diff options
39 files changed, 267 insertions, 140 deletions
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index 6c2905e43..918c879ad 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml | |||
| @@ -41,9 +41,10 @@ permissions: # added using https://github.com/step-security/secure-workflows | |||
| 41 | jobs: | 41 | jobs: |
| 42 | build-clang: | 42 | build-clang: |
| 43 | runs-on: ubuntu-22.04 | 43 | runs-on: ubuntu-22.04 |
| 44 | timeout-minutes: 10 | ||
| 44 | steps: | 45 | steps: |
| 45 | - name: Harden Runner | 46 | - name: Harden Runner |
| 46 | uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 | 47 | uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 |
| 47 | with: | 48 | with: |
| 48 | egress-policy: block | 49 | egress-policy: block |
| 49 | allowed-endpoints: > | 50 | allowed-endpoints: > |
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ae1aef039..df706c898 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml | |||
| @@ -57,9 +57,10 @@ permissions: # added using https://github.com/step-security/secure-workflows | |||
| 57 | jobs: | 57 | jobs: |
| 58 | build: | 58 | build: |
| 59 | runs-on: ubuntu-22.04 | 59 | runs-on: ubuntu-22.04 |
| 60 | timeout-minutes: 10 | ||
| 60 | steps: | 61 | steps: |
| 61 | - name: Harden Runner | 62 | - name: Harden Runner |
| 62 | uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 | 63 | uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 |
| 63 | with: | 64 | with: |
| 64 | egress-policy: block | 65 | egress-policy: block |
| 65 | allowed-endpoints: > | 66 | allowed-endpoints: > |
diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml index 16e034d48..b1bda3bd4 100644 --- a/.github/workflows/check-c.yml +++ b/.github/workflows/check-c.yml | |||
| @@ -43,9 +43,10 @@ permissions: # added using https://github.com/step-security/secure-workflows | |||
| 43 | jobs: | 43 | jobs: |
| 44 | scan-build: | 44 | scan-build: |
| 45 | runs-on: ubuntu-22.04 | 45 | runs-on: ubuntu-22.04 |
| 46 | timeout-minutes: 10 | ||
| 46 | steps: | 47 | steps: |
| 47 | - name: Harden Runner | 48 | - name: Harden Runner |
| 48 | uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 | 49 | uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 |
| 49 | with: | 50 | with: |
| 50 | egress-policy: block | 51 | egress-policy: block |
| 51 | allowed-endpoints: > | 52 | allowed-endpoints: > |
| @@ -74,9 +75,10 @@ jobs: | |||
| 74 | 75 | ||
| 75 | cppcheck: | 76 | cppcheck: |
| 76 | runs-on: ubuntu-22.04 | 77 | runs-on: ubuntu-22.04 |
| 78 | timeout-minutes: 10 | ||
| 77 | steps: | 79 | steps: |
| 78 | - name: Harden Runner | 80 | - name: Harden Runner |
| 79 | uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 | 81 | uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 |
| 80 | with: | 82 | with: |
| 81 | egress-policy: block | 83 | egress-policy: block |
| 82 | allowed-endpoints: > | 84 | allowed-endpoints: > |
| @@ -101,9 +103,10 @@ jobs: | |||
| 101 | # scan all files also with older cppcheck version from ubuntu 20.04. | 103 | # scan all files also with older cppcheck version from ubuntu 20.04. |
| 102 | cppcheck_old: | 104 | cppcheck_old: |
| 103 | runs-on: ubuntu-20.04 | 105 | runs-on: ubuntu-20.04 |
| 106 | timeout-minutes: 10 | ||
| 104 | steps: | 107 | steps: |
| 105 | - name: Harden Runner | 108 | - name: Harden Runner |
| 106 | uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 | 109 | uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 |
| 107 | with: | 110 | with: |
| 108 | egress-policy: block | 111 | egress-policy: block |
| 109 | allowed-endpoints: > | 112 | allowed-endpoints: > |
| @@ -129,10 +132,11 @@ jobs: | |||
| 129 | contents: read | 132 | contents: read |
| 130 | security-events: write | 133 | security-events: write |
| 131 | runs-on: ubuntu-latest | 134 | runs-on: ubuntu-latest |
| 135 | timeout-minutes: 10 | ||
| 132 | 136 | ||
| 133 | steps: | 137 | steps: |
| 134 | - name: Harden Runner | 138 | - name: Harden Runner |
| 135 | uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 | 139 | uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 |
| 136 | with: | 140 | with: |
| 137 | disable-sudo: true | 141 | disable-sudo: true |
| 138 | egress-policy: block | 142 | egress-policy: block |
| @@ -150,7 +154,7 @@ jobs: | |||
| 150 | 154 | ||
| 151 | # Initializes the CodeQL tools for scanning. | 155 | # Initializes the CodeQL tools for scanning. |
| 152 | - name: Initialize CodeQL | 156 | - name: Initialize CodeQL |
| 153 | uses: github/codeql-action/init@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 | 157 | uses: github/codeql-action/init@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 |
| 154 | with: | 158 | with: |
| 155 | languages: cpp | 159 | languages: cpp |
| 156 | 160 | ||
| @@ -161,4 +165,4 @@ jobs: | |||
| 161 | run: make -j "$(nproc)" | 165 | run: make -j "$(nproc)" |
| 162 | 166 | ||
| 163 | - name: Perform CodeQL Analysis | 167 | - name: Perform CodeQL Analysis |
| 164 | uses: github/codeql-action/analyze@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 | 168 | uses: github/codeql-action/analyze@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 |
diff --git a/.github/workflows/check-profiles.yml b/.github/workflows/check-profiles.yml index 0185376a4..b116c9773 100644 --- a/.github/workflows/check-profiles.yml +++ b/.github/workflows/check-profiles.yml | |||
| @@ -29,9 +29,11 @@ permissions: # added using https://github.com/step-security/secure-workflows | |||
| 29 | jobs: | 29 | jobs: |
| 30 | profile-checks: | 30 | profile-checks: |
| 31 | runs-on: ubuntu-latest | 31 | runs-on: ubuntu-latest |
| 32 | timeout-minutes: 5 | ||
| 33 | |||
| 32 | steps: | 34 | steps: |
| 33 | - name: Harden Runner | 35 | - name: Harden Runner |
| 34 | uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 | 36 | uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 |
| 35 | with: | 37 | with: |
| 36 | disable-sudo: true | 38 | disable-sudo: true |
| 37 | egress-policy: block | 39 | egress-policy: block |
diff --git a/.github/workflows/check-python.yml b/.github/workflows/check-python.yml index 76eaa584e..2442ae2a0 100644 --- a/.github/workflows/check-python.yml +++ b/.github/workflows/check-python.yml | |||
| @@ -27,10 +27,11 @@ jobs: | |||
| 27 | contents: read | 27 | contents: read |
| 28 | security-events: write | 28 | security-events: write |
| 29 | runs-on: ubuntu-latest | 29 | runs-on: ubuntu-latest |
| 30 | timeout-minutes: 10 | ||
| 30 | 31 | ||
| 31 | steps: | 32 | steps: |
| 32 | - name: Harden Runner | 33 | - name: Harden Runner |
| 33 | uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 | 34 | uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 |
| 34 | with: | 35 | with: |
| 35 | disable-sudo: true | 36 | disable-sudo: true |
| 36 | egress-policy: block | 37 | egress-policy: block |
| @@ -50,9 +51,9 @@ jobs: | |||
| 50 | 51 | ||
| 51 | # Initializes the CodeQL tools for scanning. | 52 | # Initializes the CodeQL tools for scanning. |
| 52 | - name: Initialize CodeQL | 53 | - name: Initialize CodeQL |
| 53 | uses: github/codeql-action/init@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 | 54 | uses: github/codeql-action/init@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 |
| 54 | with: | 55 | with: |
| 55 | languages: python | 56 | languages: python |
| 56 | 57 | ||
| 57 | - name: Perform CodeQL Analysis | 58 | - name: Perform CodeQL Analysis |
| 58 | uses: github/codeql-action/analyze@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 | 59 | uses: github/codeql-action/analyze@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 |
