diff options
53 files changed, 423 insertions, 217 deletions
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 6a2786427..b53b69f75 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md | |||
@@ -18,5 +18,11 @@ we can handle the report more easily: | |||
18 | let us know if it runs correctly or not. | 18 | let us know if it runs correctly or not. |
19 | - You may also try disabling various options provided in `/etc/firejail/<ProgramName.profile>` until you find out which one causes problems. It will significantly help to find solution for your issue. | 19 | - You may also try disabling various options provided in `/etc/firejail/<ProgramName.profile>` until you find out which one causes problems. It will significantly help to find solution for your issue. |
20 | 20 | ||
21 | Please note: if you are running Debian, Ubuntu, Linux Mint, or another related | ||
22 | distribution and you installed firejail from your distro's repositories, please | ||
23 | ensure that **both** of the following were installed: | ||
24 | `firejail` and `firejail-profiles`. A common source of issues is that | ||
25 | firejail-profiles was not installed when installing firejail. | ||
26 | |||
21 | We take security bugs very seriously. If you believe you have found one, please report it by | 27 | We take security bugs very seriously. If you believe you have found one, please report it by |
22 | emailing us at netblue30@yahoo.com | 28 | emailing us at netblue30@yahoo.com |
@@ -49,6 +49,8 @@ Committers | |||
49 | 49 | ||
50 | Firejail Authors (alphabetical order) | 50 | Firejail Authors (alphabetical order) |
51 | 51 | ||
52 | 7twin (https://github.com/7twin_ | ||
53 | - fix typos | ||
52 | 1dnrr (https://github.com/1dnrr) | 54 | 1dnrr (https://github.com/1dnrr) |
53 | - add pybitmessage profile | 55 | - add pybitmessage profile |
54 | Aidan Gauland (https://github.com/aidalgol) | 56 | Aidan Gauland (https://github.com/aidalgol) |
@@ -439,6 +441,7 @@ n1trux (https://github.com/n1trux) | |||
439 | - fix flashpeak-slimjet profile typos | 441 | - fix flashpeak-slimjet profile typos |
440 | Nick Fox (https://github.com/njfox) | 442 | Nick Fox (https://github.com/njfox) |
441 | - add a profile alias for code-oss | 443 | - add a profile alias for code-oss |
444 | - add code-oss config directory | ||
442 | NickMolloy (https://github.com/NickMolloy) | 445 | NickMolloy (https://github.com/NickMolloy) |
443 | - ARP address length fix | 446 | - ARP address length fix |
444 | Niklas Haas (https://github.com/haasn) | 447 | Niklas Haas (https://github.com/haasn) |
@@ -450,6 +453,7 @@ Ondra Nekola (https://github.com/satai) | |||
450 | Lorenzo "Palinuro" Faletra (https://github.com/PalinuroSec) | 453 | Lorenzo "Palinuro" Faletra (https://github.com/PalinuroSec) |
451 | - prevent thunderbird conflicts when firefox is running | 454 | - prevent thunderbird conflicts when firefox is running |
452 | - add join-or-start to pluma to open multiple files in tabs | 455 | - add join-or-start to pluma to open multiple files in tabs |
456 | - fixes to keepassxc, thunderbird and pluma | ||
453 | Panzerfather (https://github.com/Panzerfather) | 457 | Panzerfather (https://github.com/Panzerfather) |
454 | - allow eog to access user's trash | 458 | - allow eog to access user's trash |
455 | Patrick Toomey (https://sourceforge.net/u/ptoomey/profile/) | 459 | Patrick Toomey (https://sourceforge.net/u/ptoomey/profile/) |
@@ -478,6 +482,8 @@ Petter Reinholdtsen (pere@hungry.com) | |||
478 | PharmaceuticalCobweb (https://github.com/PharmaceuticalCobweb) | 482 | PharmaceuticalCobweb (https://github.com/PharmaceuticalCobweb) |
479 | - fix quiterss profile | 483 | - fix quiterss profile |
480 | - added profile for gnome-ring | 484 | - added profile for gnome-ring |
485 | pianoslum (https://github.com/pianoslum) | ||
486 | - nodbus breaking evince two-page-view warning | ||
481 | pirate486743186 (https://github.com/pirate486743186) | 487 | pirate486743186 (https://github.com/pirate486743186) |
482 | - KMail profile | 488 | - KMail profile |
483 | - mpsyt profile | 489 | - mpsyt profile |
@@ -536,9 +542,10 @@ rusty-snake (https://github.com/rusty-snake) | |||
536 | - added profiles: thunderbird-wayland, supertuxkart, ghostwriter | 542 | - added profiles: thunderbird-wayland, supertuxkart, ghostwriter |
537 | - added profiles: klavaro, mypaint, mypaint-ora-thumbnailer, nano | 543 | - added profiles: klavaro, mypaint, mypaint-ora-thumbnailer, nano |
538 | - added profiles: gajim-history-manager, freemind, nomacs, kid3 | 544 | - added profiles: gajim-history-manager, freemind, nomacs, kid3 |
539 | - added profiles: kid3-qt, kid3-cli, anki, anki | 545 | - added profiles: kid3-qt, kid3-cli, anki |
540 | - fixed profiles: kdenlive, bibletime, rhythmbox, gajim, seahorse | 546 | - fixed profiles: kdenlive, bibletime, rhythmbox, gajim, seahorse |
541 | - fixed profiles: libreoffice, gnome-maps, wget, seahorse-tool | 547 | - fixed profiles: libreoffice, gnome-maps, wget, seahorse-tool |
548 | - fixed profiles: gnome-logs | ||
542 | - hardened profiles: disable-common.inc, disable-programs.inc | 549 | - hardened profiles: disable-common.inc, disable-programs.inc |
543 | - hardened profiles: gajim, evince, ffmpeg, feh-network.inc, qtox | 550 | - hardened profiles: gajim, evince, ffmpeg, feh-network.inc, qtox |
544 | - hardened profiles: gnome-clocks, meld, minetest, youtube-dl | 551 | - hardened profiles: gnome-clocks, meld, minetest, youtube-dl |
@@ -552,6 +559,8 @@ sarneaud (https://github.com/sarneaud) | |||
552 | - various enhancements and bug fixes | 559 | - various enhancements and bug fixes |
553 | Sergey Alirzaev (https://github.com/l29ah) | 560 | Sergey Alirzaev (https://github.com/l29ah) |
554 | - firejail.h enum fix | 561 | - firejail.h enum fix |
562 | Tobias Schmidl (https://github.com/schtobia) | ||
563 | - added profile for webui-aria2 | ||
555 | Simon Peter (https://github.com/probonopd) | 564 | Simon Peter (https://github.com/probonopd) |
556 | - set $APPIMAGE and $APPDIR environment variables | 565 | - set $APPIMAGE and $APPDIR environment variables |
557 | - AppImage version detection | 566 | - AppImage version detection |
@@ -714,6 +723,12 @@ veloute (https://github.com/veloute) | |||
714 | - fixed discord profile | 723 | - fixed discord profile |
715 | - fixes for various profiles | 724 | - fixes for various profiles |
716 | - removed vim and ranger from firecfg | 725 | - removed vim and ranger from firecfg |
726 | - fixing keepassxc auto-type, noexec /tmp | ||
727 | - fix ipc-namespace prblem in file-roller | ||
728 | - fix exiftool, viewnior, aria2c, ffmpegthumbnailer | ||
729 | - fix pavucontrol (ipcnamespace) | ||
730 | - fix gnuchess | ||
731 | - add anki profile | ||
717 | Vincent43 (https://github.com/Vincent43) | 732 | Vincent43 (https://github.com/Vincent43) |
718 | - apparmor enhancements | 733 | - apparmor enhancements |
719 | vismir2 (https://github.com/vismir2) | 734 | vismir2 (https://github.com/vismir2) |
