50 files changed, 384 insertions, 304 deletions
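--- a/.gitignore
+++ b/.gitignore
@@ -14,6 +14,7 @@ firejail-*.tar.xz
 firejail-login.5
 firejail-profile.5
 firejail-config.5
+firejail-users.5
 firejail.1
 firemon.1
 firecfg.1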
@@ -1,6 +1,8 @@ | |||
1 | firejail (0.9.53) baseline; urgency=low | 1 | firejail (0.9.53) baseline; urgency=low |
2 | * work in progress | 2 | * work in progress |
3 | * modif: --force depercated | 3 | * modif: --force depercated |
4 | * modif: --csg, --zsh deprecated | ||
5 | * modif: --debug-check-filename deprecated | ||
4 | * modif: --git-install and --git-uninstall deprecated | 6 | * modif: --git-install and --git-uninstall deprecated |
5 | * modif: support for private-bin, private-lib and shell none has been | 7 | * modif: support for private-bin, private-lib and shell none has been |
6 | disabled while running AppImage archives in order to be able to use | 8 | disabled while running AppImage archives in order to be able to use |
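--- a/etc/arduino.profile
+++ b/etc/arduino.profile
@@ -9,6 +9,12 @@ noblacklist ${HOME}/.arduino15
 noblacklist ${HOME}/.java
 noblacklist ${HOME}/Arduino
 
+# Allow access to java
+noblacklist ${PATH}/java
+noblacklist /usr/lib/java
+noblacklist /etc/java
+noblacklist /usr/share/java
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc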
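Review bot: The four-line Java `noblacklist` block added here is pasted unchanged into jd-gui, pycharm-community, steam, terasology and zaproxy, and a matching Python block goes into flowblade, openshot, ranger and uzbl-browser, so every future path change has to be made in ten places. A shared include file per runtime, pulled in with a single `include` line before the disable-*.inc includes, would keep the exceptions in one auditable place. The Java comment also omits which include does the blacklisting, unlike the Python one; `# Allow access to java (blacklisted by <name of the include>)` would make the ordering requirement visible.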
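--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -28,7 +28,6 @@ seccomp
 disable-mnt
 private
 private-dev
-private-dev
 private-tmp
 read-write /var/lib/bitlbee
 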
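--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -116,6 +116,10 @@ blacklist /run/user/*/kdeinit5__*
 # blacklist /tmp/ksocket-*/kdeinit4__*
 # - causes issues when kdeinit4 gets killed; enable on KDE Plasma 4
 
+# gnome
+# contains extensions, last used times of applications, and notifications
+blacklist ${HOME}/.local/share/gnome-shell
+
 # systemd
 blacklist ${HOME}/.config/systemd
 blacklist ${HOME}/.local/share/systemd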
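--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -429,6 +429,7 @@ blacklist ${HOME}/.local/share/telepathy
 blacklist ${HOME}/.local/share/terasology
 blacklist ${HOME}/.local/share/torbrowser
 blacklist ${HOME}/.local/share/totem
+blacklist ${HOME}/.local/share/uzbl
 blacklist ${HOME}/.local/share/vlc
 blacklist ${HOME}/.local/share/vpltd
 blacklist ${HOME}/.local/share/vulkan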
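--- /dev/null
+++ b/etc/discord.profile
@@ -0,0 +1,33 @@
+# Firejail profile for Discord
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/discord.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.config/discord
+whitelist ${HOME}/.config/discord
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+
+private-bin discord,sh,xdg-mime
+private-dev
+private-etc fonts
+private-tmp
+
+noexec ${HOME}
+noexec /tmp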
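Review bot: The include list of this new profile stops at disable-programs.inc and leaves out `include /etc/firejail/disable-interpreters.inc`, which most of the other profiles touched in this commit carry. `private-bin` already hides interpreter binaries in the bin directories, but their library trees stay visible, and with `sh` kept in `private-bin` the `noexec ${HOME}` and `noexec /tmp` lines do not stop a script from being run through the shell. Separately, `private-etc fonts` leaves the sandbox without resolver or CA-certificate configuration, which a network client presumably needs, so that line is worth testing against a real login before release.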
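--- a/etc/firefox-common-addons.inc
+++ b/etc/firefox-common-addons.inc
@@ -16,7 +16,6 @@ noblacklist ${HOME}/.kde4/share/apps/okular
 noblacklist ${HOME}/.kde4/share/config/kgetrc
 noblacklist ${HOME}/.kde4/share/config/okularpartrc
 noblacklist ${HOME}/.kde4/share/config/okularrc
-# noblacklist ${HOME}/.local/share/gnome-shell/extensions
 noblacklist ${HOME}/.local/share/kget
 noblacklist ${HOME}/.local/share/okular
 noblacklist ${HOME}/.local/share/qpdfview
@@ -41,7 +40,6 @@ whitelist ${HOME}/.kde4/share/config/okularpartrc
 whitelist ${HOME}/.kde4/share/config/okularrc
 whitelist ${HOME}/.keysnail.js
 whitelist ${HOME}/.lastpass
-whitelist ${HOME}/.local/share/gnome-shell/extensions
 whitelist ${HOME}/.local/share/kget
 whitelist ${HOME}/.local/share/okular
 whitelist ${HOME}/.local/share/qpdfview
@@ -53,3 +51,14 @@ whitelist ${HOME}/.wine-pipelight
 whitelist ${HOME}/.wine-pipelight64
 whitelist ${HOME}/.zotero
 whitelist ${HOME}/dwhelper
+
+# GNOME Shell integration (chrome-gnome-shell) needs dbus and python 3 (blacklisted by disable-interpreters.inc)
+noblacklist ${HOME}/.local/share/gnome-shell/extensions
+whitelist ${HOME}/.local/share/gnome-shell/extensions
+ignore nodbus
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python3*
+
+# Flash plugin
+# private-etc must first be enabled in firefox-common.profile and in profiles including it.
+#private-etc adobe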
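Review bot: `ignore nodbus` and the two python3 `noblacklist` lines at the end of the last hunk are active for every profile that includes this file, so any `nodbus` those profiles set is discarded and a Python interpreter becomes reachable from the browser sandbox even when chrome-gnome-shell is not installed. The Flash entry directly below is shipped commented out as an opt-in; the GNOME Shell block could follow the same pattern with `#ignore nodbus`, `#noblacklist ${PATH}/python3*` and `#noblacklist /usr/lib/python3*`, and a comment telling users to enable them in a local override. That keeps the default browser profile at its previous restriction level and makes the wider access an explicit choice.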
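--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -165,10 +165,10 @@ capability sys_time,
 capability sys_tty_config,
 capability mknod,
 capability lease,
-capability audit_write,
-capability audit_control,
+#capability audit_write,
+#capability audit_control,
 capability setfcap,
-capability mac_override,
+#capability mac_override,
 #capability mac_admin,
 
 ##########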
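Review bot: The three capability rules are disabled by commenting them out with no rationale, which leaves them looking like toggles that can be switched back on. A comment above the group would record the intent, for example `# disabled on purpose: sandboxed programs should not write or configure audit records or override MAC policy`. `capability setfcap,` stays allowed between the disabled entries; if that is deliberate it deserves a short comment as well, since it is the one rule in this run that was left active.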
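--- a/etc/flowblade.profile
+++ b/etc/flowblade.profile
@@ -8,6 +8,12 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.config/flowblade
 noblacklist ${HOME}/.flowblade
 
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc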
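--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -8,6 +8,12 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.config/jd-gui.cfg
 noblacklist ${HOME}/.java
 
+# Allow access to java
+noblacklist ${PATH}/java
+noblacklist /usr/lib/java
+noblacklist /etc/java
+noblacklist /usr/share/java
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc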
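--- a/etc/less.profile
+++ b/etc/less.profile
@@ -20,7 +20,7 @@ shell none
 tracelog
 writable-var-log
 
-# The user can have a custom coloring scritps configured in ${HOME}/.lessfilter.
+# The user can have a custom coloring script configured in ${HOME}/.lessfilter.
 # Enable private-bin and private-lib if you are not using any filter.
 # private-bin less
 # private-lib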
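--- a/etc/openshot.profile
+++ b/etc/openshot.profile
@@ -8,6 +8,12 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.openshot
 noblacklist ${HOME}/.openshot_qt
 
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc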
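--- a/etc/pycharm-community.profile
+++ b/etc/pycharm-community.profile
@@ -9,6 +9,12 @@ noblacklist ${HOME}/snap
 noblacklist ${HOME}/.PyCharmCE*
 noblacklist ${HOME}/.java
 
+# Allow access to java
+noblacklist ${PATH}/java
+noblacklist /usr/lib/java
+noblacklist /etc/java
+noblacklist /usr/share/java
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc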
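--- a/etc/ranger.profile
+++ b/etc/ranger.profile
@@ -5,11 +5,19 @@ include /etc/firejail/ranger.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+noblacklist ${HOME}/.config/ranger
+
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+
+# Allow perl
 # noblacklist ${PATH}/cpan*
 noblacklist ${PATH}/perl
 noblacklist /usr/lib/perl*
 noblacklist /usr/share/perl*
-noblacklist ${HOME}/.config/ranger
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc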
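--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -24,6 +24,12 @@ noblacklist /usr/lib/llvm*
 # needed for STEAM_RUNTIME_PREFER_HOST_LIBRARIES=1 to work
 noblacklist /sbin
 
+# Allow access to java
+noblacklist ${PATH}/java
+noblacklist /usr/lib/java
+noblacklist /etc/java
+noblacklist /usr/share/java
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc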
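--- a/etc/terasology.profile
+++ b/etc/terasology.profile
@@ -8,6 +8,12 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/terasology
 
+# Allow access to java
+noblacklist ${PATH}/java
+noblacklist /usr/lib/java
+noblacklist /etc/java
+noblacklist /usr/share/java
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc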
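--- a/etc/uzbl-browser.profile
+++ b/etc/uzbl-browser.profile
@@ -7,6 +7,13 @@ include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.config/uzbl
 noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.local/share/uzbl
+
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc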
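--- a/etc/zaproxy.profile
+++ b/etc/zaproxy.profile
@@ -8,6 +8,12 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.java
 noblacklist ${HOME}/.ZAP
 
+# Allow access to java
+noblacklist ${PATH}/java
+noblacklist /usr/lib/java
+noblacklist /etc/java
+noblacklist /usr/share/java
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc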
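--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+machine-id
 # net none
 # nodbus
 nodvd
@@ -29,7 +30,7 @@ shell none
 
 private-bin zathura
 private-dev
-private-etc fonts
+private-etc fonts,machine-id
 private-tmp
 
 read-only ${HOME}/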
@@ -6,15 +6,15 @@ echo "#define FIREJAIL_UIDS_H" >> uids.h | |||
6 | 6 | ||
7 | if [ -r /etc/login.defs ] | 7 | if [ -r /etc/login.defs ] |
8 | then | 8 | then |
9 | echo "// using values extracted from /etc/login.defs" >> uids.h | ||
10 | UID_MIN=`awk '/^\s*UID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs` | 9 | UID_MIN=`awk '/^\s*UID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs` |
11 | GID_MIN=`awk '/^\s*GID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs` | 10 | GID_MIN=`awk '/^\s*GID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs` |
12 | echo "#define UID_MIN $UID_MIN" >> uids.h | ||
13 | echo "#define GID_MIN $GID_MIN" >> uids.h | ||
14 | else | ||
15 | echo "// using default values" >> uids.h | ||
16 | echo "#define UID_MIN 1000" >> uids.h | ||
17 | echo "#define GID_MIN 1000" >> uids.h | ||
18 | fi | 11 | fi |
19 | 12 | ||
13 | # use default values if not found | ||
14 | [ -z "$UID_MIN" ] && UID_MIN="1000" | ||
15 | [ -z "$GID_MIN" ] && GID_MIN="1000" | ||
16 | |||
17 | echo "#define UID_MIN $UID_MIN" >> uids.h | ||
18 | echo "#define GID_MIN $GID_MIN" >> uids.h | ||
19 | |||
20 | echo "#endif" >> uids.h | 20 | echo "#endif" >> uids.h |
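Review bot: The new fallback only tests `$UID_MIN` and `$GID_MIN` for being empty, so whatever awk printed is copied into the two `#define` lines as is; a login.defs with a repeated or malformed entry yields multi-line or non-numeric text in uids.h. Since these constants presumably decide which accounts count as regular users, the script should accept digits only, e.g. `case "$UID_MIN" in ''|*[!0-9]*) UID_MIN=1000 ;; esac` and the same for `GID_MIN`, which also covers the empty case. The awk patterns use `\s`, which not every awk implementation supports; `[[:space:]]` is the portable spelling.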
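--- a/src/firecfg/desktop_files.c
+++ b/src/firecfg/desktop_files.c
@@ -163,8 +163,6 @@ void fix_desktop_files(char *homedir) {
 // skip links
 if (is_link(filename))
 continue;
-if (stat(filename, &sb) == -1)
-errExit("stat");
 
 // no profile in /etc/firejail, no desktop file fixing
 if (!have_profile(filename, homedir))
@@ -173,23 +171,33 @@ void fix_desktop_files(char *homedir) {
 //****************************************************
 // load the file in memory and do some basic checking
 //****************************************************
-/* coverity[toctou] */
-int fd = open(filename, O_RDONLY);
-if (fd == -1) {
+FILE *fp = fopen(filename, "r");
+if (!fp) {
 fprintf(stderr, "Warning: cannot open /usr/share/applications/%s\n", filename);
 continue;
 }
 
-char *buf = mmap(NULL, sb.st_size + 1, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
-if (buf == MAP_FAILED)
-errExit("mmap");
-close(fd);
+fseek(fp, 0, SEEK_END);
+size_t size = ftell(fp);
+fseek(fp, 0, SEEK_SET);
+char *buf = malloc(size + 1);
+if (!buf)
+errExit("malloc");
+
+size_t loaded = fread(buf, size, 1, fp);
+fclose(fp);
+if (loaded != 1) {
+fprintf(stderr, "Warning: cannot read /usr/share/applications/%s\n", filename);
+free(buf);
+continue;
+}
+buf[size] = '\0';
 
 // check format
 if (strstr(buf, "[Desktop Entry]\n") == NULL) {
 if (arg_debug)
 printf(" %s - skipped: wrong format?\n", filename);
-munmap(buf, sb.st_size + 1);
+free(buf);
 continue;
 }
 
@@ -198,7 +206,7 @@ void fix_desktop_files(char *homedir) {
 if (!ptr || strlen(ptr) < 7) {
 if (arg_debug)
 printf(" %s - skipped: wrong format?\n", filename);
-munmap(buf, sb.st_size + 1);
+free(buf);
 continue;
 }
 
@@ -207,7 +215,7 @@ void fix_desktop_files(char *homedir) {
 if (execname[0] == '"') {
 if (arg_debug)
 printf(" %s - skipped: path quoting unsupported\n", filename);
-munmap(buf, sb.st_size + 1);
+free(buf);
 continue;
 }
 
@@ -241,12 +249,9 @@ void fix_desktop_files(char *homedir) {
 }
 }
 
-if (change_exec == NULL && change_dbus == 0) {
-munmap(buf, sb.st_size + 1);
+free(buf);
+if (change_exec == NULL && change_dbus == 0)
 continue;
-}
-
-munmap(buf, sb.st_size + 1);
 
 //****************************************************
 // generate output file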
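Review bot: `size_t size = ftell(fp);` in the second hunk stores ftell()'s result without checking it, and neither fseek() return value is tested; when ftell() fails it returns -1, so `size + 1` wraps to 0 and the following fread() is asked to fill a zero-length allocation. Checking the seek and tell results and skipping the file on failure keeps the loader on the same warning path the open failure already uses. The is_link() test and the fopen() are still two separate lookups of the same name, which is what the removed coverity annotation appears to have been marking. fix_desktop_files starts and ends outside these hunks.

```c
FILE *fp = fopen(filename, "r");
// … unchanged: open-failure warning and continue …

long end = -1;
if (fseek(fp, 0, SEEK_END) == 0)
	end = ftell(fp);
if (end < 0 || fseek(fp, 0, SEEK_SET) != 0) {
	fprintf(stderr, "Warning: cannot read /usr/share/applications/%s\n", filename);
	fclose(fp);
	continue;
}
size_t size = (size_t) end;
char *buf = malloc(size + 1);
// … unchanged: malloc check, fread, fclose, NUL termination …
```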
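--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -2,7 +2,7 @@ all: firejail
 
 include ../common.mk
 
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h ../include/firejail_user.h
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/ldd_utils.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h ../include/firejail_user.h
 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
 firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o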
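--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -166,10 +166,6 @@ int checkcfg(int val) {
 else
 goto errout;
 }
-// follow symlink in private-bin command
-else if (strncmp(ptr, "follow-symlink-private-bin ", 27) == 0) {
-fwarning("follow-symlink-private-bin from firejail.config was deprecated\n");
-}
 // nonewprivs
 else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) {
 if (strcmp(ptr + 17, "yes") == 0)
@@ -311,9 +307,6 @@ int checkcfg(int val) {
 else
 goto errout;
 }
-else if (strncmp(ptr, "remount-proc-sys ", 17) == 0) {
-fwarning("remount-proc-sys from firejail.config was deprecated\n");
-}
 else if (strncmp(ptr, "overlayfs ", 10) == 0) {
 if (strcmp(ptr + 10, "yes") == 0)
 cfg_val[CFG_OVERLAYFS] = 1;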
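--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -309,7 +309,6 @@ static inline int any_interface_configured(void) {
 extern int arg_private; // mount private /home
 extern int arg_private_template; // private /home template
 extern int arg_debug; // print debug messages
-extern int arg_debug_check_filename; // print debug messages for filename checking
 extern int arg_debug_blacklists; // print debug messages for blacklists
 extern int arg_debug_whitelists; // print debug messages for whitelists
 extern int arg_debug_private_lib; // print debug messages for private-lib
@@ -577,9 +576,6 @@ void caps_keep_list(const char *clist);
 void caps_print_filter(pid_t pid);
 void caps_drop_dac_override(void);
 
-// syscall.c
-const char *syscall_find_nr(int nr);
-
 // fs_trace.c
 void fs_trace_preload(void);
 void fs_trace(void);
@@ -647,12 +643,6 @@ void env_ibus_load(void);
 // fs_whitelist.c
 void fs_whitelist(void);
 
-// errno.c
-int errno_highest_nr(void);
-int errno_find_name(const char *name);
-char *errno_find_nr(int nr);
-void errno_print(void);
-
 // pulseaudio.c
 void pulseaudio_init(void);
 void pulseaudio_disable(void);
@@ -795,10 +785,6 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 // run sbox
 int sbox_run(unsigned filter, int num, ...);
 
-// git.c
-void git_install();
-void git_uninstall();
-
 // run_files.c
 void delete_run_files(pid_t pid);
 void delete_bandwidth_run_file(pid_t pid);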
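--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -47,7 +47,6 @@ Config cfg; // configuration
 int arg_private = 0; // mount private /home and /tmp directoryu
 int arg_private_template = 0; // mount private /home using a template
 int arg_debug = 0; // print debug messages
-int arg_debug_check_filename = 0; // print debug messages for filename checking
 int arg_debug_blacklists = 0; // print debug messages for blacklists
 int arg_debug_whitelists = 0; // print debug messages for whitelists
 int arg_debug_private_lib = 0; // print debug messages for private-lib
@@ -1051,8 +1050,6 @@ int main(int argc, char **argv) {
 
 if (strcmp(argv[i], "--debug") == 0 && !arg_quiet)
 arg_debug = 1;
-else if (strcmp(argv[i], "--debug-check-filename") == 0)
-arg_debug_check_filename = 1;
 else if (strcmp(argv[i], "--debug-blacklists") == 0)
 arg_debug_blacklists = 1;
 else if (strcmp(argv[i], "--debug-whitelists") == 0)
@@ -1439,9 +1436,6 @@ int main(int argc, char **argv) {
 custom_profile = 1;
 free(ppath);
 }
-else if (strncmp(argv[i], "--profile-path=", 15) == 0) {
-fwarning("--profile-path has been deprecated\n");
-}
 else if (strcmp(argv[i], "--noprofile") == 0) {
 if (custom_profile) {
 fprintf(stderr, "Error: --profile and --noprofile options are mutually exclusive\n");
@@ -1541,9 +1535,6 @@ int main(int argc, char **argv) {
 else if (strcmp(argv[i], "--machine-id") == 0) {
 arg_machineid = 1;
 }
-else if (strcmp(argv[i], "--allow-private-blacklist") == 0) {
-fwarning("--allow-private-blacklist was deprecated\n");
-}
 else if (strcmp(argv[i], "--private") == 0) {
 arg_private = 1;
 }
@@ -2117,29 +2108,6 @@ int main(int argc, char **argv) {
 }
 else if (strcmp(argv[i], "--appimage") == 0)
 arg_appimage = 1;
-else if (strcmp(argv[i], "--csh") == 0) {
-if (arg_shell_none) {
-
-fprintf(stderr, "Error: --shell=none was already specified.\n");
-return 1;
-}
-if (cfg.shell) {
-fprintf(stderr, "Error: only one default user shell can be specified\n");
-return 1;
-}
-cfg.shell = "/bin/csh";
-}
-else if (strcmp(argv[i], "--zsh") == 0) {
-if (arg_shell_none) {
-fprintf(stderr, "Error: --shell=none was already specified.\n");
-return 1;
-}
-if (cfg.shell) {
-fprintf(stderr, "Error: only one default user shell can be specified\n");
-return 1;
-}
-cfg.shell = "/bin/zsh";
-}
 else if (strcmp(argv[i], "--shell=none") == 0) {
 arg_shell_none = 1;
 if (cfg.shell) {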
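--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -167,9 +167,7 @@ void run_no_sandbox(int argc, char **argv) {
 for (i = 0; i < argc; i++) {
 if (strcmp(argv[i], "--debug") == 0)
 arg_debug = 1;
-else if (strcmp(argv[i], "--csh") == 0 ||
-strcmp(argv[i], "--zsh") == 0 ||
-strcmp(argv[i], "--shell=none") == 0 ||
+else if (strcmp(argv[i], "--shell=none") == 0 ||
 strncmp(argv[i], "--shell=", 8) == 0)
 fwarning("shell-related command line options are disregarded - using SHELL environment variable\n");
 }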
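Review bot: The `strcmp(argv[i], "--shell=none") == 0` test that now opens the condition is redundant, because `strncmp(argv[i], "--shell=", 8) == 0` on the next line already matches that argument. With `--csh` and `--zsh` gone the branch reduces to `else if (strncmp(argv[i], "--shell=", 8) == 0)`. run_no_sandbox() starts and ends outside the hunk.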
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 3ef9a1856..156ffa24a 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -257,10 +257,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
257 | arg_nodbus = 1; | 257 | arg_nodbus = 1; |
258 | return 0; | 258 | return 0; |
259 | } | 259 | } |
260 | else if (strcmp(ptr, "allow-private-blacklist") == 0) { | ||
261 | fmessage("--allow-private-blacklist was deprecated\n"); | ||
262 | return 0; | ||
263 | } | ||
264 | else if (strcmp(ptr, "netfilter") == 0) { | 260 | else if (strcmp(ptr, "netfilter") == 0) { |
265 | #ifdef HAVE_NETWORK | 261 | #ifdef HAVE_NETWORK |
266 | if (checkcfg(CFG_NETWORK)) | 262 | if (checkcfg(CFG_NETWORK)) |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 709ce96b6..e0cecda1b 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -997,6 +997,10 @@ int sandbox(void* sandbox_arg) { | |||
997 | seccomp_load(RUN_SECCOMP_PROTOCOL); // install filter | 997 | seccomp_load(RUN_SECCOMP_PROTOCOL); // install filter |
998 | protocol_filter_save(); // save filter in RUN_PROTOCOL_CFG | 998 | protocol_filter_save(); // save filter in RUN_PROTOCOL_CFG |
999 | } | 999 | } |
1000 | else { | ||
1001 | int rv = unlink(RUN_SECCOMP_PROTOCOL); | ||
1002 | (void) rv; | ||
1003 | } | ||
1000 | #endif | 1004 | #endif |
1001 | 1005 | ||
1002 | // if a keep list is available, disregard the drop list | 1006 | // if a keep list is available, disregard the drop list |
@@ -1005,13 +1009,21 @@ int sandbox(void* sandbox_arg) { | |||
1005 | seccomp_filter_keep(); | 1009 | seccomp_filter_keep(); |
1006 | else | 1010 | else |
1007 | seccomp_filter_drop(); | 1011 | seccomp_filter_drop(); |
1008 | } | ||
1009 | 1012 | ||
1010 | if (arg_debug) { | 1013 | // clean unused filters |
1011 | printf("\nSeccomp files:\n"); | 1014 | #if defined(__LP64__) |
1012 | int rv = system("ls -l /run/firejail/mnt/seccomp*\n"); | 1015 | int rv = unlink(RUN_SECCOMP_64); |
1016 | #endif | ||
1017 | #if defined(__ILP32__) | ||
1018 | int rv = unlink(RUN_SECCOMP_32); | ||
1019 | #endif | ||
1020 | (void) rv; | ||
1021 | } | ||
1022 | else { // clean seccomp files under /run/firejail/mnt | ||
1023 | int rv = unlink(RUN_SECCOMP_CFG); | ||
1024 | rv |= unlink(RUN_SECCOMP_64); | ||
1025 | rv |= unlink(RUN_SECCOMP_32); | ||
1013 | (void) rv; | 1026 | (void) rv; |
1014 | printf("\n"); | ||
1015 | } | 1027 | } |
1016 | 1028 | ||
1017 | if (arg_memory_deny_write_execute) { | 1029 | if (arg_memory_deny_write_execute) { |
@@ -1019,6 +1031,10 @@ int sandbox(void* sandbox_arg) { | |||
1019 | printf("Install memory write&execute filter\n"); | 1031 | printf("Install memory write&execute filter\n"); |
1020 | seccomp_load(RUN_SECCOMP_MDWX); // install filter | 1032 | seccomp_load(RUN_SECCOMP_MDWX); // install filter |
1021 | } | 1033 | } |
1034 | else { | ||
1035 | int rv = unlink(RUN_SECCOMP_MDWX); | ||
1036 | (void) rv; | ||
1037 | } | ||
1022 | #endif | 1038 | #endif |
1023 | 1039 | ||
1024 | //**************************************** | 1040 | //**************************************** |
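Review bot: Every `unlink()` added to sandbox() has its result cast to void, so a filter file that could not be removed from /run/firejail/mnt is left behind without any message; this applies to the RUN_SECCOMP_PROTOCOL and RUN_SECCOMP_MDWX branches as well as to the cleanup block in the middle hunk. If anything later treats the presence of these files as meaning the filter is active (not visible here), a stale file would misreport the sandbox's protection, so I would tolerate only ENOENT: `if (unlink(RUN_SECCOMP_MDWX) == -1 && errno != ENOENT) fwarning("cannot remove %s\n", RUN_SECCOMP_MDWX);`. In the "clean unused filters" block `rv` is declared only under `__LP64__` or `__ILP32__`, so `(void) rv;` will not compile on a toolchain that defines neither; one declaration ahead of the `#if` avoids that. sandbox() starts and ends outside these hunks.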
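--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -153,12 +153,6 @@ int sbox_run(unsigned filter, int num, ...) {
 for (i = 3; i < max; i++)
 close(i); // close open files
 
-if (arg_debug) {
-printf("sbox file descriptors:\n");
-int rv = system("ls -l /proc/self/fd");
-(void) rv;
-}
-
 umask(027);
 
 // apply filters
@@ -215,12 +209,5 @@ int sbox_run(unsigned filter, int num, ...) {
 exit(1);
 }
 
-#if 0
-printf("** sbox run out *********************************\n");
-system("ls -l /run/firejail/mnt\n");
-system("ls -l /proc/self/fd");
-printf("** sbox run out *********************************\n");
-#endif
-
 return status;
 }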
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index effbf3751..742fc0465 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -29,8 +29,6 @@ static char *usage_str = | |||
29 | "Options:\n" | 29 | "Options:\n" |
30 | " -- - signal the end of options and disables further option processing.\n" | 30 | " -- - signal the end of options and disables further option processing.\n" |
31 | " --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n" | 31 | " --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n" |
32 | " --allow-private-blacklist - allow blacklisting files in private\n" | ||
33 | "\thome directories.\n" | ||
34 | " --allusers - all user home directories are visible inside the sandbox.\n" | 32 | " --allusers - all user home directories are visible inside the sandbox.\n" |
35 | " --apparmor - enable AppArmor confinement.\n" | 33 | " --apparmor - enable AppArmor confinement.\n" |
36 | " --apparmor.print=name|pid - print apparmor status.\n" | 34 | " --apparmor.print=name|pid - print apparmor status.\n" |
@@ -58,11 +56,9 @@ static char *usage_str = | |||
58 | #endif | 56 | #endif |
59 | " --cpu=cpu-number,cpu-number - set cpu affinity.\n" | 57 | " --cpu=cpu-number,cpu-number - set cpu affinity.\n" |
60 | " --cpu.print=name|pid - print the cpus in use.\n" | 58 | " --cpu.print=name|pid - print the cpus in use.\n" |
61 | " --csh - use /bin/csh as default shell.\n" | ||
62 | " --debug - print sandbox debug messages.\n" | 59 | " --debug - print sandbox debug messages.\n" |
63 | " --debug-blacklists - debug blacklisting.\n" | 60 | " --debug-blacklists - debug blacklisting.\n" |
64 | " --debug-caps - print all recognized capabilities.\n" | 61 | " --debug-caps - print all recognized capabilities.\n" |
65 | " --debug-check-filename - debug filename checking.\n" | ||
66 | " --debug-errnos - print all recognized error numbers.\n" | 62 | " --debug-errnos - print all recognized error numbers.\n" |
67 | " --debug-private-lib - debug for --private-lib option.\n" | 63 | " --debug-private-lib - debug for --private-lib option.\n" |
68 | " --debug-protocols - print all recognized protocols.\n" | 64 | " --debug-protocols - print all recognized protocols.\n" |
@@ -77,7 +73,9 @@ static char *usage_str = | |||
77 | " --dns.print=name|pid - print DNS configuration.\n" | 73 | " --dns.print=name|pid - print DNS configuration.\n" |
78 | " --env=name=value - set environment variable.\n" | 74 | " --env=name=value - set environment variable.\n" |
79 | " --fs.print=name|pid - print the filesystem log.\n" | 75 | " --fs.print=name|pid - print the filesystem log.\n" |
76 | #ifdef HAVE_FILE_TRANSFER | ||
80 | " --get=name|pid filename - get a file from sandbox container.\n" | 77 | " --get=name|pid filename - get a file from sandbox container.\n" |
78 | #endif | ||
81 | " --help, -? - this help screen.\n" | 79 | " --help, -? - this help screen.\n" |
82 | " --hostname=name - set sandbox hostname.\n" | 80 | " --hostname=name - set sandbox hostname.\n" |
83 | " --hosts-file=file - use file as /etc/hosts.\n" | 81 | " --hosts-file=file - use file as /etc/hosts.\n" |
@@ -97,7 +95,9 @@ static char *usage_str = | |||
97 | #endif | 95 | #endif |
98 | " --join-or-start=name|pid - join the sandbox or start a new one.\n" | 96 | " --join-or-start=name|pid - join the sandbox or start a new one.\n" |
99 | " --list - list all sandboxes.\n" | 97 | " --list - list all sandboxes.\n" |
98 | #ifdef HAVE_FILE_TRANSFER | ||
100 | " --ls=name|pid dir_or_filename - list files in sandbox container.\n" | 99 | " --ls=name|pid dir_or_filename - list files in sandbox container.\n" |
100 | #endif | ||
101 | #ifdef HAVE_NETWORK | 101 | #ifdef HAVE_NETWORK |
102 | " --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n" | 102 | " --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n" |
103 | #endif | 103 | #endif |
@@ -159,13 +159,16 @@ static char *usage_str = | |||
159 | "\tfilesystem, and copy the files and directories in the list.\n" | 159 | "\tfilesystem, and copy the files and directories in the list.\n" |
160 | " --private-tmp - mount a tmpfs on top of /tmp directory.\n" | 160 | " --private-tmp - mount a tmpfs on top of /tmp directory.\n" |
161 | " --private-opt=file,directory - build a new /opt in a temporary filesystem.\n" | 161 | " --private-opt=file,directory - build a new /opt in a temporary filesystem.\n" |
162 | " --private-srv=file,directory - build a new /srv in a temporary filesystem.\n" | ||
162 | " --profile=filename - use a custom profile.\n" | 163 | " --profile=filename - use a custom profile.\n" |
163 | " --profile.print=name|pid - print the name of profile file.\n" | 164 | " --profile.print=name|pid - print the name of profile file.\n" |
164 | " --profile-path=directory - use this directory to look for profile files.\n" | 165 | " --profile-path=directory - use this directory to look for profile files.\n" |
165 | " --protocol=protocol,protocol,protocol - enable protocol filter.\n" | 166 | " --protocol=protocol,protocol,protocol - enable protocol filter.\n" |
166 | " --protocol.print=name|pid - print the protocol filter.\n" | 167 | " --protocol.print=name|pid - print the protocol filter.\n" |
168 | #ifdef HAVE_FILE_TRANSFER | ||
167 | " --put=name|pid src-filename dest-filename - put a file in sandbox\n" | 169 | " --put=name|pid src-filename dest-filename - put a file in sandbox\n" |
168 | "\tcontainer.\n" | 170 | "\tcontainer.\n" |
171 | #endif | ||
169 | " --quiet - turn off Firejail's output.\n" | 172 | " --quiet - turn off Firejail's output.\n" |
170 | " --read-only=filename - set directory or file read-only..\n" | 173 | " --read-only=filename - set directory or file read-only..\n" |
171 | " --read-write=filename - set directory or file read-write.\n" | 174 | " --read-write=filename - set directory or file read-write.\n" |
@@ -230,7 +233,6 @@ static char *usage_str = | |||
230 | " --x11=xvfb - enable Xvfb X11 server.\n" | 233 | " --x11=xvfb - enable Xvfb X11 server.\n" |
231 | " --xephyr-screen=WIDTHxHEIGHT - set screen size for --x11=xephyr.\n" | 234 | " --xephyr-screen=WIDTHxHEIGHT - set screen size for --x11=xephyr.\n" |
232 | #endif | 235 | #endif |
233 | " --zsh - use /usr/bin/zsh as default shell.\n" | ||
234 | "\n" | 236 | "\n" |
235 | "Examples:\n" | 237 | "Examples:\n" |
236 | " $ firejail firefox\n" | 238 | " $ firejail firefox\n" |
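Review bot: The help text still lists `--profile-path=directory - use this directory to look for profile files.` although this commit deletes the `--profile-path=` branch from main() in src/firejail/main.c, which until now only printed a deprecation warning. That entry should be removed in the same way as the `--allow-private-blacklist`, `--csh`, `--zsh` and `--debug-check-filename` lines dropped here. Separately, the `--get`, `--ls` and `--put` lines are now wrapped in `#ifdef HAVE_FILE_TRANSFER`; it is worth confirming that the option parser guards those options with the same macro, which is not visible in this section.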
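--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -800,9 +800,6 @@ void invalid_filename(const char *fname, int globbing) {
 assert(fname);
 const char *ptr = fname;
 
-if (arg_debug_check_filename)
-printf("Checking filename %s\n", fname);
-
 if (strncmp(ptr, "${HOME}", 7) == 0)
 ptr = fname + 7;
 else if (strncmp(ptr, "${PATH}", 7) == 0)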
diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 3903b4709..7040dea18 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c | |||
@@ -347,12 +347,6 @@ void x11_start_xvfb(int argc, char **argv) { | |||
347 | } | 347 | } |
348 | free(fname); | 348 | free(fname); |
349 | 349 | ||
350 | if (arg_debug) { | ||
351 | printf("X11 sockets: "); fflush(0); | ||
352 | int rv = system("ls /tmp/.X11-unix"); | ||
353 | (void) rv; | ||
354 | } | ||
355 | |||
356 | assert(display_str); | 350 | assert(display_str); |
357 | setenv("DISPLAY", display_str, 1); | 351 | setenv("DISPLAY", display_str, 1); |
358 | // run attach command | 352 | // run attach command |
@@ -582,12 +576,6 @@ void x11_start_xephyr(int argc, char **argv) { | |||
582 | } | 576 | } |
583 | free(fname); | 577 | free(fname); |
584 | 578 | ||
585 | if (arg_debug) { | ||
586 | printf("X11 sockets: "); fflush(0); | ||
587 | int rv = system("ls /tmp/.X11-unix"); | ||
588 | (void) rv; | ||
589 | } | ||
590 | |||
591 | assert(display_str); | 579 | assert(display_str); |
592 | setenv("DISPLAY", display_str, 1); | 580 | setenv("DISPLAY", display_str, 1); |
593 | // run attach command | 581 | // run attach command |
@@ -755,12 +743,6 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) { | |||
755 | } | 743 | } |
756 | free(fname); | 744 | free(fname); |
757 | 745 | ||
758 | if (arg_debug) { | ||
759 | printf("X11 sockets: "); fflush(0); | ||
760 | int rv = system("ls /tmp/.X11-unix"); | ||
761 | (void) rv; | ||
762 | } | ||
763 | |||
764 | // build attach command | 746 | // build attach command |
765 | char *attach_argv[] = { "xpra", "--title=\"firejail x11 sandbox\"", "attach", display_str, NULL }; | 747 | char *attach_argv[] = { "xpra", "--title=\"firejail x11 sandbox\"", "attach", display_str, NULL }; |
766 | 748 | ||
diff --git a/src/firemon/usage.c b/src/firemon/usage.c index 37bd4e874..a4d642d66 100644 --- a/src/firemon/usage.c +++ b/src/firemon/usage.c | |||
@@ -43,6 +43,7 @@ static char *help_str = | |||
43 | "\t--tree - print a tree of all sandboxed processes.\n\n" | 43 | "\t--tree - print a tree of all sandboxed processes.\n\n" |
44 | "\t--top - monitor the most CPU-intensive sandboxes.\n\n" | 44 | "\t--top - monitor the most CPU-intensive sandboxes.\n\n" |
45 | "\t--version - print program version and exit.\n\n" | 45 | "\t--version - print program version and exit.\n\n" |
46 | "\t--x11 - print X11 display number.\n\n" | ||
46 | 47 | ||
47 | "Without any options, firemon monitors all fork, exec, id change, and exit\n" | 48 | "Without any options, firemon monitors all fork, exec, id change, and exit\n" |
48 | "events in the sandbox. Monitoring a specific PID is also supported.\n\n" | 49 | "events in the sandbox. Monitoring a specific PID is also supported.\n\n" |
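--- a/src/lib/firejail_user.c
+++ b/src/lib/firejail_user.c
@@ -45,6 +45,12 @@ int firejail_user_check(const char *name) {
 if (strcmp(name, "root") == 0)
 return 1;
 
+// user nobody disabled by default
+if (strcmp(name, "nobody") == 0) {
+fprintf(stderr, "Error: user nobody is not allowed to run the sandbox\n");
+exit(1);
+}
+
 // check file existence
 char *fname = get_fname();
 if (access(fname, F_OK)) {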
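Review bot: The comment says `nobody` is disabled "by default", but the check calls `exit(1)` before firejail.users is even looked up, so no entry in that file can allow the account; the man page change in src/man/firejail-users.txt uses the same wording. Either reword both (`// user nobody is always denied, regardless of firejail.users`) or move the test after the file lookup so that an explicit entry wins. The match is also on the account name alone, so an unprivileged account that goes by a different name is not covered; comparing the uid would be stricter, if the caller has it available. firejail_user_check() continues outside the hunk.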
diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.txt index fcc0f914b..ec91e495c 100644 --- a/src/man/firejail-users.txt +++ b/src/man/firejail-users.txt | |||
@@ -5,7 +5,7 @@ firejail.users \- Firejail user access database | |||
5 | .SH DESCRIPTION | 5 | .SH DESCRIPTION |
6 | /etc/firejail/firejail.users lists the users allowed to run firejail SUID executable. | 6 | /etc/firejail/firejail.users lists the users allowed to run firejail SUID executable. |
7 | If the file is not present in the system, all users are allowed to use the sandbox. | 7 | If the file is not present in the system, all users are allowed to use the sandbox. |
8 | root user is allowed by default. | 8 | root user is allowed by default, user nobody is denied access by default. |
9 | 9 | ||
10 | Example: | 10 | Example: |
11 | 11 | ||
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 6e8e4eb2c..2e410061d 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -314,15 +314,6 @@ $ firejail \-\-list | |||
314 | $ firejail \-\-cpu.print=3272 | 314 | $ firejail \-\-cpu.print=3272 |
315 | 315 | ||
316 | .TP | 316 | .TP |
317 | \fB\-\-csh | ||
318 | Use /bin/csh as default user shell. | ||
319 | .br | ||
320 | |||
321 | .br | ||
322 | Example: | ||
323 | .br | ||
324 | $ firejail \-\-csh | ||
325 | .TP | ||
326 | \fB\-\-debug\fR | 317 | \fB\-\-debug\fR |
327 | Print debug messages. | 318 | Print debug messages. |
328 | .br | 319 | .br |
@@ -351,15 +342,6 @@ Print all recognized capabilities in the current Firejail software build and exi | |||
351 | Example: | 342 | Example: |
352 | .br | 343 | .br |
353 | $ firejail \-\-debug-caps | 344 | $ firejail \-\-debug-caps |
354 | .TP | ||
355 | \fB\-\-debug-check-filename\fR | ||
356 | Debug filename checking. | ||
357 | .br | ||
358 | |||
359 | .br | ||
360 | Example: | ||
361 | .br | ||
362 | $ firejail \-\-debug-check-filename firefox | ||
363 | 345 | ||
364 | .TP | 346 | .TP |
365 | \fB\-\-debug-errnos | 347 | \fB\-\-debug-errnos |
@@ -1949,8 +1931,7 @@ $ firejail \-\-shell=none script.sh | |||
1949 | \fB\-\-shell=program | 1931 | \fB\-\-shell=program |
1950 | Set default user shell. Use this shell to run the application using \-c shell option. | 1932 | Set default user shell. Use this shell to run the application using \-c shell option. |
1951 | For example "firejail \-\-shell=/bin/dash firefox" will start Mozilla Firefox as "/bin/dash \-c firefox". | 1933 | For example "firejail \-\-shell=/bin/dash firefox" will start Mozilla Firefox as "/bin/dash \-c firefox". |
1952 | By default Bash shell (/bin/bash) is used. Options such as \-\-zsh and \-\-csh can also set the default | 1934 | By default Bash shell (/bin/bash) is used. |
1953 | shell. | ||
1954 | .br | 1935 | .br |
1955 | 1936 | ||
1956 | .br | 1937 | .br |
@@ -2324,16 +2305,6 @@ Example: | |||
2324 | $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 firefox | 2305 | $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 firefox |
2325 | .br | 2306 | .br |
2326 | 2307 | ||
2327 | .TP | ||
2328 | \fB\-\-zsh | ||
2329 | Use /usr/bin/zsh as default user shell. | ||
2330 | .br | ||
2331 | |||
2332 | .br | ||
2333 | Example: | ||
2334 | .br | ||
2335 | $ firejail \-\-zsh | ||
2336 | |||
2337 | .SH DESKTOP INTEGRATION | 2308 | .SH DESKTOP INTEGRATION |
2338 | A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox. | 2309 | A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox. |
2339 | The symbolic link should be placed in the first $PATH position. On most systems, a good place | 2310 | The symbolic link should be placed in the first $PATH position. On most systems, a good place |
diff --git a/test/appimage/appimage-args.exp b/test/appimage/appimage-args.exp index dcf16452f..0ec07c1ad 100755 --- a/test/appimage/appimage-args.exp +++ b/test/appimage/appimage-args.exp | |||
@@ -56,7 +56,7 @@ expect { | |||
56 | sleep 2 | 56 | sleep 2 |
57 | 57 | ||
58 | spawn $env(SHELL) | 58 | spawn $env(SHELL) |
59 | send -- "firemon --seccomp\r" | 59 | send -- "firemon --seccomp --nowrap\r" |
60 | expect { | 60 | expect { |
61 | timeout {puts "TESTING ERROR 8\n";exit} | 61 | timeout {puts "TESTING ERROR 8\n";exit} |
62 | "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} | 62 | "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} |
@@ -71,7 +71,7 @@ expect { | |||
71 | "name=blablabla" | 71 | "name=blablabla" |
72 | } | 72 | } |
73 | after 100 | 73 | after 100 |
74 | send -- "firemon --caps\r" | 74 | send -- "firemon --caps --nowrap\r" |
75 | expect { | 75 | expect { |
76 | timeout {puts "TESTING ERROR 11\n";exit} | 76 | timeout {puts "TESTING ERROR 11\n";exit} |
77 | "appimage Leafpad" | 77 | "appimage Leafpad" |
diff --git a/test/appimage/appimage-v1.exp b/test/appimage/appimage-v1.exp index 073c32dab..90b13b9ff 100755 --- a/test/appimage/appimage-v1.exp +++ b/test/appimage/appimage-v1.exp | |||
@@ -44,7 +44,7 @@ expect { | |||
44 | sleep 2 | 44 | sleep 2 |
45 | 45 | ||
46 | spawn $env(SHELL) | 46 | spawn $env(SHELL) |
47 | send -- "firemon --seccomp\r" | 47 | send -- "firemon --seccomp --nowrap\r" |
48 | expect { | 48 | expect { |
49 | timeout {puts "TESTING ERROR 5\n";exit} | 49 | timeout {puts "TESTING ERROR 5\n";exit} |
50 | "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} | 50 | "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} |
@@ -59,7 +59,7 @@ expect { | |||
59 | "name=blablabla" | 59 | "name=blablabla" |
60 | } | 60 | } |
61 | after 100 | 61 | after 100 |
62 | send -- "firemon --caps\r" | 62 | send -- "firemon --caps --nowrap\r" |
63 | expect { | 63 | expect { |
64 | timeout {puts "TESTING ERROR 6\n";exit} | 64 | timeout {puts "TESTING ERROR 6\n";exit} |
65 | "appimage Leafpad" | 65 | "appimage Leafpad" |
diff --git a/test/environment/allow-debuggers.exp b/test/environment/allow-debuggers.exp index 359f94db1..f92ec5ddf 100755 --- a/test/environment/allow-debuggers.exp +++ b/test/environment/allow-debuggers.exp | |||
@@ -5,36 +5,27 @@ cd /home | |||
5 | spawn $env(SHELL) | 5 | spawn $env(SHELL) |
6 | match_max 100000 | 6 | match_max 100000 |
7 | 7 | ||
8 | send -- "firejail --profile=/etc/firejail/firefox.profile --allow-debuggers strace ls\r" | 8 | send -- "firejail --allow-debuggers\r" |
9 | expect { | 9 | expect { |
10 | timeout {puts "TESTING ERROR 0\n";exit} | 10 | timeout {puts "TESTING ERROR 0\n";exit} |
11 | "Child process initialized" { puts "\n"} | 11 | "Child process initialized" { puts "\n"} |
12 | "is disabled on Linux kernels prior to 4.8" { puts "TESTING SKIP: kernel too old\n"; exit } | 12 | "is disabled on Linux kernels prior to 4.8" { puts "TESTING SKIP: kernel too old\n"; exit } |
13 | } | 13 | } |
14 | expect { | ||
15 | timeout {puts "TESTING ERROR 1\n";exit} | ||
16 | "ioctl" | ||
17 | } | ||
18 | expect { | ||
19 | timeout {puts "TESTING ERROR 2\n";exit} | ||
20 | "exit_group" | ||
21 | } | ||
22 | after 100 | 14 | after 100 |
23 | 15 | ||
24 | send -- "firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace ls\r" | 16 | send -- "strace ls\r" |
25 | expect { | ||
26 | timeout {puts "TESTING ERROR 3\n";exit} | ||
27 | "Child process initialized" | ||
28 | } | ||
29 | expect { | 17 | expect { |
30 | timeout {puts "TESTING ERROR 4\n";exit} | 18 | timeout {puts "TESTING ERROR 1\n";exit} |
31 | "ioctl" | 19 | "open" |
32 | } | 20 | } |
33 | expect { | 21 | expect { |
34 | timeout {puts "TESTING ERROR 5\n";exit} | 22 | timeout {puts "TESTING ERROR 2\n";exit} |
35 | "exit_group" | 23 | "exit_group" |
36 | } | 24 | } |
37 | after 100 | 25 | after 100 |
26 | send -- "exit\r" | ||
27 | sleep 1 | ||
28 | |||
38 | 29 | ||
39 | 30 | ||
40 | puts "\nall done\n" | 31 | puts "\nall done\n" |
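Review bot: The rewritten test no longer runs `--allow-debuggers` together with a profile: both old invocations passed `--profile=/etc/firejail/firefox.profile`, once in each argument order, and the new one starts a plain `firejail --allow-debuggers` shell. That drops coverage of how the option interacts with a profile's own filter settings, which is presumably where a regression would show up. I would keep one profile-based case next to the new one, e.g. `send -- "firejail --profile=/etc/firejail/firefox.profile --allow-debuggers\r"`. The `"open"` pattern is also loose, since it is satisfied by any output line containing that substring.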
diff --git a/test/environment/csh.exp b/test/environment/csh.exp index 10a278ebc..7b5ab9b33 100755 --- a/test/environment/csh.exp +++ b/test/environment/csh.exp | |||
@@ -1,49 +1,31 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2018 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | 2 | ||
6 | set timeout 10 | 3 | set timeout 10 |
4 | cd /home | ||
7 | spawn $env(SHELL) | 5 | spawn $env(SHELL) |
8 | match_max 100000 | 6 | match_max 100000 |
9 | 7 | ||
10 | send -- "firejail --private --tracelog --csh\r" | 8 | send -- "firejail --private --shell=/bin/csh\r" |
11 | expect { | 9 | expect { |
12 | timeout {puts "TESTING ERROR 0\n";exit} | 10 | timeout {puts "TESTING ERROR 0\n";exit} |
13 | "Child process initialized" | 11 | "Child process initialized" |
14 | } | 12 | } |
15 | sleep 1 | 13 | sleep 1 |
16 | 14 | ||
17 | send -- "find ~\r" | 15 | send -- "env | grep SHELL;pwd\r" |
18 | expect { | 16 | expect { |
19 | timeout {puts "TESTING ERROR 1\n";exit} | 17 | timeout {puts "TESTING ERROR 1\n";exit} |
20 | ".cshrc" | 18 | "SHELL" |
21 | } | ||
22 | |||
23 | send -- "env | grep SHELL\r" | ||
24 | expect { | ||
25 | timeout {puts "TESTING ERROR 2\n";exit} | ||
26 | "SHELL" | ||
27 | } | 19 | } |
28 | expect { | 20 | expect { |
29 | timeout {puts "TESTING ERROR 2.1\n";exit} | 21 | timeout {puts "TESTING ERROR 2\n";exit} |
30 | "/bin/csh" | 22 | "/bin/csh" |
31 | } | 23 | } |
32 | send -- "exit\r" | ||
33 | sleep 1 | ||
34 | |||
35 | send -- "firejail --shell=none --csh\r" | ||
36 | expect { | 24 | expect { |
37 | timeout {puts "TESTING ERROR 3\n";exit} | 25 | timeout {puts "TESTING ERROR 3\n";exit} |
38 | "shell=none was already specified" | 26 | "home" |
39 | } | ||
40 | after 100 | ||
41 | |||
42 | send -- "firejail --csh --shell=none\r" | ||
43 | expect { | ||
44 | timeout {puts "TESTING ERROR 4\n";exit} | ||
45 | "a shell was already specified" | ||
46 | } | 27 | } |
28 | send -- "exit\r" | ||
47 | after 100 | 29 | after 100 |
48 | 30 | ||
49 | puts "\n" | 31 | puts "\nall done\n" |
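Review bot: The three-line project header (`# This file is part of Firejail project`, the copyright line and `# License GPL v2`) is removed from this script, and from test/environment/zsh.exp in the same way, while the new test/filters/seccomp-postexec.exp in this commit carries it; it should stay in both. The cases that checked the `--shell=none` conflict messages are deleted together with `--csh`, so whether `--shell=none` combined with `--shell=/bin/csh` still reports the conflict is no longer tested here. The final `"home"` pattern after `pwd` is satisfied by any output containing that word, so it says little about the working directory inside the sandbox.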
diff --git a/test/environment/environment.sh b/test/environment/environment.sh index b6688d484..364a4b65b 100755 --- a/test/environment/environment.sh +++ b/test/environment/environment.sh | |||
@@ -68,9 +68,6 @@ fi | |||
68 | echo "TESTING: firejail in firejail - single sandbox (test/environment/firejail-in-firejail.exp)" | 68 | echo "TESTING: firejail in firejail - single sandbox (test/environment/firejail-in-firejail.exp)" |
69 | ./firejail-in-firejail.exp | 69 | ./firejail-in-firejail.exp |
70 | 70 | ||
71 | echo "TESTING: firejail in firejail - force new sandbox (test/environment/firejail-in-firejail2.exp)" | ||
72 | ./firejail-in-firejail2.exp | ||
73 | |||
74 | which aplay | 71 | which aplay |
75 | if [ "$?" -eq 0 ]; | 72 | if [ "$?" -eq 0 ]; |
76 | then | 73 | then |
diff --git a/test/environment/firejail-in-firejail2.exp b/test/environment/firejail-in-firejail2.exp deleted file mode 100755 index 6528e45cd..000000000 --- a/test/environment/firejail-in-firejail2.exp +++ /dev/null | |||
@@ -1,51 +0,0 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2018 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "firejail --noprofile\r" | ||
11 | expect { | ||
12 | timeout {puts "TESTING ERROR 1\n";exit} | ||
13 | "Child process initialized" | ||
14 | } | ||
15 | sleep 1 | ||
16 | |||
17 | send -- "firejail\r" | ||
18 | expect { | ||
19 | timeout {puts "TESTING ERROR 2\n";exit} | ||
20 | "Warning: an existing sandbox was detected" | ||
21 | } | ||
22 | after 100 | ||
23 | |||
24 | send -- "exit\r" | ||
25 | after 100 | ||
26 | |||
27 | send -- "firejail --force\r" | ||
28 | expect { | ||
29 | timeout {puts "TESTING ERROR 3\n";exit} | ||
30 | "Child process initialized" | ||
31 | } | ||
32 | after 100 | ||
33 | |||
34 | send -- "exit\r" | ||
35 | after 100 | ||
36 | |||
37 | send -- "firejail --version\r" | ||
38 | expect { | ||
39 | timeout {puts "TESTING ERROR 4\n";exit} | ||
40 | "firejail version" | ||
41 | } | ||
42 | after 100 | ||
43 | |||
44 | send -- "firejail --version --force\r" | ||
45 | expect { | ||
46 | timeout {puts "TESTING ERROR 5\n";exit} | ||
47 | "firejail version" | ||
48 | } | ||
49 | after 100 | ||
50 | |||
51 | puts "\nall done\n" | ||
diff --git a/test/environment/zsh.exp b/test/environment/zsh.exp index e7f610e98..a1b94a326 100755 --- a/test/environment/zsh.exp +++ b/test/environment/zsh.exp | |||
@@ -1,49 +1,31 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2018 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | 2 | ||
6 | set timeout 10 | 3 | set timeout 10 |
4 | cd /home | ||
7 | spawn $env(SHELL) | 5 | spawn $env(SHELL) |
8 | match_max 100000 | 6 | match_max 100000 |
9 | 7 | ||
10 | send -- "firejail --private --tracelog --zsh\r" | 8 | send -- "firejail --private --shell=/bin/zsh\r" |
11 | expect { | 9 | expect { |
12 | timeout {puts "TESTING ERROR 0\n";exit} | 10 | timeout {puts "TESTING ERROR 0\n";exit} |
13 | "Child process initialized" | 11 | "Child process initialized" |
14 | } | 12 | } |
15 | sleep 1 | 13 | sleep 1 |
16 | 14 | ||
17 | send -- "find ~\r" | ||
18 | expect { | ||
19 | timeout {puts "TESTING ERROR 1\n";exit} | ||
20 | ".zshrc" | ||
21 | } | ||
22 | |||
23 | send -- "env | grep SHELL;pwd\r" | 15 | send -- "env | grep SHELL;pwd\r" |
24 | expect { | 16 | expect { |
25 | timeout {puts "TESTING ERROR 2\n";exit} | 17 | timeout {puts "TESTING ERROR 1\n";exit} |
26 | "SHELL" | 18 | "SHELL" |
27 | } | 19 | } |
28 | expect { | 20 | expect { |
29 | timeout {puts "TESTING ERROR 2.1\n";exit} | 21 | timeout {puts "TESTING ERROR 2\n";exit} |
30 | "/bin/zsh" | 22 | "/bin/zsh" |
31 | } | 23 | } |
32 | send -- "exit\r" | ||
33 | sleep 1 | ||
34 | |||
35 | send -- "firejail --shell=none --zsh\r" | ||
36 | expect { | 24 | expect { |
37 | timeout {puts "TESTING ERROR 3\n";exit} | 25 | timeout {puts "TESTING ERROR 3\n";exit} |
38 | "shell=none was already specified" | 26 | "home" |
39 | } | ||
40 | after 100 | ||
41 | |||
42 | send -- "firejail --zsh --shell=none\r" | ||
43 | expect { | ||
44 | timeout {puts "TESTING ERROR 4\n";exit} | ||
45 | "a shell was already specified" | ||
46 | } | 27 | } |
28 | send -- "exit\r" | ||
47 | after 100 | 29 | after 100 |
48 | 30 | ||
49 | puts "\nall done\n" | 31 | puts "\nall done\n" |
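--- a/test/filters/filters.sh
+++ b/test/filters/filters.sh
@@ -28,6 +28,12 @@ fi
 echo "TESTING: debug options (test/filters/debug.exp)"
 ./debug.exp
 
+echo "TESTING: seccomp run files (test/filters/seccomp-run-files.exp)"
+./seccomp-run-files.exp
+
+echo "TESTING: seccomp postexec (test/filters/seccomp-postexec.exp)"
+./seccomp-postexec.exp
+
 echo "TESTING: noroot (test/filters/noroot.exp)"
 ./noroot.exp
 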
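--- /dev/null
+++ b/test/filters/seccomp-postexec.exp
@@ -0,0 +1,33 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2018 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --debug --seccomp=execve\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"configuring postexec seccomp filter in"
+}
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"data.architecture"
+}
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"monitoring pid"
+}
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"Sandbox monitor: waitpid"
+}
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"Parent is shutting down"
+}
+sleep 1
+
+puts "all done\n"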
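Review bot: Every assertion in this new test matches a `--debug` log string, and nothing is run inside the sandbox to show the `--seccomp=execve` filter taking effect. A regression that still prints these messages but installs no postexec filter would therefore pass. Either add a step whose outcome depends on the filter being enforced, or state the limit at the top of the file, for example `# Checks the debug-log sequence for the postexec seccomp filter only; enforcement is not exercised here.` The timeout branches also call `exit` with no status, so a failure is visible only through the "TESTING ERROR" text, which appears to be the suite's existing convention.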
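--- /dev/null
+++ b/test/filters/seccomp-run-files.exp
@@ -0,0 +1,98 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2018 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --debug\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"/run/firejail/mnt/seccomp seccomp filter"
+}
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"/run/firejail/mnt/seccomp.32 seccomp filter"
+}
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"/run/firejail/mnt/seccomp.protocol seccomp filter"
+}
+after 100
+send -- "ls -l /run/firejail/mnt | grep seccomp | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"4"
+}
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --ignore=seccomp --debug\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"/run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 5\n";exit}
+"/run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 6\n";exit}
+"/run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 7\n";exit}
+"/run/firejail/mnt/seccomp.protocol seccomp filter"
+}
+after 100
+send -- "ls -l /run/firejail/mnt | grep seccomp | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 8\n";exit}
+"1"
+}
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --ignore=protocol --debug\r"
+expect {
+timeout {puts "TESTING ERROR 9\n";exit}
+"/run/firejail/mnt/seccomp seccomp filter"
+}
+expect {
+timeout {puts "TESTING ERROR 10\n";exit}
+"/run/firejail/mnt/seccomp.32 seccomp filter"
+}
+expect {
+timeout {puts "TESTING ERROR 11\n";exit}
+"/run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 12\n";exit}
+"monitoring"
+}
+after 100
+send -- "ls -l /run/firejail/mnt | grep seccomp | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 13\n";exit}
+"3"
+}
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --memory-deny-write-execute --debug\r"
+expect {
+timeout {puts "TESTING ERROR 14\n";exit}
+"/run/firejail/mnt/seccomp.mdwx seccomp filter"
+}
+expect {
+timeout {puts "TESTING ERROR 15\n";exit}
+"/run/firejail/mnt/seccomp seccomp filter"
+}
+expect {
+timeout {puts "TESTING ERROR 16\n";exit}
+"/run/firejail/mnt/seccomp.32 seccomp filter"
+}
+expect {
+timeout {puts "TESTING ERROR 17\n";exit}
+"/run/firejail/mnt/seccomp.protocol seccomp filter"
+}
+after 100
+send -- "ls -l /run/firejail/mnt | grep seccomp | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 18\n";exit}
+"5"
+}
+send -- "exit\r"
+sleep 1
+
+puts "all done\n"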
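Review bot: The file-count checks at script lines 27, 44, 67 and 93 match a bare digit (`"4"`, `"1"`, `"3"`, `"5"`), and expect patterns are unanchored. Any occurrence of that digit in the `--debug` output still in the buffer would satisfy them, and that output probably contains pids or timings. As written, these steps can pass when the number of seccomp files under /run/firejail/mnt is wrong, which is the property they are meant to pin. Anchoring the match to a whole output line, for example `-re {[\r\n]4[\r\n]}`, would make the count meaningful. Waiting for `"Child process initialized"` before sending the `ls` command, as the other tests in this commit do, would also help.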
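--- a/test/fnetfilter/default.exp
+++ b/test/fnetfilter/default.exp
@@ -31,7 +31,7 @@ after 100
 send -- "fnetfilter test1.net,33\r"
 expect {
 timeout {puts "TESTING ERROR 4\n";exit}
-"invalid destination file in netfilter command"
+"cannot open test1.net,33"
 }
 after 100
 send -- "rm outfile\r"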
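--- a/test/fnetfilter/template.exp
+++ b/test/fnetfilter/template.exp
@@ -66,7 +66,7 @@ after 100
 send -- "fnetfilter test2.net,icmp-type,destination-unreachable,time-exceeded,echo-request\r"
 expect {
 timeout {puts "TESTING ERROR 12\n";exit}
-"invalid destination file in netfilter command"
+"cannot open test2.net,"
 }
 after 100
 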
diff --git a/test/root/private.exp b/test/root/private.exp index 784761fc8..e3d3245ae 100755 --- a/test/root/private.exp +++ b/test/root/private.exp | |||
@@ -54,6 +54,21 @@ expect { | |||
54 | after 100 | 54 | after 100 |
55 | send -- "exit\r" | 55 | send -- "exit\r" |
56 | sleep 1 | 56 | sleep 1 |
57 | send -- "firejail --whitelist=/opt/firejail-test-file --whitelist=/opt/firejail-test-dir --debug\r" | ||
58 | expect { | ||
59 | timeout {puts "TESTING ERROR 3.1\n";exit} | ||
60 | "Child process initialized" | ||
61 | } | ||
62 | sleep 1 | ||
63 | |||
64 | send -- "find /opt | wc -l\r" | ||
65 | expect { | ||
66 | timeout {puts "TESTING ERROR 4.1\n";exit} | ||
67 | "4" | ||
68 | } | ||
69 | after 100 | ||
70 | send -- "exit\r" | ||
71 | sleep 1 | ||
57 | 72 | ||
58 | 73 | ||
59 | send -- "touch /srv/firejail-test-file\r" | 74 | send -- "touch /srv/firejail-test-file\r" |
@@ -77,14 +92,20 @@ expect { | |||
77 | after 100 | 92 | after 100 |
78 | send -- "exit\r" | 93 | send -- "exit\r" |
79 | sleep 1 | 94 | sleep 1 |
95 | send -- "firejail --whitelist=/srv/firejail-test-file --whitelist=/srv/firejail-test-dir --debug\r" | ||
96 | expect { | ||
97 | timeout {puts "TESTING ERROR 5.1\n";exit} | ||
98 | "Child process initialized" | ||
99 | } | ||
100 | sleep 1 | ||
80 | 101 | ||
81 | 102 | send -- "find /srv | wc -l\r" | |
82 | 103 | expect { | |
83 | 104 | timeout {puts "TESTING ERROR 6.1\n";exit} | |
84 | 105 | "4" | |
85 | 106 | } | |
86 | 107 | after 100 | |
87 | 108 | send -- "exit\r" | |
88 | 109 | sleep 1 | |
89 | 110 | ||
90 | puts "\nall done\n" | 111 | puts "\nall done\n" |