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml index f3c512c3e..32287ee09 100644 --- a/.github/workflows/codespell.yml +++ b/.github/workflows/codespell.yml | |||
| @@ -21,9 +21,10 @@ permissions: # added using https://github.com/step-security/secure-workflows | |||
| 21 | jobs: | 21 | jobs: |
| 22 | codespell: | 22 | codespell: |
| 23 | runs-on: ubuntu-22.04 | 23 | runs-on: ubuntu-22.04 |
| 24 | timeout-minutes: 5 | ||
| 24 | steps: | 25 | steps: |
| 25 | - name: Harden Runner | 26 | - name: Harden Runner |
| 26 | uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 | 27 | uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 |
| 27 | with: | 28 | with: |
| 28 | egress-policy: block | 29 | egress-policy: block |
| 29 | allowed-endpoints: > | 30 | allowed-endpoints: > |
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 0a6069a5c..c76401022 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml | |||
| @@ -49,11 +49,12 @@ permissions: # added using https://github.com/step-security/secure-workflows | |||
| 49 | jobs: | 49 | jobs: |
| 50 | test-main: | 50 | test-main: |
| 51 | runs-on: ubuntu-22.04 | 51 | runs-on: ubuntu-22.04 |
| 52 | timeout-minutes: 10 | ||
| 52 | env: | 53 | env: |
| 53 | SHELL: /bin/bash | 54 | SHELL: /bin/bash |
| 54 | steps: | 55 | steps: |
| 55 | - name: Harden Runner | 56 | - name: Harden Runner |
| 56 | uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 | 57 | uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 |
| 57 | with: | 58 | with: |
| 58 | egress-policy: block | 59 | egress-policy: block |
| 59 | allowed-endpoints: > | 60 | allowed-endpoints: > |
| @@ -96,11 +97,12 @@ jobs: | |||
| 96 | 97 | ||
| 97 | test-fs: | 98 | test-fs: |
| 98 | runs-on: ubuntu-22.04 | 99 | runs-on: ubuntu-22.04 |
| 100 | timeout-minutes: 10 | ||
| 99 | env: | 101 | env: |
| 100 | SHELL: /bin/bash | 102 | SHELL: /bin/bash |
| 101 | steps: | 103 | steps: |
| 102 | - name: Harden Runner | 104 | - name: Harden Runner |
| 103 | uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 | 105 | uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 |
| 104 | with: | 106 | with: |
| 105 | egress-policy: block | 107 | egress-policy: block |
| 106 | allowed-endpoints: > | 108 | allowed-endpoints: > |
| @@ -134,11 +136,12 @@ jobs: | |||
| 134 | 136 | ||
| 135 | test-environment: | 137 | test-environment: |
| 136 | runs-on: ubuntu-22.04 | 138 | runs-on: ubuntu-22.04 |
| 139 | timeout-minutes: 10 | ||
| 137 | env: | 140 | env: |
| 138 | SHELL: /bin/bash | 141 | SHELL: /bin/bash |
| 139 | steps: | 142 | steps: |
| 140 | - name: Harden Runner | 143 | - name: Harden Runner |
| 141 | uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 | 144 | uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 |
| 142 | with: | 145 | with: |
| 143 | egress-policy: block | 146 | egress-policy: block |
| 144 | allowed-endpoints: > | 147 | allowed-endpoints: > |
| @@ -172,11 +175,12 @@ jobs: | |||
| 172 | 175 | ||
| 173 | test-utils: | 176 | test-utils: |
| 174 | runs-on: ubuntu-22.04 | 177 | runs-on: ubuntu-22.04 |
| 178 | timeout-minutes: 10 | ||
| 175 | env: | 179 | env: |
| 176 | SHELL: /bin/bash | 180 | SHELL: /bin/bash |
| 177 | steps: | 181 | steps: |
| 178 | - name: Harden Runner | 182 | - name: Harden Runner |
| 179 | uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 | 183 | uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 |
| 180 | with: | 184 | with: |
| 181 | egress-policy: block | 185 | egress-policy: block |
| 182 | allowed-endpoints: > | 186 | allowed-endpoints: > |
| @@ -212,11 +216,12 @@ jobs: | |||
| 212 | 216 | ||
| 213 | test-network: | 217 | test-network: |
| 214 | runs-on: ubuntu-22.04 | 218 | runs-on: ubuntu-22.04 |
| 219 | timeout-minutes: 10 | ||
| 215 | env: | 220 | env: |
| 216 | SHELL: /bin/bash | 221 | SHELL: /bin/bash |
| 217 | steps: | 222 | steps: |
| 218 | - name: Harden Runner | 223 | - name: Harden Runner |
| 219 | uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 | 224 | uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 |
| 220 | with: | 225 | with: |
| 221 | egress-policy: block | 226 | egress-policy: block |
| 222 | allowed-endpoints: > | 227 | allowed-endpoints: > |
diff --git a/.gitignore b/.gitignore index 3413abd55..5e126990f 100644 --- a/.gitignore +++ b/.gitignore | |||
| @@ -5,6 +5,7 @@ | |||
| 5 | *.swp | 5 | *.swp |
| 6 | *.deb | 6 | *.deb |
| 7 | *.rpm | 7 | *.rpm |
| 8 | *.tar.xz | ||
| 8 | *.gcda | 9 | *.gcda |
| 9 | *.gcno | 10 | *.gcno |
| 10 | *.gz | 11 | *.gz |
| @@ -20,7 +21,6 @@ config.status | |||
| 20 | contrib/syntax/files/example | 21 | contrib/syntax/files/example |
| 21 | contrib/syntax/files/firejail-profile.lang | 22 | contrib/syntax/files/firejail-profile.lang |
| 22 | contrib/syntax/files/firejail.vim | 23 | contrib/syntax/files/firejail.vim |
| 23 | firejail-*.tar.xz | ||
| 24 | src/fnettrace-dns/fnettrace-dns | 24 | src/fnettrace-dns/fnettrace-dns |
| 25 | src/fnettrace-sni/fnettrace-sni | 25 | src/fnettrace-sni/fnettrace-sni |
| 26 | src/fnettrace-icmp/fnettrace-icmp | 26 | src/fnettrace-icmp/fnettrace-icmp |
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index cb88c0263..33835ba71 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml | |||
| @@ -8,6 +8,7 @@ | |||
| 8 | 8 | ||
| 9 | build_ubuntu_package: | 9 | build_ubuntu_package: |
| 10 | image: ubuntu:rolling | 10 | image: ubuntu:rolling |
| 11 | timeout: 10 minutes | ||
| 11 | variables: | 12 | variables: |
| 12 | DEBIAN_FRONTEND: noninteractive | 13 | DEBIAN_FRONTEND: noninteractive |
| 13 | script: | 14 | script: |
| @@ -24,6 +25,7 @@ build_ubuntu_package: | |||
| 24 | 25 | ||
| 25 | build_debian_package: | 26 | build_debian_package: |
| 26 | image: debian:buster | 27 | image: debian:buster |
| 28 | timeout: 10 minutes | ||
| 27 | variables: | 29 | variables: |
| 28 | DEBIAN_FRONTEND: noninteractive | 30 | DEBIAN_FRONTEND: noninteractive |
| 29 | script: | 31 | script: |
| @@ -40,28 +42,31 @@ build_debian_package: | |||
| 40 | 42 | ||
| 41 | build_redhat_package: | 43 | build_redhat_package: |
| 42 | image: almalinux:latest | 44 | image: almalinux:latest |
| 45 | timeout: 10 minutes | ||
| 43 | script: | 46 | script: |
| 44 | - dnf update -y | 47 | - dnf update -y |
| 45 | - dnf install -y rpm-build gcc make | 48 | - dnf install -y rpm-build gcc make |
| 46 | - ./ci/printenv.sh | 49 | - ./ci/printenv.sh |
| 47 | - ./configure --prefix=/usr || (cat config.log; exit 1) | 50 | - ./configure || (cat config.log; exit 1) |
| 48 | - make rpms | 51 | - make rpms |
| 49 | - rpm -i firejail*.rpm | 52 | - rpm -i firejail*.rpm |
| 50 | - command -V firejail && firejail --version | 53 | - command -V firejail && firejail --version |
| 51 | 54 | ||
| 52 | build_fedora_package: | 55 | build_fedora_package: |
| 53 | image: fedora:latest | 56 | image: fedora:latest |
| 57 | timeout: 10 minutes | ||
| 54 | script: | 58 | script: |
| 55 | - dnf update -y | 59 | - dnf update -y |
| 56 | - dnf install -y rpm-build gcc make | 60 | - dnf install -y rpm-build gcc make |
| 57 | - ./ci/printenv.sh | 61 | - ./ci/printenv.sh |
| 58 | - ./configure --prefix=/usr || (cat config.log; exit 1) | 62 | - ./configure || (cat config.log; exit 1) |
| 59 | - make rpms | 63 | - make rpms |
| 60 | - rpm -i firejail*.rpm | 64 | - rpm -i firejail*.rpm |
| 61 | - command -V firejail && firejail --version | 65 | - command -V firejail && firejail --version |
| 62 | 66 | ||
| 63 | build_src_package: | 67 | build_src_package: |
| 64 | image: alpine:latest | 68 | image: alpine:latest |
| 69 | timeout: 10 minutes | ||
| 65 | script: | 70 | script: |
| 66 | - apk update | 71 | - apk update |