@@ -102,5 +102,4 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
102 | ## Current development version: 0.9.59 | 102 | ## Current development version: 0.9.59 |
103 | 103 | ||
104 | ## New profiles: | 104 | ## New profiles: |
105 | crow, nyx, klavaro, mypaint, celluoid, nano, transgui, sysprof, simplescreenrecorder, geekbench, xfce4-mixer, pavucontrol, d-feet, seahorse, secret-tool, gnome-keyring, regextester, hardinfo, gnome-system-log, gnome-nettool, netactview, redshift, devhelp, assogiate, subdownloader, font-manager, exfalso, gconf-editor, dconf-editor, mpdris2, sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings, code-oss, pragha, Maelstrom, ostrichriders, bzflag, freeciv, lincity-ng, megaglest, openttd, crawl, crawl-tiles, teeworlds, torcs, tremulous, warsow, lugaru, manaplus, pioneer, scorched3d, widelands, freemind, kid3, kid3-cli, kid3-qt, nomacs, freecol, opencity, openclonk, slashem, vulturesclaw, vultureseye, anki | 105 | anki, assogiate, autokey-gtk, autokey-qt, autokey-run, autokey-shell, bzflag, celluoid, code-oss, crawl, crawl-tiles, crow, d-feet, dconf, dconf-editor, devhelp, exfalso, font-manager, freeciv, freecol, freemind, gconf-editor, geekbench, gnome-keyring, gnome-nettool, gnome-system-log, gsettings, kid3, kid3-cli, kid3-qt, klavaro, lincity-ng, lugaru, Maelstrom, manaplus, megaglest, mpdris2, mypaint, nano, netactview, nomacs, nyx, opencity, openclonk, openttd, ostrichriders, pavucontrol, pioneer, pragha, redshift, regextester, seahorse, seahorse-tool, scorched3d, secret-tool, simplescreenrecorder, slashem, subdownloader, sysprof, sysprof-cli, teeworlds, torcs, tremulous, transgui, vulturesclaw, vultureseye, warsow, widelands, xfce4-mixer |
106 | |||
@@ -12,6 +12,7 @@ firejail (0.9.59) baseline; urgency=low | |||
12 | * new profiles: pioneer, scorched3d, widelands, freemind, kid3, kid3-qt | 12 | * new profiles: pioneer, scorched3d, widelands, freemind, kid3, kid3-qt |
13 | * new profiles: kid3-cli, nomacs, freecol, opencity, openclonk, slashem | 13 | * new profiles: kid3-cli, nomacs, freecol, opencity, openclonk, slashem |
14 | * new profiles: vultureseye, vulturesclaw, anki | 14 | * new profiles: vultureseye, vulturesclaw, anki |
15 | * new profiles: autokey-gtk, autokey-qt, autokey-run, autokey-shell | ||
15 | * memory-deny-write-execute now also blocks memfd_create | 16 | * memory-deny-write-execute now also blocks memfd_create |
16 | * drop support for flatpak/snap packages | 17 | * drop support for flatpak/snap packages |
17 | 18 | ||
diff --git a/etc/0ad.profile b/etc/0ad.profile index 674fb2c6a..88c9c453b 100644 --- a/etc/0ad.profile +++ b/etc/0ad.profile | |||
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.local/share/0ad | |||
12 | 12 | ||
13 | include disable-common.inc | 13 | include disable-common.inc |
14 | include disable-devel.inc | 14 | include disable-devel.inc |
15 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | 16 | include disable-interpreters.inc |
16 | include disable-passwdmgr.inc | 17 | include disable-passwdmgr.inc |
17 | include disable-programs.inc | 18 | include disable-programs.inc |
@@ -44,5 +45,3 @@ private-bin 0ad,pyrogenesis,sh,which | |||
44 | private-dev | 45 | private-dev |
45 | private-tmp | 46 | private-tmp |
46 | 47 | ||
47 | noexec ${HOME} | ||
48 | noexec /tmp | ||
diff --git a/etc/2048-qt.profile b/etc/2048-qt.profile index 10f354f19..2347039a6 100644 --- a/etc/2048-qt.profile +++ b/etc/2048-qt.profile | |||
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.config/xiaoyong | |||
11 | 11 | ||
12 | include disable-common.inc | 12 | include disable-common.inc |
13 | include disable-devel.inc | 13 | include disable-devel.inc |
14 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
15 | include disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
16 | include disable-programs.inc | 17 | include disable-programs.inc |
@@ -39,6 +40,3 @@ shell none | |||
39 | disable-mnt | 40 | disable-mnt |
40 | private-dev | 41 | private-dev |
41 | private-tmp | 42 | private-tmp |
42 | |||
43 | noexec ${HOME} | ||
44 | noexec /tmp | ||
diff --git a/etc/Builder.profile b/etc/Builder.profile new file mode 100644 index 000000000..128e0dfe3 --- /dev/null +++ b/etc/Builder.profile | |||
@@ -0,0 +1,7 @@ | |||
1 | # Firejail profile for gnome-builder | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | |||
5 | # Temporary fix for https://github.com/netblue30/firejail/issues/2624 | ||
6 | # Redirect | ||
7 | include gnome-builder.profile | ||
diff --git a/etc/Documents.profile b/etc/Documents.profile new file mode 100644 index 000000000..c965c55a8 --- /dev/null +++ b/etc/Documents.profile | |||
@@ -0,0 +1,7 @@ | |||
1 | # Firejail profile for gnome-documents | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | |||
5 | # Temporary fix for https://github.com/netblue30/firejail/issues/2624 | ||
6 | # Redirect | ||
7 | include gnome-documents.profile | ||
diff --git a/etc/Logs.profile b/etc/Logs.profile new file mode 100644 index 000000000..f82722ed4 --- /dev/null +++ b/etc/Logs.profile | |||
@@ -0,0 +1,7 @@ | |||
1 | # Firejail profile for gnome-logs | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | |||
5 | # Temporary fix for https://github.com/netblue30/firejail/issues/2624 | ||
6 | # Redirect | ||
7 | include gnome-logs.profile | ||
diff --git a/etc/Maps.profile b/etc/Maps.profile new file mode 100644 index 000000000..b3fc03e38 --- /dev/null +++ b/etc/Maps.profile | |||
@@ -0,0 +1,7 @@ | |||
1 | # Firejail profile for gnome-maps | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | |||
5 | # Temporary fix for https://github.com/netblue30/firejail/issues/2624 | ||
6 | # Redirect | ||
7 | include gnome-maps.profile | ||
diff --git a/etc/assogiate.profile b/etc/assogiate.profile index c579cc280..6a9848e83 100644 --- a/etc/assogiate.profile +++ b/etc/assogiate.profile | |||
@@ -7,6 +7,7 @@ include assogiate.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${PICTURES} | 9 | noblacklist ${PICTURES} |
10 | whitelist ${PICTURES} | ||
10 | 11 | ||
11 | include disable-common.inc | 12 | include disable-common.inc |
12 | include disable-devel.inc | 13 | include disable-devel.inc |
@@ -15,9 +16,8 @@ include disable-interpreters.inc | |||
15 | include disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
16 | include disable-programs.inc | 17 | include disable-programs.inc |
17 | include disable-xdg.inc | 18 | include disable-xdg.inc |
18 | |||
19 | whitelist ${PICTURES} | ||
20 | include whitelist-common.inc | 19 | include whitelist-common.inc |
20 | include whitelist-var-common.inc | ||
21 | 21 | ||
22 | apparmor | 22 | apparmor |
23 | caps.drop all | 23 | caps.drop all |
@@ -39,7 +39,7 @@ shell none | |||
39 | tracelog | 39 | tracelog |
40 | 40 | ||
41 | disable-mnt | 41 | disable-mnt |
42 | private-bin assogiate,gtk-update-icon-cache | 42 | private-bin assogiate,gtk-update-icon-cache,update-mime-database |
