126 files changed, 2793 insertions, 37 deletions
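--- a/.gitignore
+++ b/.gitignore
@@ -25,6 +25,7 @@ src/fnet/fnet
 src/fseccomp/fseccomp
 src/fcopy/fcopy
 src/fldd/fldd
+src/fbuilder/fbuilder
 uids.h
 seccomp
 seccomp.debug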
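--- a/Makefile.in
+++ b/Makefile.in
@@ -1,6 +1,6 @@
 all: apps man filters
 MYLIBS = src/lib
-APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fcopy src/fldd src/libpostexecseccomp
+APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp
 MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5
 SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.64 seccomp.block_secondary seccomp.mdwx
 
@@ -99,6 +99,7 @@ endif
 install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/.
 install -c -m 0755 src/fcopy/fcopy $(DESTDIR)/$(libdir)/firejail/.
 install -c -m 0755 src/fldd/fldd $(DESTDIR)/$(libdir)/firejail/.
+install -c -m 0755 src/fbuilder/fbuilder $(DESTDIR)/$(libdir)/firejail/.
 ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
 install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/.
 install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/.
@@ -169,6 +170,7 @@ install-strip: all
 strip src/fseccomp/fseccomp
 strip src/fcopy/fcopy
 strip src/fldd/fldd
+strip src/fbuilder/fbuilder
 $(MAKE) realinstall
 
 uninstall: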
@@ -112,6 +112,10 @@ creideiki (https://github.com/creideiki) | |||
112 | - make the sandbox process reap all children | 112 | - make the sandbox process reap all children |
113 | chiraag-nataraj (https://github.com/chiraag-nataraj) | 113 | chiraag-nataraj (https://github.com/chiraag-nataraj) |
114 | - support for newer Xpra versions (2.1+) | 114 | - support for newer Xpra versions (2.1+) |
115 | - added Viber, amule, ardour5, brackets, calligra, cin, fetchmail profiles | ||
116 | - added freecad, google-earth, imagej, kdenlive, linphone, lmms profiles | ||
117 | - added macrofusion, mpd, natron, ricochet, shotcut, tor-browser-en profiles | ||
118 | - added tor, x-terminal-emulator, zart profiles | ||
115 | Christian Stadelmann (https://github.com/genodeftest) | 119 | Christian Stadelmann (https://github.com/genodeftest) |
116 | - profile fixes | 120 | - profile fixes |
117 | - evolution profile fix | 121 | - evolution profile fix |
@@ -241,12 +245,15 @@ Impyy (https://github.com/Impyy) | |||
241 | - added mumble profile | 245 | - added mumble profile |
242 | irregulator (https://github.com/irregulator) | 246 | irregulator (https://github.com/irregulator) |
243 | - thunderbird profile fixes for debian stretch | 247 | - thunderbird profile fixes for debian stretch |
248 | Irvine (https://github.com/Irvinehimself) | ||
249 | - added conky profile | ||
244 | Ivan Kozik (https://github.com/ivan) | 250 | Ivan Kozik (https://github.com/ivan) |
245 | - speed up sandbox exit | 251 | - speed up sandbox exit |
246 | Jaykishan Mutkawoa (https://github.com/jmutkawoa) | 252 | Jaykishan Mutkawoa (https://github.com/jmutkawoa) |
247 | - cpio profile | 253 | - cpio profile |
248 | James Elford (https://github.com/jelford) | 254 | James Elford (https://github.com/jelford) |
249 | - pass password manager support | 255 | - pass password manager support |
256 | - removed shell none from ssh-agent configuration, fixing the infinit loop | ||
250 | Jericho (https://github.com/attritionorg) | 257 | Jericho (https://github.com/attritionorg) |
251 | - spelling | 258 | - spelling |
252 | Jesse Smith (https://github.com/slicer69) | 259 | Jesse Smith (https://github.com/slicer69) |
@@ -306,6 +313,8 @@ Mattias Wadman (https://github.com/wader) | |||
306 | - seccomp errno filter support | 313 | - seccomp errno filter support |
307 | Matthew Gyurgyik (https://github.com/pyther) | 314 | Matthew Gyurgyik (https://github.com/pyther) |
308 | - rpm spec and several fixes | 315 | - rpm spec and several fixes |
316 | melvinvermeeren (https://github.com/melvinvermeeren) | ||
317 | - added teamspeak3 profile | ||
309 | Michael Haas (https://github.com/mhaas) | 318 | Michael Haas (https://github.com/mhaas) |
310 | - bugfixes | 319 | - bugfixes |
311 | Mike Frysinger (vapier@gentoo.org) | 320 | Mike Frysinger (vapier@gentoo.org) |
@@ -319,6 +328,8 @@ n1trux (https://github.com/n1trux) | |||
319 | netblue30 (netblue30@yahoo.com) | 328 | netblue30 (netblue30@yahoo.com) |
320 | Niklas Haas (https://github.com/haasn) | 329 | Niklas Haas (https://github.com/haasn) |
321 | - blacklisting for keybase.io's client | 330 | - blacklisting for keybase.io's client |
331 | nyancat18 (https://github.com/nyancat18) | ||
332 | - added ardour4, dooble, karbon, krita profiles | ||
322 | Ondra Nekola (https://github.com/satai) | 333 | Ondra Nekola (https://github.com/satai) |
323 | - allow firefox theming with non-global themes | 334 | - allow firefox theming with non-global themes |
324 | Panzerfather (https://github.com/Panzerfather) | 335 | Panzerfather (https://github.com/Panzerfather) |
@@ -416,6 +427,7 @@ smithsohu (https://github.com/smitsohu) | |||
416 | - enhance mutt, goobox, baloo and clementine profiles | 427 | - enhance mutt, goobox, baloo and clementine profiles |
417 | soredake (https://github.com/soredake) | 428 | soredake (https://github.com/soredake) |
418 | - fix steam startup with >=llvm-4 | 429 | - fix steam startup with >=llvm-4 |
430 | - fix handling of STEAM_RUNTIME_PREFER_HOST_LIBRARIES in steam profile | ||
419 | SpotComms (https://github.com/SpotComms) | 431 | SpotComms (https://github.com/SpotComms) |
420 | - added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5 profiles | 432 | - added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5 profiles |
421 | - added PDFSam, Pithos, and Xonotic profiles | 433 | - added PDFSam, Pithos, and Xonotic profiles |
@@ -507,6 +519,8 @@ Topi Miettinen (https://github.com/topimiettinen) | |||
507 | - seccomp default list update | 519 | - seccomp default list update |
508 | - improve loading of seccomp filter and memory-deny-write-execute feature | 520 | - improve loading of seccomp filter and memory-deny-write-execute feature |
509 | - private-lib feature | 521 | - private-lib feature |
522 | user1024 (user1024@tut.by) | ||
523 | - electron profile whitelisting | ||
510 | valoq (https://github.com/valoq) | 524 | valoq (https://github.com/valoq) |
511 | - lots of profile fixes | 525 | - lots of profile fixes |
512 | - added support for /srv in --whitelist feature | 526 | - added support for /srv in --whitelist feature |
@@ -98,6 +98,70 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir | |||
98 | ````` | 98 | ````` |
99 | # Current development version: 0.9.51 | 99 | # Current development version: 0.9.51 |
100 | 100 | ||
101 | ## Whitelisting /var | ||
102 | |||
103 | Add "include /etc/firejail/whitelist-var-common.inc" to an application profile and test it. If it's working, | ||
104 | send a pull request. I did it so far for some more common applications like Firefox, Chromium etc. | ||
105 | |||
106 | ## Profile build tool | ||
107 | ````` | ||
108 | $ firejail --build appname | ||
109 | ````` | ||
110 | The command builds a whitelisted profile. If /usr/bin/strace is installed on the system, it also | ||
111 | builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox, | ||
112 | with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported | ||
113 | in order to allow strace to run. Chromium and Chromium-based browsers will not work. | ||
114 | |||
115 | Example: | ||
116 | ````` | ||
117 | $ firejail --build /usr/bin/vlc ~/Videos/test.mp4 | ||
118 | |||
119 | [...] | ||
120 | |||
121 | ############################################ | ||
122 | # /usr/bin/vlc profile | ||
123 | ############################################ | ||
124 | # Persistent global definitions | ||
125 | # include /etc/firejail/globals.local | ||
126 | |||
127 | ### basic blacklisting | ||
128 | include /etc/firejail/disable-common.inc | ||
129 | # include /etc/firejail/disable-devel.inc | ||
130 | include /etc/firejail/disable-passwdmgr.inc | ||
131 | # include /etc/firejail/disable-programs.inc | ||
132 | |||
133 | ### home directory whitelisting | ||
134 | whitelist ~/Videos | ||
135 | whitelist ~/.local/share/vlc | ||
136 | whitelist ~/.config/vlc | ||
137 | include /etc/firejail/whitelist-common.inc | ||
138 | |||
139 | ### filesystem | ||
140 | private-tmp | ||
141 | private-dev | ||
142 | private-etc vdpau_wrapper.cfg,udev,drirc,fonts,xdg,gtk-3.0,machine-id,selinux, | ||
143 | whitelist /var/lib/menu-xdg | ||
144 | # private-bin vlc, | ||
145 | |||
146 | ### security filters | ||
147 | caps.drop all | ||
148 | nonewprivs | ||
149 | seccomp | ||
150 | # seccomp.keep futex,poll,rt_sigtimedwait,ioctl,fdatasync,read,writev,sendmsg,sendto,write,recvmsg,mmap,mprotect,getpid,stat,clock_nanosleep,munmap,close,access,lseek,fcntl,open,fstat,lstat,brk,rt_sigaction,rt_sigprocmask,rt_sigreturn,madvise,shmget,shmat,shmctl,alarm,socket,connect,recvfrom,shutdown,getsockname,getpeername,setsockopt,getsockopt,clone,execve,uname,shmdt,flock,ftruncate,getdents,rename,mkdir,unlink,readlink,chmod,getrlimit,sysinfo,getuid,getgid,geteuid,getegid,getresuid,getresgid,statfs,fstatfs,prctl,arch_prctl,sched_getaffinity,set_tid_address,fadvise64,clock_getres,tgkill,set_robust_list,eventfd2,dup3,pipe2,getrandom,memfd_create | ||
151 | # 76 syscalls total | ||
152 | # Probably you will need to add more syscalls to seccomp.keep. Look for | ||
153 | # seccomp errors in /var/log/syslog or /var/log/audit/audit.log while | ||
154 | # running your sandbox. | ||
155 | |||
156 | ### network | ||
157 | protocol unix,netlink, | ||
158 | net none | ||
159 | |||
160 | ### environment | ||
161 | shell none | ||
162 | $ | ||
163 | ````` | ||
164 | |||
101 | ## New command line options | 165 | ## New command line options |
102 | ````` | 166 | ````` |
103 | --writable-run-user | 167 | --writable-run-user |
@@ -107,3 +171,13 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir | |||
107 | Example: | 171 | Example: |
108 | $ sudo firejail --writable-run-user | 172 | $ sudo firejail --writable-run-user |
109 | ````` | 173 | ````` |
174 | |||
175 | ## New profiles: | ||
176 | |||
177 | terasology, surf, rocketchat, clamscan, clamdscan, clamdtop, freshclam, xmr-stak-cpu, | ||
178 | amule, ardour4, ardour5, brackets, calligra, calligraauthor, calligraconverter, | ||
179 | calligraflow, calligraplan, calligraplanwork, calligrasheets, calligrastage, | ||
180 | calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd, google-earth, | ||
181 | imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion, mpd, natron, Natron, | ||
182 | ricochet, shotcut, teamspeak3, tor, tor-browser-en, Viber, x-terminal-emulator, zart, | ||
183 | conky | ||
@@ -1,6 +1,7 @@ | |||
1 | firejail (0.9.51) baseline; urgency=low | 1 | firejail (0.9.51) baseline; urgency=low |
2 | * work in progress! | 2 | * work in progress! |
3 | * feature: --writable-run-user | 3 | * feature: --writable-run-user |
4 | * feature: profile build tool (--build) | ||
4 | -- netblue30 <netblue30@yahoo.com> Thu, 14 Sep 2017 20:00:00 -0500 | 5 | -- netblue30 <netblue30@yahoo.com> Thu, 14 Sep 2017 20:00:00 -0500 |
5 | 6 | ||
6 | firejail (0.9.50~rc1) baseline; urgency=low | 7 | firejail (0.9.50~rc1) baseline; urgency=low |
@@ -3823,7 +3823,7 @@ if test "$prefix" = /usr; then | |||
3823 | sysconfdir="/etc" | 3823 | sysconfdir="/etc" |
3824 | fi | 3824 | fi |
3825 | 3825 | ||
3826 | ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile" | 3826 | ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile" |
3827 | 3827 | ||
3828 | cat >confcache <<\_ACEOF | 3828 | cat >confcache <<\_ACEOF |
3829 | # This file is a shell script that caches the results of configure | 3829 | # This file is a shell script that caches the results of configure |
@@ -4541,6 +4541,7 @@ do | |||
4541 | "src/libtrace/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtrace/Makefile" ;; | 4541 | "src/libtrace/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtrace/Makefile" ;; |
4542 | "src/libtracelog/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtracelog/Makefile" ;; | 4542 | "src/libtracelog/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtracelog/Makefile" ;; |
4543 | "src/firecfg/Makefile") CONFIG_FILES="$CONFIG_FILES src/firecfg/Makefile" ;; | 4543 | "src/firecfg/Makefile") CONFIG_FILES="$CONFIG_FILES src/firecfg/Makefile" ;; |
4544 | "src/fbuilder/Makefile") CONFIG_FILES="$CONFIG_FILES src/fbuilder/Makefile" ;; | ||
4544 | "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;; | 4545 | "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;; |
4545 | "src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;; | 4546 | "src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;; |
4546 | "src/fseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/fseccomp/Makefile" ;; | 4547 | "src/fseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/fseccomp/Makefile" ;; |
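--- a/configure.ac
+++ b/configure.ac
@@ -176,7 +176,7 @@ if test "$prefix" = /usr; then
 fi
 
 AC_OUTPUT(Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile \
-src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile \
+src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile \
 src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile)
 
 echo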
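--- a/etc/2048-qt.profile
+++ b/etc/2048-qt.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd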
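--- /dev/null
+++ b/etc/Natron.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for natron
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/natron.profile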
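--- /dev/null
+++ b/etc/Viber.profile
@@ -0,0 +1,38 @@
+# Firejail profile for Viber
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/Viber.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.ViberPC
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.ViberPC
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin sh,bash,dash,dig,awk,Viber
+private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf
+private-tmp
+
+noexec ${HOME}
+noexec /tmp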
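Review bot: Viber.profile is the only new application profile in this commit without `private-dev` (amule, ardour5, brackets, calligra, cin and clamav all set it), so the sandbox keeps the host's full /dev tree. If that is intentional because Viber needs a device node outside the private-dev set (a camera or an extra audio device, for instance), a one-line comment such as `# private-dev omitted: Viber needs <device>` above `disable-mnt` at line 32 would record it for the next reader; otherwise `private-dev` belongs next to `private-tmp`. The shells listed in `private-bin` at line 33 alongside `shell none` would likewise benefit from a short note on which Viber component invokes them.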
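--- a/etc/akregator.profile
+++ b/etc/akregator.profile
@@ -13,6 +13,12 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+mkfile ${HOME}/.config/akregatorrc
+mkdir ${HOME}/.local/share/akregator
+whitelist ${HOME}/.config/akregatorrc
+whitelist ${HOME}/.local/share/akregator
+include /etc/firejail/whitelist-common.inc
+
 caps.drop all
 netfilter
 no3d
@@ -27,6 +33,7 @@ seccomp
 shell none
 
 disable-mnt
+private-bin akregator,akregatorstorageexporter,dbus-launch,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper
 private-dev
 private-tmp
 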
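--- a/etc/amarok.profile
+++ b/etc/amarok.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nogroups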
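--- /dev/null
+++ b/etc/amule.profile
@@ -0,0 +1,40 @@
+# Firejail profile for amule
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/amule.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.aMule
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.aMule
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin amule
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp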
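--- /dev/null
+++ b/etc/ardour4.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for ardour5
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/ardour5.profile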
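--- /dev/null
+++ b/etc/ardour5.profile
@@ -0,0 +1,37 @@
+# Firejail profile for ardour5
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/ardour5.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.config/ardour4
+noblacklist ${HOME}/.config/ardour5
+noblacklist ${HOME}/.lv2
+noblacklist ${HOME}/.vst
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix
+seccomp
+shell none
+
+#private-bin sh,ardour4,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm
+private-dev
+#private-etc pulse,X11,alternatives,ardour4,ardour5,fonts
+private-tmp
+
+noexec ${HOME}
+noexec /tmp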
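Review bot: Lines 31 and 33 carry fully written `private-bin` and `private-etc` directives that are commented out with no explanation, so a reader cannot tell whether they were tried and broke Ardour or were simply never tested, and the profile silently runs with the whole of /bin and /etc visible. Either record the reason on the line, e.g. `#private-bin ... # disabled: <what broke>`, or drop the two lines until they are known to work. The same applies to `#private-bin cin` at line 27 of cin.profile.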
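--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 notv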
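--- /dev/null
+++ b/etc/brackets.profile
@@ -0,0 +1,29 @@
+# Firejail profile for brackets
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/brackets.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/Brackets
+noblacklist /opt/brackets/
+noblacklist /opt/google/
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev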
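Review bot: brackets.profile stops at `private-dev` and sets neither `noexec ${HOME}` nor `noexec /tmp`, which amule, ardour5, calligra, cin and clamav in this same commit all set, and it has no `private-tmp` either, so the editor keeps the shared /tmp and an executable home directory. If that is deliberate (Brackets running user tooling out of the project tree, for example) a comment after line 29 saying so would keep the next cleanup from re-adding them; if not, `private-tmp`, `noexec ${HOME}` and `noexec /tmp` belong there. The `noblacklist /opt/brackets/` and `noblacklist /opt/google/` lines at 9-10 also carry a trailing slash that no other path directive in this commit uses.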
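--- a/etc/calibre.profile
+++ b/etc/calibre.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 no3d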
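--- /dev/null
+++ b/etc/calligra.profile
@@ -0,0 +1,29 @@
+# Firejail profile for calligra
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/calligra.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch
+private-dev
+
+noexec ${HOME}
+noexec /tmp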
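Review bot: calligra.profile limits sockets to `protocol unix` at line 21 but does not add `net none`, whereas ardour5, cin and clamav in this commit pair `protocol unix` with `net none` for the same no-network intent, so this sandbox still sees the host's network interfaces. If none of the nine Calligra binaries has a legitimate network use, `net none` next to `ipc-namespace` closes that gap; if one of them does (the converter fetching remote resources, say), `netfilter` with `protocol unix,inet,inet6` is the pairing the other networked profiles use, and a comment should say which it is.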
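--- /dev/null
+++ b/etc/calligraauthor.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile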
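--- /dev/null
+++ b/etc/calligraconverter.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile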
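--- /dev/null
+++ b/etc/calligraflow.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile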
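--- /dev/null
+++ b/etc/calligraplan.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile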
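--- /dev/null
+++ b/etc/calligraplanwork.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile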
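--- /dev/null
+++ b/etc/calligrasheets.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile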
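--- /dev/null
+++ b/etc/calligrastage.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile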
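--- /dev/null
+++ b/etc/calligrawords.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile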
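--- a/etc/catfish.profile
+++ b/etc/catfish.profile
@@ -8,8 +8,13 @@ include /etc/firejail/globals.local
 # We can't blacklist much since catfish
 # is for finding files/content
 noblacklist ~/.config/catfish
+include /etc/firejail/disable-common.inc
+# include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 
-include /etc/firejail/disable-devel.inc
+whitelist /var/lib/mlocate
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 net none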
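Review bot: The header comment `# We can't blacklist much since catfish` / `# is for finding files/content` at lines 8-9 now sits directly above three disable-*.inc includes that this hunk adds, so it no longer describes what the profile does; the one blacklist actually held back is disable-devel.inc, which this hunk turns into a comment at line 12 without saying why. Replace the stale header with a note next to line 12, e.g. `# disable-devel.inc is deliberately left out: <reason>`, so the next reader knows it is a choice rather than an oversight. `whitelist /var/lib/mlocate` at line 16 would also read better with a word on what catfish needs from it, since it is the only /var path opened beyond whitelist-var-common.inc.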
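--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -23,6 +23,7 @@ whitelist ~/.config/chromium
 whitelist ~/.config/chromium-flags.conf
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.keep sys_chroot,sys_admin
 netfilter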
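--- /dev/null
+++ b/etc/cin.profile
@@ -0,0 +1,31 @@
+# Firejail profile for cin
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/cin.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.bcast5
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+notv
+noroot
+protocol unix
+seccomp
+shell none
+
+#private-bin cin
+private-dev
+
+noexec ${HOME}
+noexec /tmp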
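--- /dev/null
+++ b/etc/clamav.profile
@@ -0,0 +1,32 @@
+# Firejail profile for clamav
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include /etc/firejail/clamav.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-dev
+read-only ${HOME}
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp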
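Review bot: etc/clamav.profile pulls in none of the disable-*.inc files, unlike every other new profile in this commit, so the scanner keeps read access to the whole home directory; the omission looks deliberate (a scanner has to read what it scans) with `read-only ${HOME}` and `noexec ${HOME}` as the compensating controls, but nothing in the file says so. A comment such as `# no disable-*.inc on purpose: the scanner must read all of ${HOME}; writes are blocked by read-only ${HOME}` would stop the next reader from "fixing" it. Presumably `read-only ${HOME}` also blocks clamscan's own writes into the home directory (a log file or quarantine location chosen there), which is worth stating for users of the clamscan/clamdscan/clamdtop aliases. If ClamAV's bytecode JIT is enabled on the target systems, `memory-deny-write-execute` should be confirmed against a real scan before release.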
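--- /dev/null
+++ b/etc/clamdscan.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for clamav
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/clamav.profile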
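--- /dev/null
+++ b/etc/clamdtop.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for clamav
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/clamav.profile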
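--- /dev/null
+++ b/etc/clamscan.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for clamav
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/clamav.profile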
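--- /dev/null
+++ b/etc/conky.profile
@@ -0,0 +1,35 @@
+# Firejail profile for conky
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/conky.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp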
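--- a/etc/darktable.profile
+++ b/etc/darktable.profile
@@ -26,6 +26,7 @@ protocol unix,inet,inet6
 seccomp
 shell none
 
+#private-bin darktable
 private-dev
 private-tmp
 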
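--- a/etc/dia.profile
+++ b/etc/dia.profile
@@ -27,6 +27,7 @@ seccomp
 shell none
 
 disable-mnt
+#private-bin dia
 private-dev
 private-tmp
 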
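--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -14,6 +14,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd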
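--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -2,13 +2,15 @@
 # Persistent customizations should go in a .local file.
 include /etc/firejail/disable-common.local
 
-# History files in $HOME
+# History files and clipboard managers in $HOME
 blacklist-nolog ${HOME}/.*_history
 blacklist-nolog ${HOME}/.adobe
 blacklist-nolog ${HOME}/.bash_history
 blacklist-nolog ${HOME}/.history
 blacklist-nolog ${HOME}/.local/share/fish/fish_history
 blacklist-nolog ${HOME}/.macromedia
+blacklist-nolog /tmp/clipmenu*
+blacklist-nolog ${HOME}/.cache/greenclip*
 
 # X11 session autostart
 # blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs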
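--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -17,8 +17,10 @@ blacklist ${HOME}/.Steam
 blacklist ${HOME}/.Steampath
 blacklist ${HOME}/.Steampid
 blacklist ${HOME}/.TelegramDesktop
+blacklist ${HOME}/.ViberPC
 blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/.Wolfram Research
+blacklist ${HOME}/.aMule
 blacklist ${HOME}/.android
 blacklist ${HOME}/.arduino15
 blacklist ${HOME}/.atom
@@ -35,6 +37,7 @@ blacklist ${HOME}/.config/Brackets
 blacklist ${HOME}/.config/Clementine
 blacklist ${HOME}/.config/Cryptocat
 blacklist ${HOME}/.config/Franz
+blacklist ${HOME}/.config/FreeCAD
 blacklist ${HOME}/.config/Gitter
 blacklist ${HOME}/.config/Google
 blacklist ${HOME}/.config/Gpredict
@@ -51,6 +54,7 @@ blacklist ${HOME}/.config/Qlipper
 blacklist ${HOME}/.config/QuiteRss
 blacklist ${HOME}/.config/QuiteRssrc
 blacklist ${HOME}/.config/Riot
+blacklist ${HOME}/.config/Rocket.Chat
 blacklist ${HOME}/.config/Slack
 blacklist ${HOME}/.config/Thunar
 blacklist ${HOME}/.config/VirtualBox
@@ -123,6 +127,7 @@ blacklist ${HOME}/.config/lximage-qt
 blacklist ${HOME}/.config/mate-calc
 blacklist ${HOME}/.config/mate/eom
 blacklist ${HOME}/.config/mate/mate-dictionary
+blacklist ${HOME}/.config/mfusion
 blacklist ${HOME}/.config/midori
 blacklist ${HOME}/.config/mpv
 blacklist ${HOME}/.config/mupen64plus
@@ -187,6 +192,7 @@ blacklist ${HOME}/.conkeror.mozdev.org
 blacklist ${HOME}/.curlrc
 blacklist ${HOME}/.dia
 blacklist ${HOME}/.dillo
+blacklist ${HOME}/.dooble
 blacklist ${HOME}/.dosbox
 blacklist ${HOME}/.dropbox-dist
 blacklist ${HOME}/.electrum*
@@ -211,6 +217,7 @@ blacklist ${HOME}/.guayadeque
 blacklist ${HOME}/.hedgewars
 blacklist ${HOME}/.hugin
 blacklist ${HOME}/.icedove
+blacklist ${HOME}/.imagej
 blacklist ${HOME}/.inkscape
 blacklist ${HOME}/.java
 blacklist ${HOME}/.jitsi
@@ -318,6 +325,7 @@ blacklist ${HOME}/.local/share/spotify
 blacklist ${HOME}/.local/share/steam
 blacklist ${HOME}/.local/share/supertux2
 blacklist ${HOME}/.local/share/telepathy
+blacklist ${HOME}/.local/share/terasology
 blacklist ${HOME}/.local/share/torbrowser
 blacklist ${HOME}/.local/share/totem
 blacklist ${HOME}/.local/share/vpltd
@@ -360,6 +368,7 @@ blacklist ${HOME}/.steampath
 blacklist ${HOME}/.steampid
 blacklist ${HOME}/.stellarium
 blacklist ${HOME}/.subversion
+blacklist ${HOME}/.surf
 blacklist ${HOME}/.sword
 blacklist ${HOME}/.sylpheed-2.0
 blacklist ${HOME}/.synfig
@@ -407,6 +416,7 @@ blacklist ${HOME}/.cache/google-chrome
 blacklist ${HOME}/.cache/google-chrome-beta
 blacklist ${HOME}/.cache/google-chrome-unstable
 blacklist ${HOME}/.cache/icedove
+blacklist ${HOME}/.cache/INRIA/Natron
 blacklist ${HOME}/.cache/inox
 blacklist ${HOME}/.cache/libgweather
 blacklist ${HOME}/.cache/midori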
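--- /dev/null
+++ b/etc/dooble-qt4.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for dooble
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/dooble.profile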
diff --git a/smtube.profile b/etc/dooble.profile index 2694dd5b0..2a57b0ef3 100644 --- a/smtube.profile +++ b/etc/dooble.profile | |||
@@ -1,35 +1,37 @@ | |||
1 | # Firejail profile for smtube | 1 | # Firejail profile for dooble |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include /etc/firejail/smtube.local | 4 | include /etc/firejail/dooble-qt4.local |
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | noblacklist ${HOME}/.config/smplayer | 8 | |
9 | noblacklist ${HOME}/.config/smtube | 9 | noblacklist ${HOME}/.dooble |
10 | noblacklist ${HOME}/.config/mpv | ||
11 | noblacklist ${HOME}/.mplayer | ||
12 | noblacklist ${HOME}/.config/vlc | ||
13 | noblacklist ${HOME}/.local/share/vlc | ||
14 | 10 | ||
15 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
16 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
17 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
18 | include /etc/firejail/disable-programs.inc | 14 | include /etc/firejail/disable-programs.inc |
19 | 15 | ||
16 | mkdir ${HOME}/.dooble | ||
17 | whitelist ${DOWNLOADS} | ||
18 | whitelist ${HOME}/.dooble | ||
19 | include /etc/firejail/whitelist-common.inc | ||
20 | |||
20 | caps.drop all | 21 | caps.drop all |
21 | netfilter | 22 | netfilter |
22 | nodvd | 23 | nodvd |
23 | notv | ||
24 | novideo | ||
25 | nogroups | 24 | nogroups |
26 | nonewprivs | 25 | nonewprivs |
27 | noroot | 26 | noroot |
27 | notv | ||
28 | novideo | ||
28 | protocol unix,inet,inet6,netlink | 29 | protocol unix,inet,inet6,netlink |
29 | seccomp | 30 | seccomp |
30 | shell none | 31 | shell none |
32 | tracelog | ||
31 | 33 | ||
32 | #no private-bin because users can add their own players to smtube and that would prevent that | 34 | disable-mnt |
33 | private-dev | 35 | private-dev |
34 | private-tmp | 36 | private-tmp |
35 | 37 | ||
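Review bot: Line 4 of the new etc/dooble.profile includes `/etc/firejail/dooble-qt4.local` while the header calls the profile `dooble` and every other profile in this commit includes `<profile-name>.local`; since etc/dooble-qt4.profile is only an alias that redirects here, a user's `dooble.local` is never read and customizations land in a file named after the alias. Change it to `include /etc/firejail/dooble.local`. Git records this file as a rename of the top-level smtube.profile although the content is unrelated; harmless, but it will confuse history browsing for both profiles.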
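--- a/etc/dosbox.profile
+++ b/etc/dosbox.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd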
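--- a/etc/dragon.profile
+++ b/etc/dragon.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd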
diff --git a/etc/electron.profile b/etc/electron.profile index 9b21c1bfd..91e5cd3df 100644 --- a/etc/electron.profile +++ b/etc/electron.profile | |||
@@ -5,11 +5,12 @@ include /etc/firejail/electron.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | |||
9 | include /etc/firejail/disable-common.inc | 8 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-passwdmgr.inc | 9 | include /etc/firejail/disable-passwdmgr.inc |
11 | include /etc/firejail/disable-programs.inc | 10 | include /etc/firejail/disable-programs.inc |
12 | 11 | ||
12 | whitelist ${DOWNLOADS} | ||
13 | |||
13 | caps.drop all | 14 | caps.drop all |
14 | netfilter | 15 | netfilter |
15 | nodvd | 16 | nodvd |
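Review bot: The new `whitelist ${DOWNLOADS}` is the only whitelist entry in etc/electron.profile and it is not followed by `include /etc/firejail/whitelist-common.inc`, unlike the whitelist blocks in etc/dooble.profile and etc/galculator.profile in this commit. Presumably a lone whitelist switches the home directory into whitelist mode, so any profile layered on top of electron.profile now has to whitelist its own config directory or it will see an empty home. If that is the intended contract for the base profile, record it next to the line, e.g. `# whitelist mode: derived profiles must whitelist their own config dirs`; if not, add the whitelist-common.inc include as the other profiles do.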
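--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 no3d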
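--- /dev/null
+++ b/etc/fetchmail.profile
@@ -0,0 +1,29 @@
+# Firejail profile for fetchmail
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/fetchmail.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+#private-bin fetchmail,procmail,bash,chmod
+private-dev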
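--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -59,6 +59,7 @@ whitelist ~/.wine-pipelight64
 whitelist ~/.zotero
 whitelist ~/dwhelper
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter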
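--- /dev/null
+++ b/etc/freecad.profile
@@ -0,0 +1,35 @@
+# Firejail profile for freecad
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/freecad.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.config/FreeCAD
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin freecad,freecadcmd
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp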
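--- /dev/null
+++ b/etc/freecadcmd.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for freecad
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/freecad.profile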
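--- /dev/null
+++ b/etc/freshclam.profile
@@ -0,0 +1,34 @@
+# Firejail profile for freshclam
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include /etc/firejail/clamav.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+caps.keep setgid,setuid
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-dev
+private-tmp
+writable-var
+writable-var-log
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp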
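Review bot: Line 5 of etc/freshclam.profile includes `/etc/firejail/clamav.local` under the "Persistent local customizations" header, while every other new profile in this commit includes `<profile-name>.local`; if sharing the clamav overrides with the scanner profiles is intended, say so (`# shares clamav.local with the scanner profiles on purpose`), otherwise use `include /etc/firejail/freshclam.local`. `writable-var` and `writable-var-log` open all of /var for writing to a process that keeps `setgid,setuid` and, unlike the other profiles here, has no `noroot`. Since this commit also introduces /etc/firejail/whitelist-var-common.inc built from `whitelist /var/...` entries, narrowing to the directories freshclam actually updates (presumably its database directory under /var/lib and its log) would be the tighter choice; confirm against a real update run before changing it.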
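--- a/etc/galculator.profile
+++ b/etc/galculator.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 mkdir ~/.config/galculator
 whitelist ~/.config/galculator
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 net none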
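--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 net none
 nodvd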
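--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -11,6 +11,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter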
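--- /dev/null
+++ b/etc/google-earth.profile
@@ -0,0 +1,48 @@
+# Firejail profile for google-earth
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/google-earth.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/Google
+noblacklist ${HOME}/.googleearth/Cache/
+noblacklist ${HOME}/.googleearth/Temp/
+noblacklist ${HOME}/.googleearth/myplaces.backup.kml
+noblacklist ${HOME}/.googleearth/myplaces.kml
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.config/Google
+mkdir ${HOME}/.googleearth/Cache/
+mkdir ${HOME}/.googleearth/Temp/
+mkfile ${HOME}/.googleearth/myplaces.backup.kml
+mkfile ${HOME}/.googleearth/myplaces.kml
+whitelist ${HOME}/.config/Google
+whitelist ${HOME}/.googleearth/Cache/
+whitelist ${HOME}/.googleearth/Temp/
+whitelist ${HOME}/.googleearth/myplaces.backup.kml
+whitelist ${HOME}/.googleearth/myplaces.kml
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin google-earth,sh,bash,dash,grep,sed,ls,dirname
+private-dev
+
+noexec ${HOME}
+noexec /tmp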
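Review bot: The `private-bin` line near the end of etc/google-earth.profile ships `sh`, `bash` and `dash` next to the application, which leaves a general-purpose interpreter inside the sandbox and gives back much of what `private-bin` removes; the same pattern appears in etc/imagej.profile (`bash` plus `rm`, `ln`, `touch`, `mkdir`) and etc/kdenlive.profile (`dbus-launch`, `vlc`, `xine` and the `kdeinit*`/`kshell*` helpers). Presumably the vendor launcher scripts need a shell, but nothing records which one. A comment such as `# sh/bash/dash: required by the google-earth launcher script` would let a later reviewer separate need from copy-paste, and each list could then be trimmed to the one shell the wrapper actually uses.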
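--- a/etc/gpicview.profile
+++ b/etc/gpicview.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 net none
 nodvd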
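--- a/etc/handbrake.profile
+++ b/etc/handbrake.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nogroups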
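--- a/etc/hugin.profile
+++ b/etc/hugin.profile
@@ -25,6 +25,7 @@ protocol unix
 seccomp
 shell none
 
+private-bin PTBatcherGUI,calibrate_lens_gui,hugin,hugin_stitch_project,align_image_stack,autooptimiser,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,fulla,geocpset,hugin_executor,hugin_hdrmerge,hugin_lensdb,icpfind,linefind,nona,pano_modify,pano_trafo,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,tca_correct,verdandi,vig_optimize,enblend
 private-dev
 private-tmp
 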
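--- /dev/null
+++ b/etc/imagej.profile
@@ -0,0 +1,35 @@
+# Firejail profile for imagej
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/imagej.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.imagej
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin imagej,bash,grep,sort,tail,tr,cut,whoami,hostname,uname,mkdir,ls,touch,free,awk,update-java-alternatives,basename,xprop,rm,ln
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp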
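--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd
@@ -25,6 +27,7 @@ protocol unix
 seccomp
 shell none
 
+#private-bin inkscape
 private-dev
 private-tmp
 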
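--- a/etc/k3b.profile
+++ b/etc/k3b.profile
@@ -14,6 +14,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 no3d
 nonewprivs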
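--- /dev/null
+++ b/etc/karbon.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for krita
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/krita.profile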
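--- a/etc/kate.profile
+++ b/etc/kate.profile
@@ -17,6 +17,8 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd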
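--- a/etc/kcalc.profile
+++ b/etc/kcalc.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 no3d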
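--- /dev/null
+++ b/etc/kdenlive.profile
@@ -0,0 +1,30 @@
+# Firejail profile for kdenlive
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/kdenlive.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper
+private-dev
+#private-etc fonts,alternatives,X11,pulse,passwd
+
+noexec ${HOME}
+noexec /tmp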
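Review bot: etc/kdenlive.profile sets `net none` but keeps `protocol unix,inet,inet6`, whereas the other `net none` profiles in this commit (etc/cin.profile, etc/freecad.profile, etc/imagej.profile, etc/krita.profile) pair it with `protocol unix`; with networking removed the inet entries are dead weight, and the mismatch reads like a copy from a networked profile. Use `protocol unix` unless networking is expected to be re-enabled from kdenlive.local, in which case a comment saying so would explain the wider protocol list.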
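--- /dev/null
+++ b/etc/krita.profile
@@ -0,0 +1,32 @@
+# Firejail profile for krita
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/krita.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp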
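--- a/etc/kwrite.profile
+++ b/etc/kwrite.profile
@@ -17,6 +17,8 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd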
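--- a/etc/leafpad.profile
+++ b/etc/leafpad.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 no3d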
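--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -14,6 +14,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd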
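--- /dev/null
+++ b/etc/linphone.profile
@@ -0,0 +1,41 @@
+# Firejail profile for linphone
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/linphone.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.linphone-history.db
+noblacklist ${HOME}/.linphonerc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkfile ${HOME}/.linphone-history.db
+mkfile ${HOME}/.linphonerc
+whitelist ${HOME}/.linphone-history.db
+whitelist ${HOME}/.linphonerc
+whitelist ${HOME}/Downloads
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp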
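Review bot: `whitelist ${HOME}/Downloads` on line 20 hard-codes the directory name, whereas ricochet, surf and teamspeak3 in this commit use `whitelist ${DOWNLOADS}`; on a system where XDG_DOWNLOAD_DIR is localized or relocated the hard-coded entry whitelists a path that does not exist and the real download folder stays hidden. Change it to `whitelist ${DOWNLOADS}`. Separately, `novideo` on line 31 takes the camera away from a softphone that ships video calling; if that is intentional it deserves a one-line comment, otherwise drop it.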
diff --git a/etc/lmms.profile b/etc/lmms.profile new file mode 100644 index 000000000..29ed235c6 --- /dev/null +++ b/etc/lmms.profile | |||
@@ -0,0 +1,34 @@ | |||
1 | # Firejail profile for lmms | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/lmms.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | |||
9 | noblacklist ${HOME}/.lmmsrc.xml | ||
10 | |||
11 | include /etc/firejail/disable-common.inc | ||
12 | include /etc/firejail/disable-devel.inc | ||
13 | include /etc/firejail/disable-passwdmgr.inc | ||
14 | include /etc/firejail/disable-programs.inc | ||
15 | |||
16 | caps.drop all | ||
17 | ipc-namespace | ||
18 | net none | ||
19 | no3d | ||
20 | nodvd | ||
21 | nogroups | ||
22 | nonewprivs | ||
23 | noroot | ||
24 | notv | ||
25 | novideo | ||
26 | protocol unix | ||
27 | seccomp | ||
28 | shell none | ||
29 | |||
30 | private-dev | ||
31 | private-tmp | ||
32 | |||
33 | noexec ${HOME} | ||
34 | noexec /tmp | ||
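--- a/etc/luminance-hdr.profile
+++ b/etc/luminance-hdr.profile
@@ -26,6 +26,7 @@ seccomp
 shell none
 tracelog
 
+#private-bin luminance-hdr,luminance-hdr-cli,align_image_stack
 private-dev
 private-tmp
 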
diff --git a/etc/macrofusion.profile b/etc/macrofusion.profile new file mode 100644 index 000000000..be66cf6ee --- /dev/null +++ b/etc/macrofusion.profile | |||
@@ -0,0 +1,35 @@ | |||
1 | # Firejail profile for macrofusion | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/macrofusion.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | |||
9 | noblacklist ${HOME}/.config/mfusion | ||
10 | |||
11 | include /etc/firejail/disable-common.inc | ||
12 | include /etc/firejail/disable-devel.inc | ||
13 | include /etc/firejail/disable-passwdmgr.inc | ||
14 | include /etc/firejail/disable-programs.inc | ||
15 | |||
16 | caps.drop all | ||
17 | ipc-namespace | ||
18 | net none | ||
19 | nodvd | ||
20 | nogroups | ||
21 | nonewprivs | ||
22 | noroot | ||
23 | nosound | ||
24 | notv | ||
25 | novideo | ||
26 | protocol unix | ||
27 | seccomp | ||
28 | shell none | ||
29 | |||
30 | #private-bin python3,macrofusion,env,enfuse,exiftool,align_image_stack | ||
31 | private-dev | ||
32 | private-tmp | ||
33 | |||
34 | noexec ${HOME} | ||
35 | noexec /tmp | ||
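--- a/etc/mousepad.profile
+++ b/etc/mousepad.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd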
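--- /dev/null
+++ b/etc/mpd.profile
@@ -0,0 +1,33 @@
+# Firejail profile for mpd
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/mpd.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.mpdconf
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+#private-bin mpd,bash
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp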
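Review bot: mpd is the only new profile in this commit without `nogroups`: kdenlive, krita, linphone and the others all drop supplementary groups right after `nodvd`, and a daemon that listens on the network is the one that benefits most from it. Add `nogroups` after `nodvd` on line 19 unless the target system relies on membership of the `audio` group for raw ALSA device access, in which case a one-line comment next to the omission would stop the next contributor from re-adding it. The profile also keeps the host IPC namespace; `ipc-namespace`, present in krita and lmms, costs nothing for a headless daemon.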
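--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nogroups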
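--- a/etc/musescore.profile
+++ b/etc/musescore.profile
@@ -19,6 +19,7 @@ caps.drop all
 netfilter
 no3d
 nodvd
+nogroups
 nonewprivs
 noroot
 notv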
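--- /dev/null
+++ b/etc/natron.profile
@@ -0,0 +1,33 @@
+# Firejail profile for natron
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/natron.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.Natron
+noblacklist ${HOME}/.cache/INRIA/Natron
+noblacklist ${HOME}/.config/INRIA
+noblacklist /opt/natron
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin natron,Natron,NatronRenderer
+
+noexec ${HOME}
+noexec /tmp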
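Review bot: natron is the only new profile here that mounts neither `private-dev` nor `private-tmp`, so the full host /dev (input and video nodes included) and the shared /tmp stay visible to a compositing application that needs a GPU and its project files. Add `private-dev` and `private-tmp` below `private-bin` on line 30, matching kdenlive and krita; if the OpenGL stack on the target system genuinely needs a device node that `private-dev` removes, that is the exception to document rather than the default to keep. `noblacklist /opt/natron` on line 12 would also read better with a comment saying it is the upstream tarball install location, since nothing else in the file explains why /opt is being opened.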
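--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -20,6 +20,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd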
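--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -27,3 +27,6 @@ tracelog
 private-bin pidgin
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp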
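--- /dev/null
+++ b/etc/ricochet.profile
@@ -0,0 +1,40 @@
+# Firejail profile for ricochet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/ricochet.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.local/share/Ricochet
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.local/share/Ricochet
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin ricochet,tor
+private-dev
+#private-etc fonts,tor,X11,alternatives
+
+noexec ${HOME}
+noexec /tmp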
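Review bot: `private-tmp` is missing between `private-dev` and the commented `#private-etc` on lines 36-37, even though the other privacy-sensitive profiles in this commit (linphone, teamspeak3, tor) all mount one; without it the bundled tor and ricochet share /tmp with every other host process, which is exactly the kind of side channel a Tor-based messenger should avoid. Add `private-tmp` after `private-dev`. The commented-out `#private-etc fonts,tor,X11,alternatives` is the usual firejail marker for an option that broke something; a short note on what failed would save the next person from retrying it blind.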
diff --git a/etc/riot-web.profile b/etc/riot-web.profile index c714652df..06dbbe9d9 100644 --- a/etc/riot-web.profile +++ b/etc/riot-web.profile | |||
@@ -5,9 +5,9 @@ include /etc/firejail/riot-web.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | noblacklist ~/.config/Riot | 8 | noblacklist ${HOME}/.config/Riot |
9 | 9 | ||
10 | whitelist ~/.config/Riot | 10 | whitelist ${HOME}/.config/Riot |
11 | include /etc/firejail/whitelist-common.inc | 11 | include /etc/firejail/whitelist-common.inc |
12 | 12 | ||
13 | # Redirect | 13 | # Redirect |
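--- /dev/null
+++ b/etc/rocketchat.profile
@@ -0,0 +1,14 @@
+# Firejail profile for rocketchat
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/rocketchat.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/Rocket.Chat
+
+whitelist ${HOME}/.config/Rocket.Chat
+include /etc/firejail/whitelist-common.inc
+
+# Redirect
+include /etc/firejail/electron.profile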
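--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -38,5 +38,6 @@ protocol unix
 seccomp
 tracelog
 
+#private-bin scribus,gs
 private-dev
 # private-tmp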
diff --git a/etc/shotcut.profile b/etc/shotcut.profile new file mode 100644 index 000000000..e30bc1f46 --- /dev/null +++ b/etc/shotcut.profile | |||
@@ -0,0 +1,31 @@ | |||
1 | # Firejail profile for shotcut | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/shotcut.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | |||
9 | noblacklist ${HOME}/.config/Meltytech | ||
10 | |||
11 | include /etc/firejail/disable-common.inc | ||
12 | include /etc/firejail/disable-devel.inc | ||
13 | include /etc/firejail/disable-passwdmgr.inc | ||
14 | include /etc/firejail/disable-programs.inc | ||
15 | |||
16 | caps.drop all | ||
17 | net none | ||
18 | nodvd | ||
19 | nogroups | ||
20 | nonewprivs | ||
21 | noroot | ||
22 | notv | ||
23 | protocol unix | ||
24 | seccomp | ||
25 | shell none | ||
26 | |||
27 | #private-bin shotcut,melt,qmelt,nice | ||
28 | private-dev | ||
29 | |||
30 | noexec ${HOME} | ||
31 | noexec /tmp | ||
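--- a/etc/silentarmy.profile
+++ b/etc/silentarmy.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd
@@ -28,6 +30,7 @@ disable-mnt
 private
 # private-bin silentarmy,sa-solver,python3
 private-dev
+private-opt none
 private-tmp
 
 noexec ${HOME}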
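--- a/etc/skype.profile
+++ b/etc/skype.profile
@@ -24,6 +24,7 @@ seccomp
 shell none
 
 disable-mnt
+#private-bin skype,bash
 private-dev
 private-tmp
 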
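--- a/etc/ssh-agent.profile
+++ b/etc/ssh-agent.profile
@@ -16,6 +16,7 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+shell none
 caps.drop all
 netfilter
 no3d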
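Review bot: `shell none` is inserted above `caps.drop all` on line 19, while every other profile in this commit keeps it in its alphabetical place after `seccomp` (see kdenlive, krita, linphone); moving it there keeps the file consistent with the rest of the tree. The option itself is the right call, since ssh-agent holds private key material and a wrapper shell is one more process in the sandbox that could be coerced into exposing it, so it is worth a one-line comment saying so. The `seccomp` line it should follow is outside this hunk.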
diff --git a/etc/steam.profile b/etc/steam.profile index 227162e1f..b4b9ede70 100644 --- a/etc/steam.profile +++ b/etc/steam.profile | |||
@@ -21,6 +21,8 @@ noblacklist ${HOME}/.steampath | |||
21 | noblacklist ${HOME}/.steampid | 21 | noblacklist ${HOME}/.steampid |
22 | # with >=llvm-4 mesa drivers need llvm stuff | 22 | # with >=llvm-4 mesa drivers need llvm stuff |
23 | noblacklist /usr/lib/llvm* | 23 | noblacklist /usr/lib/llvm* |
24 | # needed for STEAM_RUNTIME_PREFER_HOST_LIBRARIES=1 to work | ||
25 | noblacklist /sbin | ||
24 | 26 | ||
25 | include /etc/firejail/disable-common.inc | 27 | include /etc/firejail/disable-common.inc |
26 | include /etc/firejail/disable-devel.inc | 28 | include /etc/firejail/disable-devel.inc |
@@ -44,5 +46,5 @@ shell none | |||
44 | 46 | ||
45 | # private-dev should be commented for controllers | 47 | # private-dev should be commented for controllers |
46 | private-dev | 48 | private-dev |
47 | private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl | 49 | private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl |
48 | private-tmp | 50 | private-tmp |
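Review bot: `noblacklist /sbin` on line 25 re-exposes the whole system administration directory to a closed-source, network-facing binary, which is a larger concession than the comment on line 24 suggests: STEAM_RUNTIME_PREFER_HOST_LIBRARIES=1 presumably needs one or two specific helpers, not the directory. If the required program can be identified, un-blacklist only that path, e.g. `noblacklist /sbin/ldconfig`, and keep the directory blocked; if it cannot, at least extend the comment to name the failure being worked around so the entry can be revisited. The `ld.so.conf,ld.so.conf.d` additions to `private-etc` on line 49 belong to the same workaround and should be covered by that comment as well.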
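--- /dev/null
+++ b/etc/surf.profile
@@ -0,0 +1,35 @@
+# Firejail profile for surf
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/surf.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ~/.surf
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ~/.surf
+whitelist ${DOWNLOADS}
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin ls,surf,sh,dash,bash,curl,dmenu,printf,sed,sleep,st,stterm,xargs,xprop
+private-dev
+private-etc passwd,group,hosts,resolv.conf,fonts,ssl
+private-tmp
+
+noexec ${HOME}
+noexec /tmp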
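Review bot: `~/.surf` is un-blacklisted on line 8 and created on line 14 but never whitelisted, and once `whitelist ${DOWNLOADS}` plus whitelist-common.inc switch the home directory into whitelist mode every path not listed is hidden; surf therefore starts with an empty, non-persistent config/cookie/cache directory and the `mkdir` is wasted. Add `whitelist ~/.surf` after the `mkdir`, as teamspeak3 does for `~/.ts3client`. Two smaller points: this is the only new application profile without `include /etc/firejail/disable-passwdmgr.inc`, and the `private-etc` list relies on `ssl` alone for the CA store, which covers Debian-style /etc/ssl but not distributions that keep certificates under /etc/pki or /etc/ca-certificates — worth a comment or the extra entries if the profile is meant to be portable.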
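--- a/etc/synfigstudio.profile
+++ b/etc/synfigstudio.profile
@@ -26,6 +26,7 @@ protocol unix
 seccomp
 shell none
 
+#private-bin synfigstudio
 private-dev
 private-tmp
 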
diff --git a/etc/teamspeak3.profile b/etc/teamspeak3.profile new file mode 100644 index 000000000..86f96ba50 --- /dev/null +++ b/etc/teamspeak3.profile | |||
@@ -0,0 +1,39 @@ | |||
1 | # Firejail profile for teamspeak3 | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/teamspeak3.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | noblacklist ${HOME}/.ts3client | ||
9 | |||
10 | include /etc/firejail/disable-common.inc | ||
11 | include /etc/firejail/disable-devel.inc | ||
12 | include /etc/firejail/disable-passwdmgr.inc | ||
13 | include /etc/firejail/disable-programs.inc | ||
14 | |||
15 | mkdir ${HOME}/.ts3client | ||
16 | whitelist ${DOWNLOADS} | ||
17 | whitelist ${HOME}/.ts3client | ||
18 | include /etc/firejail/whitelist-common.inc | ||
19 | |||
20 | caps.drop all | ||
21 | ipc-namespace | ||
22 | netfilter | ||
23 | no3d | ||
24 | nodvd | ||
25 | nogroups | ||
26 | nonewprivs | ||
27 | noroot | ||
28 | notv | ||
29 | novideo | ||
30 | protocol unix,inet,inet6 | ||
31 | seccomp | ||
32 | shell none | ||
33 | |||
34 | disable-mnt | ||
35 | private-dev | ||
36 | private-tmp | ||
37 | |||
38 | noexec ${HOME} | ||
39 | noexec /tmp | ||
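--- /dev/null
+++ b/etc/terasology.profile
@@ -0,0 +1,42 @@
+# Firejail profile for terasology
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/default.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.java
+noblacklist ${HOME}/.local/share/terasology
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.java
+mkdir ${HOME}/.local/share/terasology
+whitelist ${HOME}/.java
+whitelist ${HOME}/.local/share/terasology
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,java-8-openjdk,java-7-openjdk
+private-tmp
+
+noexec ${HOME}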
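Review bot: the local-override include on line 4 reads `include /etc/firejail/default.local` instead of `include /etc/firejail/terasology.local`, so per-profile customizations for terasology are never loaded and whatever the user keeps in default.local is applied to this game by mistake; every other new profile in the commit uses its own name here. Fix it to `include /etc/firejail/terasology.local`. Lines 25-26 also combine `net none` with `netfilter`, which does nothing once there is no network interface, and line 33 still allows `inet,inet6`; either the game is meant to be offline (then drop `netfilter` and use `protocol unix`) or it needs multiplayer (then drop `net none`), and the current mix leaves the intent unclear.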
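--- /dev/null
+++ b/etc/tor-browser-en.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/torbrowser-launcher.profile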
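--- /dev/null
+++ b/etc/tor.profile
@@ -0,0 +1,47 @@
+# Firejail profile for tor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/tor.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# How to use:
+# Create a script called anything (e.g. mytor)
+# with the following contents:
+
+# #!/bin/bash
+# TORCMD="tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 1"
+# sudo -b daemon -f -d -- firejail --profile=/home/<username>/.config/firejail/tor.profile $TORCMD
+
+# You'll also likely want to disable the system service (if it exists)
+# Run mytor (or whatever you called the script above) whenever you want to start tor
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.keep setuid,setgid,net_bind_service,dac_read_search
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+writable-var
+
+disable-mnt
+private
+private-bin tor,bash
+private-dev
+private-etc tor,passwd
+private-tmp
+
+noexec ${HOME}
+noexec /tmp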
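Review bot: the usage comment on line 14 has root run firejail with `--profile=/home/<username>/.config/firejail/tor.profile`, a file owned by the unprivileged user; if that sudo invocation is ever made passwordless, the user (or anything running as that user) can rewrite the profile, drop `caps.keep`, `seccomp` and `private`, and obtain an unconfined root process — `private-bin tor,bash` is just profile text too. The profile is installed system-wide anyway, so the example should read `--profile=/etc/firejail/tor.profile`. Two narrower points: `writable-var` on line 37 re-opens all of /var read-write to a root-started daemon whose real needs are presumably its state and log directories, so a comment naming them (or `read-only` lines for the rest) would help, and `dac_read_search` in `caps.keep` on line 24 lets tor bypass read and search permission checks on any file until it drops to its service user, which deserves a note on which file could not be read without it.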
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile index 763c2d051..3b6b65bec 100644 --- a/etc/torbrowser-launcher.profile +++ b/etc/torbrowser-launcher.profile | |||
@@ -5,17 +5,20 @@ include /etc/firejail/torbrowser-launcher.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | 8 | noblacklist ~/.tor-browser-en | |
9 | noblacklist ~/.config/torbrowser | 9 | noblacklist ~/.config/torbrowser |
10 | whitelist ~/.config/torbrowser | ||
11 | noblacklist ~/.local/share/torbrowser | 10 | noblacklist ~/.local/share/torbrowser |
12 | whitelist ~/.local/share/torbrowser | ||
13 | 11 | ||
14 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
15 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
16 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
17 | include /etc/firejail/disable-programs.inc | 15 | include /etc/firejail/disable-programs.inc |
18 | 16 | ||
17 | whitelist ~/.tor-browser-en | ||
18 | whitelist ~/.config/torbrowser | ||
19 | whitelist ~/.local/share/torbrowser | ||
20 | include /etc/firejail/whitelist-common.inc | ||
21 | |||
19 | caps.drop all | 22 | caps.drop all |
20 | netfilter | 23 | netfilter |
21 | nodvd | 24 | nodvd |
@@ -29,7 +32,7 @@ seccomp | |||
29 | shell none | 32 | shell none |
30 | tracelog | 33 | tracelog |
31 | 34 | ||
32 | private-bin torbrowser-launcher,python2.7,python,bash,dash,sh,grep,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf | 35 | private-bin bash,cp,dash,dirname,env,expr,file,getconf,gpg,grep,id,ln,mkdir,python,python2.7,readlink,rm,sed,sh,tail,test,tor-browser-en,torbrowser-launcher |
33 | private-dev | 36 | private-dev |
34 | private-etc fonts | 37 | private-etc fonts |
35 | private-tmp | 38 | private-tmp |
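--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -19,6 +19,7 @@ whitelist ${DOWNLOADS}
 whitelist ~/.cache/transmission
 whitelist ~/.config/transmission
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter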
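--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -19,6 +19,7 @@ whitelist ${DOWNLOADS}
 whitelist ~/.cache/transmission
 whitelist ~/.config/transmission
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter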
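--- a/etc/tuxguitar.profile
+++ b/etc/tuxguitar.profile
@@ -17,6 +17,7 @@ caps.drop all
 netfilter
 no3d
 nodvd
+nogroups
 nonewprivs
 noroot
 notv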
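--- a/etc/virtualbox.profile
+++ b/etc/virtualbox.profile
@@ -20,7 +20,9 @@ mkdir ~/.config/VirtualBox
 mkdir ~/VirtualBox VMs
 whitelist ~/.config/VirtualBox
 whitelist ~/VirtualBox VMs
+whitelist ${DOWNLOADS}
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter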
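--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 # nogroups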
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc index ba4b91451..310149ecd 100644 --- a/etc/whitelist-common.inc +++ b/etc/whitelist-common.inc | |||
@@ -16,6 +16,7 @@ whitelist ~/.drirc | |||
16 | whitelist ~/.mime.types | 16 | whitelist ~/.mime.types |
17 | whitelist ~/.local/share/applications | 17 | whitelist ~/.local/share/applications |
18 | read-only ~/.local/share/applications | 18 | read-only ~/.local/share/applications |
19 | whitelist ~/.config/ibus | ||
19 | 20 | ||
20 | # fonts | 21 | # fonts |
21 | whitelist ~/.fonts | 22 | whitelist ~/.fonts |
@@ -34,10 +35,14 @@ whitelist ~/.gtkrc-2.0 | |||
34 | whitelist ~/.gtk-2.0 | 35 | whitelist ~/.gtk-2.0 |
35 | whitelist ~/.config/gtk-2.0 | 36 | whitelist ~/.config/gtk-2.0 |
36 | whitelist ~/.config/gtk-3.0 | 37 | whitelist ~/.config/gtk-3.0 |
38 | whitelist ~/.config/gtkrc | ||
39 | whitelist ~/.config/gtkrc-2.0 | ||
37 | whitelist ~/.themes | 40 | whitelist ~/.themes |
38 | whitelist ~/.local/share/themes | 41 | whitelist ~/.local/share/themes |
39 | whitelist ~/.kde/share/config/gtkrc | 42 | whitelist ~/.kde/share/config/gtkrc |
40 | whitelist ~/.kde/share/config/gtkrc-2.0 | 43 | whitelist ~/.kde/share/config/gtkrc-2.0 |
44 | whitelist ~/.kde4/share/config/gtkrc | ||
45 | whitelist ~/.kde4/share/config/gtkrc-2.0 | ||
41 | whitelist ~/.gnome2 | 46 | whitelist ~/.gnome2 |
42 | whitelist ~/.gnome2-private | 47 | whitelist ~/.gnome2-private |
43 | 48 | ||
@@ -50,3 +55,6 @@ whitelist ~/.config/kdeglobals | |||
50 | whitelist ~/.kde/share/config/oxygenrc | 55 | whitelist ~/.kde/share/config/oxygenrc |
51 | whitelist ~/.kde/share/config/kdeglobals | 56 | whitelist ~/.kde/share/config/kdeglobals |
52 | whitelist ~/.kde/share/icons | 57 | whitelist ~/.kde/share/icons |
58 | whitelist ~/.kde4/share/config/oxygenrc | ||
59 | whitelist ~/.kde4/share/config/kdeglobals | ||
60 | whitelist ~/.kde4/share/icons | ||
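Review bot: The new `~/.config/gtkrc`, `~/.config/gtkrc-2.0` and `~/.kde4/share/config/gtkrc*` entries (lines 38-39 and 44-45) are whitelisted read-write, whereas line 18 already shows the pattern of following a whitelist with `read-only` for a file that every desktop application consumes. GTK rc files are read by every GTK program the user starts afterwards (and, as far as I recall, can name modules to load — confirm), so a compromised sandboxed app that can write them gains a foothold outside its own sandbox. Consider pairing each with a `read-only` line, e.g. `read-only ~/.config/gtkrc-2.0`, unless a profile is known to need write access.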
diff --git a/etc/whitelist-var-common.inc b/etc/whitelist-var-common.inc new file mode 100644 index 000000000..024995f20 --- /dev/null +++ b/etc/whitelist-var-common.inc | |||
@@ -0,0 +1,11 @@ | |||
1 | # Local customizations come here | ||
2 | include /etc/firejail/whitelist-var-common.local | ||
3 | |||
4 | # common /var whitelist for all profiles | ||
5 | |||
6 | whitelist /var/lib/dbus | ||
7 | whitelist /var/lib/menu-xdg | ||
8 | whitelist /var/cache/fontconfig | ||
9 | whitelist /var/tmp | ||
10 | whitelist /var/run | ||
11 | whitelist /var/lock | ||
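Review bot: `whitelist /var/run` and `whitelist /var/lock` (lines 10-11) are broad for an include meant for "all profiles": on systems where /var/run is a symlink to /run this presumably exposes the whole /run tree, including system and per-user sockets, to every sandbox — confirm how the whitelist code resolves that symlink. `whitelist /var/tmp` (line 9) likewise keeps a shared, world-writable directory visible even in profiles that use `private-tmp`, so data can move between sandboxes through /var/tmp. If only D-Bus and a few well-known paths are needed, narrower entries such as `whitelist /var/run/dbus` keep the include least-privilege; at minimum the header comment on line 4 should state why the broad entries are required.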
diff --git a/etc/x-terminal-emulator.profile b/etc/x-terminal-emulator.profile new file mode 100644 index 000000000..1395b81c9 --- /dev/null +++ b/etc/x-terminal-emulator.profile | |||
@@ -0,0 +1,20 @@ | |||
1 | # Firejail profile for x-terminal-emulator | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/x-terminal-emulator.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | |||
9 | caps.drop all | ||
10 | ipc-namespace | ||
11 | net none | ||
12 | netfilter | ||
13 | nogroups | ||
14 | noroot | ||
15 | protocol unix | ||
16 | seccomp | ||
17 | |||
18 | private-dev | ||
19 | |||
20 | noexec /tmp | ||
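Review bot: `nonewprivs` is missing from the filter list at lines 9-16, while both other new profiles in this change (xmr-stak-cpu, zart) set it; a terminal emulator hands the user an interactive shell, so any setuid helper reachable from that shell keeps its privilege escalation path open unless `nonewprivs` is present. `netfilter` on line 12 is presumably a no-op next to `net none` on line 11, since there is no interface for the filter to attach to — confirm. Suggest inserting `nonewprivs` after `noroot` and either dropping `netfilter` or adding a comment saying why it is kept.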
diff --git a/etc/xmr-stak-cpu.profile b/etc/xmr-stak-cpu.profile new file mode 100644 index 000000000..9cc6e0c1f --- /dev/null +++ b/etc/xmr-stak-cpu.profile | |||
@@ -0,0 +1,42 @@ | |||
1 | # Firejail profile for xmr-stak-cpu | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/xmr-stak-cpu.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | |||
9 | include /etc/firejail/disable-common.inc | ||
10 | include /etc/firejail/disable-devel.inc | ||
11 | include /etc/firejail/disable-passwdmgr.inc | ||
12 | include /etc/firejail/disable-programs.inc | ||
13 | |||
14 | include /etc/firejail/whitelist-var-common.inc | ||
15 | |||
16 | caps.drop all | ||
17 | ipc-namespace | ||
18 | netfilter | ||
19 | no3d | ||
20 | nodvd | ||
21 | nogroups | ||
22 | nonewprivs | ||
23 | noroot | ||
24 | nosound | ||
25 | notv | ||
26 | novideo | ||
27 | protocol unix,inet,inet6 | ||
28 | seccomp | ||
29 | shell none | ||
30 | |||
31 | disable-mnt | ||
32 | private | ||
33 | private-bin xmr-stak-cpu | ||
34 | private-dev | ||
35 | private-etc xmr-stak-cpu.json | ||
36 | private-lib | ||
37 | private-opt none | ||
38 | private-tmp | ||
39 | |||
40 | memory-deny-write-execute | ||
41 | noexec ${HOME} | ||
42 | noexec /tmp | ||
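Review bot: `private-etc xmr-stak-cpu.json` (line 35) builds an /etc holding only the miner's config, yet lines 18 and 27 (`netfilter`, `protocol unix,inet,inet6`) show the program is expected to reach a pool over the network; with no `resolv.conf`, `hosts`, `nsswitch.conf` or TLS trust store in the list, hostname resolution and certificate validation inside the sandbox will presumably fail — confirm against a real run. Suggest e.g. `private-etc xmr-stak-cpu.json,resolv.conf,hosts,nsswitch.conf,ssl,ca-certificates`. Separately, `memory-deny-write-execute` (line 40) should be verified against this binary, since it blocks any JIT the miner may rely on.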
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile index e20fb3e99..d41591fd6 100644 --- a/etc/youtube-dl.profile +++ b/etc/youtube-dl.profile | |||
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc | |||
13 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | 14 | include /etc/firejail/disable-programs.inc |
15 | 15 | ||
16 | include /etc/firejail/whitelist-var-common.inc | ||
17 | |||
16 | caps.drop all | 18 | caps.drop all |
17 | ipc-namespace | 19 | ipc-namespace |
18 | netfilter | 20 | netfilter |
diff --git a/etc/zart.profile b/etc/zart.profile new file mode 100644 index 000000000..6e136d0c9 --- /dev/null +++ b/etc/zart.profile | |||
@@ -0,0 +1,30 @@ | |||
1 | # Firejail profile for zart | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/zart.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | |||
9 | include /etc/firejail/disable-common.inc | ||
10 | include /etc/firejail/disable-devel.inc | ||
11 | include /etc/firejail/disable-passwdmgr.inc | ||
12 | include /etc/firejail/disable-programs.inc | ||
13 | |||
14 | caps.drop all | ||
15 | ipc-namespace | ||
16 | net none | ||
17 | nodvd | ||
18 | nogroups | ||
19 | nonewprivs | ||
20 | noroot | ||
21 | notv | ||
22 | protocol unix | ||
23 | seccomp | ||
24 | shell none | ||
25 | |||
26 | private-bin zart,ffmpeg,melt,ffprobe,ffplay | ||
27 | private-dev | ||
28 | |||
29 | noexec ${HOME} | ||
30 | noexec /tmp | ||
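Review bot: Unlike xmr-stak-cpu.profile in this same change, this profile has no `private-tmp` (and no `disable-mnt`), so the sandboxed zart keeps the host's shared /tmp and any mounted media visible; `noexec /tmp` on line 30 only blocks execution, not reading or tampering with other processes' temp files. If zart only needs the X11 socket from /tmp, adding `private-tmp` after line 27 (which, as far as I recall, still exposes /tmp/.X11-unix — confirm) would tighten the profile; otherwise a comment stating why /tmp must stay shared would help the next maintainer.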
diff --git a/platform/debian/conffiles b/platform/debian/conffiles index d0e236e61..af6547f7f 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles | |||
@@ -357,3 +357,4 @@ | |||
357 | /etc/firejail/zoom.profile | 357 | /etc/firejail/zoom.profile |
358 | /etc/firejail/yandex-browser.profile | 358 | /etc/firejail/yandex-browser.profile |
359 | /etc/firejail/itch.profile | 359 | /etc/firejail/itch.profile |
360 | /etc/firejail/whitelist-var-common.inc | ||
diff --git a/src/fbuilder/Makefile.in b/src/fbuilder/Makefile.in new file mode 100644 index 000000000..dd8e2ce6e --- /dev/null +++ b/src/fbuilder/Makefile.in | |||
@@ -0,0 +1,45 @@ | |||
1 | all: fbuilder | ||
2 | |||
3 | CC=@CC@ | ||
4 | prefix=@prefix@ | ||
5 | exec_prefix=@exec_prefix@ | ||
6 | libdir=@libdir@ | ||
7 | sysconfdir=@sysconfdir@ | ||
8 | |||
9 | VERSION=@PACKAGE_VERSION@ | ||
10 | NAME=@PACKAGE_NAME@ | ||
11 | HAVE_SECCOMP_H=@HAVE_SECCOMP_H@ | ||
12 | HAVE_SECCOMP=@HAVE_SECCOMP@ | ||
13 | HAVE_CHROOT=@HAVE_CHROOT@ | ||
14 | HAVE_BIND=@HAVE_BIND@ | ||
15 | HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ | ||
16 | HAVE_NETWORK=@HAVE_NETWORK@ | ||
17 | HAVE_USERNS=@HAVE_USERNS@ | ||
18 | HAVE_X11=@HAVE_X11@ | ||
19 | HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ | ||
20 | HAVE_WHITELIST=@HAVE_WHITELIST@ | ||
21 | HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ | ||
22 | HAVE_APPARMOR=@HAVE_APPARMOR@ | ||
23 | HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ | ||
24 | HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@ | ||
25 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ | ||
26 | HAVE_GCOV=@HAVE_GCOV@ | ||
27 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ | ||
28 | |||
29 | H_FILE_LIST = $(sort $(wildcard *.[h])) | ||
30 | C_FILE_LIST = $(sort $(wildcard *.c)) | ||
31 | OBJS = $(C_FILE_LIST:.c=.o) | ||
32 | BINOBJS = $(foreach file, $(OBJS), $file) | ||
33 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security | ||
34 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread | ||
35 | |||
36 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h | ||
37 | $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ | ||
38 | |||
39 | fbuilder: $(OBJS) | ||
40 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) | ||
41 | |||
42 | clean:; rm -f *.o fbuilder *.gcov *.gcda *.gcno | ||
43 | |||
44 | distclean: clean | ||
45 | rm -fr Makefile | ||
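Review bot: `EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@` appears twice (lines 25 and 27), so whatever configure substitutes is handed to the linker twice; this looks like a copy-paste slip from another subdirectory Makefile — drop line 27. The hardening flags on lines 33-34 (`-fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie`, `-Wl,-z,relro -Wl,-z,now`) are worth keeping in sync with the rest of the tree, since fbuilder parses trace output produced by the program under analysis.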
diff --git a/src/fbuilder/build_bin.c b/src/fbuilder/build_bin.c new file mode 100644 index 000000000..7d0e2cb7c --- /dev/null +++ b/src/fbuilder/build_bin.c | |||
@@ -0,0 +1,121 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2017 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "fbuilder.h" | ||
21 | |||
22 | static FileDB *bin_out = NULL; | ||
23 | |||
24 | static void process_bin(const char *fname) { | ||
25 | assert(fname); | ||
26 | |||
27 | // process trace file | ||
28 | FILE *fp = fopen(fname, "r"); | ||
29 | if (!fp) { | ||
30 | fprintf(stderr, "Error: cannot open %s\n", fname); | ||
31 | exit(1); | ||
32 | } | ||
33 | |||
34 | char buf[MAX_BUF]; | ||
35 | while (fgets(buf, MAX_BUF, fp)) { | ||
36 | // remove \n | ||
37 | char *ptr = strchr(buf, '\n'); | ||
38 | if (ptr) | ||
39 | *ptr = '\0'; | ||
40 | |||
41 | // parse line: 4:galculator:access /etc/fonts/conf.d:0 | ||
42 | // number followed by : | ||
43 | ptr = buf; | ||
44 | if (!isdigit(*ptr)) | ||
45 | continue; | ||
46 | while (isdigit(*ptr)) | ||
47 | ptr++; | ||
48 | if (*ptr != ':') | ||
49 | continue; | ||
50 | ptr++; | ||
51 | |||
52 | // next : | ||
53 | ptr = strchr(ptr, ':'); | ||
54 | if (!ptr) | ||
55 | continue; | ||
56 | ptr++; | ||
57 | if (strncmp(ptr, "exec ", 5) == 0) | ||
58 | ptr += 5; | ||
59 | else | ||
60 | continue; | ||
61 | if (strncmp(ptr, "/bin/", 5) == 0) | ||
62 | ptr += 5; | ||
63 | else if (strncmp(ptr, "/sbin/", 6) == 0) | ||
64 | ptr += 6; | ||
65 | else if (strncmp(ptr, "/usr/bin/", 9) == 0) | ||
66 | ptr += 9; | ||
67 | else if (strncmp(ptr, "/usr/sbin/", 10) == 0) | ||
68 | ptr += 10; | ||
69 | else if (strncmp(ptr, "/usr/local/bin/", 15) == 0) | ||
70 | ptr += 15; | ||
71 | else if (strncmp(ptr, "/usr/local/sbin/", 16) == 0) | ||
72 | ptr += 16; | ||
73 | else if (strncmp(ptr, "/usr/games/", 11) == 0) | ||
74 | ptr += 12; | ||
75 | else if (strncmp(ptr, "/usr/local/games/", 17) == 0) | ||
76 | ptr += 17; | ||
77 | else | ||
78 | continue; | ||
79 | |||
80 | // end of filename | ||
81 | char *ptr2 = strchr(ptr, ':'); | ||
82 | if (!ptr2) | ||
83 | continue; | ||
84 | *ptr2 = '\0'; | ||
85 | |||
86 | bin_out = filedb_add(bin_out, ptr); | ||
87 | } | ||
88 | |||
89 | fclose(fp); | ||
90 | } | ||
91 | |||
92 | |||
93 | // process fname, fname.1, fname.2, fname.3, fname.4, fname.5 | ||
94 | void build_bin(const char *fname) { | ||
95 | assert(fname); | ||
96 | |||
97 | // run fname | ||
98 | process_bin(fname); | ||
99 | |||
100 | // run all the rest | ||
101 | struct stat s; | ||
102 | int i; | ||
103 | for (i = 1; i <= 5; i++) { | ||
104 | char *newname; | ||
105 | if (asprintf(&newname, "%s.%d", fname, i) == -1) | ||
106 | errExit("asprintf"); | ||
107 | if (stat(newname, &s) == 0) | ||
108 | process_bin(newname); | ||
109 | free(newname); | ||
110 | } | ||
111 | |||
112 | if (bin_out) { | ||
113 | printf("# private-bin "); | ||
114 | FileDB *ptr = bin_out; | ||
115 | while (ptr) { | ||
116 | printf("%s,", ptr->fname); | ||
117 | ptr = ptr->next; | ||
118 | } | ||
119 | printf("\n"); | ||
120 | } | ||
121 | } | ||
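Review bot: Off-by-one at line 74: the `/usr/games/` prefix is 11 characters (matching the `strncmp` length on line 73) but the code advances `ptr += 12`, so the first character of every binary under /usr/games is dropped from the generated `private-bin` line. Change it to `ptr += 11;`. Note also that these names come straight from the trace log of the program being profiled, so the line (already emitted commented-out on line 113) should be reviewed by a human before it is enabled.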
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c new file mode 100644 index 000000000..dcd86e069 --- /dev/null +++ b/src/fbuilder/build_fs.c | |||
@@ -0,0 +1,280 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2017 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | |||
21 | #include "fbuilder.h" | ||
22 | |||
23 | // common file processing function, using the callback for each line in the file | ||
24 | static void process_file(const char *fname, const char *dir, void (*callback)(char *)) { | ||
25 | assert(fname); | ||
26 | assert(dir); | ||
27 | assert(callback); | ||
28 | |||
29 | int dir_len = strlen(dir); | ||
30 | |||
31 | // process trace file | ||
32 | FILE *fp = fopen(fname, "r"); | ||
33 | if (!fp) { | ||
34 | fprintf(stderr, "Error: cannot open %s\n", fname); | ||
35 | exit(1); | ||
36 | } | ||
37 | |||
38 | char buf[MAX_BUF]; | ||
39 | while (fgets(buf, MAX_BUF, fp)) { | ||
40 | // remove \n | ||
41 | char *ptr = strchr(buf, '\n'); | ||
42 | if (ptr) | ||
43 | *ptr = '\0'; | ||
44 | |||
45 | // parse line: 4:galculator:access /etc/fonts/conf.d:0 | ||
46 | // number followed by : | ||
47 | ptr = buf; | ||
48 | if (!isdigit(*ptr)) | ||
49 | continue; | ||
50 | while (isdigit(*ptr)) | ||
51 | ptr++; | ||
52 | if (*ptr != ':') | ||
53 | continue; | ||
54 | ptr++; | ||
55 | |||
56 | // next : | ||
57 | ptr = strchr(ptr, ':'); | ||
58 | if (!ptr) | ||
59 | continue; | ||
60 | ptr++; | ||
61 | if (strncmp(ptr, "access ", 7) == 0) | ||
62 | ptr += 7; | ||
63 | else if (strncmp(ptr, "fopen ", 6) == 0) | ||
64 | ptr += 6; | ||
65 | else if (strncmp(ptr, "fopen64 ", 8) == 0) | ||
66 | ptr += 8; | ||
67 | else if (strncmp(ptr, "open64 ", 7) == 0) | ||
68 | ptr += 7; | ||
69 | else if (strncmp(ptr, "open ", 5) == 0) | ||
70 | ptr += 5; | ||
71 | else | ||
72 | continue; | ||
73 | if (strncmp(ptr, dir, dir_len) != 0) | ||
74 | continue; | ||
75 | |||
76 | // end of filename | ||
77 | char *ptr2 = strchr(ptr, ':'); | ||
78 | if (!ptr2) | ||
79 | continue; | ||
80 | *ptr2 = '\0'; | ||
81 | |||
82 | callback(ptr); | ||
83 | } | ||
84 | |||
85 | fclose(fp); | ||
86 | } | ||
87 | |||
88 | // process fname, fname.1, fname.2, fname.3, fname.4, fname.5 | ||
89 | static void process_files(const char *fname, const char *dir, void (*callback)(char *)) { | ||
90 | assert(fname); | ||
91 | assert(dir); | ||
92 | assert(callback); | ||
93 | |||
94 | // run fname | ||
95 | process_file(fname, dir, callback); | ||
96 | |||
97 | // run all the rest | ||
98 | struct stat s; | ||
99 | int i; | ||
100 | for (i = 1; i <= 5; i++) { | ||
101 | char *newname; | ||
102 | if (asprintf(&newname, "%s.%d", fname, i) == -1) | ||
103 | errExit("asprintf"); | ||
104 | if (stat(newname, &s) == 0) | ||
105 | process_file(newname, dir, callback); | ||
106 | free(newname); | ||
107 | } | ||
108 | } | ||
109 | |||
110 | //******************************************* | ||
111 | // etc directory | ||
112 | //******************************************* | ||
113 | static FileDB *etc_out = NULL; | ||
114 | |||
115 | static void etc_callback(char *ptr) { | ||
116 | // skip firejail directory | ||
117 | if (strncmp(ptr, "/etc/firejail", 13) == 0) | ||
118 | return; | ||
119 | |||
120 | // add only top files and directories | ||
121 | ptr += 5; // skip "/etc/" | ||
122 | char *end = strchr(ptr, '/'); | ||
123 | if (end) | ||
124 | *end = '\0'; | ||
125 | etc_out = filedb_add(etc_out, ptr); | ||
126 | } | ||
127 | |||
128 | void build_etc(const char *fname) { | ||
129 | assert(fname); | ||
130 | |||
131 | process_files(fname, "/etc", etc_callback); | ||
132 | |||
133 | printf("private-etc "); | ||
134 | if (etc_out == NULL) | ||
135 | printf("none\n"); | ||
136 | else { | ||
137 | FileDB *ptr = etc_out; | ||
138 | while (ptr) { | ||
139 | printf("%s,", ptr->fname); | ||
140 | ptr = ptr->next; | ||
141 | } | ||
142 | printf("\n"); | ||
143 | } | ||
144 | } | ||
145 | |||
146 | //******************************************* | ||
147 | // var directory | ||
148 | //******************************************* | ||
149 | static FileDB *var_out = NULL; | ||
150 | static void var_callback(char *ptr) { | ||
151 | if (strcmp(ptr, "/var/lib") == 0) | ||
152 | ; | ||
153 | else if (strcmp(ptr, "/var/cache") == 0) | ||
154 | ; | ||
155 | else if (strncmp(ptr, "/var/lib/menu-xdg", 17) == 0) | ||
156 | var_out = filedb_add(var_out, "/var/lib/menu-xdg"); | ||
157 | else if (strncmp(ptr, "/var/cache/fontconfig", 21) == 0) | ||
158 | var_out = filedb_add(var_out, "/var/cache/fontconfig"); | ||
159 | else | ||
160 | var_out = filedb_add(var_out, ptr); | ||
161 | } | ||
162 | |||
163 | void build_var(const char *fname) { | ||
164 | assert(fname); | ||
165 | |||
166 | process_files(fname, "/var", var_callback); | ||
167 | |||
168 | if (var_out == NULL) | ||
169 | printf("blacklist /var\n"); | ||
170 | else | ||
171 | filedb_print(var_out, "whitelist "); | ||
172 | } | ||
173 | |||
174 | //******************************************* | ||
175 | // tmp directory | ||
176 | //******************************************* | ||
177 | static FileDB *tmp_out = NULL; | ||
178 | static void tmp_callback(char *ptr) { | ||
179 | filedb_add(tmp_out, ptr); | ||
180 | } | ||
181 | |||
182 | void build_tmp(const char *fname) { | ||
183 | assert(fname); | ||
184 | |||
185 | process_files(fname, "/tmp", tmp_callback); | ||
186 | |||
187 | if (tmp_out == NULL) | ||
188 | printf("private-tmp\n"); | ||
189 | else { | ||
190 | printf("\n"); | ||
191 | printf("# private-tmp\n"); | ||
192 | printf("# File accessed in /tmp directory:\n"); | ||
193 | printf("# "); | ||
194 | FileDB *ptr = tmp_out; | ||
195 | while (ptr) { | ||
196 | printf("%s,", ptr->fname); | ||
197 | ptr = ptr->next; | ||
198 | } | ||
199 | printf("\n"); | ||
200 | } | ||
201 | } | ||
202 | |||
203 | //******************************************* | ||
204 | // dev directory | ||
205 | //******************************************* | ||
206 | static char *dev_skip[] = { | ||
207 | "/dev/zero", | ||
208 | "/dev/null", | ||
209 | "/dev/full", | ||
210 | "/dev/random", | ||
211 | "/dev/urandom", | ||
212 | "/dev/tty", | ||
213 | "/dev/snd", | ||
214 | "/dev/dri", | ||
215 | "/dev/pts", | ||
216 | "/dev/nvidia0", | ||
217 | "/dev/nvidia1", | ||
218 | "/dev/nvidia2", | ||
219 | "/dev/nvidia3", | ||
220 | "/dev/nvidia4", | ||
221 | "/dev/nvidia5", | ||
222 | "/dev/nvidia6", | ||
223 | "/dev/nvidia7", | ||
224 | "/dev/nvidia8", | ||
225 | "/dev/nvidia9", | ||
226 | "/dev/nvidiactl", | ||
227 | "/dev/nvidia-modeset", | ||
228 | "/dev/nvidia-uvm", | ||
229 | "/dev/video0", | ||
230 | "/dev/video1", | ||
231 | "/dev/video2", | ||
232 | "/dev/video3", | ||
233 | "/dev/video4", | ||
234 | "/dev/video5", | ||
235 | "/dev/video6", | ||
236 | "/dev/video7", | ||
237 | "/dev/video8", | ||
238 | "/dev/video9", | ||
239 | "/dev/dvb", | ||
240 | "/dev/sr0", | ||
241 | NULL | ||
242 | }; | ||
243 | |||
244 | static FileDB *dev_out = NULL; | ||
245 | static void dev_callback(char *ptr) { | ||
246 | // skip private-dev devices | ||
247 | int i = 0; | ||
248 | int found = 0; | ||
249 | while (dev_skip[i]) { | ||
250 | if (strcmp(ptr, dev_skip[i]) == 0) { | ||
251 | found = 1; | ||
252 | break; | ||
253 | } | ||
254 | i++; | ||
255 | } | ||
256 | if (!found) | ||
257 | filedb_add(dev_out, ptr); | ||
258 | } | ||
259 | |||
260 | void build_dev(const char *fname) { | ||
261 | assert(fname); | ||
262 | |||
263 | process_files(fname, "/tmp", tmp_callback); | ||
264 | |||
265 | if (dev_out == NULL) | ||
266 | printf("private-dev\n"); | ||
267 | else { | ||
268 | printf("\n"); | ||
269 | printf("# private-dev\n"); | ||
270 | printf("# This is the list of devices accessed (on top of regular private-dev devices:\n"); | ||
271 | printf("# "); | ||
272 | FileDB *ptr = dev_out; | ||
273 | while (ptr) { | ||
274 | printf("%s,", ptr->fname); | ||
275 | ptr = ptr->next; | ||
276 | } | ||
277 | printf("\n"); | ||
278 | } | ||
279 | } | ||
280 | |||
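Review bot: `build_dev` (line 263) scans the trace for `/tmp` with `tmp_callback` instead of `/dev` with `dev_callback`, and both `tmp_callback` (line 179) and `dev_callback` (line 257) discard the return value of `filedb_add`, so `tmp_out` and `dev_out` stay NULL; the generated profile therefore always says `private-tmp` and `private-dev` regardless of what the application touched, and the added entries are leaked. The fixes are `tmp_out = filedb_add(tmp_out, ptr);`, `dev_out = filedb_add(dev_out, ptr);` and `process_files(fname, "/dev", dev_callback);`. Separately, `process_file` (line 73) matches `dir` as a bare prefix, so `/etcetera` or the bare path `/etc` passes the check and `etc_callback` then does `ptr += 5` past the terminator; requiring `ptr[dir_len] == '/'` after the prefix match closes both.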
diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c new file mode 100644 index 000000000..947f172d8 --- /dev/null +++ b/src/fbuilder/build_home.c | |||
@@ -0,0 +1,199 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2017 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | |||
21 | #include "fbuilder.h" | ||
22 | |||
23 | static FileDB *db_skip = NULL; | ||
24 | static FileDB *db_out = NULL; | ||
25 | |||
26 | static void load_whitelist_common(void) { | ||
27 | FILE *fp = fopen("/etc/firejail/whitelist-common.inc", "r"); | ||
28 | if (!fp) { | ||
29 | fprintf(stderr, "Error: cannot open whitelist-common.inc\n"); | ||
30 | exit(1); | ||
31 | } | ||
32 | |||
33 | char buf[MAX_BUF]; | ||
34 | while (fgets(buf, MAX_BUF, fp)) { | ||
35 | if (strncmp(buf, "whitelist ~/", 12) != 0) | ||
36 | continue; | ||
37 | char *fn = buf + 12; | ||
38 | char *ptr = strchr(buf, '\n'); | ||
39 | if (!ptr) | ||
40 | continue; | ||
41 | *ptr = '\0'; | ||
42 | |||
43 | // add the file to skip list | ||
44 | db_skip = filedb_add(db_skip, fn); | ||
45 | } | ||
46 | |||
47 | fclose(fp); | ||
48 | } | ||
49 | |||
50 | void process_home(const char *fname, char *home, int home_len) { | ||
51 | assert(fname); | ||
52 | assert(home); | ||
53 | assert(home_len); | ||
54 | |||
55 | // process trace file | ||
56 | FILE *fp = fopen(fname, "r"); | ||
57 | if (!fp) { | ||
58 | fprintf(stderr, "Error: cannot open %s\n", fname); | ||
59 | exit(1); | ||
60 | } | ||
61 | |||
62 | char buf[MAX_BUF]; | ||
63 | while (fgets(buf, MAX_BUF, fp)) { | ||
64 | // remove \n | ||
65 | char *ptr = strchr(buf, '\n'); | ||
66 | if (ptr) | ||
67 | *ptr = '\0'; | ||
68 | |||
69 | // parse line: 4:galculator:access /etc/fonts/conf.d:0 | ||
70 | // number followed by : | ||
71 | ptr = buf; | ||
72 | if (!isdigit(*ptr)) | ||
73 | continue; | ||
74 | while (isdigit(*ptr)) | ||
75 | ptr++; | ||
76 | if (*ptr != ':') | ||
77 | continue; | ||
78 | ptr++; | ||
79 | |||
80 | // next : | ||
81 | ptr = strchr(ptr, ':'); | ||
82 | if (!ptr) | ||
83 | continue; | ||
84 | ptr++; | ||
85 | if (strncmp(ptr, "access /home", 12) == 0) | ||
86 | ptr += 7; | ||
87 | else if (strncmp(ptr, "fopen /home", 11) == 0) | ||
88 | ptr += 6; | ||
89 | else if (strncmp(ptr, "fopen64 /home", 13) == 0) | ||
90 | ptr += 8; | ||
91 | else if (strncmp(ptr, "open64 /home", 12) == 0) | ||
92 | ptr += 7; | ||
93 | else if (strncmp(ptr, "open /home", 10) == 0) | ||
94 | ptr += 5; | ||
95 | else | ||
96 | continue; | ||
97 | |||
98 | // end of filename | ||
99 | char *ptr2 = strchr(ptr, ':'); | ||
100 | if (!ptr2) | ||
101 | continue; | ||
102 | *ptr2 = '\0'; | ||
103 | |||
104 | // check home directory | ||
105 | if (strncmp(ptr, home, home_len) != 0) | ||
106 | continue; | ||
107 | if (strcmp(ptr, home) == 0) | ||
108 | continue; | ||
109 | ptr += home_len + 1; | ||
110 | |||
111 | // skip files handled automatically by firejail | ||
112 | if (strcmp(ptr, ".Xauthority") == 0 || | ||
113 | strcmp(ptr, ".Xdefaults-debian") == 0 || | ||
114 | strncmp(ptr, ".config/pulse/", 13) == 0 || | ||
115 | strncmp(ptr, ".pulse/", 7) == 0 || | ||
116 | strncmp(ptr, ".bash_hist", 10) == 0 || | ||
117 | strcmp(ptr, ".bashrc") == 0) | ||
118 | continue; | ||
119 | |||
120 | |||
121 | // try to find the relevant directory for this file | ||
122 | char *dir = extract_dir(ptr); | ||
123 | char *toadd = (dir)? dir: ptr; | ||
124 | |||
125 | // skip some dot directories | ||
126 | if (strcmp(toadd, ".config") == 0 || | ||
127 | strcmp(toadd, ".local") == 0 || | ||
128 | strcmp(toadd, ".local/share") == 0 || | ||
129 | strcmp(toadd, ".cache") == 0) { | ||
130 | if (dir) | ||
131 | free(dir); | ||
132 | continue; | ||
133 | } | ||
134 | |||
135 | // clean .cache entries | ||
136 | if (strncmp(toadd, ".cache/", 7) == 0) { | ||
137 | char *ptr2 = toadd + 7; | ||
138 | ptr2 = strchr(ptr2, '/'); | ||
139 | if (ptr2) | ||
140 | *ptr2 = '\0'; | ||
141 | } | ||
142 | |||
143 | // skip files and directories in whitelist-common.inc | ||
144 | if (filedb_find(db_skip, toadd)) { | ||
145 | if (dir) | ||
146 | free(dir); | ||
147 | continue; | ||
148 | } | ||
149 | |||
150 | // add the file to out list | ||
151 | db_out = filedb_add(db_out, toadd); | ||
152 | if (dir) | ||
153 | free(dir); | ||
154 | |||
155 | } | ||
156 | fclose(fp); | ||
157 | } | ||
158 | |||
159 | |||
160 | // process fname, fname.1, fname.2, fname.3, fname.4, fname.5 | ||
161 | void build_home(const char *fname) { | ||
162 | assert(fname); | ||
163 | |||
164 | // load whitelist common | ||
165 | load_whitelist_common(); | ||
166 | |||
167 | // find user home directory | ||
168 | struct passwd *pw = getpwuid(getuid()); | ||
169 | if (!pw) | ||
170 | errExit("getpwuid"); | ||
171 | char *home = pw->pw_dir; | ||
172 | if (!home) | ||
173 | errExit("getpwuid"); | ||
174 | int home_len = strlen(home); | ||
175 | |||
176 | // run fname | ||
177 | process_home(fname, home, home_len); | ||
178 | |||
179 | // run all the rest | ||
180 | struct stat s; | ||
181 | int i; | ||
182 | for (i = 1; i <= 5; i++) { | ||
183 | char *newname; | ||
184 | if (asprintf(&newname, "%s.%d", fname, i) == -1) | ||
185 | errExit("asprintf"); | ||
186 | if (stat(newname, &s) == 0) | ||
187 | process_home(newname, home, home_len); | ||
188 | free(newname); | ||
189 | } | ||
190 | |||
191 | // print the out list if any | ||
192 | if (db_out) { | ||
193 | filedb_print(db_out, "whitelist ~/"); | ||
194 | printf("include /etc/firejail/whitelist-common.inc\n"); | ||
195 | } | ||
196 | else | ||
197 | printf("private\n"); | ||
198 | |||
199 | } \ No newline at end of file | ||
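Review bot: The home-directory check at lines 105-109 accepts any path that merely starts with the user's home string and then skips `home_len + 1` bytes, so on a system with a sibling home such as `/home/ann2` next to `/home/ann`, trace entries from the other directory become `whitelist ~/...` lines with a wrong relative path (and `ptr` can step past the terminator when the path is one character longer than `home`). Add `if (ptr[home_len] != '/') continue;` before line 109. Also `strncmp(ptr, ".config/pulse/", 13)` on line 114 compares one character short of the literal, which is harmless but reads like a typo for 14.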
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c new file mode 100644 index 000000000..3f5fe48ca --- /dev/null +++ b/src/fbuilder/build_profile.c | |||
@@ -0,0 +1,165 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2017 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | |||
21 | #include "fbuilder.h" | ||
22 | #include <sys/wait.h> | ||
23 | #include <fcntl.h> | ||
24 | |||
25 | #define TRACE_OUTPUT "/tmp/firejail-trace" | ||
26 | #define STRACE_OUTPUT "/tmp/firejail-strace" | ||
27 | |||
28 | static char *cmdlist[] = { | ||
29 | "/usr/bin/firejail", | ||
30 | "--quiet", | ||
31 | "--output=" TRACE_OUTPUT, | ||
32 | "--noprofile", | ||
33 | "--caps.drop=all", | ||
34 | "--nonewprivs", | ||
35 | "--trace", | ||
36 | "--shell=none", | ||
37 | "/usr/bin/strace", // also used as a marker in build_profile() | ||
38 | "-c", | ||
39 | "-f", | ||
40 | "-o" STRACE_OUTPUT, | ||
41 | }; | ||
42 | |||
43 | static void clear_tmp_files(void) { | ||
44 | unlink(STRACE_OUTPUT); | ||
45 | unlink(TRACE_OUTPUT); | ||
46 | |||
47 | // run all the rest | ||
48 | int i; | ||
49 | for (i = 1; i <= 5; i++) { | ||
50 | char *newname; | ||
51 | if (asprintf(&newname, "%s.%d", TRACE_OUTPUT, i) == -1) | ||
52 | errExit("asprintf"); | ||
53 | unlink(newname); | ||
54 | free(newname); | ||
55 | } | ||
56 | |||
57 | } | ||
58 | |||
59 | void build_profile(int argc, char **argv, int index) { | ||
60 | // next index is the application name | ||
61 | if (index >= argc) { | ||
62 | fprintf(stderr, "Error: application name missing\n"); | ||
63 | exit(1); | ||
64 | } | ||
65 | |||
66 | // clean /tmp files | ||
67 | clear_tmp_files(); | ||
68 | |||
69 | // detect strace | ||
70 | int have_strace = 0; | ||
71 | if (access("/usr/bin/strace", X_OK) == 0) | ||
72 | have_strace = 1; | ||
73 | |||
74 | // calculate command length | ||
75 | int len = (int) sizeof(cmdlist) / sizeof(char*) + argc - index + 1; | ||
76 | if (arg_debug) | ||
77 | printf("command len %d + %d + 1\n", (int) (sizeof(cmdlist) / sizeof(char*)), argc - index); | ||
78 | char *cmd[len]; | ||
79 | |||
80 | // build command | ||
81 | int i = 0; | ||
82 | for (i = 0; i < (int) sizeof(cmdlist) / sizeof(char*); i++) { | ||
83 | // skip strace if not installed | ||
84 | if (have_strace == 0 && strcmp(cmdlist[i], "/usr/bin/strace") == 0) | ||
85 | break; | ||
86 | cmd[i] = cmdlist[i]; | ||
87 | } | ||
88 | |||
89 | int i2 = index; | ||
90 | for (; i < (len - 1); i++, i2++) | ||
91 | cmd[i] = argv[i2]; | ||
92 | cmd[i] = NULL; | ||
93 | |||
94 | if (arg_debug) { | ||
95 | for (i = 0; i < len; i++) | ||
96 | printf("\t%s\n", cmd[i]); | ||
97 | } | ||
98 | |||
99 | // fork and execute | ||
100 | pid_t child = fork(); | ||
101 | if (child == -1) | ||
102 | errExit("fork"); | ||
103 | if (child == 0) { | ||
104 | int rv = execvp(cmd[0], cmd); | ||
105 | errExit("execv"); | ||
106 | } | ||
107 | |||
108 | // wait for all processes to finish | ||
109 | int status; | ||
110 | if (waitpid(child, &status, 0) != child) | ||
111 | errExit("waitpid"); | ||
112 | |||
113 | if (WIFEXITED(status) && WEXITSTATUS(status) == 0) { | ||
114 | printf("\n\n\n"); | ||
115 | printf("############################################\n"); | ||
116 | printf("# %s profile\n", argv[index]); | ||
117 | printf("############################################\n"); | ||
118 | printf("# Persistent global definitions\n"); | ||
119 | printf("# include /etc/firejail/globals.local\n"); | ||
120 | printf("\n"); | ||
121 | |||
122 | printf("### basic blacklisting\n"); | ||
123 | printf("include /etc/firejail/disable-common.inc\n"); | ||
124 | printf("# include /etc/firejail/disable-devel.inc\n"); | ||
125 | printf("include /etc/firejail/disable-passwdmgr.inc\n"); | ||
126 | printf("# include /etc/firejail/disable-programs.inc\n"); | ||
127 | printf("\n"); | ||
128 | |||
129 | printf("### home directory whitelisting\n"); | ||
130 | build_home(TRACE_OUTPUT); | ||
131 | printf("\n"); | ||
132 | |||
133 | printf("### filesystem\n"); | ||
134 | build_tmp(TRACE_OUTPUT); | ||
135 | build_dev(TRACE_OUTPUT); | ||
136 | build_etc(TRACE_OUTPUT); | ||
137 | build_var(TRACE_OUTPUT); | ||
138 | build_bin(TRACE_OUTPUT); | ||
139 | printf("\n"); | ||
140 | |||
141 | printf("### security filters\n"); | ||
142 | printf("caps.drop all\n"); | ||
143 | printf("nonewprivs\n"); | ||
144 | printf("seccomp\n"); | ||
145 | if (have_strace) | ||
146 | build_seccomp(STRACE_OUTPUT); | ||
147 | else { | ||
148 | printf("# If you install strace on your system, Firejail will also create a\n"); | ||
149 | printf("# whitelisted seccomp filter.\n"); | ||
150 | } | ||
151 | printf("\n"); | ||
152 | |||
153 | printf("### network\n"); | ||
154 | build_protocol(TRACE_OUTPUT); | ||
155 | printf("\n"); | ||
156 | |||
157 | printf("### environment\n"); | ||
158 | printf("shell none\n"); | ||
159 | |||
160 | } | ||
161 | else { | ||
162 | fprintf(stderr, "Error: cannot run the sandbox\n"); | ||
163 | exit(1); | ||
164 | } | ||
165 | } | ||
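Review bot: When strace is not installed, the first loop at lines 82-87 `break`s after copying eight entries, but `len` (line 75) was sized for all twelve, so the second loop (lines 90-91) copies `argc - index + 4` pointers from `argv` — reading past `argv[argc]` into memory that is not part of the argument vector and passing that to `execvp`. Size the command from the number of `cmdlist` entries actually used rather than from `sizeof(cmdlist)`, as below. Separately, the trace files are fixed, predictable names under world-writable /tmp (lines 25-26) that are unlinked, recreated by the child, then read back here; another local user can drop a file or symlink in between and inject lines into the generated profile (or, depending on how `--output` opens the file — confirm, have firejail write to a path of their choosing). A per-run `mkdtemp()` directory, with the two paths passed into the child, removes that race.
```c
	// detect strace
	int have_strace = 0;
	if (access("/usr/bin/strace", X_OK) == 0)
		have_strace = 1;

	// cmdlist entries actually used: everything before the strace marker when strace is missing
	int ncmd = (int) (sizeof(cmdlist) / sizeof(char *));
	if (!have_strace) {
		for (ncmd = 0; ncmd < (int) (sizeof(cmdlist) / sizeof(char *)); ncmd++)
			if (strcmp(cmdlist[ncmd], "/usr/bin/strace") == 0)
				break;
	}

	// command length: used cmdlist entries + application arguments + NULL terminator
	int len = ncmd + argc - index + 1;
	char *cmd[len];

	// build command
	int i;
	for (i = 0; i < ncmd; i++)
		cmd[i] = cmdlist[i];
	// … unchanged: copy argv[index..] into cmd[i..], NULL terminator, debug print, fork/exec …
```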
diff --git a/src/fbuilder/build_seccomp.c b/src/fbuilder/build_seccomp.c new file mode 100644 index 000000000..18a767518 --- /dev/null +++ b/src/fbuilder/build_seccomp.c | |||
@@ -0,0 +1,191 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2017 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | |||
21 | #include "fbuilder.h" | ||
22 | |||
23 | void build_seccomp(const char *fname) { | ||
24 | assert(fname); | ||
25 | |||
26 | FILE *fp = fopen(fname, "r"); | ||
27 | if (!fp) { | ||
28 | fprintf(stderr, "Error: cannot open %s\n", fname); | ||
29 | exit(1); | ||
30 | } | ||
31 | |||
32 | char buf[MAX_BUF]; | ||
33 | int line = 1; | ||
34 | int position = 0; | ||
35 | int cnt = 0; | ||
36 | while (fgets(buf, MAX_BUF, fp)) { | ||
37 | // remove \n | ||
38 | char *ptr = strchr(buf, '\n'); | ||
39 | if (ptr) | ||
40 | *ptr = '\0'; | ||
41 | |||
42 | // first line: | ||
43 | //% time seconds usecs/call calls errors syscall | ||
44 | if (line == 1) { | ||
45 | // extract syscall position | ||
46 | ptr = strstr(buf, "syscall"); | ||
47 | if (*buf != '%' || ptr == NULL) { | ||
48 | // skip this line, it could be garbage from strace | ||
49 | continue; | ||
50 | } | ||
51 | position = (int) (ptr - buf); | ||
52 | } | ||
53 | else if (line == 2) { | ||
54 | if (*buf != '-') { | ||
55 | fprintf(stderr, "Error: invalid strace output\n%s\n", buf); | ||
56 | exit(1); | ||
57 | } | ||
58 | } | ||
59 | else { | ||
60 | // get out on the next "----" line | ||
61 | if (*buf == '-') | ||
62 | break; | ||
63 | |||
64 | if (line == 3) | ||
65 | printf("# seccomp.keep %s", buf + position); | ||
66 | else | ||
67 | printf(",%s", buf + position); | ||
68 | cnt++; | ||
69 | } | ||
70 | line++; | ||
71 | } | ||
72 | printf("\n"); | ||
73 | printf("# %d syscalls total\n", cnt); | ||
74 | printf("# Probably you will need to add more syscalls to seccomp.keep. Look for\n"); | ||
75 | printf("# seccomp errors in /var/log/syslog or /var/log/audit/audit.log while\n"); | ||
76 | printf("# running your sandbox.\n"); | ||
77 | |||
78 | fclose(fp); | ||
79 | } | ||
80 | |||
81 | //*************************************** | ||
82 | // protocol | ||
83 | //*************************************** | ||
84 | int unix_s = 0; | ||
85 | int inet = 0; | ||
86 | int inet6 = 0; | ||
87 | int netlink = 0; | ||
88 | int packet = 0; | ||
89 | static void process_protocol(const char *fname) { | ||
90 | assert(fname); | ||
91 | |||
92 | // process trace file | ||
93 | FILE *fp = fopen(fname, "r"); | ||
94 | if (!fp) { | ||
95 | fprintf(stderr, "Error: cannot open %s\n", fname); | ||
96 | exit(1); | ||
97 | } | ||
98 | |||
99 | char buf[MAX_BUF]; | ||
100 | while (fgets(buf, MAX_BUF, fp)) { | ||
101 | // remove \n | ||
102 | char *ptr = strchr(buf, '\n'); | ||
103 | if (ptr) | ||
104 | *ptr = '\0'; | ||
105 | |||
106 | // parse line: 4:galculator:access /etc/fonts/conf.d:0 | ||
107 | // number followed by : | ||
108 | ptr = buf; | ||
109 | if (!isdigit(*ptr)) | ||
110 | continue; | ||
111 | while (isdigit(*ptr)) | ||
112 | ptr++; | ||
113 | if (*ptr != ':') | ||
114 | continue; | ||
115 | ptr++; | ||
116 | |||
117 | // next : | ||
118 | ptr = strchr(ptr, ':'); | ||
119 | if (!ptr) | ||
120 | continue; | ||
121 | ptr++; | ||
122 | if (strncmp(ptr, "socket ", 7) == 0) | ||
123 | ptr += 7; | ||
124 | else | ||
125 | continue; | ||
126 | |||
127 | if (strncmp(ptr, "AF_LOCAL ", 9) == 0) | ||
128 | unix_s = 1; | ||
129 | else if (strncmp(ptr, "AF_INET ", 8) == 0) | ||
130 | inet = 1; | ||
131 | else if (strncmp(ptr, "AF_INET6 ", 9) == 0) | ||
132 | inet6 = 1; | ||
133 | else if (strncmp(ptr, "AF_NETLINK ", 9) == 0) | ||
134 | netlink = 1; | ||
135 | else if (strncmp(ptr, "AF_PACKET ", 9) == 0) | ||
136 | packet = 1; | ||
137 | } | ||
138 | |||
139 | fclose(fp); | ||
140 | } | ||
141 | |||
142 | |||
143 | // process fname, fname.1, fname.2, fname.3, fname.4, fname.5 | ||
144 | void build_protocol(const char *fname) { | ||
145 | assert(fname); | ||
146 | |||
147 | // run fname | ||
148 | process_protocol(fname); | ||
149 | |||
150 | // run all the rest | ||
151 | struct stat s; | ||
152 | int i; | ||
153 | for (i = 1; i <= 5; i++) { | ||
154 | char *newname; | ||
155 | if (asprintf(&newname, "%s.%d", fname, i) == -1) | ||
156 | errExit("asprintf"); | ||
157 | if (stat(newname, &s) == 0) | ||
158 | process_protocol(newname); | ||
159 | free(newname); | ||
160 | } | ||
161 | |||
162 | int net = 0; | ||
163 | if (unix_s || inet || inet6 || netlink || packet) { | ||
164 | printf("protocol "); | ||
165 | if (unix_s) | ||
166 | printf("unix,"); | ||
167 | if (inet) { | ||
168 | printf("inet,"); | ||
169 | net = 1; | ||
170 | } | ||
171 | if (inet6) { | ||
172 | printf("inet6,"); | ||
173 | net = 1; | ||
174 | } | ||
175 | if (netlink) | ||
176 | printf("netlink,"); | ||
177 | if (packet) { | ||
178 | printf("packet"); | ||
179 | net = 1; | ||
180 | } | ||
181 | printf("\n"); | ||
182 | } | ||
183 | |||
184 | if (net == 0) | ||
185 | printf("net none\n"); | ||
186 | else { | ||
187 | printf("# net eth0\n"); | ||
188 | printf("netfilter\n"); | ||
189 | } | ||
190 | } | ||
191 | |||
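Review bot: The AF_NETLINK and AF_PACKET prefix compares in process_protocol use length 9, but `"AF_NETLINK "` is 11 bytes and `"AF_PACKET "` is 10, so the comparison stops before the trailing space and any `AF_NETLIN…`/`AF_PACKET…` token matches; use `strncmp(ptr, "AF_NETLINK ", 11)` and `strncmp(ptr, "AF_PACKET ", 10)`, or derive the lengths with `sizeof "AF_NETLINK " - 1`. In build_seccomp, `buf + position` is printed for every data line without checking that the line is at least `position` bytes long; a shorter line leaves the pointer past the terminator and prints stale buffer contents, so guard with `if (strlen(buf) <= (size_t) position) continue;`. The five protocol flags are file-scope globals without `static`, so they are exported from the binary; `static int unix_s = 0;` and friends keep them private to this file. build_protocol emits `protocol unix,inet,` with a trailing comma whenever `packet` is unset, which is fine only if firejail's protocol parser tolerates it — worth a comment either way.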
diff --git a/src/fbuilder/fbuilder.h b/src/fbuilder/fbuilder.h new file mode 100644 index 000000000..c448f3e06 --- /dev/null +++ b/src/fbuilder/fbuilder.h | |||
@@ -0,0 +1,68 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2017 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | |||
21 | #ifndef FBUILDER_H | ||
22 | #define FBUILDER_H | ||
23 | #include "../include/common.h" | ||
24 | #include <sys/types.h> | ||
25 | #include <pwd.h> | ||
26 | #include <sys/types.h> | ||
27 | #include <sys/stat.h> | ||
28 | |||
29 | |||
30 | #define MAX_BUF 4096 | ||
31 | // main.c | ||
32 | extern int arg_debug; | ||
33 | |||
34 | // build_profile.c | ||
35 | void build_profile(int argc, char **argv, int index); | ||
36 | |||
37 | // build_seccomp.c | ||
38 | void build_seccomp(const char *fname); | ||
39 | void build_protocol(const char *fname); | ||
40 | |||
41 | // build_fs.c | ||
42 | void build_etc(const char *fname); | ||
43 | void build_var(const char *fname); | ||
44 | void build_tmp(const char *fname); | ||
45 | void build_dev(const char *fname); | ||
46 | |||
47 | // build_bin.c | ||
48 | void build_bin(const char *fname); | ||
49 | |||
50 | // build_home.c | ||
51 | void build_home(const char *fname); | ||
52 | |||
53 | // utils.c | ||
54 | int is_dir(const char *fname); | ||
55 | char *extract_dir(char *fname); | ||
56 | |||
57 | // filedb.c | ||
58 | typedef struct filedb_t { | ||
59 | struct filedb_t *next; | ||
60 | char *fname; // file name | ||
61 | int len; // length of file name | ||
62 | } FileDB; | ||
63 | |||
64 | FileDB *filedb_add(FileDB *head, const char *fname); | ||
65 | FileDB *filedb_find(FileDB *head, const char *fname); | ||
66 | void filedb_print(FileDB *head, const char *prefix); | ||
67 | |||
68 | #endif \ No newline at end of file | ||
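Review bot: `<sys/types.h>` is included twice (file lines 24 and 26) and the header has no trailing newline; drop the second include. `FileDB.len` is an `int` that receives `strlen()` results in filedb.c, so `size_t len;` avoids the narrowing and the signed/unsigned comparisons in filedb_find. `extract_dir` is declared with `char *fname` although utils.c only reads it, so `char *extract_dir(const char *fname);` states the contract and lets callers pass the `const char *` arguments the other build_* functions already take.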
diff --git a/src/fbuilder/filedb.c b/src/fbuilder/filedb.c new file mode 100644 index 000000000..a76fbc961 --- /dev/null +++ b/src/fbuilder/filedb.c | |||
@@ -0,0 +1,79 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2017 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | |||
21 | #include "fbuilder.h" | ||
22 | |||
23 | FileDB *filedb_find(FileDB *head, const char *fname) { | ||
24 | FileDB *ptr = head; | ||
25 | int found = 0; | ||
26 | int len = strlen(fname); | ||
27 | |||
28 | while (ptr) { | ||
29 | // exact name | ||
30 | if (strcmp(fname, ptr->fname) == 0) { | ||
31 | found = 1; | ||
32 | break; | ||
33 | } | ||
34 | |||
35 | // parent directory in the list | ||
36 | if (len > ptr->len && | ||
37 | fname[ptr->len] == '/' && | ||
38 | strncmp(ptr->fname, fname, ptr->len) == 0) { | ||
39 | found = 1; | ||
40 | break; | ||
41 | } | ||
42 | |||
43 | ptr = ptr->next; | ||
44 | } | ||
45 | |||
46 | if (found) | ||
47 | return ptr; | ||
48 | |||
49 | return NULL; | ||
50 | } | ||
51 | |||
52 | FileDB *filedb_add(FileDB *head, const char *fname) { | ||
53 | assert(fname); | ||
54 | |||
55 | // don't add it if it is already there or if the parent directory is already in the list | ||
56 | if (filedb_find(head, fname)) | ||
57 | return head; | ||
58 | |||
59 | // add a new entry | ||
60 | FileDB *entry = malloc(sizeof(FileDB)); | ||
61 | if (!entry) | ||
62 | errExit("malloc"); | ||
63 | memset(entry, 0, sizeof(FileDB)); | ||
64 | entry->fname = strdup(fname); | ||
65 | if (!entry->fname) | ||
66 | errExit("strdup"); | ||
67 | entry->len = strlen(entry->fname); | ||
68 | entry->next = head; | ||
69 | return entry; | ||
70 | }; | ||
71 | |||
72 | void filedb_print(FileDB *head, const char *prefix) { | ||
73 | FileDB *ptr = head; | ||
74 | while (ptr) { | ||
75 | printf("%s%s\n", prefix, ptr->fname); | ||
76 | ptr = ptr->next; | ||
77 | } | ||
78 | } | ||
79 | |||
diff --git a/src/fbuilder/main.c b/src/fbuilder/main.c new file mode 100644 index 000000000..83217ef98 --- /dev/null +++ b/src/fbuilder/main.c | |||
@@ -0,0 +1,71 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2017 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "fbuilder.h" | ||
21 | int arg_debug = 0; | ||
22 | |||
23 | static void usage(void) { | ||
24 | printf("Firejail profile builder\n"); | ||
25 | printf("Usage: firejail [--debug] --build program-and-arguments\n"); | ||
26 | } | ||
27 | |||
28 | int main(int argc, char **argv) { | ||
29 | #if 0 | ||
30 | { | ||
31 | system("cat /proc/self/status"); | ||
32 | int i; | ||
33 | for (i = 0; i < argc; i++) | ||
34 | printf("*%s* ", argv[i]); | ||
35 | printf("\n"); | ||
36 | } | ||
37 | #endif | ||
38 | |||
39 | int i; | ||
40 | int prog_index = 0; | ||
41 | |||
42 | // parse arguments and extract program index | ||
43 | for (i = 1; i < argc; i++) { | ||
44 | if (strcmp(argv[i], "-h") == 0 || strcmp(argv[i], "--help") == 0 || strcmp(argv[i], "-?") ==0) { | ||
45 | usage(); | ||
46 | return 0; | ||
47 | } | ||
48 | else if (strcmp(argv[i], "--debug") == 0) | ||
49 | arg_debug = 1; | ||
50 | else if (strcmp(argv[i], "--build") == 0) | ||
51 | ; // do nothing, this is passed down from firejail | ||
52 | else { | ||
53 | if (*argv[i] == '-') { | ||
54 | fprintf(stderr, "Error fbuilder: invalid program\n"); | ||
55 | usage(); | ||
56 | exit(1); | ||
57 | } | ||
58 | prog_index = i; | ||
59 | break; | ||
60 | } | ||
61 | } | ||
62 | |||
63 | if (prog_index == 0) { | ||
64 | fprintf(stderr, "Error fbuilder: program and arguments required\n"); | ||
65 | usage(); | ||
66 | exit(1); | ||
67 | } | ||
68 | |||
69 | build_profile(argc, argv, prog_index); | ||
70 | return 0; | ||
71 | } | ||
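Review bot: The `#if 0` block at the top of main() is disabled debugging code, including a `system("cat /proc/self/status")` call, and should be deleted rather than shipped. The argument loop stops at the first non-option, so a `--debug` placed after the program name is handed to the program instead of fbuilder; that is presumably intended, and a comment such as `// everything from prog_index on belongs to the program being profiled` would make it explicit. `strcmp(argv[i], "-?") ==0` has inconsistent spacing around `==`.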
diff --git a/src/fbuilder/utils.c b/src/fbuilder/utils.c new file mode 100644 index 000000000..902290899 --- /dev/null +++ b/src/fbuilder/utils.c | |||
@@ -0,0 +1,72 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2017 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | |||
21 | #include "fbuilder.h" | ||
22 | |||
23 | // todo: duplicated from src/firejail/util.c - remove dplication | ||
24 | // return 1 if the file is a directory | ||
25 | int is_dir(const char *fname) { | ||
26 | assert(fname); | ||
27 | if (*fname == '\0') | ||
28 | return 0; | ||
29 | |||
30 | // if fname doesn't end in '/', add one | ||
31 | int rv; | ||
32 | struct stat s; | ||
33 | if (fname[strlen(fname) - 1] == '/') | ||
34 | rv = stat(fname, &s); | ||
35 | else { | ||
36 | char *tmp; | ||
37 | if (asprintf(&tmp, "%s/", fname) == -1) { | ||
38 | fprintf(stderr, "Error: cannot allocate memory, %s:%d\n", __FILE__, __LINE__); | ||
39 | errExit("asprintf"); | ||
40 | } | ||
41 | rv = stat(tmp, &s); | ||
42 | free(tmp); | ||
43 | } | ||
44 | |||
45 | if (rv == -1) | ||
46 | return 0; | ||
47 | |||
48 | if (S_ISDIR(s.st_mode)) | ||
49 | return 1; | ||
50 | |||
51 | return 0; | ||
52 | } | ||
53 | |||
54 | // return NULL if fname is already a directory, or if no directory found | ||
55 | char *extract_dir(char *fname) { | ||
56 | assert(fname); | ||
57 | if (is_dir(fname)) | ||
58 | return NULL; | ||
59 | |||
60 | char *name = strdup(fname); | ||
61 | if (!name) | ||
62 | errExit("strdup"); | ||
63 | |||
64 | char *ptr = strrchr(name, '/'); | ||
65 | if (!ptr) { | ||
66 | free(name); | ||
67 | return NULL; | ||
68 | } | ||
69 | *ptr = '\0'; | ||
70 | |||
71 | return name; | ||
72 | } | ||
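Review bot: `extract_dir` takes `char *fname` but never writes through it — it strdup()s first — so the parameter should be `const char *fname`. The `is_dir` header comment flags the duplication with src/firejail/util.c and misspells it (`dplication`); if the copy has to stay, a one-line reason (fbuilder presumably links only its own sources) would help. In `is_dir`, the asprintf failure path prints "cannot allocate memory" and then calls `errExit("asprintf")`, which presumably prints its own message, so one of the two is redundant.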
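--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -22,6 +22,7 @@
 #include <fcntl.h>
 #include <ftw.h>
 #include <errno.h>
+#include <pwd.h>
 
 int arg_quiet = 0;
 static int arg_follow_link = 0;
@@ -199,10 +200,22 @@ static char *check(const char *src) {
 	if (!rsrc || stat(rsrc, &s) == -1)
 		goto errexit;
 
-	// check uid
+	// on systems with systemd-resolved installed /etc/resolve.conf is a symlink to
+	// /run/systemd/resolve/resolv.conf; this file is owned by systemd-resolve user
 	// checking gid will fail for files with a larger group such as /usr/bin/mutt_dotlock
-	if (s.st_uid != getuid()/* || s.st_gid != getgid()*/)
-		goto errexit;
+	uid_t user = getuid();
+	if (user == 0 && strcmp(rsrc, "/run/systemd/resolve/resolv.conf") == 0) {
+		// check user systemd-resolve
+		struct passwd *p = getpwnam("systemd-resolve");
+		if (!p)
+			goto errexit;
+		if (s.st_uid != user && s.st_uid != p->pw_uid)
+			goto errexit;
+	}
+	else {
+		if (s.st_uid != user)
+			goto errexit;
+	}
 
 	// dir, link, regular file
 	if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode) || S_ISLNK(s.st_mode))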
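Review bot: The `if (!p) goto errexit;` in the new branch rejects /run/systemd/resolve/resolv.conf outright when no `systemd-resolve` account exists, whereas before this change a root-owned file at that path passed the plain uid check; falling through to `if (s.st_uid != user) goto errexit;` when the lookup fails keeps the old behaviour for that case. The widening itself rests on an NSS name lookup: whatever uid the passwd database maps `systemd-resolve` to becomes an accepted owner, which is acceptable only because the path is a fixed literal and the branch runs solely when the real uid is 0 — that reasoning belongs in the comment, e.g. `// extra owner comes from NSS; safe only because the path is fixed and only root takes this branch`. The comment names `/etc/resolve.conf`; the file is `/etc/resolv.conf`. check() starts outside the hunk.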
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 79b263823..95fc14d04 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -8,15 +8,20 @@ | |||
8 | Cyberfox | 8 | Cyberfox |
9 | FossaMail | 9 | FossaMail |
10 | Mathematica | 10 | Mathematica |
11 | Natron | ||
11 | Telegram | 12 | Telegram |
13 | Viber | ||
12 | VirtualBox | 14 | VirtualBox |
13 | Wire | 15 | Wire |
14 | Xephyr | 16 | Xephyr |
15 | abrowser | 17 | abrowser |
16 | akregator | 18 | akregator |
17 | amarok | 19 | amarok |
20 | amule | ||
18 | android-studio | 21 | android-studio |
19 | apktool | 22 | apktool |
23 | ardour4 | ||
24 | ardour5 | ||
20 | arduino | 25 | arduino |
21 | ark | 26 | ark |
22 | arm | 27 | arm |
@@ -34,18 +39,33 @@ bitlbee | |||
34 | bleachbit | 39 | bleachbit |
35 | blender | 40 | blender |
36 | bless | 41 | bless |
42 | brackets | ||
37 | brasero | 43 | brasero |
38 | brave | 44 | brave |
39 | calibre | 45 | calibre |
46 | calligra | ||
47 | calligraauthor | ||
48 | calligraconverter | ||
49 | calligraflow | ||
50 | calligraplan | ||
51 | calligraplanwork | ||
52 | calligrasheets | ||
53 | calligrastage | ||
54 | calligrawords | ||
40 | catfish | 55 | catfish |
41 | cherrytree | 56 | cherrytree |
42 | chromium | 57 | chromium |
43 | chromium-browser | 58 | chromium-browser |
59 | cin | ||
60 | clamdscan | ||
61 | clamdtop | ||
62 | clamscan | ||
44 | claws-mail | 63 | claws-mail |
45 | clementine | 64 | clementine |
46 | clipit | 65 | clipit |
47 | cmus | 66 | cmus |
48 | conkeror | 67 | conkeror |
68 | conky | ||
49 | corebird | 69 | corebird |
50 | cvlc | 70 | cvlc |
51 | cyberfox | 71 | cyberfox |
@@ -61,6 +81,8 @@ display | |||
61 | dnscrypt-proxy | 81 | dnscrypt-proxy |
62 | dnsmasq | 82 | dnsmasq |
63 | dolphin | 83 | dolphin |
84 | dooble | ||
85 | dooble-qt4 | ||
64 | dosbox | 86 | dosbox |
65 | dragon | 87 | dragon |
66 | dropbox | 88 | dropbox |
@@ -85,6 +107,9 @@ flashpeak-slimjet | |||
85 | flowblade | 107 | flowblade |
86 | fontforge | 108 | fontforge |
87 | franz | 109 | franz |
110 | freecad | ||
111 | freecadcmd | ||
112 | freshclam | ||
88 | frozen-bubble | 113 | frozen-bubble |
89 | gajim | 114 | gajim |
90 | galculator | 115 | galculator |
@@ -118,6 +143,7 @@ google-chrome | |||
118 | google-chrome-beta | 143 | google-chrome-beta |
119 | google-chrome-stable | 144 | google-chrome-stable |
120 | google-chrome-unstable | 145 | google-chrome-unstable |
146 | google-earth | ||
121 | google-play-music-desktop-player | 147 | google-play-music-desktop-player |
122 | gpa | 148 | gpa |
123 | gpicview | 149 | gpicview |
@@ -137,6 +163,7 @@ icecat | |||
137 | icedove | 163 | icedove |
138 | iceweasel | 164 | iceweasel |
139 | idea.sh | 165 | idea.sh |
166 | imagej | ||
140 | img2txt | 167 | img2txt |
141 | inkscape | 168 | inkscape |
142 | inox | 169 | inox |
@@ -145,8 +172,10 @@ iridium-browser | |||
145 | jd-gui | 172 | jd-gui |
146 | jitsi | 173 | jitsi |
147 | k3b | 174 | k3b |
175 | karbon | ||
148 | kate | 176 | kate |
149 | kcalc | 177 | kcalc |
178 | kdenlive | ||
150 | keepass | 179 | keepass |
151 | keepass2 | 180 | keepass2 |
152 | keepassx | 181 | keepassx |
@@ -157,12 +186,15 @@ kmail | |||
157 | knotes | 186 | knotes |
158 | kodi | 187 | kodi |
159 | konversation | 188 | konversation |
189 | krita | ||
160 | ktorrent | 190 | ktorrent |
161 | kwrite | 191 | kwrite |
162 | leafpad | 192 | leafpad |
163 | less | 193 | less |
164 | libreoffice | 194 | libreoffice |
165 | liferea | 195 | liferea |
196 | linphone | ||
197 | lmms | ||
166 | localc | 198 | localc |
167 | lodraw | 199 | lodraw |
168 | loffice | 200 | loffice |
@@ -176,6 +208,7 @@ luminance-hdr | |||
176 | lximage-qt | 208 | lximage-qt |
177 | lxmusic | 209 | lxmusic |
178 | lynx | 210 | lynx |
211 | macrofusion | ||
179 | mate-calc | 212 | mate-calc |
180 | mate-calculator | 213 | mate-calculator |
181 | mate-color-select | 214 | mate-color-select |
@@ -196,6 +229,7 @@ mupdf | |||
196 | mupen64plus | 229 | mupen64plus |
197 | musescore | 230 | musescore |
198 | mutt | 231 | mutt |
232 | natron | ||
199 | nautilus | 233 | nautilus |
200 | netsurf | 234 | netsurf |
201 | neverball | 235 | neverball |
@@ -234,13 +268,16 @@ rambox | |||
234 | ranger | 268 | ranger |
235 | remmina | 269 | remmina |
236 | rhythmbox | 270 | rhythmbox |
271 | ricochet | ||
237 | riot-web | 272 | riot-web |
238 | ristretto | 273 | ristretto |
274 | rocketchat | ||
239 | rtorrent | 275 | rtorrent |
240 | scribus | 276 | scribus |
241 | sdat2img | 277 | sdat2img |
242 | seamonkey | 278 | seamonkey |
243 | seamonkey-bin | 279 | seamonkey-bin |
280 | shotcut | ||
244 | silentarmy | 281 | silentarmy |
245 | simple-scan | 282 | simple-scan |
246 | simutrans | 283 | simutrans |
@@ -261,9 +298,12 @@ stellarium | |||
261 | strings | 298 | strings |
262 | supertux2 | 299 | supertux2 |
263 | synfigstudio | 300 | synfigstudio |
301 | teamspeak3 | ||
264 | telegram | 302 | telegram |
265 | telegram-desktop | 303 | telegram-desktop |
304 | terasology | ||
266 | thunderbird | 305 | thunderbird |
306 | tor-browser-en | ||
267 | totem | 307 | totem |
268 | tracker | 308 | tracker |
269 | transmission-cli | 309 | transmission-cli |
@@ -304,6 +344,7 @@ xfce4-dict | |||
304 | xfce4-notes | 344 | xfce4-notes |
305 | xiphos | 345 | xiphos |
306 | xmms | 346 | xmms |
347 | xmr-stak-cpu | ||
307 | xonotic | 348 | xonotic |
308 | xonotic-glx | 349 | xonotic-glx |
309 | xonotic-sdl | 350 | xonotic-sdl |
@@ -314,5 +355,6 @@ xreader | |||
314 | xviewer | 355 | xviewer |
315 | yandex-browser | 356 | yandex-browser |
316 | youtube-dl | 357 | youtube-dl |
358 | zart | ||
317 | zathura | 359 | zathura |
318 | zoom | 360 | zoom |
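--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -330,23 +330,39 @@ static void set_links(void) {
 	free(firejail_exec);
 }
 
-int have_profile(const char *filename) {
+// look for a profile file in /etc/firejail diectory and in homedir/.config/firejail directory
+static int have_profile(const char *filename, const char *homedir) {
+	assert(filename);
+	assert(homedir);
+	printf("test #%s# #%s#\n", filename, homedir);
+
 	// remove .desktop extension
 	char *f1 = strdup(filename);
 	if (!f1)
 		errExit("strdup");
 	f1[strlen(filename) - 8] = '\0';
+	printf("#%s#\n", f1);
 
 	// build profile name
-	char *profname;
-	if (asprintf(&profname, "%s/%s.profile", SYSCONFDIR, f1) == -1)
+	char *profname1;
+	char *profname2;
+	if (asprintf(&profname1, "%s/%s.profile", SYSCONFDIR, f1) == -1)
 		errExit("asprintf");
-
-	struct stat s;
-	int rv = stat(profname, &s);
+	if (asprintf(&profname2, "%s/./configure/firejail/%s.profile", homedir, f1) == -1)
+		errExit("asprintf");
+	printf("#%s#\n", profname1);
+	printf("#%s#\n", profname2);
+
+	int rv = 0;
+	if (access(profname1, R_OK) == 0)
+		rv = 1;
+	else if (access(profname2, R_OK) == 0)
+		rv == 1;
+
 	free(f1);
-	free(profname);
-	return (rv == 0)? 1: 0;
+	free(profname1);
+	free(profname2);
+	return rv;
 }
 
 static void fix_desktop_files(char *homedir) {
@@ -411,7 +427,7 @@ static void fix_desktop_files(char *homedir) {
 			errExit("stat");
 
 		// no profile in /etc/firejail, no desktop file fixing
-		if (!have_profile(filename))
+		if (!have_profile(filename, homedir))
 			continue;
 
 		/* coverity[toctou] */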
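Review bot: `rv == 1;` on the `else if (access(profname2, R_OK) == 0)` branch of have_profile is a comparison, not an assignment, so a profile found only under the home directory is reported as absent; it must be `rv = 1;`. The second path is built with `"%s/./configure/firejail/%s.profile"` while the comment above the function says homedir/.config/firejail; the format should be `"%s/.config/firejail/%s.profile"`. The `printf("test #%s# #%s#\n", ...)` and three `printf("#%s#\n", ...)` calls are debugging output that now goes to firecfg's stdout for every desktop file and should be removed. The comment in the second hunk, `// no profile in /etc/firejail, no desktop file fixing`, is now stale since the home directory is also searched.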
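--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -849,6 +849,24 @@ static int check_arg(int argc, char **argv, const char *argument) {
 	return found;
 }
 
+static void run_builder(int argc, char **argv) {
+	EUID_ASSERT();
+
+	// drop privileges
+	if (setgid(getgid()) < 0)
+		errExit("setgid/getgid");
+	if (setuid(getuid()) < 0)
+		errExit("setuid/getuid");
+	assert(getenv("LD_PRELOAD") == NULL);
+
+	argv[0] = LIBDIR "/firejail/fbuilder";
+	execvp(argv[0], argv);
+
+	perror("execvp");
+	exit(1);
+}
+
+
 //*******************************************
 // Main program
 //*******************************************
@@ -907,6 +925,10 @@ int main(int argc, char **argv) {
 	git_uninstall(); // this function will not return
 #endif
 
+	// profile builder
+	if (check_arg(argc, argv, "--build"))
+		run_builder(argc, argv); // this function will not return
+
 	// check argv[0] symlink wrapper if this is not a login shell
 	if (*argv[0] != '-')
 		run_symlink(argc, argv); // this function will not return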
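Review bot: `assert(getenv("LD_PRELOAD") == NULL)` in run_builder compiles away under NDEBUG, so the environment check is only a debug aid; if the intent is to refuse to exec the builder with a preloaded library in the environment, make it a runtime check, e.g. `if (getenv("LD_PRELOAD")) { fprintf(stderr, "Error: LD_PRELOAD set\n"); exit(1); }`. `execvp` with an absolute argv[0] never consults PATH, so `execv(argv[0], argv)` states the intent more plainly. The whole of argv, `--build` included, is forwarded to fbuilder, which skips that flag; a comment at the exec saying so saves the reader a trip to fbuilder/main.c. Because run_builder execs as soon as `--build` is seen anywhere in argv, any other firejail option on the same command line is presumably ignored; if that is intended it deserves a sentence in the usage text.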
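--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -44,6 +44,7 @@ void usage(void) {
 	printf(" --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n");
 #endif
 	printf(" --blacklist=filename - blacklist directory or file.\n");
+	printf(" --build - build a whitelisted profile for the application.\n");
 	printf(" -c - execute command and exit.\n");
 	printf(" --caps - enable default Linux capabilities filter.\n");
 	printf(" --caps.drop=all - drop all capabilities.\n");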
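--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -196,7 +196,7 @@ static int copy_file_by_fd(int src, int dst) {
 			done += rv;
 		}
 	}
-	fflush(0);
+	// fflush(0);
 	return 0;
 }
 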
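Review bot: `// fflush(0);` leaves commented-out code in copy_file_by_fd; delete the line, or replace it with a one-line reason if dropping the flush was deliberate — the function appears to write through raw file descriptors, so `fflush(0)` presumably only touched unrelated stdio buffers. copy_file_by_fd begins outside the hunk.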
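--- a/src/libtrace/libtrace.c
+++ b/src/libtrace/libtrace.c
@@ -673,3 +673,15 @@ int setresgid(gid_t rgid, gid_t egid, gid_t sgid) {
 
 	return rv;
 }
+
+// every time a new process is started, this gets called
+// it can be used to build things like private-bin
+__attribute__((constructor))
+static void log_exec(int argc, char** argv) {
+	static char buf[PATH_MAX + 1];
+	int rv = readlink("/proc/self/exe", buf, PATH_MAX);
+	if (rv != -1) {
+		buf[rv] = '\0'; // readlink does not add a '\0' at the end
+		printf("%u:%s:exec %s:0\n", pid(), name(), buf);
+	}
+}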
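Review bot: `log_exec` declares `int argc, char** argv` but uses neither, which trips `-Wunused-parameter`; declare it `static void log_exec(void)` instead, and note that constructors receiving argc/argv at all is a glibc extension. readlink() on /proc/self/exe can return a path ending in ` (deleted)` when the executable was replaced, which would then land in the generated private-bin list; a comment, or a check for that suffix, is warranted. Since this runs as an ELF constructor in every traced process, the `printf` presumably relies on stdout already pointing at the trace output; if libtrace arranges that in another constructor, the ordering between them is not guaranteed and should be stated in the comment.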
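--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -154,6 +154,18 @@ $ firejail "\-\-blacklist=/home/username/My Virtual Machines"
 .br
 $ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines
 .TP
+\fB\-\-build
+The command builds a whitelisted profile. If /usr/bin/strace is installed on the system, it also
+builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
+with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported
+in order to allow strace to run. Chromium and Chromium-based browsers will not work.
+.br
+
+.br
+Example:
+.br
+$ firejail --build vlc ~/Videos/test.mp4
+.TP
 \fB\-c
 Execute command and exit.
 .TP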