| 67 | - apk upgrade | 72 | - apk upgrade |
| @@ -74,6 +79,7 @@ build_src_package: | |||
| 74 | 79 | ||
| 75 | build_no_apparmor: | 80 | build_no_apparmor: |
| 76 | image: ubuntu:latest | 81 | image: ubuntu:latest |
| 82 | timeout: 10 minutes | ||
| 77 | variables: | 83 | variables: |
| 78 | DEBIAN_FRONTEND: noninteractive | 84 | DEBIAN_FRONTEND: noninteractive |
| 79 | script: | 85 | script: |
| @@ -92,6 +98,7 @@ build_no_apparmor: | |||
| 92 | 98 | ||
| 93 | debian_ci: | 99 | debian_ci: |
| 94 | image: registry.salsa.debian.org/salsa-ci-team/ci-image-git-buildpackage:latest | 100 | image: registry.salsa.debian.org/salsa-ci-team/ci-image-git-buildpackage:latest |
| 101 | timeout: 10 minutes | ||
| 95 | variables: | 102 | variables: |
| 96 | DEBFULLNAME: "$GITLAB_USER_NAME" | 103 | DEBFULLNAME: "$GITLAB_USER_NAME" |
| 97 | DEBEMAIL: "$GITLAB_USER_EMAIL" | 104 | DEBEMAIL: "$GITLAB_USER_EMAIL" |
| @@ -173,21 +173,10 @@ clean: | |||
| 173 | $(MAKE) -C src/man clean | 173 | $(MAKE) -C src/man clean |
| 174 | $(MAKE) -C test clean | 174 | $(MAKE) -C test clean |
| 175 | rm -f $(SECCOMP_FILTERS) | 175 | rm -f $(SECCOMP_FILTERS) |
| 176 | rm -f firejail*.rpm | ||
| 177 | rm -f $(SYNTAX_FILES) | 176 | rm -f $(SYNTAX_FILES) |
| 178 | rm -f src/fnettrace/static-ip-map | 177 | rm -fr ./$(TARNAME)-$(VERSION) ./$(TARNAME)-$(VERSION).tar.xz |
| 179 | rm -f test/utils/index.html* | 178 | rm -f ./$(TARNAME)*.deb |
| 180 | rm -f test/utils/wget-log | 179 | rm -f ./$(TARNAME)*.rpm |
| 181 | rm -f test/utils/firejail-test-file* | ||
| 182 | rm -f test/utils/lstesting | ||
| 183 | rm -f test/environment/index.html* | ||
| 184 | rm -f test/environment/wget-log* | ||
| 185 | rm -fr test/environment/-testdir | ||
| 186 | rm -f test/environment/logfile* | ||
| 187 | rm -f test/environment/index.html | ||
| 188 | rm -f test/environment/wget-log | ||
| 189 | rm -f test/sysutils/firejail_t* | ||
| 190 | cd test/compile; ./compile.sh --clean; cd ../.. | ||
| 191 | 180 | ||
| 192 | .PHONY: distclean | 181 | .PHONY: distclean |
| 193 | distclean: clean | 182 | distclean: clean |
| @@ -339,7 +328,6 @@ DISTFILES_TEST = \ | |||
| 339 | 328 | ||
| 340 | .PHONY: dist | 329 | .PHONY: dist |
| 341 | dist: clean config.mk | 330 | dist: clean config.mk |
| 342 | rm -fr $(TARNAME)-$(VERSION) $(TARNAME)-$(VERSION).tar.xz | ||
| 343 | mkdir -p $(TARNAME)-$(VERSION)/test | 331 | mkdir -p $(TARNAME)-$(VERSION)/test |
| 344 | cp -a $(DISTFILES) $(TARNAME)-$(VERSION) | 332 | cp -a $(DISTFILES) $(TARNAME)-$(VERSION) |
| 345 | cp -a $(DISTFILES_TEST) $(TARNAME)-$(VERSION)/test | 333 | cp -a $(DISTFILES_TEST) $(TARNAME)-$(VERSION)/test |
| @@ -380,8 +368,8 @@ scan-build: clean | |||
| 380 | .PHONY: codespell | 368 | .PHONY: codespell |
| 381 | codespell: | 369 | codespell: |
| 382 | @printf 'Running %s...\n' $@ | 370 | @printf 'Running %s...\n' $@ |
| 383 | @codespell --ignore-regex 'UE|als|chage|creat|doas|ether|isplay|readby|[Ss]hotcut' \ | 371 | @codespell --ignore-regex 'Manuel|UE|als|chage|creat|doas|ether|isplay|readby|[Ss]hotcut' \ |
| 384 | -S *.gz,*.o,*.so \ | 372 | -S *.d,*.gz,*.o,*.so \ |
| 385 | -S COPYING,m4 \ | 373 | -S COPYING,m4 \ |
| 386 | -S ./contrib/syscalls.sh \ | 374 | -S ./contrib/syscalls.sh \ |
| 387 | . | 375 | . |
| @@ -1,5 +1,6 @@ | |||
| 1 | firejail (0.9.73) baseline; urgency=low | 1 | firejail (0.9.73) baseline; urgency=low |
| 2 | * work in progress | 2 | * work in progress |
| 3 | * security: fix sscanf rv checks (CodeQL) (#6184) | ||
| 3 | * feature: Add "keep-shell-rc" command and option (#1127 #5634) | 4 | * feature: Add "keep-shell-rc" command and option (#1127 #5634) |
| 4 | * feature: Print the argument when failing with "too long arguments" (#5677) | 5 | * feature: Print the argument when failing with "too long arguments" (#5677) |
| 5 | * feature: a random hostname is assigned to each sandbox unless | 6 | * feature: a random hostname is assigned to each sandbox unless |
| @@ -13,7 +14,7 @@ firejail (0.9.73) baseline; urgency=low | |||
| 13 | #6153) | 14 | #6153) |
| 14 | * feature: expand simple macros in more commands (--chroot= --netfilter= | 15 | * feature: expand simple macros in more commands (--chroot= --netfilter= |
| 15 | --netfilter6= --trace=) (#6032 #6109) | 16 | --netfilter6= --trace=) (#6032 #6109) |
| 16 | * feature: add Landlock support (#5269 #6078 #6115 #6125) | 17 | * feature: add Landlock support (#5269 #6078 #6115 #6125 #6187 #6195 #6200) |
| 17 | * modif: Stop forwarding own double-dash to the shell (#5599 #5600) | 18 | * modif: Stop forwarding own double-dash to the shell (#5599 #5600) |
| 18 | * modif: Prevent sandbox name (--name=) and host name (--hostname=) | 19 | * modif: Prevent sandbox name (--name=) and host name (--hostname=) |
| 19 | from containing only digits (#5578 #5741) | 20 | from containing only digits (#5578 #5741) |
| @@ -23,7 +24,7 @@ firejail (0.9.73) baseline; urgency=low | |||
| 23 | * modif: remove firemon --interface option (duplicating --net.print option) | 24 | * modif: remove firemon --interface option (duplicating --net.print option) |
| 24 | * modif: make private-lib a configure-time option, disabled by default (see | 25 | * modif: make private-lib a configure-time option, disabled by default (see |
| 25 | --enable-private-lib) (#5727 #5732) | 26 | --enable-private-lib) (#5727 #5732) |
| 26 | * modif: Improve --version/--help & print version on startup (#5829) | 27 | * modif: Improve --version/--help & print version on startup (#5829 #6172) |
| 27 | * modif: improve errExit error messages (#5871) | 28 | * modif: improve errExit error messages (#5871) |
| 28 | * modif: drop deprecated 'shell' option references (#5894) | 29 | * modif: drop deprecated 'shell' option references (#5894) |
| 29 | * modif: keep pipewire group unless nosound is used (#5992 #5993) | 30 | * modif: keep pipewire group unless nosound is used (#5992 #5993) |
| @@ -59,6 +60,8 @@ firejail (0.9.73) baseline; urgency=low | |||
| 59 | * build: use CPPFLAGS instead of INCLUDE in compile targets (#6159) | 60 | * build: use CPPFLAGS instead of INCLUDE in compile targets (#6159) |
| 60 | * build: use full paths on compile/link targets (#6158) | 61 | * build: use full paths on compile/link targets (#6158) |
| 61 | * build: automatically generate header dependencies (#6164) | 62 | * build: automatically generate header dependencies (#6164) |
| 63 | * build: improve main clean target (#6186) | ||
| 64 | * build: mkrpm.sh improvements (#6196) | ||
| 62 | * ci: always update the package db before installing packages (#5742) | 65 | * ci: always update the package db before installing packages (#5742) |
| 63 | * ci: fix codeql unable to download its own bundle (#5783) | 66 | * ci: fix codeql unable to download its own bundle (#5783) |
| 64 | * ci: split configure/build/install commands on gitlab (#5784) | 67 | * ci: split configure/build/install commands on gitlab (#5784) |
| @@ -71,6 +74,7 @@ firejail (0.9.73) baseline; urgency=low | |||
| 71 | * ci: fix dependabot duplicated workflow runs (#5984) | 74 | * ci: fix dependabot duplicated workflow runs (#5984) |
| 72 | * ci: allow running workflows manually (#6026) | 75 | * ci: allow running workflows manually (#6026) |
| 73 | * ci: re-enable sort.py (#6104) | 76 | * ci: re-enable sort.py (#6104) |
| 77 | * ci: add timeout limits (#6178) | ||
| 74 | * contrib/syntax: remove 'text/plain' from firejail-profile.lang.in (#6057 | 78 | * contrib/syntax: remove 'text/plain' from firejail-profile.lang.in (#6057 |
| 75 | #6059) | 79 | #6059) |
| 76 | * contrib/vim: match profile files more broadly (#5850) | 80 | * contrib/vim: match profile files more broadly (#5850) |