43 | private-cache | 43 | private-cache |
44 | private-dev | 44 | private-dev |
45 | private-lib gnome-vfs-2.0,libattr.so.*,libacl.so.*,libfam.so.* | 45 | private-lib gnome-vfs-2.0,libattr.so.*,libacl.so.*,libfam.so.* |
diff --git a/etc/atom.profile b/etc/atom.profile index 995c5598d..1c0afb277 100644 --- a/etc/atom.profile +++ b/etc/atom.profile | |||
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.atom | |||
10 | noblacklist ${HOME}/.config/Atom | 10 | noblacklist ${HOME}/.config/Atom |
11 | noblacklist ${HOME}/.cargo/config | 11 | noblacklist ${HOME}/.cargo/config |
12 | noblacklist ${HOME}/.cargo/registry | 12 | noblacklist ${HOME}/.cargo/registry |
13 | noblacklist ${HOME}/.gitconfig | ||
13 | 14 | ||
14 | include disable-common.inc | 15 | include disable-common.inc |
15 | include disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
diff --git a/etc/autokey-common.profile b/etc/autokey-common.profile new file mode 100644 index 000000000..44c0a3c15 --- /dev/null +++ b/etc/autokey-common.profile | |||
@@ -0,0 +1,47 @@ | |||
1 | # Firejail profile for autokey | ||
2 | # Description: Desktop automation utility | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include autokey-common.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/autokey | ||
10 | noblacklist ${HOME}/.local/share/autokey | ||
11 | |||
12 | # Allow python (blacklisted by disable-interpreters.inc) | ||
13 | noblacklist ${PATH}/python2* | ||
14 | noblacklist ${PATH}/python3* | ||
15 | noblacklist /usr/lib/python2* | ||
16 | noblacklist /usr/lib/python3* | ||
17 | noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
19 | noblacklist /usr/share/python2* | ||
20 | noblacklist /usr/share/python3* | ||
21 | |||
22 | include disable-common.inc | ||
23 | include disable-devel.inc | ||
24 | # disable-exec.inc might break scripting functionality | ||
25 | #include disable-exec.inc | ||
26 | include disable-interpreters.inc | ||
27 | include disable-passwdmgr.inc | ||
28 | include disable-programs.inc | ||
29 | include whitelist-var-common.inc | ||
30 | |||
31 | caps.drop all | ||
32 | netfilter | ||
33 | no3d | ||
34 | nogroups | ||
35 | nonewprivs | ||
36 | noroot | ||
37 | nou2f | ||
38 | protocol unix,inet,inet6 | ||
39 | seccomp | ||
40 | shell none | ||
41 | tracelog | ||
42 | |||
43 | private-cache | ||
44 | private-dev | ||
45 | private-tmp | ||
46 | |||
47 | # memory-deny-write-execute - Breaks on Arch | ||
diff --git a/etc/autokey-gtk.profile b/etc/autokey-gtk.profile new file mode 100644 index 000000000..86168ba0d --- /dev/null +++ b/etc/autokey-gtk.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for autokey-gtk | ||
2 | # Description: Desktop automation utility (GTK version) | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include autokey-gtk.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | #Redirect | ||
11 | include autokey-common.profile | ||
diff --git a/etc/autokey-qt.profile b/etc/autokey-qt.profile new file mode 100644 index 000000000..f3877d829 --- /dev/null +++ b/etc/autokey-qt.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for autokey-qt | ||
2 | # Description: Desktop automation utility (Qt version) | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include autokey-qt.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | #Redirect | ||
11 | include autokey-common.profile | ||
diff --git a/etc/autokey-run.profile b/etc/autokey-run.profile new file mode 100644 index 000000000..b70239022 --- /dev/null +++ b/etc/autokey-run.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for autokey-run | ||
2 | # Description: Desktop automation utility (CLI version) | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include autokey-run.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | #Redirect | ||
11 | include autokey-common.profile | ||
diff --git a/etc/autokey-shell.profile b/etc/autokey-shell.profile new file mode 100644 index 000000000..5745fce77 --- /dev/null +++ b/etc/autokey-shell.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for autokey-shell | ||
2 | # Description: Desktop automation utility (CLI shell) | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include autokey-shell.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | #Redirect | ||
11 | include autokey-common.profile | ||
diff --git a/etc/brackets.profile b/etc/brackets.profile index cead6ec24..46870e1ad 100644 --- a/etc/brackets.profile +++ b/etc/brackets.profile | |||
@@ -9,8 +9,10 @@ noblacklist ${HOME}/.config/Brackets | |||
9 | #noblacklist /opt/brackets/ | 9 | #noblacklist /opt/brackets/ |
10 | #noblacklist /opt/google/ | 10 | #noblacklist /opt/google/ |
11 | # Uncomment the the next two lines if you are developing rust. | 11 | # Uncomment the the next two lines if you are developing rust. |
12 | # or put it in your brackets.local | ||
12 | #noblacklist ${HOME}/.cargo/config | 13 | #noblacklist ${HOME}/.cargo/config |
13 | #noblacklist ${HOME}/.cargo/registry | 14 | #noblacklist ${HOME}/.cargo/registry |
15 | noblacklist ${HOME}/.gitconfig | ||
14 | 16 | ||
15 | include disable-common.inc | 17 | include disable-common.inc |
16 | include disable-passwdmgr.inc | 18 | include disable-passwdmgr.inc |
diff --git a/etc/calibre.profile b/etc/calibre.profile index 5c7d3e1e7..363e9191d 100644 --- a/etc/calibre.profile +++ b/etc/calibre.profile | |||
@@ -12,6 +12,7 @@ noblacklist ${DOCUMENTS} | |||
12 | 12 | ||
13 | include disable-common.inc | 13 | include disable-common.inc |
14 | include disable-devel.inc | 14 | include disable-devel.inc |
15 | include disable-exec.inc | ||
15 | include disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
16 | include disable-programs.inc | 17 | include disable-programs.inc |
17 | include disable-xdg.inc | 18 | include disable-xdg.inc |
@@ -36,6 +37,3 @@ tracelog | |||
36 | 37 | ||
37 | private-dev | 38 | private-dev |
38 | private-tmp | 39 | private-tmp |
39 | |||
40 | noexec ${HOME} | ||
41 | noexec /tmp | ||
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index 22bda418a..44ef12aa2 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile | |||
@@ -19,6 +19,7 @@ noblacklist /usr/local/lib/python3* | |||
19 | 19 | ||
20 | include disable-common.inc | 20 | include disable-common.inc |
21 | include disable-devel.inc | 21 | include disable-devel.inc |
22 | include disable-exec.inc | ||
22 | include disable-interpreters.inc | 23 | include disable-interpreters.inc |
23 | include disable-passwdmgr.inc | 24 | include disable-passwdmgr.inc |
24 | include disable-programs.inc | 25 | include disable-programs.inc |
@@ -44,5 +45,3 @@ private-cache | |||
44 | private-dev | 45 | private-dev |
45 | private-tmp | 46 | private-tmp |
46 | 47 | ||
47 | noexec ${HOME} | ||
48 | noexec /tmp | ||
diff --git a/etc/clocks.profile b/etc/clocks.profile new file mode 100644 index 000000000..dd234ce44 --- /dev/null +++ b/etc/clocks.profile | |||
@@ -0,0 +1,7 @@ | |||
