 | \fBiprange address,address | 875 | \fBiprange address,address |
876 | Assign an IP address in the provided range to the last network | 876 | Assign an IP address in the provided range to the last network |
877 | interface defined by a net command. A default gateway is assigned by default. | 877 | interface defined by a net command. A default gateway is assigned by default. |
878 | .br | 878 | .br |
879 | 879 | ||
880 | .br | 880 | .br |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 0462705c0..2883ab257 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -45,7 +45,7 @@ firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-deb | |||
45 | #ifdef HAVE_LTS | 45 | #ifdef HAVE_LTS |
46 | This is Firejail long-term support (LTS), an enterprise focused version of the software, | 46 | This is Firejail long-term support (LTS), an enterprise focused version of the software, |
47 | LTS is usually supported for two or three years. | 47 | LTS is usually supported for two or three years. |
48 | During this time only bugs and the occasional documentation problems are fixed. | 48 | During this time only bugs and the occasional documentation problems are fixed. |
49 | The attack surface of the SUID executable was greatly reduced by removing some of the features. | 49 | The attack surface of the SUID executable was greatly reduced by removing some of the features. |
50 | .br | 50 | .br |
51 | 51 | ||
@@ -109,7 +109,7 @@ ptrace system call allows a full bypass of the seccomp filter. | |||
109 | .br | 109 | .br |
110 | Example: | 110 | Example: |
111 | .br | 111 | .br |
112 | $ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox | 112 | $ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox |
113 | .TP | 113 | .TP |
114 | \fB\-\-allusers | 114 | \fB\-\-allusers |
115 | All directories under /home are visible inside the sandbox. By default, only current user home directory is visible. | 115 | All directories under /home are visible inside the sandbox. By default, only current user home directory is visible. |
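Review bot: The example on line 112 writes `--allow-debuggers` and `--profile=` with bare hyphens, while the option headings in this file escape them as `\-\-` (see `\fB\-\-allusers` on line 114). A bare `-` in roff input can be rendered as a typographic hyphen, which breaks copy and paste of the command. Escape the hyphens in the example while this line is being touched.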
@@ -947,7 +947,7 @@ $ firejail \-\-net=eth0 \-\-\iprange=192.168.1.100,192.168.1.150 | |||
947 | 947 | ||
948 | .TP | 948 | .TP |
949 | \fB\-\-ipc-namespace | 949 | \fB\-\-ipc-namespace |
950 | Enable a new IPC namespace if the sandbox was started as a regular user. IPC namespace is enabled by default | 950 | Enable a new IPC namespace if the sandbox was started as a regular user. IPC namespace is enabled by default |
951 | for sandboxes started as root. | 951 | for sandboxes started as root. |
952 | .br | 952 | .br |
953 | 953 | ||
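Review bot: The context line in this hunk's header shows `\-\-\iprange=192.168.1.100,192.168.1.150`, with a stray backslash before `iprange`. It sits just above the lines changed here and is worth fixing in the same cleanup pass, as `\-\-iprange=...`.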
@@ -1014,7 +1014,7 @@ $ sudo firejail --join-network=browser /sbin/iptables -vL | |||
1014 | .br | 1014 | .br |
1015 | 1015 | ||
1016 | .br | 1016 | .br |
1017 | # verify IP addresses | 1017 | # verify IP addresses |
1018 | .br | 1018 | .br |
1019 | $ sudo firejail --join-network=browser ip addr | 1019 | $ sudo firejail --join-network=browser ip addr |
1020 | .br | 1020 | .br |
@@ -2134,7 +2134,7 @@ Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024). | |||
2134 | .TP | 2134 | .TP |
2135 | \fB\-\-rlimit-cpu=number | 2135 | \fB\-\-rlimit-cpu=number |
2136 | Set the maximum limit, in seconds, for the amount of CPU time each | 2136 | Set the maximum limit, in seconds, for the amount of CPU time each |
2137 | sandboxed process can consume. When the limit is reached, the processes are killed. | 2137 | sandboxed process can consume. When the limit is reached, the processes are killed. |
2138 | 2138 | ||
2139 | The CPU limit is a limit on CPU seconds rather than elapsed time. CPU seconds is basically how many seconds | 2139 | The CPU limit is a limit on CPU seconds rather than elapsed time. CPU seconds is basically how many seconds |
2140 | the CPU has been in use and does not necessarily directly relate to the elapsed time. Linux kernel keeps | 2140 | the CPU has been in use and does not necessarily directly relate to the elapsed time. Linux kernel keeps |
@@ -2178,7 +2178,7 @@ $ firejail \-\-net=eth0 \-\-scan | |||
2178 | .TP | 2178 | .TP |
2179 | \fB\-\-seccomp | 2179 | \fB\-\-seccomp |
2180 | Enable seccomp filter and blacklist the syscalls in the default list, | 2180 | Enable seccomp filter and blacklist the syscalls in the default list, |
2181 | which is @default-nodebuggers unless \-\-allow-debuggers is specified, | 2181 | which is @default-nodebuggers unless \-\-allow-debuggers is specified, |
2182 | then it is @default. | 2182 | then it is @default. |
2183 | 2183 | ||
2184 | .br | 2184 | .br |
@@ -2865,7 +2865,7 @@ and it is installed by default on most Linux distributions. It provides support | |||
2865 | connection model. Untrusted clients are restricted in certain ways to prevent them from reading window | 2865 | connection model. Untrusted clients are restricted in certain ways to prevent them from reading window |
2866 | contents of other clients, stealing input events, etc. | 2866 | contents of other clients, stealing input events, etc. |
2867 | 2867 | ||
2868 | The untrusted mode has several limitations. A lot of regular programs assume they are a trusted X11 clients | 2868 | The untrusted mode has several limitations. A lot of regular programs assume they are a trusted X11 clients |
2869 | and will crash or lock up when run in untrusted mode. Chromium browser and xterm are two examples. | 2869 | and will crash or lock up when run in untrusted mode. Chromium browser and xterm are two examples. |
2870 | Firefox and transmission-gtk seem to be working fine. | 2870 | Firefox and transmission-gtk seem to be working fine. |
2871 | A network namespace is not required for this option. | 2871 | A network namespace is not required for this option. |
@@ -3256,7 +3256,7 @@ The owner of the sandbox. | |||
3256 | .SH RESTRICTED SHELL | 3256 | .SH RESTRICTED SHELL |
3257 | To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in | 3257 | To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in |
3258 | /etc/passwd file for each user that needs to be restricted. Alternatively, | 3258 | /etc/passwd file for each user that needs to be restricted. Alternatively, |
3259 | you can specify /usr/bin/firejail in adduser command: | 3259 | you can specify /usr/bin/firejail in adduser command: |
3260 | 3260 | ||
3261 | adduser \-\-shell /usr/bin/firejail username | 3261 | adduser \-\-shell /usr/bin/firejail username |
3262 | 3262 | ||
@@ -3266,7 +3266,7 @@ Additional arguments passed to firejail executable upon login are declared in /e | |||
3266 | Several command line options can be passed to the program using | 3266 | Several command line options can be passed to the program using |
3267 | profile files. Firejail chooses the profile file as follows: | 3267 | profile files. Firejail chooses the profile file as follows: |
3268 | 3268 | ||
3269 | 1. If a profile file is provided by the user with --profile=FILE option, the profile FILE is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. If there is a file with the same name as the given profile name, it will be used instead of doing the profile search. To force a profile search, prefix the profile name with a colon (:), eg. --profile=:PROFILE_NAME. | 3269 | 1. If a profile file is provided by the user with --profile=FILE option, the profile FILE is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. If there is a file with the same name as the given profile name, it will be used instead of doing the profile search. To force a profile search, prefix the profile name with a colon (:), eg. --profile=:PROFILE_NAME. |
3270 | Example: | 3270 | Example: |
3271 | .PP | 3271 | .PP |
3272 | .RS | 3272 | .RS |
diff --git a/src/man/firemon.txt b/src/man/firemon.txt index 76b2f7be2..c4e6e15b3 100644 --- a/src/man/firemon.txt +++ b/src/man/firemon.txt | |||
@@ -56,7 +56,7 @@ Print route table for each sandbox. | |||
56 | Print seccomp configuration for each sandbox. | 56 | Print seccomp configuration for each sandbox. |
57 | .TP | 57 | .TP |
58 | \fB\-\-top | 58 | \fB\-\-top |
59 | Monitor the most CPU-intensive sandboxes. This command is similar to | 59 | Monitor the most CPU-intensive sandboxes. This command is similar to |
60 | the regular UNIX top command, however it applies only to sandboxes. | 60 | the regular UNIX top command, however it applies only to sandboxes. |
61 | .TP | 61 | .TP |
62 | \fB\-\-tree | 62 | \fB\-\-tree |