| @@ -266,7 +270,7 @@ firejail (0.9.68) baseline; urgency=low | |||
| 266 | -- netblue30 <netblue30@yahoo.com> Sun, 6 Feb 2022 09:00:00 -0500 | 270 | -- netblue30 <netblue30@yahoo.com> Sun, 6 Feb 2022 09:00:00 -0500 |
| 267 | 271 | ||
| 268 | firejail (0.9.66) baseline; urgency=low | 272 | firejail (0.9.66) baseline; urgency=low |
| 269 | * deprecated --audit options, relpaced by jailcheck utility | 273 | * deprecated --audit options, replaced by jailcheck utility |
| 270 | * deprecated follow-symlink-as-user from firejail.config | 274 | * deprecated follow-symlink-as-user from firejail.config |
| 271 | * new firejail.config settings: private-bin, private-etc | 275 | * new firejail.config settings: private-bin, private-etc |
| 272 | * new firejail.config settings: private-opt, private-srv | 276 | * new firejail.config settings: private-opt, private-srv |
diff --git a/contrib/syntax/lists/profile_commands_arg1.list b/contrib/syntax/lists/profile_commands_arg1.list index e76b6ef40..8d5cae7f2 100644 --- a/contrib/syntax/lists/profile_commands_arg1.list +++ b/contrib/syntax/lists/profile_commands_arg1.list | |||
| @@ -30,8 +30,9 @@ iprange | |||
| 30 | join-or-start | 30 | join-or-start |
| 31 | keep-fd | 31 | keep-fd |
| 32 | landlock.execute | 32 | landlock.execute |
| 33 | landlock.makedev | ||
| 34 | landlock.makeipc | ||
| 33 | landlock.read | 35 | landlock.read |
| 34 | landlock.special | ||
| 35 | landlock.write | 36 | landlock.write |
| 36 | mac | 37 | mac |
| 37 | mkdir | 38 | mkdir |
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index eb4d21675..f3b44ac3e 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc | |||
| @@ -78,6 +78,7 @@ blacklist ${HOME}/.cache/PawelStolowski | |||
| 78 | blacklist ${HOME}/.cache/Psi | 78 | blacklist ${HOME}/.cache/Psi |
| 79 | blacklist ${HOME}/.cache/QuiteRss | 79 | blacklist ${HOME}/.cache/QuiteRss |
| 80 | blacklist ${HOME}/.cache/Quotient/quaternion | 80 | blacklist ${HOME}/.cache/Quotient/quaternion |
| 81 | blacklist ${HOME}/.cache/RawTherapee | ||
| 81 | blacklist ${HOME}/.cache/Shortwave | 82 | blacklist ${HOME}/.cache/Shortwave |
| 82 | blacklist ${HOME}/.cache/Tox | 83 | blacklist ${HOME}/.cache/Tox |
| 83 | blacklist ${HOME}/.cache/Zeal | 84 | blacklist ${HOME}/.cache/Zeal |
| @@ -335,6 +336,7 @@ blacklist ${HOME}/.config/QuiteRssrc | |||
| 335 | blacklist ${HOME}/.config/Quotient | 336 | blacklist ${HOME}/.config/Quotient |
| 336 | blacklist ${HOME}/.config/RSS Guard 4 | 337 | blacklist ${HOME}/.config/RSS Guard 4 |
| 337 | blacklist ${HOME}/.config/Rambox | 338 | blacklist ${HOME}/.config/Rambox |
| 339 | blacklist ${HOME}/.config/RawTherapee | ||
| 338 | blacklist ${HOME}/.config/Riot | 340 | blacklist ${HOME}/.config/Riot |
| 339 | blacklist ${HOME}/.config/Rocket.Chat | 341 | blacklist ${HOME}/.config/Rocket.Chat |
| 340 | blacklist ${HOME}/.config/RogueLegacy | 342 | blacklist ${HOME}/.config/RogueLegacy |
diff --git a/etc/inc/landlock-common.inc b/etc/inc/landlock-common.inc index ebe9f98dc..694d447b5 100644 --- a/etc/inc/landlock-common.inc +++ b/etc/inc/landlock-common.inc | |||
| @@ -4,7 +4,7 @@ include landlock-common.local | |||
| 4 | 4 | ||
| 5 | landlock.read / # whole system read | 5 | landlock.read / # whole system read |
| 6 | landlock.read /proc | 6 | landlock.read /proc |
| 7 | landlock.special / # sockets etc. | 7 | landlock.makeipc / # sockets etc. |
| 8 | 8 | ||
| 9 | # write access | 9 | # write access |
| 10 | landlock.write ${HOME} | 10 | landlock.write ${HOME} |
diff --git a/etc/profile-a-l/crawl.profile b/etc/profile-a-l/crawl.profile index 7df7b4480..9545fb8bc 100644 --- a/etc/profile-a-l/crawl.profile +++ b/etc/profile-a-l/crawl.profile | |||
| @@ -8,6 +8,9 @@ include globals.local | |||
| 8 | 8 | ||
| 9 | noblacklist ${HOME}/.crawl | 9 | noblacklist ${HOME}/.crawl |
| 10 | 10 | ||
| 11 | # Allow lua (blacklisted by disable-interpreters.inc) | ||
| 12 | include allow-lua.inc | ||
| 13 | |||
| 11 | include disable-common.inc | 14 | include disable-common.inc |
| 12 | include disable-devel.inc | 15 | include disable-devel.inc |
| 13 | include disable-exec.inc | 16 | include disable-exec.inc |
diff --git a/etc/profile-a-l/enchant-lsmod-2.profile b/etc/profile-a-l/enchant-lsmod-2.profile index a7199955e..3fe9e94c0 100644 --- a/etc/profile-a-l/enchant-lsmod-2.profile +++ b/etc/profile-a-l/enchant-lsmod-2.profile | |||
| @@ -7,4 +7,4 @@ include enchant-lsmod-2.local | |||
| 7 | #include globals.local | 7 | #include globals.local |
| 8 | 8 | ||
| 9 | # Redirect | 9 | # Redirect |
| 10 | include enchant.profile | 10 | include enchant-2.profile |
diff --git a/etc/profile-a-l/geeqie.profile b/etc/profile-a-l/geeqie.profile index 6cd28f25d..beffb28e3 100644 --- a/etc/profile-a-l/geeqie.profile +++ b/etc/profile-a-l/geeqie.profile | |||
| @@ -10,6 +10,9 @@ noblacklist ${HOME}/.cache/geeqie | |||
| 10 | noblacklist ${HOME}/.config/geeqie | 10 | noblacklist ${HOME}/.config/geeqie |
| 11 | noblacklist ${HOME}/.local/share/geeqie | 11 | noblacklist ${HOME}/.local/share/geeqie |
| 12 | 12 | ||
| 13 | # Allow lua (blacklisted by disable-interpreters.inc) | ||
| 14 | include allow-lua.inc | ||
| 15 | |||
| 13 | # Allow perl (blacklisted by disable-interpreters.inc) | 16 | # Allow perl (blacklisted by disable-interpreters.inc) |
| 14 | include allow-perl.inc | 17 | include allow-perl.inc |
| 15 | 18 | ||
diff --git a/etc/profile-a-l/gnome-keyring-daemon.profile b/etc/profile-a-l/gnome-keyring-daemon.profile new file mode 100644 index 000000000..41ea136a6 --- /dev/null +++ b/etc/profile-a-l/gnome-keyring-daemon.profile | |||
| @@ -0,0 +1,62 @@ | |||
| 1 | # Firejail profile for gnome-keyring-daemon | ||
| 2 | # Description: Stores passwords and encryption keys | ||
| 3 | # This file is overwritten after every install/update | ||
| 4 | quiet | ||
| 5 | # Persistent local customizations | ||
| 6 | include gnome-keyring-daemon.local | ||
| 7 | # Persistent global definitions | ||
| 8 | include globals.local | ||
| 9 | |||
| 10 | blacklist /tmp/.X11-unix | ||
| 11 | blacklist ${RUNUSER}/wayland-* | ||
| 12 | |||
| 13 | include disable-common.inc | ||
| 14 | include disable-devel.inc | ||
| 15 | include disable-exec.inc | ||
| 16 | include disable-interpreters.inc | ||
| 17 | include disable-programs.inc | ||
| 18 | #include disable-X11.inc # x11 none | ||
| 19 | include disable-xdg.inc | ||
| 20 | |||
| 21 | whitelist ${RUNUSER}/gnupg | ||
| 22 | whitelist ${RUNUSER}/keyring | ||
| 23 | whitelist /usr/share/gnupg | ||
| 24 | whitelist /usr/share/gnupg2 | ||
| 25 | include whitelist-common.inc | ||
| 26 | include whitelist-runuser-common.inc | ||
| 27 | include whitelist-usr-share-common.inc | ||
| 28 | include whitelist-var-common.inc | ||
| 29 | |||
| 30 | apparmor | ||
| 31 | caps.drop all | ||
| 32 | ipc-namespace | ||
| 33 | machine-id | ||
| 34 | netfilter | ||
| 35 | no3d | ||
| 36 | nodvd | ||
| 37 | nogroups | ||
| 38 | noinput | ||
| 39 | nonewprivs | ||
| 40 | noroot | ||
| 41 | nosound | ||
| 42 | notv | ||
| 43 | nou2f | ||
| 44 | novideo | ||
| 45 | protocol unix,inet,inet6 | ||
| 46 | seccomp | ||
| 47 | seccomp.block-secondary | ||
| 48 | tracelog | ||
| 49 | x11 none | ||
| 50 | |||
| 51 | disable-mnt | ||
| 52 | #private-bin gnome-keyrin*,secret-tool | ||
| 53 | private-cache | ||
| 54 | private-dev | ||
| 55 | #private-lib alternatives,gnome-keyring,libsecret-1.so.*,pkcs11,security | ||
| 56 | private-tmp | ||
| 57 | |||
| 58 | #dbus-user none | ||
| 59 | dbus-system none | ||
| 60 | |||
| 61 | memory-deny-write-execute | ||