1 | # Firejail profile for gnome-clocks | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | |||
5 | # Temporary fix for https://github.com/netblue30/firejail/issues/2624 | ||
6 | # Redirect | ||
7 | include gnome-clocks.profile | ||
diff --git a/etc/eom.profile b/etc/eom.profile index a6007f99c..745e650aa 100644 --- a/etc/eom.profile +++ b/etc/eom.profile | |||
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.steam | |||
13 | 13 | ||
14 | include disable-common.inc | 14 | include disable-common.inc |
15 | include disable-devel.inc | 15 | include disable-devel.inc |
16 | include disable-exec.inc | ||
16 | include disable-interpreters.inc | 17 | include disable-interpreters.inc |
17 | include disable-passwdmgr.inc | 18 | include disable-passwdmgr.inc |
18 | include disable-programs.inc | 19 | include disable-programs.inc |
@@ -43,5 +44,3 @@ private-lib | |||
43 | private-tmp | 44 | private-tmp |
44 | 45 | ||
45 | #memory-deny-write-execute - breaks on Arch | 46 | #memory-deny-write-execute - breaks on Arch |
46 | noexec ${HOME} | ||
47 | noexec /tmp | ||
diff --git a/etc/evince.profile b/etc/evince.profile index c3c6d4be0..b1f984784 100644 --- a/etc/evince.profile +++ b/etc/evince.profile | |||
@@ -11,6 +11,7 @@ noblacklist ${DOCUMENTS} | |||
11 | 11 | ||
12 | include disable-common.inc | 12 | include disable-common.inc |
13 | include disable-devel.inc | 13 | include disable-devel.inc |
14 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
15 | include disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
16 | include disable-programs.inc | 17 | include disable-programs.inc |
@@ -23,7 +24,8 @@ machine-id | |||
23 | # net none - breaks AppArmor on Ubuntu systems | 24 | # net none - breaks AppArmor on Ubuntu systems |
24 | netfilter | 25 | netfilter |
25 | no3d | 26 | no3d |
26 | nodbus # might break two-page-view on some systems | 27 | # nodbus might break two-page-view on some systems |
28 | nodbus | ||
27 | nodvd | 29 | nodvd |
28 | nogroups | 30 | nogroups |
29 | nonewprivs | 31 | nonewprivs |
@@ -45,5 +47,3 @@ private-lib evince,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,li | |||
45 | private-tmp | 47 | private-tmp |
46 | 48 | ||
47 | # memory-deny-write-execute - might break application (https://github.com/netblue30/firejail/issues/1803) | 49 | # memory-deny-write-execute - might break application (https://github.com/netblue30/firejail/issues/1803) |
48 | noexec ${HOME} | ||
49 | noexec /tmp | ||
diff --git a/etc/frozen-bubble.profile b/etc/frozen-bubble.profile index ed3b4490f..6de61840c 100644 --- a/etc/frozen-bubble.profile +++ b/etc/frozen-bubble.profile | |||
@@ -8,6 +8,13 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.frozen-bubble | 9 | noblacklist ${HOME}/.frozen-bubble |
10 | 10 | ||
11 | # Allow perl (blacklisted by disable-interpreters.inc) | ||
12 | noblacklist ${PATH}/cpan* | ||
13 | noblacklist ${PATH}/core_perl | ||
14 | noblacklist ${PATH}/perl | ||
15 | noblacklist /usr/lib/perl* | ||
16 | noblacklist /usr/share/perl* | ||
17 | |||
11 | include disable-common.inc | 18 | include disable-common.inc |
12 | include disable-devel.inc | 19 | include disable-devel.inc |
13 | include disable-interpreters.inc | 20 | include disable-interpreters.inc |
diff --git a/etc/geany.profile b/etc/geany.profile index a21e19329..7f96449c9 100644 --- a/etc/geany.profile +++ b/etc/geany.profile | |||
@@ -8,6 +8,7 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.config/geany | 9 | noblacklist ${HOME}/.config/geany |
10 | noblacklist ${HOME}/.python-history | 10 | noblacklist ${HOME}/.python-history |
11 | noblacklist ${HOME}/.gitconfig | ||
11 | 12 | ||
12 | include disable-common.inc | 13 | include disable-common.inc |
13 | include disable-passwdmgr.inc | 14 | include disable-passwdmgr.inc |
diff --git a/etc/gnome-builder.profile b/etc/gnome-builder.profile index 05ebea80c..d5e3cd435 100644 --- a/etc/gnome-builder.profile +++ b/etc/gnome-builder.profile | |||
@@ -9,6 +9,7 @@ include globals.local | |||
9 | noblacklist ${HOME}/.cargo/config | 9 | noblacklist ${HOME}/.cargo/config |
10 | noblacklist ${HOME}/.cargo/registry | 10 | noblacklist ${HOME}/.cargo/registry |
11 | noblacklist ${HOME}/.python-history | 11 | noblacklist ${HOME}/.python-history |
12 | noblacklist ${HOME}/.gitconfig | ||
12 | 13 | ||
13 | include disable-common.inc | 14 | include disable-common.inc |
14 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
diff --git a/etc/gnome-chess.profile b/etc/gnome-chess.profile index dc5b62428..2f4626891 100644 --- a/etc/gnome-chess.profile +++ b/etc/gnome-chess.profile | |||
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.local/share/gnome-chess | |||
10 | 10 | ||
11 | include disable-common.inc | 11 | include disable-common.inc |
12 | include disable-devel.inc | 12 | include disable-devel.inc |
13 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | 14 | include disable-interpreters.inc |
14 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
15 | include disable-programs.inc | 16 | include disable-programs.inc |
@@ -37,6 +38,3 @@ private-bin fairymax,gnome-chess,hoichess,gnuchess | |||
37 | private-dev | 38 | private-dev |
38 | private-etc alternatives,fonts,gnome-chess | 39 | private-etc alternatives,fonts,gnome-chess |
39 | private-tmp | 40 | private-tmp |
40 | |||
41 | noexec ${HOME} | ||
42 | noexec /tmp | ||
diff --git a/etc/gnome-contacts.profile b/etc/gnome-contacts.profile index 2a13b3b27..ac6d82451 100644 --- a/etc/gnome-contacts.profile +++ b/etc/gnome-contacts.profile | |||
@@ -10,6 +10,7 @@ noblacklist ${DOCUMENTS} | |||
10 | 10 | ||
11 | include disable-common.inc | 11 | include disable-common.inc |
12 | include disable-devel.inc | 12 | include disable-devel.inc |
13 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | 14 | include disable-interpreters.inc |
14 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
15 | include disable-programs.inc | 16 | include disable-programs.inc |
@@ -35,5 +36,3 @@ disable-mnt | |||
35 | private-dev | 36 | private-dev |
36 | private-tmp | 37 | private-tmp |
37 | 38 | ||
38 | noexec ${HOME} | ||
39 | noexec /tmp | ||
diff --git a/etc/gnome-logs.profile b/etc/gnome-logs.profile index c7cbd8388..9a12162db 100644 --- a/etc/gnome-logs.profile +++ b/etc/gnome-logs.profile | |||
@@ -26,6 +26,7 @@ nodbus | |||
26 | nodvd | 26 | nodvd |
27 | # When using 'volatile' storage (https://www.freedesktop.org/software/systemd/man/journald.conf.html), | 27 | # When using 'volatile' storage (https://www.freedesktop.org/software/systemd/man/journald.conf.html), |
28 | # comment both 'nogroups' and 'noroot' | 28 | # comment both 'nogroups' and 'noroot' |
29 | # or put 'ignore nogroups' and 'ignore noroot' to your gnome-logs.local. | ||
29 | nogroups | 30 | nogroups |
30 | nonewprivs | 31 | nonewprivs |
31 | noroot | 32 | noroot |
@@ -46,7 +47,5 @@ private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.s | |||
46 | private-tmp | 47 | private-tmp |
47 | writable-var-log | 48 | writable-var-log |
