-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | etc/inc/disable-common.inc | 2 | ||||
-rw-r--r-- | etc/profile-a-l/apostrophe.profile | 1 | ||||
-rw-r--r-- | etc/profile-a-l/audacity.profile | 2 | ||||
-rw-r--r-- | etc/profile-a-l/fix-qdf.profile | 13 | ||||
-rw-r--r-- | etc/profile-a-l/gimp.profile | 2 | ||||
-rw-r--r-- | etc/profile-a-l/iagno.profile | 10 | ||||
-rw-r--r-- | etc/profile-m-z/qpdf.profile | 68 | ||||
-rw-r--r-- | etc/profile-m-z/rhythmbox.profile | 1 | ||||
-rw-r--r-- | etc/profile-m-z/totem.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/zlib-flate.profile | 13 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 3 | ||||
-rw-r--r-- | src/include/etc_groups.h | 8 | ||||
-rwxr-xr-x | test/sysutils/less.exp | 20 | ||||
-rwxr-xr-x | test/sysutils/man.exp | 13 | ||||
-rwxr-xr-x | test/sysutils/sysutils.sh | 8 | ||||
-rwxr-xr-x | test/sysutils/xzdec.exp | 29 |
17 files changed, 139 insertions, 57 deletions
@@ -17,6 +17,7 @@ firejail (0.9.73) baseline; urgency=low | |||
17 | support (#5589) | 17 | support (#5589) |
18 | * docs: selinux.c: Split Copyright notice & use same license as upstream | 18 | * docs: selinux.c: Split Copyright notice & use same license as upstream |
19 | (#5667) | 19 | (#5667) |
20 | * new profiles: fix-qdf, qpdf, zlib-flate | ||
20 | -- netblue30 <netblue30@yahoo.com> Mon, 16 Jan 2023 09:00:00 -0500 | 21 | -- netblue30 <netblue30@yahoo.com> Mon, 16 Jan 2023 09:00:00 -0500 |
21 | 22 | ||
22 | firejail (0.9.72) baseline; urgency=low | 23 | firejail (0.9.72) baseline; urgency=low |
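--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -168,8 +168,10 @@ blacklist ${HOME}/.local/share/systemd
 blacklist ${PATH}/systemctl
 blacklist ${PATH}/systemd-run
 blacklist ${RUNUSER}/systemd
+blacklist /etc/credstore*
 blacklist /etc/systemd/network
 blacklist /etc/systemd/system
+blacklist /run/credentials
 blacklist /var/lib/systemd
 # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf
 #blacklist /var/run/systemd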
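Review bot: The two added entries, `blacklist /etc/credstore*` and `blacklist /run/credentials`, carry no comment, and unlike the surrounding lines their names do not say "systemd", so a later reader of this block will not see why they belong in it. I would put `# systemd service credentials (credstore, LoadCredential)` above the first one, or move the two lines next to each other under a single comment. It is also worth stating in that comment that the glob on `/etc/credstore*` is deliberate so that `/etc/credstore.encrypted` is covered too, which is presumably the intent.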
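--- a/etc/profile-a-l/apostrophe.profile
+++ b/etc/profile-a-l/apostrophe.profile
@@ -35,7 +35,6 @@ whitelist /usr/share/apostrophe
 whitelist /usr/share/texlive
 whitelist /usr/share/texmf
 whitelist /usr/share/pandoc-*
-whitelist /usr/share/perl5
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc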
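--- a/etc/profile-a-l/audacity.profile
+++ b/etc/profile-a-l/audacity.profile
@@ -50,7 +50,7 @@ tracelog
 
 private-bin audacity
 private-dev
-private-etc @tls-ca,@x11
+private-etc @x11
 private-tmp
 
 # problems on Fedora 27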
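--- /dev/null
+++ b/etc/profile-a-l/fix-qdf.profile
@@ -0,0 +1,13 @@
+# Firejail profile for fix-qdf
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include fix-qdf.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin fix-qdf
+
+# Redirect
+include qpdf.profile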
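Review bot: The header of this new redirect profile has no `# Description:` line, while the qpdf.profile added in the same commit does carry one; the same applies to the new zlib-flate.profile. A one-line description such as `# Description: Repair PDF files in QDF form (part of qpdf)` directly under `# Firejail profile for fix-qdf` keeps the three new profiles consistent and tells a reader what the redirected tool does without opening qpdf.profile. Wording of the description should be checked against the tool's own man page.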
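--- a/etc/profile-a-l/gimp.profile
+++ b/etc/profile-a-l/gimp.profile
@@ -59,7 +59,7 @@ seccomp !mbind
 tracelog
 
 private-dev
-private-etc @tls-ca,@x11,python*
+private-etc @x11,python*
 private-tmp
 
 dbus-user none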
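--- a/etc/profile-a-l/iagno.profile
+++ b/etc/profile-a-l/iagno.profile
@@ -13,6 +13,13 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-shell.inc
 
+whitelist ${HOME}/.local/share/glib-2.0/schemas
+include whitelist-common.inc
+
+include whitelist-runuser-common.inc
+whitelist /usr/share/iagno
+whitelist /usr/share/gdm
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
@@ -28,11 +35,12 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 
 disable-mnt
-private
 private-bin iagno
 private-dev
+private-etc @x11,gconf
 private-tmp
 
 # dbus-user none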
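Review bot: `whitelist /usr/share/gdm` in the first hunk has no comment saying why a board game needs the display-manager data directory, and the reason is not obvious from the rest of the profile. A short trailing comment on that line, stating which file under /usr/share/gdm the program reads, would let the next maintainer judge whether the entry can be narrowed or dropped. The same hunk replaces the old `private` with a whitelist of `${HOME}/.local/share/glib-2.0/schemas`, so the home directory is no longer empty inside the sandbox; that widening looks intentional but a one-line comment would confirm it.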
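--- /dev/null
+++ b/etc/profile-m-z/qpdf.profile
@@ -0,0 +1,68 @@
+# Firejail profile for qpdf
+# Description: A Content-Preserving PDF Transformation System
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include qpdf.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-X11.inc
+include disable-xdg.inc
+
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+hostname qpdf
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+# block the socket syscall to simulate an be empty protocol line, see #639
+seccomp socket
+tracelog
+x11 none
+
+private-bin qpdf
+private-cache
+private-dev
+private-etc
+private-lib libqpdf.so.*
+#private-tmp # breaks on Arch Linux
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+restrict-namespaces
+read-only ${HOME}
+read-write ${DOCUMENTS}
+read-write ${DOWNLOADS}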
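Review bot: The comment above `seccomp socket` on new line 49 is garbled: `# block the socket syscall to simulate an be empty protocol line, see #639` should read `# block the socket syscall to simulate an empty protocol line, see #639`. The bare `private-etc` on line 57 has no argument and no comment; if the intent is to mount only the built-in default set, a trailing comment such as `# default files only` would stop a reader from taking it for an unfinished line. The `#private-tmp # breaks on Arch Linux` comment would also be more useful if it named what breaks, since the two redirect profiles added in this commit inherit the same choice.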
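--- a/etc/profile-m-z/rhythmbox.profile
+++ b/etc/profile-m-z/rhythmbox.profile
@@ -51,6 +51,7 @@ tracelog
 private-bin rhythmbox,rhythmbox-client
 private-cache
 private-dev
+private-etc @tls-ca,@x11,python*
 private-tmp
 
 dbus-user filter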
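Review bot: The new `private-etc @tls-ca,@x11,python*` lists no sound-related files for a music player; in the etc_groups.h hunks of this same commit `@tls-ca` resolves to ca-certificates, crypto-policies, pki and ssl, the visible part of `@x11` is nvidia, pango, Trolltech.conf, vulkan, X11 and xdg, and a separate `etc_group_sound` table exists. The totem hunk in this commit has the same issue and is more telling: it replaces a commented-out list that explicitly named `asound.conf` and `pulse` with these three groups. Unless those files reach the sandbox by another route, both players would start without their ALSA/PulseAudio configuration; adding the sound group (presumably `@sound`, matching the `etc_group_sound` naming) to both lines is the likely fix, to be confirmed against the full group table and a test run.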
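--- a/etc/profile-m-z/totem.profile
+++ b/etc/profile-m-z/totem.profile
@@ -51,7 +51,7 @@ private-bin totem
 # totem needs access to ~/.cache/tracker or it exits
 #private-cache
 private-dev
-# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
+private-etc @tls-ca,@x11,python*
 private-tmp
 
 # makes settings immutable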
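--- /dev/null
+++ b/etc/profile-m-z/zlib-flate.profile
@@ -0,0 +1,13 @@
+# Firejail profile for zlib-flate
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zlib-flate.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin zlib-flate
+
+# Redirect
+include qpdf.profile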
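--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -260,6 +260,7 @@ firefox-nightly
 firefox-wayland
 firefox-x11
 five-or-more
+fix-qdf
 flacsplt
 flameshot
 flashpeak-slimjet
@@ -694,6 +695,7 @@ qgis
 qlipper
 qmmp
 qnapi
+qpdf
 qpdfview
 
 qt-faststart
@@ -957,6 +959,7 @@ zart
 zathura
 zeal
 zim
+zlib-flate
 zoom
 # zpaq - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 # zstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)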
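--- a/src/include/etc_groups.h
+++ b/src/include/etc_groups.h
@@ -28,6 +28,10 @@
 static char *etc_list[ETC_MAX + 1] = { // plus 1 for ending NULL pointer
 "alternatives",
 "fonts",
+"gcrypt", // GNU crypto library - it contains configuration for specialized encryption
+// and random number generators hardware.
+// The directory is not installed in Debian. On Fedora it is an empty directory.
+// The defaults in glibc cover the regular PC.
 "group",
 "ld.so.cache",
 "ld.so.conf",
@@ -49,7 +53,6 @@ static char *etc_group_games[] = {
 "openal", // 3D sound
 "timidity", // MIDI
 "timidity.cfg",
-"vulkan", // next generation OpenGL stack
 NULL
 };
 
@@ -75,8 +78,6 @@ static char *etc_group_sound[] = {
 static char *etc_group_tls_ca[] = {
 "ca-certificates",
 "crypto-policies",
-"gcrypt", // GNU crypto library - contains hardware config for various encryption schemes
-// and random number generators. The file is not installed by Debian.
 "pki",
 "ssl",
 NULL
@@ -95,6 +96,7 @@ static char *etc_group_x11[] = {
 "nvidia", // 3D
 "pango", // text rendering/internationalization
 "Trolltech.conf", // old QT config file
+"vulkan", // next generation OpenGL stack
 "X11",
 "xdg",
 NULL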
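Review bot: The last line of the new gcrypt comment in the first hunk, `// The defaults in glibc cover the regular PC.`, names the wrong library: /etc/gcrypt is read by libgcrypt, not glibc, so it should read `// The built-in defaults of libgcrypt cover the regular PC.`. Moving gcrypt into `etc_list` also means it is now mounted for every private-etc, which is a sound default for a crypto configuration directory but deserves a mention in the comment so nobody re-adds it to `@tls-ca` later. The second and fourth hunks move `"vulkan"` from the games group to the x11 group; any profile that uses `@games` without `@x11` would silently lose /etc/vulkan, which I could not verify from this page, so a grep of the profiles for that combination is worth doing before merge. The `etc_list` array is sized `ETC_MAX + 1` and the value of `ETC_MAX` is outside this hunk; the added entry needs to fit in it.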
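--- a/test/sysutils/less.exp
+++ b/test/sysutils/less.exp
@@ -7,17 +7,19 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail less sysutils.sh\r"
+send -- "rm -f /tmp/tt\r"
+after 500
+
+send -- "firejail less sysutils.sh > /tmp/t\r"
+sleep 1
+
+send -- "cat /tmp/t | grep Authors\r"
 expect {
-timeout {puts "TESTING ERROR 1\n";exit}
+timeout {puts "TESTING ERROR 0\n";exit}
-"(press RETURN)" {puts "TESTING SKIP: terminal is not fully functional - 1.1\n";exit}
-"Press RETURN to continue" {puts "TESTING SKIP: terminal is not fully functional - 1.2\n";exit}
 "Firejail Authors"
 }
-expect {
-timeout {puts "TESTING ERROR 2\n";exit}
-"MALLOC_CHECK"
-}
-
 after 100
+
+send -- "rm -f /tmp/t\r"
+after 500
 puts "\nall done\n"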
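Review bot: The pre-cleanup on new line 10 removes the wrong file: `send -- "rm -f /tmp/tt\r"` deletes /tmp/tt while the test writes and later reads /tmp/t, so a stale /tmp/t from an earlier aborted run can make the grep pass without firejail producing anything; it should be `send -- "rm -f /tmp/t\r"`, as the final cleanup on line 23 already has. Both this file and man.exp now write to the fixed, world-shared path /tmp/t, which another local user can pre-create or link; on a shared test box a per-run name from `mktemp` is safer, and the new `cat /tmp/t | grep Authors` can be `grep Authors /tmp/t`. The old second expect block that looked for `MALLOC_CHECK` is dropped without a note in the commit message, so it is unclear whether that assertion was obsolete or lost.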
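--- a/test/sysutils/man.exp
+++ b/test/sysutils/man.exp
@@ -7,12 +7,19 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail man firejail\r"
+send -- "rm -f /tmp/t\r"
+after 500
+
+send -- "firejail man firejail > /tmp/t\r"
+sleep 1
+
+send -- "cat /tmp/t\r"
 expect {
 timeout {puts "TESTING ERROR 0\n";exit}
-"(press RETURN)" {puts "TESTING SKIP: terminal is not fully functional - 1.1\n";exit}
-"Press RETURN to continue" {puts "TESTING SKIP: terminal is not fully functional - 1.2\n";exit}
 "NAME"
 }
 after 100
+
+send -- "rm -f /tmp/t\r"
+after 500
 puts "\nall done\n"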
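--- a/test/sysutils/sysutils.sh
+++ b/test/sysutils/sysutils.sh
@@ -47,14 +47,6 @@ else
 echo "TESTING SKIP: gzip not found"
 fi
 
-if command -v xzdec
-then
-echo "TESTING: xzdec"
-./xzdec.exp
-else
-echo "TESTING SKIP: xzdec not found"
-fi
-
 if command -v xz
 then
 echo "TESTING: xz"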
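--- a/test/sysutils/xzdec.exp
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2023 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "/usr/bin/xz -c /usr/bin/firejail > firejail_t3\r"
-sleep 1
-
-send -- "/usr/bin/xzdec -c firejail_t3 > firejail_t1\r"
-sleep 1
-
-send -- "firejail /usr/bin/xzdec -c firejail_t3 > firejail_t2\r"
-sleep 1
-
-send -- "diff -s firejail_t1 firejail_t2\r"
-expect {
-timeout {puts "TESTING ERROR 1\n";exit}
-"firejail_t1 and firejail_t2 are identical"
-}
-
-send -- "rm firejail_t*\r"
-sleep 1
-
-
-puts "\nall done\n"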