| 62 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gnome-keyring.profile b/etc/profile-a-l/gnome-keyring.profile index aa0a7f4cc..287c6dcf9 100644 --- a/etc/profile-a-l/gnome-keyring.profile +++ b/etc/profile-a-l/gnome-keyring.profile | |||
| @@ -1,62 +1,17 @@ | |||
| 1 | # Firejail profile for gnome-keyring | 1 | # Firejail profile for gnome-keyring |
| 2 | # Description: Stores passwords and encryption keys | 2 | # Description: Stores passwords and encryption keys |
| 3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
| 4 | quiet | ||
| 5 | # Persistent local customizations | 4 | # Persistent local customizations |
| 6 | include gnome-keyring.local | 5 | include gnome-keyring.local |
| 7 | # Persistent global definitions | 6 | # Persistent global definitions |
| 8 | include globals.local | 7 | # added by included profile |
| 8 | #include globals.local | ||
| 9 | 9 | ||
| 10 | noblacklist ${HOME}/.gnupg | 10 | noblacklist ${HOME}/.gnupg |
| 11 | 11 | ||
| 12 | include disable-common.inc | ||
| 13 | include disable-devel.inc | ||
| 14 | include disable-exec.inc | ||
| 15 | include disable-interpreters.inc | ||
| 16 | include disable-programs.inc | ||
| 17 | include disable-xdg.inc | ||
| 18 | |||
| 19 | mkdir ${HOME}/.gnupg | 12 | mkdir ${HOME}/.gnupg |
| 20 | whitelist ${HOME}/.gnupg | 13 | whitelist ${HOME}/.gnupg |
| 21 | whitelist ${DOWNLOADS} | 14 | whitelist ${DOWNLOADS} |
| 22 | whitelist ${RUNUSER}/gnupg | ||
| 23 | whitelist ${RUNUSER}/keyring | ||
| 24 | whitelist /usr/share/gnupg | ||
| 25 | whitelist /usr/share/gnupg2 | ||
| 26 | include whitelist-common.inc | ||
| 27 | include whitelist-runuser-common.inc | ||
| 28 | include whitelist-usr-share-common.inc | ||
| 29 | include whitelist-var-common.inc | ||
| 30 | |||
| 31 | apparmor | ||
| 32 | caps.drop all | ||
| 33 | ipc-namespace | ||
| 34 | machine-id | ||
| 35 | netfilter | ||
| 36 | no3d | ||
| 37 | nodvd | ||
| 38 | nogroups | ||
| 39 | noinput | ||
| 40 | nonewprivs | ||
| 41 | noroot | ||
| 42 | nosound | ||
| 43 | notv | ||
| 44 | nou2f | ||
| 45 | novideo | ||
| 46 | protocol unix,inet,inet6 | ||
| 47 | seccomp | ||
| 48 | seccomp.block-secondary | ||
| 49 | tracelog | ||
| 50 | |||
| 51 | disable-mnt | ||
| 52 | #private-bin gnome-keyrin*,secret-tool | ||
| 53 | private-cache | ||
| 54 | private-dev | ||
| 55 | #private-lib alternatives,gnome-keyring,libsecret-1.so.*,pkcs11,security | ||
| 56 | private-tmp | ||
| 57 | |||
| 58 | #dbus-user none | ||
| 59 | dbus-system none | ||
| 60 | 15 | ||
| 61 | memory-deny-write-execute | 16 | # Redirect |
| 62 | restrict-namespaces | 17 | include gnome-keyring-daemon.profile |
diff --git a/etc/profile-m-z/rawtherapee.profile b/etc/profile-m-z/rawtherapee.profile new file mode 100644 index 000000000..0cf946eec --- /dev/null +++ b/etc/profile-m-z/rawtherapee.profile | |||
| @@ -0,0 +1,39 @@ | |||
| 1 | # Firejail profile for rawtherapee | ||
| 2 | # Description: Free cross-platform raw image processing program | ||
| 3 | # This file is overwritten after every install/update | ||
| 4 | # Persistent local customizations | ||
| 5 | include rawtherapee.local | ||
| 6 | # Persistent global definitions | ||
| 7 | include globals.local | ||
| 8 | |||
| 9 | noblacklist ${HOME}/.cache/RawTherapee | ||
| 10 | noblacklist ${HOME}/.config/RawTherapee | ||
| 11 | noblacklist ${PICTURES} | ||
| 12 | |||
| 13 | include disable-common.inc | ||
| 14 | include disable-devel.inc | ||
| 15 | include disable-exec.inc | ||
| 16 | include disable-interpreters.inc | ||
| 17 | include disable-programs.inc | ||
| 18 | include disable-shell.inc | ||
| 19 | include disable-xdg.inc | ||
| 20 | |||
| 21 | caps.drop all | ||
| 22 | netfilter | ||
| 23 | nodvd | ||
| 24 | nogroups | ||
| 25 | noinput | ||
| 26 | nonewprivs | ||
| 27 | noroot | ||
| 28 | nosound | ||
| 29 | notv | ||
| 30 | nou2f | ||
| 31 | novideo | ||
| 32 | protocol unix,inet,inet6 | ||
| 33 | seccomp | ||
| 34 | |||
| 35 | private-bin rawtherapee | ||
| 36 | private-dev | ||
| 37 | private-tmp | ||
| 38 | |||
| 39 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/tesseract.profile b/etc/profile-m-z/tesseract.profile index c0293406d..5d2ea4ae6 100644 --- a/etc/profile-m-z/tesseract.profile +++ b/etc/profile-m-z/tesseract.profile | |||
| @@ -1,6 +1,7 @@ | |||
| 1 | # Firejail profile for tesseract | 1 | # Firejail profile for tesseract |
| 2 | # Description: An OCR program | 2 | # Description: An OCR program |
| 3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
| 4 | quiet | ||
| 4 | # Persistent local customizations | 5 | # Persistent local customizations |
| 5 | include tesseract.local | 6 | include tesseract.local |
| 6 | # Persistent global definitions | 7 | # Persistent global definitions |
diff --git a/etc/templates/profile.template b/etc/templates/profile.template index 8882c9012..0e6a5734e 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template | |||
| @@ -140,7 +140,8 @@ include globals.local | |||
| 140 | # Landlock commands | 140 | # Landlock commands |
| 141 | ##landlock.read PATH | 141 | ##landlock.read PATH |
| 142 | ##landlock.write PATH | 142 | ##landlock.write PATH |
| 143 | ##landlock.special PATH | 143 | ##landlock.makeipc PATH |
| 144 | ##landlock.makedev PATH | ||
| 144 | ##landlock.execute PATH | 145 | ##landlock.execute PATH |
| 145 | #include landlock-common.inc | 146 | #include landlock-common.inc |
| 146 | 147 | ||
diff --git a/platform/debian/control.amd64 b/platform/debian/control.amd64 index f666200d5..59776d325 100644 --- a/platform/debian/control.amd64 +++ b/platform/debian/control.amd64 | |||
| @@ -8,7 +8,7 @@ Suggests: python, python3 | |||
| 8 | Section: admin | 8 | Section: admin |
| 9 | Priority: optional | 9 | Priority: optional |
| 10 | Homepage: https://github.com/netblue30/firejail | 10 | Homepage: https://github.com/netblue30/firejail |
| 11 | Description: Linux namepaces sandbox program. | 11 | Description: Linux namespaces sandbox program. |
| 12 | Firejail is a SUID sandbox program that reduces the risk of security | 12 | Firejail is a SUID sandbox program that reduces the risk of security |
| 13 | breaches by restricting the running environment of untrusted applications | 13 | breaches by restricting the running environment of untrusted applications |
| 14 | using Linux namespaces and seccmp-bpf. It includes sandbox profiles for | 14 | using Linux namespaces and seccmp-bpf. It includes sandbox profiles for |
diff --git a/platform/debian/control.i386 b/platform/debian/control.i386 index ab9e0fc52..3d3f217c9 100644 --- a/platform/debian/control.i386 +++ b/platform/debian/control.i386 | |||
| @@ -8,7 +8,7 @@ Suggests: python, python3 | |||
| 8 | Section: admin | 8 | Section: admin |
| 9 | Priority: optional | 9 | Priority: optional |
| 10 | Homepage: https://github.com/netblue30/firejail | 10 | Homepage: https://github.com/netblue30/firejail |
| 11 | Description: Linux namepaces sandbox program. | 11 | Description: Linux namespaces sandbox program. |
| 12 | Firejail is a SUID sandbox program that reduces the risk of security | 12 | Firejail is a SUID sandbox program that reduces the risk of security |
| 13 | breaches by restricting the running environment of untrusted applications | 13 | breaches by restricting the running environment of untrusted applications |
| 14 | using Linux namespaces and seccmp-bpf. It includes sandbox profiles for | 14 | using Linux namespaces and seccmp-bpf. It includes sandbox profiles for |
diff --git a/platform/rpm/mkrpm.sh b/platform/rpm/mkrpm.sh index 7fbc35575..0221fa607 100755 --- a/platform/rpm/mkrpm.sh +++ b/platform/rpm/mkrpm.sh | |||
| @@ -8,6 +8,8 @@ | |||