48 | 49 | ||
49 | memory-deny-write-execute | ||
50 | |||
51 | # comment this if you export logs to a file in your ${HOME} | 50 | # comment this if you export logs to a file in your ${HOME} |
52 | read-only ${HOME} | 51 | read-only ${HOME} |
diff --git a/etc/hexchat.profile b/etc/hexchat.profile index e8abf4b31..ee70e6655 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile | |||
@@ -19,6 +19,7 @@ noblacklist /usr/local/lib/python3* | |||
19 | 19 | ||
20 | include disable-common.inc | 20 | include disable-common.inc |
21 | include disable-devel.inc | 21 | include disable-devel.inc |
22 | include disable-exec.inc | ||
22 | include disable-interpreters.inc | 23 | include disable-interpreters.inc |
23 | include disable-passwdmgr.inc | 24 | include disable-passwdmgr.inc |
24 | include disable-programs.inc | 25 | include disable-programs.inc |
@@ -53,5 +54,3 @@ private-dev | |||
53 | private-tmp | 54 | private-tmp |
54 | 55 | ||
55 | # memory-deny-write-execute - breaks python | 56 | # memory-deny-write-execute - breaks python |
56 | noexec ${HOME} | ||
57 | noexec /tmp | ||
diff --git a/etc/leafpad.profile b/etc/leafpad.profile index 47ea5606a..56a792c8e 100644 --- a/etc/leafpad.profile +++ b/etc/leafpad.profile | |||
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/leafpad | |||
10 | 10 | ||
11 | include disable-common.inc | 11 | include disable-common.inc |
12 | include disable-devel.inc | 12 | include disable-devel.inc |
13 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | 14 | include disable-interpreters.inc |
14 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
15 | include disable-programs.inc | 16 | include disable-programs.inc |
@@ -36,5 +37,3 @@ private-dev | |||
36 | private-lib | 37 | private-lib |
37 | private-tmp | 38 | private-tmp |
38 | 39 | ||
39 | noexec ${HOME} | ||
40 | noexec /tmp | ||
diff --git a/etc/mousepad.profile b/etc/mousepad.profile index 4500f74a5..3b9807b28 100644 --- a/etc/mousepad.profile +++ b/etc/mousepad.profile | |||
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/Mousepad | |||
10 | 10 | ||
11 | include disable-common.inc | 11 | include disable-common.inc |
12 | include disable-devel.inc | 12 | include disable-devel.inc |
13 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | 14 | include disable-interpreters.inc |
14 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
15 | include disable-programs.inc | 16 | include disable-programs.inc |
diff --git a/etc/ping.profile b/etc/ping.profile index bdd29c1a1..66574bab5 100644 --- a/etc/ping.profile +++ b/etc/ping.profile | |||
@@ -8,6 +8,7 @@ include globals.local | |||
8 | 8 | ||
9 | include disable-common.inc | 9 | include disable-common.inc |
10 | include disable-devel.inc | 10 | include disable-devel.inc |
11 | include disable-exec.inc | ||
11 | include disable-interpreters.inc | 12 | include disable-interpreters.inc |
12 | include disable-passwdmgr.inc | 13 | include disable-passwdmgr.inc |
13 | include disable-programs.inc | 14 | include disable-programs.inc |
@@ -46,5 +47,3 @@ private-tmp | |||
46 | 47 | ||
47 | # memory-deny-write-execute is built using seccomp; nonewprivs will kill it | 48 | # memory-deny-write-execute is built using seccomp; nonewprivs will kill it |
48 | #memory-deny-write-execute | 49 | #memory-deny-write-execute |
49 | noexec ${HOME} | ||
50 | noexec /tmp | ||
diff --git a/etc/pinta.profile b/etc/pinta.profile index 3dfe3cc1b..8151bc98f 100644 --- a/etc/pinta.profile +++ b/etc/pinta.profile | |||
@@ -12,6 +12,7 @@ noblacklist ${PICTURES} | |||
12 | 12 | ||
13 | include disable-common.inc | 13 | include disable-common.inc |
14 | include disable-devel.inc | 14 | include disable-devel.inc |
15 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | 16 | include disable-interpreters.inc |
16 | include disable-passwdmgr.inc | 17 | include disable-passwdmgr.inc |
17 | include disable-programs.inc | 18 | include disable-programs.inc |
@@ -37,5 +38,3 @@ private-dev | |||
37 | private-cache | 38 | private-cache |
38 | private-tmp | 39 | private-tmp |
39 | 40 | ||
40 | noexec ${HOME} | ||
41 | noexec /tmp | ||
diff --git a/etc/sol.profile b/etc/sol.profile index c194eed05..ea1620b31 100644 --- a/etc/sol.profile +++ b/etc/sol.profile | |||
@@ -7,6 +7,7 @@ include globals.local | |||
7 | 7 | ||
8 | include disable-common.inc | 8 | include disable-common.inc |
9 | include disable-devel.inc | 9 | include disable-devel.inc |
10 | include disable-exec.inc | ||
10 | include disable-interpreters.inc | 11 | include disable-interpreters.inc |
11 | include disable-passwdmgr.inc | 12 | include disable-passwdmgr.inc |
12 | include disable-programs.inc | 13 | include disable-programs.inc |
@@ -40,5 +41,3 @@ private-dev | |||
40 | private-tmp | 41 | private-tmp |
41 | 42 | ||
42 | # memory-deny-write-execute | 43 | # memory-deny-write-execute |
43 | noexec ${HOME} | ||
44 | noexec /tmp | ||
diff --git a/etc/utox.profile b/etc/utox.profile new file mode 100644 index 000000000..9216a6a05 --- /dev/null +++ b/etc/utox.profile | |||
@@ -0,0 +1,47 @@ | |||
1 | # Firejail profile for utox | ||
2 | # Description: Lightweight Tox client | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include utox.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/tox | ||
10 | |||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | include disable-xdg.inc | ||
18 | |||
19 | mkdir ${HOME}/.config/tox | ||
20 | whitelist ${DOWNLOADS} | ||
21 | whitelist ${HOME}/.config/tox | ||
22 | include whitelist-common.inc | ||
23 | include whitelist-var-common.inc | ||
24 | |||
25 | apparmor | ||
26 | caps.drop all | ||
27 | ipc-namespace | ||
28 | netfilter | ||
29 | nodvd | ||
30 | nogroups | ||
31 | nonewprivs | ||
32 | noroot | ||
33 | notv | ||
34 | nou2f | ||
35 | protocol unix,inet,inet6 | ||
36 | seccomp | ||
37 | shell none | ||
38 | tracelog | ||
39 | |||
40 | disable-mnt | ||
41 | private-bin utox | ||
42 | private-cache | ||
43 | private-dev | ||
44 | private-etc alternatives,fonts,resolv.conf,ld.so.cache,localtime,ca-certificates,ssl,pki,crypto-policies,machine-id,pulse,openal | ||
45 | private-tmp | ||
46 | |||
47 | memory-deny-write-execute | ||
diff --git a/etc/virtualbox.profile b/etc/virtualbox.profile index 1ef44dd5c..45f9949f3 100644 --- a/etc/virtualbox.profile +++ b/etc/virtualbox.profile | |||
@@ -14,6 +14,7 @@ noblacklist /usr/lib/virtualbox | |||
14 | noblacklist /usr/lib64/virtualbox | 14 | noblacklist /usr/lib64/virtualbox |
15 | 15 | ||
16 | include disable-common.inc | 16 | include disable-common.inc |
17 | include disable-exec.inc | ||
17 | include disable-passwdmgr.inc | 18 | include disable-passwdmgr.inc |
18 | include disable-programs.inc | 19 | include disable-programs.inc |
19 | 20 | ||
diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile index 816f2236c..85cbc5e43 100644 --- a/etc/warzone2100.profile +++ b/etc/warzone2100.profile | |||
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.warzone2100-3.* | |||
