-rw-r--r-- | .github/workflows/codeql-analysis.yml | 6 | ||||
-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | RELNOTES | 15 | ||||
-rw-r--r-- | etc/apparmor/firejail-default | 2 | ||||
-rw-r--r-- | etc/inc/disable-programs.inc | 4 | ||||
-rw-r--r-- | etc/profile-a-l/gtk-lbry-viewer.profile | 12 | ||||
-rw-r--r-- | etc/profile-a-l/lbry-viewer.profile | 21 | ||||
-rw-r--r-- | etc/profile-m-z/man.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/steam.profile | 3 | ||||
-rw-r--r-- | etc/profile-m-z/tuir.profile | 23 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 3 | ||||
-rw-r--r-- | src/firejail/profile.c | 2 | ||||
-rw-r--r-- | src/man/firejail.txt | 17 | ||||
-rw-r--r-- | src/man/firemon.txt | 1 | ||||
-rw-r--r-- | src/man/jailcheck.txt | 1 |
15 files changed, 102 insertions, 12 deletions
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index e5e86d8e0..66ca0d321 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml | |||
@@ -53,7 +53,7 @@ jobs: | |||
53 | 53 | ||
54 | # Initializes the CodeQL tools for scanning. | 54 | # Initializes the CodeQL tools for scanning. |
55 | - name: Initialize CodeQL | 55 | - name: Initialize CodeQL |
56 | uses: github/codeql-action/init@2ca79b6fa8d3ec278944088b4aa5f46912db5d63 | 56 | uses: github/codeql-action/init@c7f292ea4f542c473194b33813ccd4c207a6c725 |
57 | with: | 57 | with: |
58 | languages: ${{ matrix.language }} | 58 | languages: ${{ matrix.language }} |
59 | # If you wish to specify custom queries, you can do so here or in a config file. | 59 | # If you wish to specify custom queries, you can do so here or in a config file. |
@@ -64,7 +64,7 @@ jobs: | |||
64 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). | 64 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). |
65 | # If this step fails, then you should remove it and run the build manually (see below) | 65 | # If this step fails, then you should remove it and run the build manually (see below) |
66 | - name: Autobuild | 66 | - name: Autobuild |
67 | uses: github/codeql-action/autobuild@2ca79b6fa8d3ec278944088b4aa5f46912db5d63 | 67 | uses: github/codeql-action/autobuild@c7f292ea4f542c473194b33813ccd4c207a6c725 |
68 | 68 | ||
69 | # âšī¸ Command-line programs to run using the OS shell. | 69 | # âšī¸ Command-line programs to run using the OS shell. |
70 | # đ https://git.io/JvXDl | 70 | # đ https://git.io/JvXDl |
@@ -78,4 +78,4 @@ jobs: | |||
78 | # make release | 78 | # make release |
79 | 79 | ||
80 | - name: Perform CodeQL Analysis | 80 | - name: Perform CodeQL Analysis |
81 | uses: github/codeql-action/analyze@2ca79b6fa8d3ec278944088b4aa5f46912db5d63 | 81 | uses: github/codeql-action/analyze@c7f292ea4f542c473194b33813ccd4c207a6c725 |
@@ -258,4 +258,4 @@ Stats: | |||
258 | 258 | ||
259 | ### New profiles: | 259 | ### New profiles: |
260 | 260 | ||
261 | onionshare, onionshare-cli, opera-developer, songrec, gdu, makedeb | 261 | onionshare, onionshare-cli, opera-developer, songrec, gdu, makedeb, lbry-viewer, tuir, |
@@ -1,16 +1,23 @@ | |||
1 | firejail (0.9.71) baseline; urgency=low | 1 | firejail (0.9.71) baseline; urgency=low |
2 | * work in progress | 2 | * work in progress |
3 | * feature: restrict namespaces (--restrict-namespaces) inplemented as | ||
4 | a seccomp filter for both 64 and 32 bit architectures | ||
5 | * feature: On failing to remount a fuse filesystem, give warning instead of | 3 | * feature: On failing to remount a fuse filesystem, give warning instead of |
6 | erroring out (#5240 #5242) | 4 | erroring out (#5240 #5242) |
7 | * feature: support for custom AppArmor profiles (--apparmor=) (#5274) | 5 | * feature: restrict namespaces (--restrict-namespaces) implemented as |
8 | * build: deduplicate configure-time vars into new config files (#5140) | 6 | a seccomp filter for both 64 and 32 bit architectures (#4939 #5259) |
7 | * feature: support for custom AppArmor profiles (--apparmor=) (#5274 #5316 | ||
8 | #5317) | ||
9 | * bugfix: Flood of seccomp audit log entries (#5207) | ||
10 | * build: deduplicate configure-time vars into new config files (#5140 #5284) | ||
9 | * build: fix file mode of shell scripts (644 -> 755) (#5206) | 11 | * build: fix file mode of shell scripts (644 -> 755) (#5206) |
10 | * build: reduce autoconf input files from 32 to 2 (#5219) | 12 | * build: reduce autoconf input files from 32 to 2 (#5219) |
11 | * build: add dist build directory to .gitignore (#5248) | 13 | * build: add dist build directory to .gitignore (#5248) |
12 | * build: add autoconf auto-generation comment to input files (#5251) | 14 | * build: add autoconf auto-generation comment to input files (#5251) |
15 | * build: Add files make uninstall forgot to remove (#5283) | ||
16 | * build: add and use TARNAME instead of NAME for paths (#5310) | ||
13 | * ci: ignore git-related paths and the project license (#5249) | 17 | * ci: ignore git-related paths and the project license (#5249) |
18 | * docs: mention risk of SUID binaries and also firejail-users(5) (#5288 | ||
19 | #5290) | ||
20 | * docs: set vim filetype on man pages for syntax highlighting (#5296) | ||
14 | -- netblue30 <netblue30@yahoo.com> Sat, 11 Jun 2022 09:00:00 -0500 | 21 | -- netblue30 <netblue30@yahoo.com> Sat, 11 Jun 2022 09:00:00 -0500 |
15 | 22 | ||
16 | firejail (0.9.70) baseline; urgency=low | 23 | firejail (0.9.70) baseline; urgency=low |
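--- a/etc/apparmor/firejail-default
+++ b/etc/apparmor/firejail-default
@@ -33,6 +33,7 @@ owner /{,var/}run/firejail/dbus/[0-9]*/[0-9]*-user w,
 #ptrace,
 # Allow obtaining some process information, but not ptrace(2)
 ptrace (read,readby) peer=@{profile_name},
+ptrace (read,readby) peer=@{profile_name}//&unconfined,
 
 ##########
 # Allow read access to whole filesystem and control it from firejail.
@@ -123,6 +124,7 @@ network packet,
 ##########
 # There is no equivalent in Firejail for filtering signals.
 ##########
+signal (send) peer=@{profile_name}//&unconfined,
 signal (send) peer=@{profile_name},
 signal (receive),
 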
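--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -149,6 +149,7 @@ blacklist ${HOME}/.cache/ksmserver-logout-greeter
 blacklist ${HOME}/.cache/ksplashqml
 blacklist ${HOME}/.cache/kube
 blacklist ${HOME}/.cache/kwin
+blacklist ${HOME}/.cache/lbry-viewer
 blacklist ${HOME}/.cache/libgweather
 blacklist ${HOME}/.cache/librewolf
 blacklist ${HOME}/.cache/liferea
@@ -503,6 +504,7 @@ blacklist ${HOME}/.config/ktorrentrc
 blacklist ${HOME}/.config/ktouch2rc
 blacklist ${HOME}/.config/kube
 blacklist ${HOME}/.config/kwriterc
+blacklist ${HOME}/.config/lbry-viewer
 blacklist ${HOME}/.config/leafpad
 blacklist ${HOME}/.config/libreoffice
 blacklist ${HOME}/.config/liferea
@@ -622,6 +624,7 @@ blacklist ${HOME}/.config/tox
 blacklist ${HOME}/.config/transgui
 blacklist ${HOME}/.config/transmission
 blacklist ${HOME}/.config/truecraft
+blacklist ${HOME}/.config/tuir
 blacklist ${HOME}/.config/tuta_integration
 blacklist ${HOME}/.config/tutanota-desktop
 blacklist ${HOME}/.config/tvbrowser
@@ -995,6 +998,7 @@ blacklist ${HOME}/.local/share/telepathy
 blacklist ${HOME}/.local/share/terasology
 blacklist ${HOME}/.local/share/torbrowser
 blacklist ${HOME}/.local/share/totem
+blacklist ${HOME}/.local/share/tuir
 blacklist ${HOME}/.local/share/uzbl
 blacklist ${HOME}/.local/share/vlc
 blacklist ${HOME}/.local/share/vpltd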
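--- /dev/null
+++ b/etc/profile-a-l/gtk-lbry-viewer.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gtk-lbry-viewer
+# Description: Gtk front-end to lbry-viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk-lbry-viewer.local
+# added by included profile
+#include globals.local
+
+ignore quiet
+
+# Redirect
+include lbry-viewer.profile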
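--- /dev/null
+++ b/etc/profile-a-l/lbry-viewer.profile
@@ -0,0 +1,21 @@
+# Firejail profile for lbry-viewer
+# Description:CLI for searching and playing videos from LBRY, with the Librarian frontend
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lbry-viewer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/lbry-viewer
+noblacklist ${HOME}/.config/lbry-viewer
+
+mkdir ${HOME}/.config/lbry-viewer
+mkdir ${HOME}/.cache/lbry-viewer
+whitelist ${HOME}/.cache/lbry-viewer
+whitelist ${HOME}/.config/lbry-viewer
+
+private-bin gtk-lbry-viewer,lbry-viewer
+
+# Redirect
+include youtube-viewers-common.profile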
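Review bot: Line 2 `# Description:CLI for searching and playing videos from LBRY, with the Librarian frontend` is missing the space after `Description:` that the other two new profiles in this commit use (`# Description: Browse Reddit ...` in tuir.profile, `# Description: Gtk front-end ...` in gtk-lbry-viewer.profile); `# Description: CLI for searching and playing videos from LBRY, with the Librarian frontend` keeps the header uniform. The `mkdir` pair on lines 13–14 is also in the opposite order (.config before .cache) to the `noblacklist` and `whitelist` pairs around it; putting `mkdir ${HOME}/.cache/lbry-viewer` first matches the rest of the file. All actual hardening (seccomp, capabilities, networking) is inherited from `youtube-viewers-common.profile`, which is outside this diff, so it cannot be judged from this hunk.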
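--- a/etc/profile-m-z/man.profile
+++ b/etc/profile-m-z/man.profile
@@ -56,7 +56,7 @@ disable-mnt
 #private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim
 private-cache
 private-dev
-private-etc alternatives,fonts,groff,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg
+private-etc alternatives,fonts,groff,group,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,login.defs,man_db.conf,manpath.config,passwd,selinux,sysless,xdg
 #private-tmp
 
 dbus-user none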
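Review bot: The `private-etc` line now adds `group`, `login.defs` and `passwd`, but nothing records why man needs them, and a long alphabetic list like this is exactly what a later cleanup pass trims back. A one-line why-comment above it, e.g. `# group,login.defs,passwd: needed by man for <reason> (see #<issue>)`, would preserve the rationale. Because `private-etc` copies the listed host files into the sandbox's /etc, this also hands the sandboxed process the full local account list; that is a small, deliberate information exposure and worth stating in the same comment so it is not mistaken for an oversight.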
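--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -156,7 +156,10 @@ protocol unix,inet,inet6,netlink
 # seccomp sometimes causes issues (see #2951, #3267).
 # Add 'ignore seccomp' to your steam.local if you experience this.
 # mount, name_to_handle_at, pivot_root and umount2 are used by Proton >= 5.13
+# (see #4366).
 seccomp !chroot,!mount,!name_to_handle_at,!pivot_root,!ptrace,!umount2
+# process_vm_readv is used by GE-Proton7-18 (see #5185).
+seccomp.32 !process_vm_readv
 # tracelog breaks integrated browser
 #tracelog
 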
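--- /dev/null
+++ b/etc/profile-m-z/tuir.profile
@@ -0,0 +1,23 @@
+# Firejail profile for tuir
+# Description: Browse Reddit from your terminal (rtv fork)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tuir.local
+# Persistent global definitions
+#include globals.local
+
+ignore mkdir ${HOME}/.config/rtv
+ignore mkdir ${HOME}/.local/share/rtv
+
+noblacklist ${HOME}/.config/tuir
+noblacklist ${HOME}/.local/share/tuir
+
+mkdir ${HOME}/.config/tuir
+mkdir ${HOME}/.local/share/tuir
+whitelist ${HOME}/.config/tuir
+whitelist ${HOME}/.local/share/tuir
+
+private-bin tuir
+
+# Redirect
+include rtv.profile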
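Review bot: Lines 6–7 label the commented-out `#include globals.local` as `# Persistent global definitions`, whereas gtk-lbry-viewer.profile in the same commit marks its equivalent disabled line with `# added by included profile`, which describes the situation more accurately, as globals.local is presumably pulled in via `include rtv.profile`. Using `# added by included profile` here keeps the two new redirect profiles consistent. The `ignore mkdir ${HOME}/.config/rtv` / `ignore mkdir ${HOME}/.local/share/rtv` pair assumes rtv.profile creates exactly those two directories; rtv.profile is outside this diff, so whether any other rtv-specific lines (noblacklist, whitelist) also need an `ignore` cannot be checked from this hunk.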
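--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -373,6 +373,7 @@ gravity-beams-and-evaporating-stars
 gthumb
 gtk2-youtube-viewer
 gtk3-youtube-viewer
+gtk-lbry-viewer
 gtk-pipe-viewer
 gtk-straw-viewer
 gtk-youtube-viewer
@@ -458,6 +459,7 @@ ktouch
 kube
 # kwin_x11
 kwrite
+lbry-viewer
 leafpad
 # less - breaks man
 librecad
@@ -841,6 +843,7 @@ tremulous
 trojita
 truecraft
 tshark
+tuir
 tutanota-desktop
 tuxguitar
 tvbrowser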
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 2969db85b..9a2f8c82c 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -943,7 +943,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
943 | #endif | 943 | #endif |
944 | return 0; | 944 | return 0; |
945 | } | 945 | } |
946 | 946 | ||
947 | if (strncmp(ptr, "apparmor ", 9) == 0) { | 947 | if (strncmp(ptr, "apparmor ", 9) == 0) { |
948 | #ifdef HAVE_APPARMOR | 948 | #ifdef HAVE_APPARMOR |
949 | arg_apparmor = 1; | 949 | arg_apparmor = 1; |
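--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -191,6 +191,13 @@ Blacklist directory or file. File globbing is supported, see \fBFILE GLOBBING\fR
 .br
 
 .br
+Symbolic link handling: Blacklisting a path that is a symbolic link will also
+blacklist the path that it points to.
+For example, if ~/foo is blacklisted and it points to /foo, then /foo will also
+be blacklisted.
+.br
+
+.br
 Example:
 .br
 $ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin
@@ -2958,8 +2965,14 @@ all directories in /usr.
 .br
 
 .br
-Symbolic link handling: with the exception of user home, both the link and the real file should be in
-the same top directory. For user home, both the link and the real file should be owned by the user.
+Symbolic link handling: Whitelisting a path that is a symbolic link will also
+whitelist the path that it points to.
+For example, if ~/foo is whitelisted and it points to ~/bar, then ~/bar will
+also be whitelisted.
+Restrictions: With the exception of the user home directory, both the link and
+the real file should be in the same top directory.
+For symbolic links in the user home directory, both the link and the real file
+should be owned by the user.
 .br
 
 .br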
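--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -118,3 +118,4 @@ Homepage: https://firejail.wordpress.com
 .BR firejail-login (5),
 .BR firejail-users (5),
 .BR jailcheck (1)
+.\" vim: set filetype=groff :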
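--- a/src/man/jailcheck.txt
+++ b/src/man/jailcheck.txt
@@ -115,3 +115,4 @@ Homepage: https://firejail.wordpress.com
 .BR firejail-profile (5),
 .BR firejail-login (5),
 .BR firejail-users (5),
+.\" vim: set filetype=groff :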