| 8 | # Builds rpms in a temporary directory then places the result in the | 8 | # Builds rpms in a temporary directory then places the result in the |
| 9 | # current working directory. | 9 | # current working directory. |
| 10 | 10 | ||
| 11 | set -e | ||
| 12 | |||
| 11 | # shellcheck source=config.sh | 13 | # shellcheck source=config.sh |
| 12 | . "$(dirname "$0")/../../config.sh" || exit 1 | 14 | . "$(dirname "$0")/../../config.sh" || exit 1 |
| 13 | 15 | ||
| @@ -36,9 +38,9 @@ trap cleanup EXIT | |||
| 36 | 38 | ||
| 37 | # Create the spec file | 39 | # Create the spec file |
| 38 | tmp_spec_file="${tmpdir}/SPECS/${name}.spec" | 40 | tmp_spec_file="${tmpdir}/SPECS/${name}.spec" |
| 39 | sed -e "s/__NAME__/${name}/g" \ | 41 | sed -e "s|__NAME__|${name}|g" \ |
| 40 | -e "s/__VERSION__/${version}/g" \ | 42 | -e "s|__VERSION__|${version}|g" \ |
| 41 | -e "s/__CONFIG_OPT__/${config_opt}/g" \ | 43 | -e "s|__CONFIG_OPT__|${config_opt}|g" \ |
| 42 | "platform/rpm/${name}.spec" >"${tmp_spec_file}" | 44 | "platform/rpm/${name}.spec" >"${tmp_spec_file}" |
| 43 | # FIXME: We could parse RELNOTES and create a %changelog section here | 45 | # FIXME: We could parse RELNOTES and create a %changelog section here |
| 44 | 46 | ||
| @@ -47,7 +49,7 @@ tar --exclude='./.git*' --transform "s/^./${name}-${version}/" \ | |||
| 47 | -czf "${tmpdir}/SOURCES/${name}-${version}.tar.gz" . | 49 | -czf "${tmpdir}/SOURCES/${name}-${version}.tar.gz" . |
| 48 | 50 | ||
| 49 | # Build the files (rpm, debug rpm and source rpm) | 51 | # Build the files (rpm, debug rpm and source rpm) |
| 50 | rpmbuild --quiet --define "_topdir ${tmpdir}" -ba "${tmp_spec_file}" | 52 | rpmbuild --define "_topdir ${tmpdir}" -ba "${tmp_spec_file}" |
| 51 | 53 | ||
| 52 | # Copy the results to cwd | 54 | # Copy the results to cwd |
| 53 | mv "${tmpdir}/SRPMS"/*.rpm "${tmpdir}/RPMS"/*/*rpm . | 55 | mv "${tmpdir}/SRPMS"/*.rpm "${tmpdir}/RPMS"/*/*rpm . |
diff --git a/src/bash_completion/firejail.bash_completion.in b/src/bash_completion/firejail.bash_completion.in index 76667ca0c..6c985bc6e 100644 --- a/src/bash_completion/firejail.bash_completion.in +++ b/src/bash_completion/firejail.bash_completion.in | |||
| @@ -53,7 +53,11 @@ _firejail() | |||
| 53 | _filedir | 53 | _filedir |
| 54 | return 0 | 54 | return 0 |
| 55 | ;; | 55 | ;; |
| 56 | --landlock.special) | 56 | --landlock.makeipc) |
| 57 | _filedir | ||
| 58 | return 0 | ||
| 59 | ;; | ||
| 60 | --landlock.makedev) | ||
| 57 | _filedir | 61 | _filedir |
| 58 | return 0 | 62 | return 0 |
| 59 | ;; | 63 | ;; |
diff --git a/src/firecfg/desktop_files.c b/src/firecfg/desktop_files.c index ecb18a60e..1895e437b 100644 --- a/src/firecfg/desktop_files.c +++ b/src/firecfg/desktop_files.c | |||
| @@ -57,7 +57,7 @@ static int check_profile(const char *name, const char *homedir) { | |||
| 57 | } | 57 | } |
| 58 | 58 | ||
| 59 | 59 | ||
| 60 | // look for a profile file in /etc/firejail diectory and in homedir/.config/firejail directory | 60 | // look for a profile file in /etc/firejail and ~/.config/firejail |
| 61 | static int have_profile(const char *filename, const char *homedir) { | 61 | static int have_profile(const char *filename, const char *homedir) { |
| 62 | assert(filename); | 62 | assert(filename); |
| 63 | assert(homedir); | 63 | assert(homedir); |
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index f007638f8..abaec3036 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
| @@ -342,6 +342,9 @@ gnome-contacts | |||
| 342 | gnome-documents | 342 | gnome-documents |
| 343 | gnome-font-viewer | 343 | gnome-font-viewer |
| 344 | gnome-hexgl | 344 | gnome-hexgl |
| 345 | gnome-keyring | ||
| 346 | gnome-keyring-3 | ||
| 347 | gnome-keyring-daemon | ||
| 345 | gnome-klotski | 348 | gnome-klotski |
| 346 | gnome-latex | 349 | gnome-latex |
| 347 | gnome-logs | 350 | gnome-logs |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index d76a6c0ee..2122649cf 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -154,9 +154,10 @@ typedef struct landlock_entry_t { | |||
| 154 | struct landlock_entry_t *next; | 154 | struct landlock_entry_t *next; |
| 155 | #define LL_READ 0 | 155 | #define LL_READ 0 |
| 156 | #define LL_WRITE 1 | 156 | #define LL_WRITE 1 |
| 157 | #define LL_SPECIAL 2 | 157 | #define LL_MAKEIPC 2 |
| 158 | #define LL_EXEC 3 | 158 | #define LL_MAKEDEV 3 |
| 159 | #define LL_MAX 4 | 159 | #define LL_EXEC 4 |
| 160 | #define LL_MAX 5 | ||
| 160 | int type; | 161 | int type; |
| 161 | char *data; | 162 | char *data; |
| 162 | } LandlockEntry; | 163 | } LandlockEntry; |
| @@ -492,7 +493,7 @@ void tree(void); | |||
| 492 | void top(void); | 493 | void top(void); |
| 493 | 494 | ||
| 494 | // usage.c | 495 | // usage.c |
| 495 | void print_version(void); | 496 | void print_version(FILE *stream); |
| 496 | void print_version_full(void); | 497 | void print_version_full(void); |
| 497 | void usage(void); | 498 | void usage(void); |
| 498 | 499 | ||
diff --git a/src/firejail/landlock.c b/src/firejail/landlock.c index 77149a134..ce222624b 100644 --- a/src/firejail/landlock.c +++ b/src/firejail/landlock.c | |||
| @@ -83,7 +83,7 @@ out: | |||
| 83 | } | 83 | } |
| 84 | 84 | ||
| 85 | static int ll_create_full_ruleset(void) { | 85 | static int ll_create_full_ruleset(void) { |
| 86 | struct landlock_ruleset_attr attr; | 86 | struct landlock_ruleset_attr attr = {0}; |
| 87 | attr.handled_access_fs = | 87 | attr.handled_access_fs = |
| 88 | LANDLOCK_ACCESS_FS_EXECUTE | | 88 | LANDLOCK_ACCESS_FS_EXECUTE | |
| 89 | LANDLOCK_ACCESS_FS_MAKE_BLOCK | | 89 | LANDLOCK_ACCESS_FS_MAKE_BLOCK | |
| @@ -106,7 +106,7 @@ static int ll_create_full_ruleset(void) { | |||
| 106 | 106 | ||
| 107 | int ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0); | 107 | int ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0); |
| 108 | if (ruleset_fd < 0) { | 108 | if (ruleset_fd < 0) { |
| 109 | fprintf(stderr, "%s: Error: failed to create Landlock ruleset " | 109 | fprintf(stderr, "Error: %s: failed to create Landlock ruleset " |
| 110 | "(abi=%d fs=%llx): %s\n", | 110 | "(abi=%d fs=%llx): %s\n", |
| 111 | __func__, ll_abi, attr.handled_access_fs, | 111 | __func__, ll_abi, attr.handled_access_fs, |
| 112 | strerror(errno)); | 112 | strerror(errno)); |
| @@ -115,7 +115,7 @@ static int ll_create_full_ruleset(void) { | |||
| 115 | } | 115 | } |
| 116 | 116 | ||
| 117 | static void _ll_fs(const char *allowed_path, const __u64 allowed_access, | 117 | static void _ll_fs(const char *allowed_path, const __u64 allowed_access, |
| 118 | const char *caller) { | 118 | const char *caller) { |
| 119 | if (ll_ruleset_fd == -1) | 119 | if (ll_ruleset_fd == -1) |
| 120 | ll_ruleset_fd = ll_create_full_ruleset(); | 120 | ll_ruleset_fd = ll_create_full_ruleset(); |
| 121 | 121 | ||
| @@ -133,7 +133,7 @@ static void _ll_fs(const char *allowed_path, const __u64 allowed_access, | |||
| 133 | return; | 133 | return; |
| 134 | } | 134 | } |
| 135 | 135 | ||
| 136 | struct landlock_path_beneath_attr target; | 136 | struct landlock_path_beneath_attr target = {0}; |
| 137 | target.parent_fd = allowed_fd; | 137 | target.parent_fd = allowed_fd; |
| 138 | target.allowed_access = allowed_access; | 138 | target.allowed_access = allowed_access; |
| 139 | int error = landlock_add_rule(ll_ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, | 139 | int error = landlock_add_rule(ll_ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, |
| @@ -148,7 +148,7 @@ static void _ll_fs(const char *allowed_path, const __u64 allowed_access, | |||
| 148 | } | 148 | } |
| 149 | 149 | ||