10 | 10 | ||
11 | include disable-common.inc | 11 | include disable-common.inc |
12 | include disable-devel.inc | 12 | include disable-devel.inc |
13 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | 14 | include disable-interpreters.inc |
14 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
15 | include disable-programs.inc | 16 | include disable-programs.inc |
diff --git a/etc/wget.profile b/etc/wget.profile index c0a6f0d21..a7ef32e2c 100644 --- a/etc/wget.profile +++ b/etc/wget.profile | |||
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.wget-hsts | |||
13 | noblacklist ${HOME}/.wgetrc | 13 | noblacklist ${HOME}/.wgetrc |
14 | 14 | ||
15 | include disable-common.inc | 15 | include disable-common.inc |
16 | include disable-exec.inc | ||
16 | include disable-passwdmgr.inc | 17 | include disable-passwdmgr.inc |
17 | include disable-programs.inc | 18 | include disable-programs.inc |
18 | 19 | ||
@@ -38,5 +39,3 @@ private-dev | |||
38 | # private-etc alternatives,resolv.conf,ca-certificates,ssl,pki,crypto-policies | 39 | # private-etc alternatives,resolv.conf,ca-certificates,ssl,pki,crypto-policies |
39 | # private-tmp | 40 | # private-tmp |
40 | 41 | ||
41 | noexec ${HOME} | ||
42 | noexec /tmp | ||
diff --git a/etc/xcalc.profile b/etc/xcalc.profile index 1941787b1..0ad423d30 100644 --- a/etc/xcalc.profile +++ b/etc/xcalc.profile | |||
@@ -7,6 +7,7 @@ include globals.local | |||
7 | 7 | ||
8 | include disable-common.inc | 8 | include disable-common.inc |
9 | include disable-devel.inc | 9 | include disable-devel.inc |
10 | include disable-exec.inc | ||
10 | include disable-interpreters.inc | 11 | include disable-interpreters.inc |
11 | include disable-passwdmgr.inc | 12 | include disable-passwdmgr.inc |
12 | include disable-programs.inc | 13 | include disable-programs.inc |
@@ -38,5 +39,3 @@ private-dev | |||
38 | private-lib | 39 | private-lib |
39 | private-tmp | 40 | private-tmp |
40 | 41 | ||
41 | noexec ${HOME} | ||
42 | noexec /tmp | ||
diff --git a/src/firecfg/desktop_files.c b/src/firecfg/desktop_files.c index a40b5a824..c8f684abc 100644 --- a/src/firecfg/desktop_files.c +++ b/src/firecfg/desktop_files.c | |||
@@ -56,8 +56,10 @@ static int have_profile(const char *filename, const char *homedir) { | |||
56 | if (arg_debug) | 56 | if (arg_debug) |
57 | printf("checking profile for %s\n", filename); | 57 | printf("checking profile for %s\n", filename); |
58 | 58 | ||
59 | // we get strange names here, such as .org.gnom.gedit.desktop, com.uploadedlobster.peek.desktop, | 59 | // we get strange names here, such as .org.gnome.gedit.desktop, com.uploadedlobster.peek.desktop, |
60 | // or io.github.Pithos.desktop; extract the word before .desktop | 60 | // or io.github.Pithos.desktop; extract the word before .desktop |
61 | // TODO: implement proper fix for #2624 (names like org.gnome.Logs.desktop fall thru | ||
62 | // the 'last word' logic and don't get installed to ~/.local/share/applications | ||
61 | 63 | ||
62 | char *tmpfname = strdup(filename); | 64 | char *tmpfname = strdup(filename); |
63 | if (!tmpfname) | 65 | if (!tmpfname) |
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index d5c502a67..7aec0f82a 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -4,15 +4,19 @@ | |||
4 | #qemu-system-x86_64 | 4 | #qemu-system-x86_64 |
5 | 0ad | 5 | 0ad |
6 | 2048-qt | 6 | 2048-qt |
7 | Builder | ||
7 | Cryptocat | 8 | Cryptocat |
8 | Cyberfox | 9 | Cyberfox |
9 | Discord | 10 | Discord |
10 | DiscordCanary | 11 | DiscordCanary |
12 | Documents | ||
11 | FossaMail | 13 | FossaMail |
12 | Fritzing | 14 | Fritzing |
13 | Gitter | 15 | Gitter |
14 | JDownloader | 16 | JDownloader |
17 | Logs | ||
15 | Maelstrom | 18 | Maelstrom |
19 | Maps | ||
16 | Mathematica | 20 | Mathematica |
17 | Natron | 21 | Natron |
18 | QMediathekView | 22 | QMediathekView |
@@ -50,6 +54,10 @@ atril-thumbnailer | |||
50 | audacious | 54 | audacious |
51 | audacity | 55 | audacity |
52 | authenticator | 56 | authenticator |
57 | autokey-gtk | ||
58 | autokey-qt | ||
59 | autokey-run | ||
60 | autokey-shell | ||
53 | aweather | 61 | aweather |
54 | baloo_file | 62 | baloo_file |
55 | baloo_filemetadata_temp_extractor | 63 | baloo_filemetadata_temp_extractor |
@@ -100,6 +108,7 @@ clementine | |||
100 | clion | 108 | clion |
101 | clipit | 109 | clipit |
102 | cliqz | 110 | cliqz |
111 | clocks | ||
103 | cmus | 112 | cmus |
104 | code | 113 | code |
105 | code-oss | 114 | code-oss |
@@ -557,6 +566,7 @@ uefitool | |||
557 | uget-gtk | 566 | uget-gtk |
558 | unbound | 567 | unbound |
559 | unknown-horizons | 568 | unknown-horizons |
569 | utox | ||
560 | uudeview | 570 | uudeview |
561 | uzbl-browser | 571 | uzbl-browser |
562 | viewnior | 572 | viewnior |
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in index d0f43041c..8cb994aca 100644 --- a/src/firejail/Makefile.in +++ b/src/firejail/Makefile.in | |||
@@ -2,7 +2,7 @@ all: firejail | |||
2 | 2 | ||
3 | include ../common.mk | 3 | include ../common.mk |
4 | 4 | ||
5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/ldd_utils.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h ../include/firejail_user.h | 5 | %.o : %.c $(H_FILE_LIST) ../include/rundefs.h ../include/common.h ../include/ldd_utils.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h ../include/firejail_user.h |
6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | 6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ |
7 | 7 | ||
8 | firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o | 8 | firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 4cb10c875..b2c18d79f 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -21,90 +21,13 @@ | |||
21 | #define FIREJAIL_H | 21 | #define FIREJAIL_H |
22 | #include "../include/common.h" | 22 | #include "../include/common.h" |
23 | #include "../include/euid_common.h" | 23 | #include "../include/euid_common.h" |
24 | #include "../include/rundefs.h" | ||
24 | #include <stdarg.h> | 25 | #include <stdarg.h> |
25 | #include <sys/stat.h> | 26 | #include <sys/stat.h> |
26 | 27 | ||
27 | // debug restricted shell | 28 | // debug restricted shell |
28 | //#define DEBUG_RESTRICTED_SHELL | 29 | //#define DEBUG_RESTRICTED_SHELL |
29 | 30 | ||
30 | // filesystem | ||
31 | #define RUN_FIREJAIL_BASEDIR "/run" | ||
32 | #define RUN_FIREJAIL_DIR "/run/firejail" | ||
33 | #define RUN_FIREJAIL_APPIMAGE_DIR "/run/firejail/appimage" | ||
34 | #define RUN_FIREJAIL_NAME_DIR "/run/firejail/name" // also used in src/lib/pid.c - todo: move it in a common place | ||
35 | #define RUN_FIREJAIL_LIB_DIR "/run/firejail/lib" | ||
36 | #define RUN_FIREJAIL_X11_DIR "/run/firejail/x11" | ||
37 | #define RUN_FIREJAIL_NETWORK_DIR "/run/firejail/network" | ||
38 | #define RUN_FIREJAIL_BANDWIDTH_DIR "/run/firejail/bandwidth" | ||
39 | #define RUN_FIREJAIL_PROFILE_DIR "/run/firejail/profile" | ||
40 | #define RUN_NETWORK_LOCK_FILE "/run/firejail/firejail-network.lock" | ||
