-rw-r--r-- | .gitignore | 4 | ||||
-rw-r--r-- | Makefile.in | 10 | ||||
-rw-r--r-- | README.md | 9 | ||||
-rw-r--r-- | RELNOTES | 1 | ||||
-rwxr-xr-x | platform/rpm/old-mkrpm.sh | 8 | ||||
-rw-r--r-- | src/firejail/firejail.h | 10 | ||||
-rw-r--r-- | src/firejail/main.c | 44 | ||||
-rw-r--r-- | src/firejail/preproc.c | 84 | ||||
-rw-r--r-- | src/firejail/profile.c | 23 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 24 | ||||
-rw-r--r-- | src/firejail/usage.c | 1 | ||||
-rw-r--r-- | src/fseccomp/seccomp_print.c | 4 | ||||
-rw-r--r-- | src/fseccomp/seccomp_secondary.c | 2 | ||||
-rw-r--r-- | src/fseccomp/syscall.c | 6 | ||||
-rw-r--r-- | src/include/seccomp.h | 58 | ||||
-rw-r--r-- | src/man/firejail.txt | 13 | ||||
-rwxr-xr-x | test/filters/seccomp-debug-32.exp | 16 | ||||
-rwxr-xr-x | test/filters/seccomp-debug.exp | 28 | ||||
-rwxr-xr-x | test/profiles/test-profile.exp | 1 |
19 files changed, 281 insertions, 65 deletions
diff --git a/.gitignore b/.gitignore index 30793847c..554d1985b 100644 --- a/.gitignore +++ b/.gitignore | |||
@@ -28,7 +28,7 @@ src/fldd/fldd | |||
28 | uids.h | 28 | uids.h |
29 | seccomp | 29 | seccomp |
30 | seccomp.debug | 30 | seccomp.debug |
31 | seccomp.i386 | 31 | seccomp.32 |
32 | seccomp.amd64 | 32 | seccomp.64 |
33 | seccomp.block_secondary | 33 | seccomp.block_secondary |
34 | seccomp.mdwx | 34 | seccomp.mdwx |
diff --git a/Makefile.in b/Makefile.in index 9111a3c95..e20aa5b62 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -2,7 +2,7 @@ all: apps man filters | |||
2 | MYLIBS = src/lib | 2 | MYLIBS = src/lib |
3 | APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fcopy src/fldd src/libpostexecseccomp | 3 | APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fcopy src/fldd src/libpostexecseccomp |
4 | MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 | 4 | MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 |
5 | SECCOMP_FILTERS = seccomp seccomp.debug seccomp.i386 seccomp.amd64 seccomp.block_secondary seccomp.mdwx | 5 | SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.64 seccomp.block_secondary seccomp.mdwx |
6 | 6 | ||
7 | prefix=@prefix@ | 7 | prefix=@prefix@ |
8 | exec_prefix=@exec_prefix@ | 8 | exec_prefix=@exec_prefix@ |
@@ -43,8 +43,8 @@ filters: src/fseccomp | |||
43 | ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP) | 43 | ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP) |
44 | src/fseccomp/fseccomp default seccomp | 44 | src/fseccomp/fseccomp default seccomp |
45 | src/fseccomp/fseccomp default seccomp.debug allow-debuggers | 45 | src/fseccomp/fseccomp default seccomp.debug allow-debuggers |
46 | src/fseccomp/fseccomp secondary 32 seccomp.i386 | 46 | src/fseccomp/fseccomp secondary 32 seccomp.32 |
47 | src/fseccomp/fseccomp secondary 64 seccomp.amd64 | 47 | src/fseccomp/fseccomp secondary 64 seccomp.64 |
48 | src/fseccomp/fseccomp secondary block seccomp.block_secondary | 48 | src/fseccomp/fseccomp secondary block seccomp.block_secondary |
49 | src/fseccomp/fseccomp memory-deny-write-execute seccomp.mdwx | 49 | src/fseccomp/fseccomp memory-deny-write-execute seccomp.mdwx |
50 | endif | 50 | endif |
@@ -103,8 +103,8 @@ ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP) | |||
103 | install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/. | 103 | install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/. |
104 | install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/. | 104 | install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/. |
105 | install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/. | 105 | install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/. |
106 | install -c -m 0644 seccomp.i386 $(DESTDIR)/$(libdir)/firejail/. | 106 | install -c -m 0644 seccomp.32 $(DESTDIR)/$(libdir)/firejail/. |
107 | install -c -m 0644 seccomp.amd64 $(DESTDIR)/$(libdir)/firejail/. | 107 | install -c -m 0644 seccomp.64 $(DESTDIR)/$(libdir)/firejail/. |
108 | install -c -m 0644 seccomp.block_secondary $(DESTDIR)/$(libdir)/firejail/. | 108 | install -c -m 0644 seccomp.block_secondary $(DESTDIR)/$(libdir)/firejail/. |
109 | install -c -m 0644 seccomp.mdwx $(DESTDIR)/$(libdir)/firejail/. | 109 | install -c -m 0644 seccomp.mdwx $(DESTDIR)/$(libdir)/firejail/. |
110 | endif | 110 | endif |
@@ -174,6 +174,15 @@ Check the status of the latest build here: https://travis-ci.org/netblue30/firej | |||
174 | amd64, i386 and x32 system calls are blocked as well as chang‐ | 174 | amd64, i386 and x32 system calls are blocked as well as chang‐ |
175 | ing the execution domain with personality(2) system call. | 175 | ing the execution domain with personality(2) system call. |
176 | 176 | ||
177 | --profile.print=name|pid | ||
178 | Print the name of the profile file for the sandbox identified | ||
179 | by name or or PID. | ||
180 | |||
181 | Example: | ||
182 | $ firejail --profile.print=browser | ||
183 | /etc/firejail/firefox.profile | ||
184 | |||
185 | |||
177 | ````` | 186 | ````` |
178 | 187 | ||
179 | ## /etc/firejail/firejail.config | 188 | ## /etc/firejail/firejail.config |
@@ -6,6 +6,7 @@ firejail (0.9.50~rc1) baseline; urgency=low | |||
6 | * feature: private /lib directory (--private-lib) | 6 | * feature: private /lib directory (--private-lib) |
7 | * feature: disable CDROM/DVD drive (--nodvd) | 7 | * feature: disable CDROM/DVD drive (--nodvd) |
8 | * feature: disable DVB devices (--notv) | 8 | * feature: disable DVB devices (--notv) |
9 | * feature: --profile.print | ||
9 | * enhancement: print all seccomp filters under --debug | 10 | * enhancement: print all seccomp filters under --debug |
10 | * enhancement: /proc/sys mounting | 11 | * enhancement: /proc/sys mounting |
11 | * enhancement: rework IP address assingment for --net options | 12 | * enhancement: rework IP address assingment for --net options |
diff --git a/platform/rpm/old-mkrpm.sh b/platform/rpm/old-mkrpm.sh index 505171d1c..7d817c7e2 100755 --- a/platform/rpm/old-mkrpm.sh +++ b/platform/rpm/old-mkrpm.sh | |||
@@ -36,9 +36,9 @@ install -m 644 /usr/lib/firejail/libtracelog.so firejail-$VERSION/usr/lib/firej | |||
36 | install -m 644 /usr/lib/firejail/libtrace.so firejail-$VERSION/usr/lib/firejail/. | 36 | install -m 644 /usr/lib/firejail/libtrace.so firejail-$VERSION/usr/lib/firejail/. |
37 | install -m 644 /usr/lib/firejail/libpostexecseccomp.so firejail-$VERSION/usr/lib/firejail/. | 37 | install -m 644 /usr/lib/firejail/libpostexecseccomp.so firejail-$VERSION/usr/lib/firejail/. |
38 | install -m 644 /usr/lib/firejail/seccomp firejail-$VERSION/usr/lib/firejail/. | 38 | install -m 644 /usr/lib/firejail/seccomp firejail-$VERSION/usr/lib/firejail/. |
39 | install -m 644 /usr/lib/firejail/seccomp.amd64 firejail-$VERSION/usr/lib/firejail/. | 39 | install -m 644 /usr/lib/firejail/seccomp.64 firejail-$VERSION/usr/lib/firejail/. |
40 | install -m 644 /usr/lib/firejail/seccomp.debug firejail-$VERSION/usr/lib/firejail/. | 40 | install -m 644 /usr/lib/firejail/seccomp.debug firejail-$VERSION/usr/lib/firejail/. |
41 | install -m 644 /usr/lib/firejail/seccomp.i386 firejail-$VERSION/usr/lib/firejail/. | 41 | install -m 644 /usr/lib/firejail/seccomp.32 firejail-$VERSION/usr/lib/firejail/. |
42 | install -m 644 /usr/lib/firejail/seccomp.block_secondary firejail-$VERSION/usr/lib/firejail/. | 42 | install -m 644 /usr/lib/firejail/seccomp.block_secondary firejail-$VERSION/usr/lib/firejail/. |
43 | install -m 644 /usr/lib/firejail/seccomp.mdwx firejail-$VERSION/usr/lib/firejail/. | 43 | install -m 644 /usr/lib/firejail/seccomp.mdwx firejail-$VERSION/usr/lib/firejail/. |
44 | 44 | ||
@@ -492,9 +492,9 @@ rm -rf %{buildroot} | |||
492 | /usr/lib/firejail/fnet | 492 | /usr/lib/firejail/fnet |
493 | /usr/lib/firejail/fseccomp | 493 | /usr/lib/firejail/fseccomp |
494 | /usr/lib/firejail/seccomp | 494 | /usr/lib/firejail/seccomp |
495 | /usr/lib/firejail/seccomp.amd64 | 495 | /usr/lib/firejail/seccomp.64 |
496 | /usr/lib/firejail/seccomp.debug | 496 | /usr/lib/firejail/seccomp.debug |
497 | /usr/lib/firejail/seccomp.i386 | 497 | /usr/lib/firejail/seccomp.32 |
498 | /usr/lib/firejail/seccomp.block_secondary | 498 | /usr/lib/firejail/seccomp.block_secondary |
499 | /usr/lib/firejail/seccomp.mdwx | 499 | /usr/lib/firejail/seccomp.mdwx |
500 | 500 | ||
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 435b9527d..75450fe0f 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -34,6 +34,7 @@ | |||
34 | #define RUN_FIREJAIL_X11_DIR "/run/firejail/x11" | 34 | #define RUN_FIREJAIL_X11_DIR "/run/firejail/x11" |
35 | #define RUN_FIREJAIL_NETWORK_DIR "/run/firejail/network" | 35 | #define RUN_FIREJAIL_NETWORK_DIR "/run/firejail/network" |
36 | #define RUN_FIREJAIL_BANDWIDTH_DIR "/run/firejail/bandwidth" | 36 | #define RUN_FIREJAIL_BANDWIDTH_DIR "/run/firejail/bandwidth" |
37 | #define RUN_FIREJAIL_PROFILE_DIR "/run/firejail/profile" | ||
37 | #define RUN_NETWORK_LOCK_FILE "/run/firejail/firejail.lock" | 38 | #define RUN_NETWORK_LOCK_FILE "/run/firejail/firejail.lock" |
38 | #define RUN_RO_DIR "/run/firejail/firejail.ro.dir" | 39 | #define RUN_RO_DIR "/run/firejail/firejail.ro.dir" |
39 | #define RUN_RO_FILE "/run/firejail/firejail.ro.file" | 40 | #define RUN_RO_FILE "/run/firejail/firejail.ro.file" |
@@ -54,15 +55,15 @@ | |||
54 | 55 | ||
55 | #define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter | 56 | #define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter |
56 | #define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter | 57 | #define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter |
57 | #define RUN_SECCOMP_AMD64 "/run/firejail/mnt/seccomp.amd64" // amd64 filter installed on i386 architectures | 58 | #define RUN_SECCOMP_64 "/run/firejail/mnt/seccomp.64" // 64bit arch filter installed on 32bit architectures |
58 | #define RUN_SECCOMP_I386 "/run/firejail/mnt/seccomp.i386" // i386 filter installed on amd64 architectures | 59 | #define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp.32" // 32bit arch filter installed on 64bit architectures |
59 | #define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute | 60 | #define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute |
60 | #define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking filter | 61 | #define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking filter |
61 | #define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library | 62 | #define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library |
62 | #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make | 63 | #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make |
63 | #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make | 64 | #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make |
64 | #define PATH_SECCOMP_AMD64 (LIBDIR "/firejail/seccomp.amd64") // amd64 filter built during make | 65 | #define PATH_SECCOMP_64 (LIBDIR "/firejail/seccomp.64") // 64bit arch filter built during make |
65 | #define PATH_SECCOMP_I386 (LIBDIR "/firejail/seccomp.i386") // i386 filter built during make | 66 | #define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make |
66 | #define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make | 67 | #define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make |
67 | #define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make | 68 | #define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make |
68 | 69 | ||
@@ -410,6 +411,7 @@ void net_config_interface(const char *dev, uint32_t ip, uint32_t mask, int mtu); | |||
410 | // preproc.c | 411 | // preproc.c |
411 | void preproc_build_firejail_dir(void); | 412 | void preproc_build_firejail_dir(void); |
412 | void preproc_mount_mnt_dir(void); | 413 | void preproc_mount_mnt_dir(void); |
414 | void preproc_clean_run(void); | ||
413 | 415 | ||
414 | // fs.c | 416 | // fs.c |
415 | // blacklist files or directoies by mounting empty files on top of them | 417 | // blacklist files or directoies by mounting empty files on top of them |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 3f805a7e0..c317aa477 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -130,15 +130,22 @@ unsigned long long start_timestamp; | |||
130 | 130 | ||
131 | static void set_name_file(pid_t pid); | 131 | static void set_name_file(pid_t pid); |
132 | static void delete_name_file(pid_t pid); | 132 | static void delete_name_file(pid_t pid); |
133 | static void delete_profile_file(pid_t pid); | ||
133 | static void delete_x11_file(pid_t pid); | 134 | static void delete_x11_file(pid_t pid); |
134 | 135 | ||
135 | void clear_run_files(pid_t pid) { | 136 | void clear_run_files(pid_t pid) { |
136 | bandwidth_del_run_file(pid); // bandwidth file | 137 | bandwidth_del_run_file(pid); // bandwidth file |
137 | network_del_run_file(pid); // network map file | 138 | network_del_run_file(pid); // network map file |
138 | delete_name_file(pid); | 139 | delete_name_file(pid); |
140 | delete_profile_file(pid); | ||
139 | delete_x11_file(pid); | 141 | delete_x11_file(pid); |
140 | } | 142 | } |
141 | 143 | ||
144 | static void clear_atexit(void) { | ||
145 | EUID_ROOT(); | ||
146 | clear_run_files(getpid()); | ||
147 | } | ||
148 | |||
142 | static void myexit(int rv) { | 149 | static void myexit(int rv) { |
143 | logmsg("exiting..."); | 150 | logmsg("exiting..."); |
144 | if (!arg_command && !arg_quiet) | 151 | if (!arg_command && !arg_quiet) |
@@ -465,6 +472,26 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
465 | exit(0); | 472 | exit(0); |
466 | } | 473 | } |
467 | #endif | 474 | #endif |
475 | else if (strncmp(argv[i], "--profile.print=", 16) == 0) { | ||
476 | pid_t pid = read_pid(argv[i] + 16); | ||
477 | |||
478 | // print /run/firejail/profile/<PID> file | ||
479 | char *fname; | ||
480 | if (asprintf(&fname, RUN_FIREJAIL_PROFILE_DIR "/%d", pid) == -1) | ||
481 | errExit("asprintf"); | ||
482 | FILE *fp = fopen(fname, "r"); | ||
483 | if (!fp) { | ||
484 | fprintf(stderr, "Error: sandbox %s not found\n", argv[i] + 16); | ||
485 | exit(1); | ||
486 | } | ||
487 | #define MAXBUF 4096 | ||
488 | char buf[MAXBUF]; | ||
489 | if (fgets(buf, MAXBUF, fp)) | ||
490 | printf("%s", buf); | ||
491 | fclose(fp); | ||
492 | exit(0); | ||
493 | |||
494 | } | ||
468 | else if (strncmp(argv[i], "--cpu.print=", 12) == 0) { | 495 | else if (strncmp(argv[i], "--cpu.print=", 12) == 0) { |
469 | // join sandbox by pid or by name | 496 | // join sandbox by pid or by name |
470 | pid_t pid = read_pid(argv[i] + 12); | 497 | pid_t pid = read_pid(argv[i] + 12); |
@@ -738,6 +765,15 @@ static void delete_name_file(pid_t pid) { | |||
738 | free(fname); | 765 | free(fname); |
739 | } | 766 | } |
740 | 767 | ||
768 | static void delete_profile_file(pid_t pid) { | ||
769 | char *fname; | ||
770 | if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_PROFILE_DIR, pid) == -1) | ||
771 | errExit("asprintf"); | ||
772 | int rv = unlink(fname); | ||
773 | (void) rv; | ||
774 | free(fname); | ||
775 | } | ||
776 | |||
741 | void set_x11_file(pid_t pid, int display) { | 777 | void set_x11_file(pid_t pid, int display) { |
742 | char *fname; | 778 | char *fname; |
743 | if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1) | 779 | if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1) |
@@ -825,12 +861,14 @@ int main(int argc, char **argv) { | |||
825 | char *custom_profile_dir = NULL; // custom profile directory | 861 | char *custom_profile_dir = NULL; // custom profile directory |
826 | 862 | ||
827 | 863 | ||
864 | atexit(clear_atexit); | ||
865 | |||
828 | // get starting timestamp | 866 | // get starting timestamp |
829 | start_timestamp = getticks(); | 867 | start_timestamp = getticks(); |
830 | 868 | ||
831 | |||
832 | // build /run/firejail directory structure | 869 | // build /run/firejail directory structure |
833 | preproc_build_firejail_dir(); | 870 | preproc_build_firejail_dir(); |
871 | preproc_clean_run(); | ||
834 | 872 | ||
835 | if (check_arg(argc, argv, "--quiet")) | 873 | if (check_arg(argc, argv, "--quiet")) |
836 | arg_quiet = 1; | 874 | arg_quiet = 1; |
@@ -2554,14 +2592,10 @@ int main(int argc, char **argv) { | |||
2554 | close(lockfd); | 2592 | close(lockfd); |
2555 | } | 2593 | } |
2556 | 2594 | ||
2557 | // create name file under /run/firejail | ||
2558 | |||
2559 | |||
2560 | // handle CTRL-C in parent | 2595 | // handle CTRL-C in parent |
2561 | signal (SIGINT, my_handler); | 2596 | signal (SIGINT, my_handler); |
2562 | signal (SIGTERM, my_handler); | 2597 | signal (SIGTERM, my_handler); |
2563 | 2598 | ||
2564 | |||
2565 | // wait for the child to finish | 2599 | // wait for the child to finish |
2566 | EUID_USER(); | 2600 | EUID_USER(); |
2567 | int status = 0; | 2601 | int status = 0; |
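Review bot: `atexit(clear_atexit)` is registered at the top of `main()` (new line 864), before the fork and before the command-path dispatch, so the handler also runs in the sandbox child and in every short-lived path such as `--profile.print`, `--list` or `--version`, each of which then performs an `EUID_ROOT()` plus four unlink attempts keyed by its own pid on exit. If the run files are keyed by the parent's pid, as `profile_read()` writing `getpid()` suggests, the child's call is a no-op, but it is still privileged work on every exit path; a `static int run_files_owned;` set in the parent once the name and profile files exist, checked as `if (run_files_owned) clear_run_files(getpid());`, keeps the handler to the process that created the files. In the `--profile.print=` branch, `#define MAXBUF 4096` inside the function body defines the macro for the rest of the translation unit; a plain `char buf[4096];` or a file-scope constant avoids a silent clash with a later definition. `main()` and `run_cmd_and_exit()` both begin and end outside this section.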
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c index bf1ef0469..42502008e 100644 --- a/src/firejail/preproc.c +++ b/src/firejail/preproc.c | |||
@@ -20,6 +20,8 @@ | |||
20 | #include "firejail.h" | 20 | #include "firejail.h" |
21 | #include <sys/mount.h> | 21 | #include <sys/mount.h> |
22 | #include <sys/stat.h> | 22 | #include <sys/stat.h> |
23 | #include <sys/types.h> | ||
24 | #include <dirent.h> | ||
23 | 25 | ||
24 | static int tmpfs_mounted = 0; | 26 | static int tmpfs_mounted = 0; |
25 | 27 | ||
@@ -48,6 +50,10 @@ void preproc_build_firejail_dir(void) { | |||
48 | create_empty_dir_as_root(RUN_FIREJAIL_NAME_DIR, 0755); | 50 | create_empty_dir_as_root(RUN_FIREJAIL_NAME_DIR, 0755); |
49 | } | 51 | } |
50 | 52 | ||
53 | if (stat(RUN_FIREJAIL_PROFILE_DIR, &s)) { | ||
54 | create_empty_dir_as_root(RUN_FIREJAIL_PROFILE_DIR, 0755); | ||
55 | } | ||
56 | |||
51 | if (stat(RUN_FIREJAIL_X11_DIR, &s)) { | 57 | if (stat(RUN_FIREJAIL_X11_DIR, &s)) { |
52 | create_empty_dir_as_root(RUN_FIREJAIL_X11_DIR, 0755); | 58 | create_empty_dir_as_root(RUN_FIREJAIL_X11_DIR, 0755); |
53 | } | 59 | } |
@@ -79,8 +85,8 @@ void preproc_mount_mnt_dir(void) { | |||
79 | copy_file(PATH_SECCOMP_BLOCK_SECONDARY, RUN_SECCOMP_BLOCK_SECONDARY, getuid(), getgid(), 0644); // root needed | 85 | copy_file(PATH_SECCOMP_BLOCK_SECONDARY, RUN_SECCOMP_BLOCK_SECONDARY, getuid(), getgid(), 0644); // root needed |
80 | else { | 86 | else { |
81 | //copy default seccomp files | 87 | //copy default seccomp files |
82 | copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644); // root needed | 88 | copy_file(PATH_SECCOMP_32, RUN_SECCOMP_32, getuid(), getgid(), 0644); // root needed |
83 | copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644); // root needed | 89 | copy_file(PATH_SECCOMP_64, RUN_SECCOMP_64, getuid(), getgid(), 0644); // root needed |
84 | } | 90 | } |
85 | if (arg_allow_debuggers) | 91 | if (arg_allow_debuggers) |
86 | copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed | 92 | copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed |
@@ -98,3 +104,77 @@ void preproc_mount_mnt_dir(void) { | |||
98 | errExit("set_perms"); | 104 | errExit("set_perms"); |
99 | } | 105 | } |
100 | } | 106 | } |
107 | |||
108 | // clean run directory | ||
109 | void preproc_clean_run(void) { | ||
110 | int max_pids=32769; | ||
111 | int start_pid = 100; | ||
112 | // extract real max_pids | ||
113 | FILE *fp = fopen("/proc/sys/kernel/pid_max", "r"); | ||
114 | if (fp) { | ||
115 | int val; | ||
116 | if (fscanf(fp, "%d", &val) == 1) { | ||
117 | if (val >= max_pids) | ||
118 | max_pids = val + 1; | ||
119 | } | ||
120 | fclose(fp); | ||
121 | } | ||
122 | int *pidarr = malloc(max_pids * sizeof(int)); | ||
123 | if (!pidarr) | ||
124 | errExit("malloc"); | ||
125 | |||
126 | memset(pidarr, 0, max_pids * sizeof(int)); | ||
127 | |||
128 | // open /proc directory | ||
129 | DIR *dir; | ||
130 | if (!(dir = opendir("/proc"))) { | ||
131 | // sleep 2 seconds and try again | ||
132 | sleep(2); | ||
133 | if (!(dir = opendir("/proc"))) { | ||
134 | fprintf(stderr, "Error: cannot open /proc directory\n"); | ||
135 | exit(1); | ||
136 | } | ||
137 | } | ||
138 | |||
139 | // read /proc and populate pidarr with all active processes | ||
140 | struct dirent *entry; | ||
141 | char *end; | ||
142 | while ((entry = readdir(dir)) != NULL) { | ||
143 | pid_t pid = strtol(entry->d_name, &end, 10); | ||
144 | pid %= max_pids; | ||
145 | if (end == entry->d_name || *end) | ||
146 | continue; | ||
147 | |||
148 | if (pid < start_pid) | ||
149 | continue; | ||
150 | pidarr[pid] = 1; | ||
151 | } | ||
152 | closedir(dir); | ||
153 | |||
154 | // open /run/firejail/profile directory | ||
155 | if (!(dir = opendir(RUN_FIREJAIL_PROFILE_DIR))) { | ||
156 | // sleep 2 seconds and try again | ||
157 | sleep(2); | ||
158 | if (!(dir = opendir(RUN_FIREJAIL_PROFILE_DIR))) { | ||
159 | fprintf(stderr, "Error: cannot open %s directory\n", RUN_FIREJAIL_PROFILE_DIR); | ||
160 | exit(1); | ||
161 | } | ||
162 | } | ||
163 | |||
164 | // read /run/firejail/profile directory and clean leftover files | ||
165 | while ((entry = readdir(dir)) != NULL) { | ||
166 | pid_t pid = strtol(entry->d_name, &end, 10); | ||
167 | pid %= max_pids; | ||
168 | if (end == entry->d_name || *end) | ||
169 | continue; | ||
170 | |||
171 | if (pid < start_pid) | ||
172 | continue; | ||
173 | if (pidarr[pid] == 0) | ||
174 | clear_run_files(pid); | ||
175 | } | ||
176 | closedir(dir); | ||
177 | |||
178 | free(pidarr); | ||
179 | } | ||
180 | |||
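Review bot: `preproc_clean_run()` decides that a profile entry is stale by comparing it against a snapshot of `/proc` taken earlier in the same function, so a sandbox that starts between the two `readdir()` loops (the window includes the optional `sleep(2)` retry) has its pid absent from `pidarr` and loses all of its run files to `clear_run_files(pid)` at new line 174; since this runs at the start of every `firejail` invocation, two sandboxes launched concurrently can race each other. Re-checking liveness immediately before deleting closes most of the window: `char p[32]; snprintf(p, sizeof(p), "/proc/%d", pid); if (access(p, F_OK) == 0) continue;`. Folding with `pid %= max_pids` before the `end` check keeps the array index in range but silently aliases pids when `/proc/sys/kernel/pid_max` could not be read and is larger than 32768; dropping the modulo and rejecting out-of-range values with `if (pid < start_pid || pid >= max_pids) continue;` says what is meant. It also looks like `clear_run_files()` is called here without the `EUID_ROOT()` that `clear_atexit()` in main.c uses around the same call — worth confirming the unlinks succeed when firejail is started by an unprivileged user.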
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index fc390c83a..e61f59f46 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -1193,6 +1193,29 @@ void profile_read(const char *fname) { | |||
1193 | exit(1); | 1193 | exit(1); |
1194 | } | 1194 | } |
1195 | 1195 | ||
1196 | // save the name of the file for --profile.print option | ||
1197 | if (include_level == 0) { | ||
1198 | char *runfile; | ||
1199 | if (asprintf(&runfile, "%s/%d", RUN_FIREJAIL_PROFILE_DIR, getpid()) == -1) | ||
1200 | errExit("asprintf"); | ||
1201 | |||
1202 | EUID_ROOT(); | ||
1203 | // the file is deleted first | ||
1204 | FILE *fp = fopen(runfile, "w"); | ||
1205 | if (!fp) { | ||
1206 | fprintf(stderr, "Error: cannot create %s\n", runfile); | ||
1207 | exit(1); | ||
1208 | } | ||
1209 | fprintf(fp, "%s\n", fname); | ||
1210 | |||
1211 | // mode and ownership | ||
1212 | SET_PERMS_STREAM(fp, 0, 0, 0644); | ||
1213 | fclose(fp); | ||
1214 | EUID_USER(); | ||
1215 | free(runfile); | ||
1216 | } | ||
1217 | |||
1218 | |||
1196 | int msg_printed = 0; | 1219 | int msg_printed = 0; |
1197 | 1220 | ||
1198 | // read the file line by line | 1221 | // read the file line by line |
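Review bot: The comment `// the file is deleted first` at new line 1203 does not match the code: `fopen(runfile, "w")` truncates an existing `/run/firejail/profile/<pid>` in place rather than unlinking it, so `// "w" truncates any leftover entry from an earlier process with this pid` describes what actually happens. The value written is `fname` exactly as the caller passed it, so a relative `--profile=foo.profile` is recorded relative to the launching cwd and `--profile.print` will later print a path that means nothing from another directory; resolving it with `realpath()` first (falling back to `fname` when that fails) would make the recorded name usable. Also worth a line in the man page: the entry is written with mode 0644 in a 0755 directory, so any local user can read which profile file another user's sandbox was started from. `profile_read()` begins and ends outside this section.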
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 7b45e2574..e75863c3a 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
@@ -137,22 +137,22 @@ errexit: | |||
137 | exit(1); | 137 | exit(1); |
138 | } | 138 | } |
139 | 139 | ||
140 | // i386 filter installed on amd64 architectures | 140 | // 32 bit arch filter installed on 64 bit architectures |
141 | #if defined(__x86_64__) | 141 | #if defined(__LP64__) |
142 | static void seccomp_filter_32(void) { | 142 | static void seccomp_filter_32(void) { |
143 | if (seccomp_load(RUN_SECCOMP_I386) == 0) { | 143 | if (seccomp_load(RUN_SECCOMP_32) == 0) { |
144 | if (arg_debug) | 144 | if (arg_debug) |
145 | printf("Dual i386/amd64 seccomp filter configured\n"); | 145 | printf("Dual 32/64 bit seccomp filter configured\n"); |
146 | } | 146 | } |
147 | } | 147 | } |
148 | #endif | 148 | #endif |
149 | 149 | ||
150 | // amd64 filter installed on i386 architectures | 150 | // 64 bit arch filter installed on 32 bit architectures |
151 | #if defined(__i386__) | 151 | #if defined(__ILP32__) |
152 | static void seccomp_filter_64(void) { | 152 | static void seccomp_filter_64(void) { |
153 | if (seccomp_load(RUN_SECCOMP_AMD64) == 0) { | 153 | if (seccomp_load(RUN_SECCOMP_64) == 0) { |
154 | if (arg_debug) | 154 | if (arg_debug) |
155 | printf("Dual i386/amd64 seccomp filter configured\n"); | 155 | printf("Dual 32/64 bit seccomp filter configured\n"); |
156 | } | 156 | } |
157 | } | 157 | } |
158 | #endif | 158 | #endif |
@@ -177,10 +177,10 @@ int seccomp_filter_drop(void) { | |||
177 | if (arg_seccomp_block_secondary) | 177 | if (arg_seccomp_block_secondary) |
178 | seccomp_filter_block_secondary(); | 178 | seccomp_filter_block_secondary(); |
179 | else { | 179 | else { |
180 | #if defined(__x86_64__) | 180 | #if defined(__LP64__) |
181 | seccomp_filter_32(); | 181 | seccomp_filter_32(); |
182 | #endif | 182 | #endif |
183 | #if defined(__i386__) | 183 | #if defined(__ILP32__) |
184 | seccomp_filter_64(); | 184 | seccomp_filter_64(); |
185 | #endif | 185 | #endif |
186 | } | 186 | } |
@@ -190,10 +190,10 @@ int seccomp_filter_drop(void) { | |||
190 | if (arg_seccomp_block_secondary) | 190 | if (arg_seccomp_block_secondary) |
191 | seccomp_filter_block_secondary(); | 191 | seccomp_filter_block_secondary(); |
192 | else { | 192 | else { |
193 | #if defined(__x86_64__) | 193 | #if defined(__LP64__) |
194 | seccomp_filter_32(); | 194 | seccomp_filter_32(); |
195 | #endif | 195 | #endif |
196 | #if defined(__i386__) | 196 | #if defined(__ILP32__) |
197 | seccomp_filter_64(); | 197 | seccomp_filter_64(); |
198 | #endif | 198 | #endif |
199 | } | 199 | } |
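Review bot: Switching the guards from `__x86_64__`/`__i386__` to `__LP64__`/`__ILP32__` makes the secondary filters compile on every 64-bit and 32-bit target, but `__ILP32__` is also what GCC defines for the x32 ABI (x86_64 with 32-bit pointers), where `__LP64__` is not set; on such a build `seccomp_filter_64()` would be compiled and load `seccomp.64`, whose architecture check resolves through seccomp.h to the native `AUDIT_ARCH_X86_64`, so if x32 is a supported target this wants `#if defined(__ILP32__) && !defined(__x86_64__)` — worth confirming against how `ARCH_64` resolves there. The same six-line `#if`/`#endif` pair now appears twice in `seccomp_filter_drop()` (new lines 180-185 and 193-198); a small `static void seccomp_filter_secondary(void)` wrapping the two conditional calls would keep the next platform tweak to one place. The `seccomp_load()` failure case stays silent; under `arg_debug` a message such as `printf("Secondary arch seccomp filter not loaded\n");` would help when a 32-bit filter is missing from the install. `seccomp_filter_drop()` begins and ends outside this section.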
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 10e6ab687..fc7dbd69c 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -159,6 +159,7 @@ void usage(void) { | |||
159 | printf(" --private-tmp - mount a tmpfs on top of /tmp directory.\n"); | 159 | printf(" --private-tmp - mount a tmpfs on top of /tmp directory.\n"); |
160 | printf(" --private-opt=file,directory - build a new /opt in a temporary filesystem.\n"); | 160 | printf(" --private-opt=file,directory - build a new /opt in a temporary filesystem.\n"); |
161 | printf(" --profile=filename - use a custom profile.\n"); | 161 | printf(" --profile=filename - use a custom profile.\n"); |
162 | printf(" --profile.print=name|pid - print the name of profile file.\n"); | ||
162 | printf(" --profile-path=directory - use this directory to look for profile files.\n"); | 163 | printf(" --profile-path=directory - use this directory to look for profile files.\n"); |
163 | printf(" --protocol=protocol,protocol,protocol - enable protocol filter.\n"); | 164 | printf(" --protocol=protocol,protocol,protocol - enable protocol filter.\n"); |
164 | printf(" --protocol.print=name|pid - print the protocol filter.\n"); | 165 | printf(" --protocol.print=name|pid - print the protocol filter.\n"); |
diff --git a/src/fseccomp/seccomp_print.c b/src/fseccomp/seccomp_print.c index 3793e125d..e8df2bda5 100644 --- a/src/fseccomp/seccomp_print.c +++ b/src/fseccomp/seccomp_print.c | |||
@@ -90,7 +90,7 @@ static int detect_filter_type(void) { | |||
90 | } | 90 | } |
91 | 91 | ||
92 | 92 | ||
93 | // testing for secondare amd64 filter | 93 | // testing for secondary 64 bit filter |
94 | const struct sock_filter start_secondary_64[] = { | 94 | const struct sock_filter start_secondary_64[] = { |
95 | VALIDATE_ARCHITECTURE_64, | 95 | VALIDATE_ARCHITECTURE_64, |
96 | EXAMINE_SYSCALL, | 96 | EXAMINE_SYSCALL, |
@@ -102,7 +102,7 @@ static int detect_filter_type(void) { | |||
102 | return sizeof(start_secondary_64) / sizeof(struct sock_filter); | 102 | return sizeof(start_secondary_64) / sizeof(struct sock_filter); |
103 | } | 103 | } |
104 | 104 | ||
105 | // testing for secondare i386 filter | 105 | // testing for secondary 32 bit filter |
106 | const struct sock_filter start_secondary_32[] = { | 106 | const struct sock_filter start_secondary_32[] = { |
107 | VALIDATE_ARCHITECTURE_32, | 107 | VALIDATE_ARCHITECTURE_32, |
108 | EXAMINE_SYSCALL, | 108 | EXAMINE_SYSCALL, |
diff --git a/src/fseccomp/seccomp_secondary.c b/src/fseccomp/seccomp_secondary.c index dd69b58cc..da6a693e6 100644 --- a/src/fseccomp/seccomp_secondary.c +++ b/src/fseccomp/seccomp_secondary.c | |||
@@ -108,7 +108,7 @@ void seccomp_secondary_64(const char *fname) { | |||
108 | write_filter(fname, sizeof(filter), filter); | 108 | write_filter(fname, sizeof(filter), filter); |
109 | } | 109 | } |
110 | 110 | ||
111 | // i386 filter installed on amd64 architectures | 111 | // 32 bit arch filter installed on 64 bit architectures |
112 | void seccomp_secondary_32(const char *fname) { | 112 | void seccomp_secondary_32(const char *fname) { |
113 | // hardcoded syscall values | 113 | // hardcoded syscall values |
114 | struct sock_filter filter[] = { | 114 | struct sock_filter filter[] = { |
diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c index d5b40cf8e..abdedb957 100644 --- a/src/fseccomp/syscall.c +++ b/src/fseccomp/syscall.c | |||
@@ -83,6 +83,9 @@ static const SyscallGroupList sysgroups[] = { | |||
83 | #ifdef SYS_vm86old | 83 | #ifdef SYS_vm86old |
84 | "vm86old" | 84 | "vm86old" |
85 | #endif | 85 | #endif |
86 | #if !defined(SYS_modify_ldt) && !defined(SYS_subpage_prot) && !defined(SYS_switch_endian) && !defined(SYS_vm86) && !defined(SYS_vm86old) | ||
87 | "__dummy_syscall__" // workaround for arm64, s390x and sparc64 which don't have any of above defined and empty syscall lists are not allowed | ||
88 | #endif | ||
86 | }, | 89 | }, |
87 | { .name = "@debug", .list = | 90 | { .name = "@debug", .list = |
88 | #ifdef SYS_lookup_dcookie | 91 | #ifdef SYS_lookup_dcookie |
@@ -103,9 +106,6 @@ static const SyscallGroupList sysgroups[] = { | |||
103 | #ifdef SYS_sys_debug_setcontext | 106 | #ifdef SYS_sys_debug_setcontext |
104 | "sys_debug_setcontext," | 107 | "sys_debug_setcontext," |
105 | #endif | 108 | #endif |
106 | #if !defined(SYS_lookup_dcookie) && !defined(SYS_perf_event_open) && !defined(SYS_process_vm_writev) && !defined(SYS_rtas) && !defined(SYS_s390_runtime_instr) && !defined(SYS_sys_debug_setcontext) | ||
107 | "__dummy_syscall__" // workaround for arm64, s390x and sparc64 which don't have any of above defined and empty syscall lists are not allowed | ||
108 | #endif | ||
109 | }, | 109 | }, |
110 | { .name = "@default", .list = | 110 | { .name = "@default", .list = |
111 | "@cpu-emulation," | 111 | "@cpu-emulation," |
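Review bot: The new `#if !defined(...)` guard on `@cpu-emulation` (new line 86) has to list exactly the syscalls guarded by the `#ifdef`s above it, and nothing ties the two together; a one-line `// keep in sync with the #ifdef list above: the dummy is needed only when every entry is absent` next to it would save the next editor from producing an empty list (rejected, per the existing comment) or a spurious dummy entry. The matching guard was dropped from `@debug`, which is only safe if at least one of its members exists on every supported architecture — presumably `perf_event_open` and `process_vm_writev`, which are universal — but that reasoning belongs in a comment where the guard used to be. `sysgroups[]` begins and ends outside this section.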
diff --git a/src/include/seccomp.h b/src/include/seccomp.h index 2f2b2384d..133b6ce72 100644 --- a/src/include/seccomp.h +++ b/src/include/seccomp.h | |||
@@ -91,10 +91,64 @@ struct seccomp_data { | |||
91 | 91 | ||
92 | #if defined(__i386__) | 92 | #if defined(__i386__) |
93 | # define ARCH_NR AUDIT_ARCH_I386 | 93 | # define ARCH_NR AUDIT_ARCH_I386 |
94 | # define ARCH_32 AUDIT_ARCH_I386 | ||
95 | # define ARCH_64 AUDIT_ARCH_X86_64 | ||
94 | #elif defined(__x86_64__) | 96 | #elif defined(__x86_64__) |
95 | # define ARCH_NR AUDIT_ARCH_X86_64 | 97 | # define ARCH_NR AUDIT_ARCH_X86_64 |
98 | # define ARCH_32 AUDIT_ARCH_I386 | ||
99 | # define ARCH_64 AUDIT_ARCH_X86_64 | ||
100 | #elif defined(__aarch64__) | ||
101 | # define ARCH_NR AUDIT_ARCH_AARCH64 | ||
102 | # define ARCH_32 AUDIT_ARCH_ARM | ||
103 | # define ARCH_64 AUDIT_ARCH_AARCH64 | ||
96 | #elif defined(__arm__) | 104 | #elif defined(__arm__) |
97 | # define ARCH_NR AUDIT_ARCH_ARM | 105 | # define ARCH_NR AUDIT_ARCH_ARM |
106 | # define ARCH_32 AUDIT_ARCH_ARM | ||
107 | # define ARCH_64 AUDIT_ARCH_AARCH64 | ||
108 | #elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI32 | ||
109 | # define ARCH_NR AUDIT_ARCH_MIPS | ||
110 | # define ARCH_32 AUDIT_ARCH_MIPS | ||
111 | # define ARCH_64 AUDIT_ARCH_MIPS64 | ||
112 | #elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI32 | ||
113 | # define ARCH_NR AUDIT_ARCH_MIPSEL | ||
114 | # define ARCH_32 AUDIT_ARCH_MIPSEL | ||
115 | # define ARCH_64 AUDIT_ARCH_MIPSEL64 | ||
116 | #elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI64 | ||
117 | # define ARCH_NR AUDIT_ARCH_MIPS64 | ||
118 | # define ARCH_32 AUDIT_ARCH_MIPS | ||
119 | # define ARCH_64 AUDIT_ARCH_MIPS64 | ||
120 | #elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI64 | ||
121 | # define ARCH_NR AUDIT_ARCH_MIPSEL64 | ||
122 | # define ARCH_32 AUDIT_ARCH_MIPSEL | ||
123 | # define ARCH_64 AUDIT_ARCH_MIPSEL64 | ||
124 | #elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_NABI32 | ||
125 | # define ARCH_NR AUDIT_ARCH_MIPS64N32 | ||
126 | # define ARCH_32 AUDIT_ARCH_MIPS64N32 | ||
127 | # define ARCH_64 AUDIT_ARCH_MIPS64 | ||
128 | #elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_NABI32 | ||
129 | # define ARCH_NR AUDIT_ARCH_MIPSEL64N32 | ||
130 | # define ARCH_32 AUDIT_ARCH_MIPSEL64N32 | ||
131 | # define ARCH_64 AUDIT_ARCH_MIPSEL64 | ||
132 | #elif defined(__powerpc64__) && __BYTE_ORDER == __BIG_ENDIAN | ||
133 | # define ARCH_NR AUDIT_ARCH_PPC64 | ||
134 | # define ARCH_32 AUDIT_ARCH_PPC | ||
135 | # define ARCH_64 AUDIT_ARCH_PPC64 | ||
136 | #elif defined(__powerpc64__) && __BYTE_ORDER == __LITTLE_ENDIAN | ||
137 | # define ARCH_NR AUDIT_ARCH_PPC64LE | ||
138 | # define ARCH_32 AUDIT_ARCH_PPC | ||
139 | # define ARCH_64 AUDIT_ARCH_PPC64LE | ||
140 | #elif defined(__powerpc__) | ||
141 | # define ARCH_NR AUDIT_ARCH_PPC | ||
142 | # define ARCH_32 AUDIT_ARCH_PPC | ||
143 | # define ARCH_64 AUDIT_ARCH_PPC64LE | ||
144 | #elif defined(__s390x__) | ||
145 | # define ARCH_NR AUDIT_ARCH_S390X | ||
146 | # define ARCH_32 AUDIT_ARCH_S390 | ||
147 | # define ARCH_64 AUDIT_ARCH_S390X | ||
148 | #elif defined(__s390__) | ||
149 | # define ARCH_NR AUDIT_ARCH_S390 | ||
150 | # define ARCH_32 AUDIT_ARCH_S390 | ||
151 | # define ARCH_64 AUDIT_ARCH_S390X | ||
98 | #else | 152 | #else |
99 | # warning "Platform does not support seccomp filter yet" | 153 | # warning "Platform does not support seccomp filter yet" |
100 | # define ARCH_NR 0 | 154 | # define ARCH_NR 0 |
@@ -112,12 +166,12 @@ struct seccomp_data { | |||
112 | 166 | ||
113 | #define VALIDATE_ARCHITECTURE_64 \ | 167 | #define VALIDATE_ARCHITECTURE_64 \ |
114 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ | 168 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ |
115 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_X86_64, 1, 0), \ | 169 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_64, 1, 0), \ |
116 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) | 170 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) |
117 | 171 | ||
118 | #define VALIDATE_ARCHITECTURE_32 \ | 172 | #define VALIDATE_ARCHITECTURE_32 \ |
119 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ | 173 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ |
120 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_I386, 1, 0), \ | 174 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_32, 1, 0), \ |
121 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) | 175 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) |
122 | 176 | ||
123 | #if defined(__x86_64__) | 177 | #if defined(__x86_64__) |
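Review bot: In the plain `__powerpc__` (32-bit) branch `ARCH_64` is set to AUDIT_ARCH_PPC64LE (line 143), yet a 32-bit PowerPC userland is big-endian and runs on a big-endian ppc64 kernel whose 64-bit ABI reports AUDIT_ARCH_PPC64, so the comparison in `VALIDATE_ARCHITECTURE_64` (line 169) can never match on such a system and every syscall of that ABI falls through to the `SECCOMP_RET_ALLOW` on line 170 in any filter built on the macro. The fix is `# define ARCH_64 AUDIT_ARCH_PPC64` in that branch, mirroring the pairing the big-endian `__powerpc64__` case already uses on lines 132-135. Separately, the `#else` fallback at line 152 still defines only `ARCH_NR 0`, but `VALIDATE_ARCHITECTURE_64`/`_32` now expand to `ARCH_64`/`ARCH_32`, so an unsupported platform that previously compiled against the hard-coded x86 constants now fails at every use of those macros unless something after line 154 defines them; adding `# define ARCH_32 0` and `# define ARCH_64 0` next to `ARCH_NR 0` preserves the old build behaviour. Whether the native filter keyed on ARCH_NR also covers the mismatched-ABI case is decided outside this hunk.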
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 9ae5d6782..a70f662fd 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1424,6 +1424,19 @@ Example: | |||
1424 | $ firejail \-\-profile=myprofile | 1424 | $ firejail \-\-profile=myprofile |
1425 | 1425 | ||
1426 | .TP | 1426 | .TP |
1427 | \fB\-\-profile.print=name|pid | ||
1428 | Print the name of the profile file for the sandbox identified by name or or PID. | ||
1429 | .br | ||
1430 | |||
1431 | .br | ||
1432 | Example: | ||
1433 | .br | ||
1434 | $ firejail \-\-profile.print=browser | ||
1435 | .br | ||
1436 | /etc/firejail/firefox.profile | ||
1437 | .br | ||
1438 | |||
1439 | .TP | ||
1427 | \fB\-\-profile-path=directory | 1440 | \fB\-\-profile-path=directory |
1428 | Use this directory to look for profile files. Use an absolute path or a path in the home directory starting with ~/. | 1441 | Use this directory to look for profile files. Use an absolute path or a path in the home directory starting with ~/. |
1429 | For more information, see \fBSECURITY PROFILES\fR section below and \fBRELOCATING PROFILE FILES\fR in | 1442 | For more information, see \fBSECURITY PROFILES\fR section below and \fBRELOCATING PROFILE FILES\fR in |
diff --git a/test/filters/seccomp-debug-32.exp b/test/filters/seccomp-debug-32.exp index 6983758c3..098b309f5 100755 --- a/test/filters/seccomp-debug-32.exp +++ b/test/filters/seccomp-debug-32.exp | |||
@@ -43,7 +43,7 @@ expect { | |||
43 | } | 43 | } |
44 | expect { | 44 | expect { |
45 | timeout {puts "TESTING ERROR 7\n";exit} | 45 | timeout {puts "TESTING ERROR 7\n";exit} |
46 | "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" | 46 | "Installing /run/firejail/mnt/seccomp.64 seccomp filter" |
47 | } | 47 | } |
48 | expect { | 48 | expect { |
49 | timeout {puts "TESTING ERROR 9\n";exit} | 49 | timeout {puts "TESTING ERROR 9\n";exit} |
@@ -56,13 +56,13 @@ send -- "firejail --debug --ignore=seccomp sleep 1; echo done\r" | |||
56 | expect { | 56 | expect { |
57 | timeout {puts "TESTING ERROR 10\n";exit} | 57 | timeout {puts "TESTING ERROR 10\n";exit} |
58 | "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit} | 58 | "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit} |
59 | "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 12\n";exit} | 59 | "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 12\n";exit} |
60 | "Child process initialized" | 60 | "Child process initialized" |
61 | } | 61 | } |
62 | expect { | 62 | expect { |
63 | timeout {puts "TESTING ERROR 13\n";exit} | 63 | timeout {puts "TESTING ERROR 13\n";exit} |
64 | "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 14\n";exit} | 64 | "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 14\n";exit} |
65 | "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 15\n";exit} | 65 | "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 15\n";exit} |
66 | "done" | 66 | "done" |
67 | } | 67 | } |
68 | after 100 | 68 | after 100 |
@@ -82,7 +82,7 @@ expect { | |||
82 | expect { | 82 | expect { |
83 | timeout {puts "TESTING ERROR 21\n";exit} | 83 | timeout {puts "TESTING ERROR 21\n";exit} |
84 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 22\n";exit} | 84 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 22\n";exit} |
85 | "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" | 85 | "Installing /run/firejail/mnt/seccomp.64 seccomp filter" |
86 | } | 86 | } |
87 | expect { | 87 | expect { |
88 | timeout {puts "TESTING ERROR 23\n";exit} | 88 | timeout {puts "TESTING ERROR 23\n";exit} |
@@ -110,12 +110,12 @@ expect { | |||
110 | send -- "firejail --debug --seccomp.block-secondary sleep 1; echo done\r" | 110 | send -- "firejail --debug --seccomp.block-secondary sleep 1; echo done\r" |
111 | expect { | 111 | expect { |
112 | timeout {puts "TESTING ERROR 27\n";exit} | 112 | timeout {puts "TESTING ERROR 27\n";exit} |
113 | "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 28\n";exit} | 113 | "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 28\n";exit} |
114 | "Child process initialized" | 114 | "Child process initialized" |
115 | } | 115 | } |
116 | expect { | 116 | expect { |
117 | timeout {puts "TESTING ERROR 29\n";exit} | 117 | timeout {puts "TESTING ERROR 29\n";exit} |
118 | "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 30\n";exit} | 118 | "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 30\n";exit} |
119 | "Installing /run/firejail/mnt/seccomp seccomp filter" | 119 | "Installing /run/firejail/mnt/seccomp seccomp filter" |
120 | } | 120 | } |
121 | expect { | 121 | expect { |
@@ -128,12 +128,12 @@ after 100 | |||
128 | send -- "firejail --debug --profile=block-secondary.profile sleep 1; echo done\r" | 128 | send -- "firejail --debug --profile=block-secondary.profile sleep 1; echo done\r" |
129 | expect { | 129 | expect { |
130 | timeout {puts "TESTING ERROR 33\n";exit} | 130 | timeout {puts "TESTING ERROR 33\n";exit} |
131 | "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 34\n";exit} | 131 | "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 34\n";exit} |
132 | "Child process initialized" | 132 | "Child process initialized" |
133 | } | 133 | } |
134 | expect { | 134 | expect { |
135 | timeout {puts "TESTING ERROR 35\n";exit} | 135 | timeout {puts "TESTING ERROR 35\n";exit} |
136 | "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 35\n";exit} | 136 | "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 35\n";exit} |
137 | "Installing /run/firejail/mnt/seccomp seccomp filter" | 137 | "Installing /run/firejail/mnt/seccomp seccomp filter" |
138 | } | 138 | } |
139 | expect { | 139 | expect { |
diff --git a/test/filters/seccomp-debug.exp b/test/filters/seccomp-debug.exp index 7a4a13991..4986a6bf6 100755 --- a/test/filters/seccomp-debug.exp +++ b/test/filters/seccomp-debug.exp | |||
@@ -31,7 +31,7 @@ expect { | |||
31 | after 100 | 31 | after 100 |
32 | 32 | ||
33 | 33 | ||
34 | # amd64 architecture | 34 | # 64 bit architecture |
35 | send -- "firejail --debug sleep 1; echo done\r" | 35 | send -- "firejail --debug sleep 1; echo done\r" |
36 | expect { | 36 | expect { |
37 | timeout {puts "TESTING ERROR 5\n";exit} | 37 | timeout {puts "TESTING ERROR 5\n";exit} |
@@ -43,7 +43,7 @@ expect { | |||
43 | } | 43 | } |
44 | expect { | 44 | expect { |
45 | timeout {puts "TESTING ERROR 7\n";exit} | 45 | timeout {puts "TESTING ERROR 7\n";exit} |
46 | "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" | 46 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" |
47 | } | 47 | } |
48 | expect { | 48 | expect { |
49 | timeout {puts "TESTING ERROR 8\n";exit} | 49 | timeout {puts "TESTING ERROR 8\n";exit} |
@@ -55,18 +55,18 @@ expect { | |||
55 | } | 55 | } |
56 | after 100 | 56 | after 100 |
57 | 57 | ||
58 | # amd64 architecture - ignore seccomp | 58 | # 64 bit architecture - ignore seccomp |
59 | send -- "firejail --debug --ignore=seccomp sleep 1; echo done\r" | 59 | send -- "firejail --debug --ignore=seccomp sleep 1; echo done\r" |
60 | expect { | 60 | expect { |
61 | timeout {puts "TESTING ERROR 10\n";exit} | 61 | timeout {puts "TESTING ERROR 10\n";exit} |
62 | "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit} | 62 | "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit} |
63 | "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 12\n";exit} | 63 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 12\n";exit} |
64 | "Child process initialized" | 64 | "Child process initialized" |
65 | } | 65 | } |
66 | expect { | 66 | expect { |
67 | timeout {puts "TESTING ERROR 13\n";exit} | 67 | timeout {puts "TESTING ERROR 13\n";exit} |
68 | "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 14\n";exit} | 68 | "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 14\n";exit} |
69 | "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 15\n";exit} | 69 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 15\n";exit} |
70 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" | 70 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" |
71 | } | 71 | } |
72 | expect { | 72 | expect { |
@@ -75,7 +75,7 @@ expect { | |||
75 | } | 75 | } |
76 | after 100 | 76 | after 100 |
77 | 77 | ||
78 | # amd64 architecture - ignore protocol | 78 | # 64 bit architecture - ignore protocol |
79 | send -- "firejail --debug --ignore=protocol sleep 1; echo done\r" | 79 | send -- "firejail --debug --ignore=protocol sleep 1; echo done\r" |
80 | expect { | 80 | expect { |
81 | timeout {puts "TESTING ERROR 17\n";exit} | 81 | timeout {puts "TESTING ERROR 17\n";exit} |
@@ -90,7 +90,7 @@ expect { | |||
90 | expect { | 90 | expect { |
91 | timeout {puts "TESTING ERROR 21\n";exit} | 91 | timeout {puts "TESTING ERROR 21\n";exit} |
92 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 22\n";exit} | 92 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 22\n";exit} |
93 | "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" | 93 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" |
94 | } | 94 | } |
95 | expect { | 95 | expect { |
96 | timeout {puts "TESTING ERROR 23\n";exit} | 96 | timeout {puts "TESTING ERROR 23\n";exit} |
@@ -114,21 +114,21 @@ expect { | |||
114 | } | 114 | } |
115 | 115 | ||
116 | 116 | ||
117 | # amd64 architecture - seccomp.block-secondary | 117 | # 64 bit architecture - seccomp.block-secondary |
118 | send -- "firejail --debug --seccomp.block-secondary sleep 1; echo done\r" | 118 | send -- "firejail --debug --seccomp.block-secondary sleep 1; echo done\r" |
119 | expect { | 119 | expect { |
120 | timeout {puts "TESTING ERROR 27\n";exit} | 120 | timeout {puts "TESTING ERROR 27\n";exit} |
121 | "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 28\n";exit} | 121 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 28\n";exit} |
122 | "Child process initialized" | 122 | "Child process initialized" |
123 | } | 123 | } |
124 | expect { | 124 | expect { |
125 | timeout {puts "TESTING ERROR 29\n";exit} | 125 | timeout {puts "TESTING ERROR 29\n";exit} |
126 | "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 30\n";exit} | 126 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 30\n";exit} |
127 | "Installing /run/firejail/mnt/seccomp seccomp filter" | 127 | "Installing /run/firejail/mnt/seccomp seccomp filter" |
128 | } | 128 | } |
129 | expect { | 129 | expect { |
130 | timeout {puts "TESTING ERROR 31\n";exit} | 130 | timeout {puts "TESTING ERROR 31\n";exit} |
131 | "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 32\n";exit} | 131 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 32\n";exit} |
132 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" | 132 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" |
133 | } | 133 | } |
134 | expect { | 134 | expect { |
@@ -137,16 +137,16 @@ expect { | |||
137 | } | 137 | } |
138 | after 100 | 138 | after 100 |
139 | 139 | ||
140 | # amd64 architecture - seccomp.block-secondary, profile | 140 | # 64 bit architecture - seccomp.block-secondary, profile |
141 | send -- "firejail --debug --profile=block-secondary.profile sleep 1; echo done\r" | 141 | send -- "firejail --debug --profile=block-secondary.profile sleep 1; echo done\r" |
142 | expect { | 142 | expect { |
143 | timeout {puts "TESTING ERROR 33\n";exit} | 143 | timeout {puts "TESTING ERROR 33\n";exit} |
144 | "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 34\n";exit} | 144 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 34\n";exit} |
145 | "Child process initialized" | 145 | "Child process initialized" |
146 | } | 146 | } |
147 | expect { | 147 | expect { |
148 | timeout {puts "TESTING ERROR 35\n";exit} | 148 | timeout {puts "TESTING ERROR 35\n";exit} |
149 | "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 35\n";exit} | 149 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 35\n";exit} |
150 | "Installing /run/firejail/mnt/seccomp seccomp filter" | 150 | "Installing /run/firejail/mnt/seccomp seccomp filter" |
151 | } | 151 | } |
152 | expect { | 152 | expect { |
diff --git a/test/profiles/test-profile.exp b/test/profiles/test-profile.exp index 6bc47f33f..63fb3a150 100755 --- a/test/profiles/test-profile.exp +++ b/test/profiles/test-profile.exp | |||
@@ -18,6 +18,5 @@ expect { | |||
18 | timeout {puts "TESTING ERROR 0\n";exit} | 18 | timeout {puts "TESTING ERROR 0\n";exit} |
19 | "done" | 19 | "done" |
20 | } | 20 | } |
21 | send -- "exit\r" | ||
22 | after 100 | 21 | after 100 |
23 | puts "\n" | 22 | puts "\n" |