| 150 | static void ll_fs(const char *allowed_path, const __u64 allowed_access, | 150 | static void ll_fs(const char *allowed_path, const __u64 allowed_access, |
| 151 | const char *caller) { | 151 | const char *caller) { |
| 152 | char *expanded_path; | 152 | char *expanded_path; |
| 153 | 153 | ||
| 154 | // ${PATH} macro is not included by default in expand_macros() | 154 | // ${PATH} macro is not included by default in expand_macros() |
| @@ -194,16 +194,22 @@ static void ll_write(const char *allowed_path) { | |||
| 194 | ll_fs(allowed_path, allowed_access, __func__); | 194 | ll_fs(allowed_path, allowed_access, __func__); |
| 195 | } | 195 | } |
| 196 | 196 | ||
| 197 | static void ll_special(const char *allowed_path) { | 197 | static void ll_makeipc(const char *allowed_path) { |
| 198 | __u64 allowed_access = | 198 | __u64 allowed_access = |
| 199 | LANDLOCK_ACCESS_FS_MAKE_BLOCK | | ||
| 200 | LANDLOCK_ACCESS_FS_MAKE_CHAR | | ||
| 201 | LANDLOCK_ACCESS_FS_MAKE_FIFO | | 199 | LANDLOCK_ACCESS_FS_MAKE_FIFO | |
| 202 | LANDLOCK_ACCESS_FS_MAKE_SOCK; | 200 | LANDLOCK_ACCESS_FS_MAKE_SOCK; |
| 203 | 201 | ||
| 204 | ll_fs(allowed_path, allowed_access, __func__); | 202 | ll_fs(allowed_path, allowed_access, __func__); |
| 205 | } | 203 | } |
| 206 | 204 | ||
| 205 | static void ll_makedev(const char *allowed_path) { | ||
| 206 | __u64 allowed_access = | ||
| 207 | LANDLOCK_ACCESS_FS_MAKE_BLOCK | | ||
| 208 | LANDLOCK_ACCESS_FS_MAKE_CHAR; | ||
| 209 | |||
| 210 | ll_fs(allowed_path, allowed_access, __func__); | ||
| 211 | } | ||
| 212 | |||
| 207 | static void ll_exec(const char *allowed_path) { | 213 | static void ll_exec(const char *allowed_path) { |
| 208 | __u64 allowed_access = | 214 | __u64 allowed_access = |
| 209 | LANDLOCK_ACCESS_FS_EXECUTE; | 215 | LANDLOCK_ACCESS_FS_EXECUTE; |
| @@ -223,7 +229,8 @@ int ll_restrict(uint32_t flags) { | |||
| 223 | void (*fnc[])(const char *) = { | 229 | void (*fnc[])(const char *) = { |
| 224 | ll_read, | 230 | ll_read, |
| 225 | ll_write, | 231 | ll_write, |
| 226 | ll_special, | 232 | ll_makeipc, |
| 233 | ll_makedev, | ||
| 227 | ll_exec, | 234 | ll_exec, |
| 228 | NULL | 235 | NULL |
| 229 | }; | 236 | }; |
diff --git a/src/firejail/main.c b/src/firejail/main.c index cc5345ee0..4d8ea20c3 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -1509,8 +1509,10 @@ int main(int argc, char **argv, char **envp) { | |||
| 1509 | ll_add_profile(LL_READ, argv[i] + 16); | 1509 | ll_add_profile(LL_READ, argv[i] + 16); |
| 1510 | else if (strncmp(argv[i], "--landlock.write=", 17) == 0) | 1510 | else if (strncmp(argv[i], "--landlock.write=", 17) == 0) |
| 1511 | ll_add_profile(LL_WRITE, argv[i] + 17); | 1511 | ll_add_profile(LL_WRITE, argv[i] + 17); |
| 1512 | else if (strncmp(argv[i], "--landlock.special=", 19) == 0) | 1512 | else if (strncmp(argv[i], "--landlock.makeipc=", 19) == 0) |
| 1513 | ll_add_profile(LL_SPECIAL, argv[i] + 19); | 1513 | ll_add_profile(LL_MAKEIPC, argv[i] + 19); |
| 1514 | else if (strncmp(argv[i], "--landlock.makedev=", 19) == 0) | ||
| 1515 | ll_add_profile(LL_MAKEDEV, argv[i] + 19); | ||
| 1514 | else if (strncmp(argv[i], "--landlock.execute=", 19) == 0) | 1516 | else if (strncmp(argv[i], "--landlock.execute=", 19) == 0) |
| 1515 | ll_add_profile(LL_EXEC, argv[i] + 19); | 1517 | ll_add_profile(LL_EXEC, argv[i] + 19); |
| 1516 | #endif | 1518 | #endif |
| @@ -2957,10 +2959,10 @@ int main(int argc, char **argv, char **envp) { | |||
| 2957 | } | 2959 | } |
| 2958 | EUID_ASSERT(); | 2960 | EUID_ASSERT(); |
| 2959 | 2961 | ||
| 2960 | // Note: Only attempt to print non-debug information to stdout after | 2962 | // Note: Only attempt to print non-debug information after all profiles |
| 2961 | // all profiles have been loaded (because a profile may set arg_quiet) | 2963 | // have been loaded (because a profile may set arg_quiet) |
| 2962 | if (!arg_quiet) | 2964 | if (!arg_quiet) |
| 2963 | print_version(); | 2965 | print_version(stderr); |
| 2964 | 2966 | ||
| 2965 | // block X11 sockets | 2967 | // block X11 sockets |
| 2966 | if (arg_x11_block) | 2968 | if (arg_x11_block) |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index c0abc3398..a5a8393e9 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
| @@ -1086,8 +1086,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
| 1086 | ll_add_profile(LL_WRITE, ptr + 15); | 1086 | ll_add_profile(LL_WRITE, ptr + 15); |
| 1087 | return 0; | 1087 | return 0; |
| 1088 | } | 1088 | } |
| 1089 | if (strncmp(ptr, "landlock.special ", 17) == 0) { | 1089 | if (strncmp(ptr, "landlock.makeipc ", 17) == 0) { |
| 1090 | ll_add_profile(LL_SPECIAL, ptr + 17); | 1090 | ll_add_profile(LL_MAKEIPC, ptr + 17); |
| 1091 | return 0; | ||
| 1092 | } | ||
| 1093 | if (strncmp(ptr, "landlock.makedev ", 17) == 0) { | ||
| 1094 | ll_add_profile(LL_MAKEDEV, ptr + 17); | ||
| 1091 | return 0; | 1095 | return 0; |
| 1092 | } | 1096 | } |
| 1093 | if (strncmp(ptr, "landlock.execute ", 17) == 0) { | 1097 | if (strncmp(ptr, "landlock.execute ", 17) == 0) { |
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index 741e908ed..e258f6204 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c | |||
| @@ -210,9 +210,9 @@ static void sanitize_passwd(void) { | |||
| 210 | goto errout; | 210 | goto errout; |
| 211 | 211 | ||
| 212 | // process uid | 212 | // process uid |
| 213 | int uid; | 213 | int uid = -1; |
| 214 | int rv = sscanf(ptr, "%d:", &uid); | 214 | int rv = sscanf(ptr, "%d:", &uid); |
| 215 | if (rv == 0 || uid < 0) | 215 | if (rv != 1 || uid < 0) |
| 216 | goto errout; | 216 | goto errout; |
| 217 | assert(uid_min); | 217 | assert(uid_min); |
| 218 | if (uid < uid_min || uid == 65534) { // on Debian platforms user nobody is 65534 | 218 | if (uid < uid_min || uid == 65534) { // on Debian platforms user nobody is 65534 |
| @@ -349,9 +349,9 @@ static void sanitize_group(void) { | |||
| 349 | goto errout; | 349 | goto errout; |
| 350 | 350 | ||
| 351 | // process uid | 351 | // process uid |
| 352 | int gid; | 352 | int gid = -1; |
| 353 | int rv = sscanf(ptr, "%d:", &gid); | 353 | int rv = sscanf(ptr, "%d:", &gid); |
| 354 | if (rv == 0 || gid < 0) | 354 | if (rv != 1 || gid < 0) |
| 355 | goto errout; | 355 | goto errout; |
| 356 | assert(gid_min); | 356 | assert(gid_min); |
| 357 | if (gid < gid_min || gid == 65534) { // on Debian platforms 65534 is group nogroup | 357 | if (gid < gid_min || gid == 65534) { // on Debian platforms 65534 is group nogroup |
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index beedb3ce2..c62e8c369 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
| @@ -137,7 +137,8 @@ static const char *const usage_str = | |||
| 137 | " --landlock.enforce - enforce the Landlock ruleset.\n" | 137 | " --landlock.enforce - enforce the Landlock ruleset.\n" |
| 138 | " --landlock.read=path - add a read access rule for the path to the Landlock ruleset.\n" | 138 | " --landlock.read=path - add a read access rule for the path to the Landlock ruleset.\n" |
| 139 | " --landlock.write=path - add a write access rule for the path to the Landlock ruleset.\n" | 139 | " --landlock.write=path - add a write access rule for the path to the Landlock ruleset.\n" |
| 140 | " --landlock.special=path - add an access rule for the path to the Landlock ruleset for creating block/char devices, named pipes and sockets.\n" | 140 | " --landlock.makeipc=path - add an access rule for the path to the Landlock ruleset for creating named pipes and sockets.\n" |
| 141 | " --landlock.makedev=path - add an access rule for the path to the Landlock ruleset for creating block/char devices.\n" | ||