41 | #define RUN_DIRECTORY_LOCK_FILE "/run/firejail/firejail-run.lock" | ||
42 | #define RUN_RO_DIR "/run/firejail/firejail.ro.dir" | ||
43 | #define RUN_RO_FILE "/run/firejail/firejail.ro.file" | ||
44 | #define RUN_MNT_DIR "/run/firejail/mnt" // a tmpfs is mounted on this directory before any of the files below are created | ||
45 | #define RUN_CGROUP_CFG "/run/firejail/mnt/cgroup" | ||
46 | #define RUN_CPU_CFG "/run/firejail/mnt/cpu" | ||
47 | #define RUN_GROUPS_CFG "/run/firejail/mnt/groups" | ||
48 | #define RUN_PROTOCOL_CFG "/run/firejail/mnt/protocol" | ||
49 | #define RUN_NONEWPRIVS_CFG "/run/firejail/mnt/nonewprivs" | ||
50 | #define RUN_HOME_DIR "/run/firejail/mnt/home" | ||
51 | #define RUN_ETC_DIR "/run/firejail/mnt/etc" | ||
52 | #define RUN_OPT_DIR "/run/firejail/mnt/opt" | ||
53 | #define RUN_SRV_DIR "/run/firejail/mnt/srv" | ||
54 | #define RUN_BIN_DIR "/run/firejail/mnt/bin" | ||
55 | #define RUN_PULSE_DIR "/run/firejail/mnt/pulse" | ||
56 | #define RUN_LIB_DIR "/run/firejail/mnt/lib" | ||
57 | #define RUN_LIB_FILE "/run/firejail/mnt/libfiles" | ||
58 | #define RUN_DNS_ETC "/run/firejail/mnt/dns-etc" | ||
59 | |||
60 | #define RUN_SECCOMP_DIR "/run/firejail/mnt/seccomp" | ||
61 | #define RUN_SECCOMP_LIST "/run/firejail/mnt/seccomp/seccomp.list" // list of seccomp files installed | ||
62 | #define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp/seccomp.protocol" // protocol filter | ||
63 | #define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp/seccomp" // configured filter | ||
64 | #define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp/seccomp.32" // 32bit arch filter installed on 64bit architectures | ||
65 | #define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp/seccomp.mdwx" // filter for memory-deny-write-execute | ||
66 | #define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp/seccomp.block_secondary" // secondary arch blocking filter | ||
67 | #define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp/seccomp.postexec" // filter for post-exec library | ||
68 | #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make | ||
69 | #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make | ||
70 | #define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make | ||
71 | #define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make | ||
72 | #define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make | ||
73 | |||
74 | |||
75 | #define RUN_DEV_DIR "/run/firejail/mnt/dev" | ||
76 | #define RUN_DEVLOG_FILE "/run/firejail/mnt/devlog" | ||
77 | |||
78 | #define RUN_WHITELIST_X11_DIR "/run/firejail/mnt/orig-x11" | ||
79 | #define RUN_WHITELIST_HOME_DIR "/run/firejail/mnt/orig-home" // default home directory masking | ||
80 | #define RUN_WHITELIST_RUN_DIR "/run/firejail/mnt/orig-run" // default run directory masking | ||
81 | #define RUN_WHITELIST_HOME_USER_DIR "/run/firejail/mnt/orig-home-user" // home directory whitelisting | ||
82 | #define RUN_WHITELIST_RUN_USER_DIR "/run/firejail/mnt/orig-run-user" // run directory whitelisting | ||
83 | #define RUN_WHITELIST_TMP_DIR "/run/firejail/mnt/orig-tmp" | ||
84 | #define RUN_WHITELIST_MEDIA_DIR "/run/firejail/mnt/orig-media" | ||
85 | #define RUN_WHITELIST_MNT_DIR "/run/firejail/mnt/orig-mnt" | ||
86 | #define RUN_WHITELIST_VAR_DIR "/run/firejail/mnt/orig-var" | ||
87 | #define RUN_WHITELIST_DEV_DIR "/run/firejail/mnt/orig-dev" | ||
88 | #define RUN_WHITELIST_OPT_DIR "/run/firejail/mnt/orig-opt" | ||
89 | #define RUN_WHITELIST_SRV_DIR "/run/firejail/mnt/orig-srv" | ||
90 | #define RUN_WHITELIST_ETC_DIR "/run/firejail/mnt/orig-etc" | ||
91 | #define RUN_WHITELIST_SHARE_DIR "/run/firejail/mnt/orig-share" | ||
92 | #define RUN_WHITELIST_MODULE_DIR "/run/firejail/mnt/orig-module" | ||
93 | |||
94 | #define RUN_XAUTHORITY_FILE "/run/firejail/mnt/.Xauthority" | ||
95 | #define RUN_XAUTHORITY_SEC_FILE "/run/firejail/mnt/sec.Xauthority" | ||
96 | #define RUN_ASOUNDRC_FILE "/run/firejail/mnt/.asoundrc" | ||
97 | #define RUN_HOSTNAME_FILE "/run/firejail/mnt/hostname" | ||
98 | #define RUN_HOSTS_FILE "/run/firejail/mnt/hosts" | ||
99 | #define RUN_MACHINEID "/run/firejail/mnt/machine-id" | ||
100 | #define RUN_LDPRELOAD_FILE "/run/firejail/mnt/ld.so.preload" | ||
101 | #define RUN_UTMP_FILE "/run/firejail/mnt/utmp" | ||
102 | #define RUN_PASSWD_FILE "/run/firejail/mnt/passwd" | ||
103 | #define RUN_GROUP_FILE "/run/firejail/mnt/group" | ||
104 | #define RUN_FSLOGGER_FILE "/run/firejail/mnt/fslogger" | ||
105 | #define RUN_UMASK_FILE "/run/firejail/mnt/umask" | ||
106 | #define RUN_OVERLAY_ROOT "/run/firejail/mnt/oroot" | ||
107 | #define RUN_READY_FOR_JOIN "/run/firejail/mnt/ready-for-join" | ||
108 | 31 | ||
109 | 32 | ||
110 | // profiles | 33 | // profiles |
diff --git a/src/include/rundefs.h b/src/include/rundefs.h new file mode 100644 index 000000000..67d7cfa4f --- /dev/null +++ b/src/include/rundefs.h | |||
@@ -0,0 +1,102 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2019 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | |||
21 | #ifndef RUNDEFS_H | ||
22 | #define RUNDEFS_H | ||
23 | // filesystem | ||
24 | #define RUN_FIREJAIL_BASEDIR "/run" | ||
25 | #define RUN_FIREJAIL_DIR "/run/firejail" | ||
26 | #define RUN_FIREJAIL_APPIMAGE_DIR "/run/firejail/appimage" | ||
27 | #define RUN_FIREJAIL_NAME_DIR "/run/firejail/name" // also used in src/lib/pid.c - todo: move it in a common place | ||
28 | #define RUN_FIREJAIL_LIB_DIR "/run/firejail/lib" | ||
29 | #define RUN_FIREJAIL_X11_DIR "/run/firejail/x11" | ||
30 | #define RUN_FIREJAIL_NETWORK_DIR "/run/firejail/network" | ||
31 | #define RUN_FIREJAIL_BANDWIDTH_DIR "/run/firejail/bandwidth" | ||
32 | #define RUN_FIREJAIL_PROFILE_DIR "/run/firejail/profile" | ||
33 | #define RUN_NETWORK_LOCK_FILE "/run/firejail/firejail-network.lock" | ||
34 | #define RUN_DIRECTORY_LOCK_FILE "/run/firejail/firejail-run.lock" | ||
35 | #define RUN_RO_DIR "/run/firejail/firejail.ro.dir" | ||
36 | #define RUN_RO_FILE "/run/firejail/firejail.ro.file" | ||
37 | #define RUN_MNT_DIR "/run/firejail/mnt" // a tmpfs is mounted on this directory before any of the files below are created | ||
38 | #define RUN_CGROUP_CFG "/run/firejail/mnt/cgroup" | ||
39 | #define RUN_CPU_CFG "/run/firejail/mnt/cpu" | ||
40 | #define RUN_GROUPS_CFG "/run/firejail/mnt/groups" | ||
41 | #define RUN_PROTOCOL_CFG "/run/firejail/mnt/protocol" | ||
42 | #define RUN_NONEWPRIVS_CFG "/run/firejail/mnt/nonewprivs" | ||
43 | #define RUN_HOME_DIR "/run/firejail/mnt/home" | ||
44 | #define RUN_ETC_DIR "/run/firejail/mnt/etc" | ||
45 | #define RUN_OPT_DIR "/run/firejail/mnt/opt" | ||
46 | #define RUN_SRV_DIR "/run/firejail/mnt/srv" | ||
47 | #define RUN_BIN_DIR "/run/firejail/mnt/bin" | ||
48 | #define RUN_PULSE_DIR "/run/firejail/mnt/pulse" | ||
49 | #define RUN_LIB_DIR "/run/firejail/mnt/lib" | ||
50 | #define RUN_LIB_FILE "/run/firejail/mnt/libfiles" | ||
51 | #define RUN_DNS_ETC "/run/firejail/mnt/dns-etc" | ||
52 | |||