| 141 | " --landlock.execute=path - add an execute access rule for the path to the Landlock ruleset.\n" | 142 | " --landlock.execute=path - add an execute access rule for the path to the Landlock ruleset.\n" |
| 142 | #endif | 143 | #endif |
| 143 | " --list - list all sandboxes.\n" | 144 | " --list - list all sandboxes.\n" |
| @@ -320,16 +321,16 @@ static const char *const usage_str = | |||
| 320 | "License GPL version 2 or later\n" | 321 | "License GPL version 2 or later\n" |
| 321 | "Homepage: https://firejail.wordpress.com\n"; | 322 | "Homepage: https://firejail.wordpress.com\n"; |
| 322 | 323 | ||
| 323 | void print_version(void) { | 324 | void print_version(FILE *stream) { |
| 324 | printf("firejail version %s\n\n", VERSION); | 325 | fprintf(stream, "firejail version %s\n\n", VERSION); |
| 325 | } | 326 | } |
| 326 | 327 | ||
| 327 | void print_version_full(void) { | 328 | void print_version_full(void) { |
| 328 | print_version(); | 329 | print_version(stdout); |
| 329 | print_compiletime_support(); | 330 | print_compiletime_support(); |
| 330 | } | 331 | } |
| 331 | 332 | ||
| 332 | void usage(void) { | 333 | void usage(void) { |
| 333 | print_version(); | 334 | print_version(stdout); |
| 334 | puts(usage_str); | 335 | puts(usage_str); |
| 335 | } | 336 | } |
diff --git a/src/fnettrace/Makefile b/src/fnettrace/Makefile index 2ad296d1d..1c62f43bc 100644 --- a/src/fnettrace/Makefile +++ b/src/fnettrace/Makefile | |||
| @@ -7,8 +7,10 @@ MOD_DIR = $(ROOT)/src/$(MOD) | |||
| 7 | PROG = $(MOD_DIR)/$(MOD) | 7 | PROG = $(MOD_DIR)/$(MOD) |
| 8 | TARGET = $(PROG) | 8 | TARGET = $(PROG) |
| 9 | 9 | ||
| 10 | CLEANFILES += static-ip-map | ||
| 11 | |||
| 10 | include $(ROOT)/src/prog.mk | 12 | include $(ROOT)/src/prog.mk |
| 11 | 13 | ||
| 12 | all: $(TARGET) static-ip-map | 14 | all: $(TARGET) static-ip-map |
| 13 | static-ip-map: static-ip-map.txt $(PROG) | 15 | static-ip-map: static-ip-map.txt $(PROG) |
| 14 | ./$(PROG) --squash-map=static-ip-map.txt > static-ip-map | 16 | ./$(PROG) --squash-map=static-ip-map.txt 2>&1 >static-ip-map |
diff --git a/src/man/firejail-profile.5.in b/src/man/firejail-profile.5.in index e1d7fde94..b6672c16b 100644 --- a/src/man/firejail-profile.5.in +++ b/src/man/firejail-profile.5.in | |||
| @@ -522,10 +522,15 @@ rule for path. | |||
| 522 | Create a Landlock ruleset (if it doesn't already exist) and add a write access | 522 | Create a Landlock ruleset (if it doesn't already exist) and add a write access |
| 523 | rule for path. | 523 | rule for path. |
| 524 | .TP | 524 | .TP |
| 525 | \fBlandlock.special path | 525 | \fBlandlock.makeipc path |
| 526 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that | 526 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that |
| 527 | allows the creation of block devices, character devices, named pipes (FIFOs) | 527 | allows the creation of named pipes (FIFOs) and Unix domain sockets beneath |
| 528 | and Unix domain sockets beneath given path. | 528 | the given path. |
| 529 | .TP | ||
| 530 | \fBlandlock.makedev path | ||
| 531 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that | ||
| 532 | allows the creation of block devices and character devices beneath the given | ||
| 533 | path. | ||
| 529 | .TP | 534 | .TP |
| 530 | \fBlandlock.execute path | 535 | \fBlandlock.execute path |
| 531 | Create a Landlock ruleset (if it doesn't already exist) and add an execution | 536 | Create a Landlock ruleset (if it doesn't already exist) and add an execution |
diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in index ccc9a50a5..6548b8e5d 100644 --- a/src/man/firejail.1.in +++ b/src/man/firejail.1.in | |||
| @@ -1249,10 +1249,15 @@ rule for path. | |||
| 1249 | Create a Landlock ruleset (if it doesn't already exist) and add a write access | 1249 | Create a Landlock ruleset (if it doesn't already exist) and add a write access |
| 1250 | rule for path. | 1250 | rule for path. |
| 1251 | .TP | 1251 | .TP |
| 1252 | \fB\-\-landlock.special=path | 1252 | \fB\-\-landlock.makeipc=path |
| 1253 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that | 1253 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that |
| 1254 | allows the creation of block devices, character devices, named pipes (FIFOs) | 1254 | allows the creation of named pipes (FIFOs) and Unix domain sockets beneath |
| 1255 | and Unix domain sockets beneath given path. | 1255 | the given path. |
| 1256 | .TP | ||
| 1257 | \fB\-\-landlock.makedev=path | ||
| 1258 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that | ||
| 1259 | allows the creation of block devices and character devices beneath the given | ||
| 1260 | path. | ||
| 1256 | .TP | 1261 | .TP |
| 1257 | \fB\-\-landlock.execute=path | 1262 | \fB\-\-landlock.execute=path |
| 1258 | Create a Landlock ruleset (if it doesn't already exist) and add an execution | 1263 | Create a Landlock ruleset (if it doesn't already exist) and add an execution |
| @@ -1264,7 +1269,6 @@ Example: | |||
| 1264 | .br | 1269 | .br |
| 1265 | $ firejail \-\-landlock.read=/ \-\-landlock.write=/home | 1270 | $ firejail \-\-landlock.read=/ \-\-landlock.write=/home |
| 1266 | \-\-landlock.execute=/usr \-\-landlock.enforce | 1271 | \-\-landlock.execute=/usr \-\-landlock.enforce |
| 1267 | .PP | ||
| 1268 | #endif | 1272 | #endif |
| 1269 | .TP | 1273 | .TP |
| 1270 | \fB\-\-list | 1274 | \fB\-\-list |
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in index c4056b902..45f24d5f3 100644 --- a/src/zsh_completion/_firejail.in +++ b/src/zsh_completion/_firejail.in | |||
| @@ -110,7 +110,8 @@ _firejail_args=( | |||
| 110 | '--landlock.enforce[enforce the Landlock ruleset]' | 110 | '--landlock.enforce[enforce the Landlock ruleset]' |
| 111 | '--landlock.read=-[add a read access rule for the path to the Landlock ruleset]: :_files' | 111 | '--landlock.read=-[add a read access rule for the path to the Landlock ruleset]: :_files' |
| 112 | '--landlock.write=-[add a write access rule for the path to the Landlock ruleset]: :_files' | 112 | '--landlock.write=-[add a write access rule for the path to the Landlock ruleset]: :_files' |
| 113 | '--landlock.special=-[add an access rule for the path to the Landlock ruleset for creating block/char devices, named pipes and sockets]: :_files' | 113 | '--landlock.makeipc=-[add an access rule for the path to the Landlock ruleset for creating named pipes and sockets]: :_files' |
| 114 | '--landlock.makedev=-[add an access rule for the path to the Landlock ruleset for creating block/char devices]: :_files' | ||
| 114 | '--landlock.execute=-[add an execute access rule for the path to the Landlock ruleset]: :_files' | 115 | '--landlock.execute=-[add an execute access rule for the path to the Landlock ruleset]: :_files' |
| 115 | #endif | 116 | #endif |
| 116 | '--machine-id[spoof /etc/machine-id with a random id]' | 117 | '--machine-id[spoof /etc/machine-id with a random id]' |
diff --git a/test/Makefile b/test/Makefile index d7b1bac7a..52fada86c 100644 --- a/test/Makefile +++ b/test/Makefile | |||
| @@ -12,3 +12,13 @@ $(TESTS): | |||
| 12 | .PHONY: clean | 12 | .PHONY: clean |
| 13 | clean: | 13 | clean: |
| 14 | for test in $(TESTS); do rm -f "$$test/$$test.log"; done | 14 | for test in $(TESTS); do rm -f "$$test/$$test.log"; done |
| 15 | rm -fr environment/-testdir | ||
| 16 | rm -f environment/index.html* | ||
| 17 | rm -f environment/logfile* | ||
| 18 | rm -f environment/wget-log* | ||
| 19 | rm -f sysutils/firejail_t* | ||
| 20 | rm -f utils/firejail-test-file* | ||
| 21 | rm -f utils/index.html* | ||
| 22 | rm -f utils/lstesting | ||
| 23 | rm -f utils/wget-log | ||
| 24 | cd compile && (./compile.sh --clean || true) | ||