53 | #define RUN_SECCOMP_DIR "/run/firejail/mnt/seccomp" | ||
54 | #define RUN_SECCOMP_LIST "/run/firejail/mnt/seccomp/seccomp.list" // list of seccomp files installed | ||
55 | #define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp/seccomp.protocol" // protocol filter | ||
56 | #define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp/seccomp" // configured filter | ||
57 | #define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp/seccomp.32" // 32bit arch filter installed on 64bit architectures | ||
58 | #define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp/seccomp.mdwx" // filter for memory-deny-write-execute | ||
59 | #define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp/seccomp.block_secondary" // secondary arch blocking filter | ||
60 | #define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp/seccomp.postexec" // filter for post-exec library | ||
61 | #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make | ||
62 | #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make | ||
63 | #define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make | ||
64 | #define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make | ||
65 | #define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make | ||
66 | |||
67 | |||
68 | #define RUN_DEV_DIR "/run/firejail/mnt/dev" | ||
69 | #define RUN_DEVLOG_FILE "/run/firejail/mnt/devlog" | ||
70 | |||
71 | #define RUN_WHITELIST_X11_DIR "/run/firejail/mnt/orig-x11" | ||
72 | #define RUN_WHITELIST_HOME_DIR "/run/firejail/mnt/orig-home" // default home directory masking | ||
73 | #define RUN_WHITELIST_RUN_DIR "/run/firejail/mnt/orig-run" // default run directory masking | ||
74 | #define RUN_WHITELIST_HOME_USER_DIR "/run/firejail/mnt/orig-home-user" // home directory whitelisting | ||
75 | #define RUN_WHITELIST_RUN_USER_DIR "/run/firejail/mnt/orig-run-user" // run directory whitelisting | ||
76 | #define RUN_WHITELIST_TMP_DIR "/run/firejail/mnt/orig-tmp" | ||
77 | #define RUN_WHITELIST_MEDIA_DIR "/run/firejail/mnt/orig-media" | ||
78 | #define RUN_WHITELIST_MNT_DIR "/run/firejail/mnt/orig-mnt" | ||
79 | #define RUN_WHITELIST_VAR_DIR "/run/firejail/mnt/orig-var" | ||
80 | #define RUN_WHITELIST_DEV_DIR "/run/firejail/mnt/orig-dev" | ||
81 | #define RUN_WHITELIST_OPT_DIR "/run/firejail/mnt/orig-opt" | ||
82 | #define RUN_WHITELIST_SRV_DIR "/run/firejail/mnt/orig-srv" | ||
83 | #define RUN_WHITELIST_ETC_DIR "/run/firejail/mnt/orig-etc" | ||
84 | #define RUN_WHITELIST_SHARE_DIR "/run/firejail/mnt/orig-share" | ||
85 | #define RUN_WHITELIST_MODULE_DIR "/run/firejail/mnt/orig-module" | ||
86 | |||
87 | #define RUN_XAUTHORITY_FILE "/run/firejail/mnt/.Xauthority" | ||
88 | #define RUN_XAUTHORITY_SEC_FILE "/run/firejail/mnt/sec.Xauthority" | ||
89 | #define RUN_ASOUNDRC_FILE "/run/firejail/mnt/.asoundrc" | ||
90 | #define RUN_HOSTNAME_FILE "/run/firejail/mnt/hostname" | ||
91 | #define RUN_HOSTS_FILE "/run/firejail/mnt/hosts" | ||
92 | #define RUN_MACHINEID "/run/firejail/mnt/machine-id" | ||
93 | #define RUN_LDPRELOAD_FILE "/run/firejail/mnt/ld.so.preload" | ||
94 | #define RUN_UTMP_FILE "/run/firejail/mnt/utmp" | ||
95 | #define RUN_PASSWD_FILE "/run/firejail/mnt/passwd" | ||
96 | #define RUN_GROUP_FILE "/run/firejail/mnt/group" | ||
97 | #define RUN_FSLOGGER_FILE "/run/firejail/mnt/fslogger" | ||
98 | #define RUN_UMASK_FILE "/run/firejail/mnt/umask" | ||
99 | #define RUN_OVERLAY_ROOT "/run/firejail/mnt/oroot" | ||
100 | #define RUN_READY_FOR_JOIN "/run/firejail/mnt/ready-for-join" | ||
101 | |||
102 | #endif | ||
diff --git a/src/libpostexecseccomp/Makefile.in b/src/libpostexecseccomp/Makefile.in index 92803342c..8d6dde4e0 100644 --- a/src/libpostexecseccomp/Makefile.in +++ b/src/libpostexecseccomp/Makefile.in | |||
@@ -13,13 +13,12 @@ LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now | |||
13 | 13 | ||
14 | all: libpostexecseccomp.so | 14 | all: libpostexecseccomp.so |
15 | 15 | ||
16 | %.o : %.c $(H_FILE_LIST) | 16 | %.o : %.c $(H_FILE_LIST) ../include/seccomp.h ../include/rundefs.h |
17 | $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ | 17 | $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ |
18 | 18 | ||
19 | libpostexecseccomp.so: $(OBJS) | 19 | libpostexecseccomp.so: $(OBJS) |
20 | $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl | 20 | $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl |
21 | 21 | ||
22 | |||
23 | clean:; rm -f $(OBJS) libpostexecseccomp.so | 22 | clean:; rm -f $(OBJS) libpostexecseccomp.so |
24 | 23 | ||
25 | distclean: clean | 24 | distclean: clean |
diff --git a/src/libpostexecseccomp/libpostexecseccomp.c b/src/libpostexecseccomp/libpostexecseccomp.c index e51445de4..3983510ec 100644 --- a/src/libpostexecseccomp/libpostexecseccomp.c +++ b/src/libpostexecseccomp/libpostexecseccomp.c | |||
@@ -17,19 +17,22 @@ | |||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | 17 | * with this program; if not, write to the Free Software Foundation, Inc., |
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | 18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
19 | */ | 19 | */ |
20 | #include "libpostexecseccomp.h" | ||
21 | #include "../include/seccomp.h" | 20 | #include "../include/seccomp.h" |
21 | #include "../include/rundefs.h" | ||
22 | #include <fcntl.h> | 22 | #include <fcntl.h> |
23 | #include <linux/filter.h> | 23 | #include <linux/filter.h> |
24 | #include <sys/mman.h> | 24 | #include <sys/mman.h> |
25 | #include <sys/prctl.h> | 25 | #include <sys/prctl.h> |
26 | #include <unistd.h> | 26 | #include <unistd.h> |
27 | #include <stdio.h> | ||
27 | 28 | ||
28 | __attribute__((constructor)) | 29 | __attribute__((constructor)) |
29 | static void load_seccomp(void) { | 30 | static void load_seccomp(void) { |
30 | int fd = open(RUN_SECCOMP_POSTEXEC, O_RDONLY); | 31 | int fd = open(RUN_SECCOMP_POSTEXEC, O_RDONLY); |
31 | if (fd == -1) | 32 | if (fd == -1) { |
33 | fprintf(stderr, "Error: cannot open seccomp postexec filter file %s\n", RUN_SECCOMP_POSTEXEC); | ||
32 | return; | 34 | return; |
35 | } | ||
33 | 36 | ||
34 | off_t size = lseek(fd, 0, SEEK_END); | 37 | off_t size = lseek(fd, 0, SEEK_END); |
35 | if (size <= 0) { | 38 | if (size <= 0) { |
@@ -40,11 +43,12 @@ static void load_seccomp(void) { | |||
40 | struct sock_filter *filter = MAP_FAILED; | 43 | struct sock_filter *filter = MAP_FAILED; |
41 | if (size != 0) | 44 | if (size != 0) |
42 | filter = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0); | 45 | filter = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0); |
43 | |||
44 | close(fd); | 46 | close(fd); |
45 | 47 | ||
46 | if (filter == MAP_FAILED) | 48 | if (filter == MAP_FAILED) { |
49 | fprintf(stderr, "Error: cannot map seccomp postexec filter data\n"); | ||
47 | return; | 50 | return; |
51 | } | ||
48 | 52 | ||
49 | // install filter | 53 | // install filter |
50 | struct sock_fprog prog = { | 54 | struct sock_fprog prog = { |
diff --git a/src/libpostexecseccomp/libpostexecseccomp.h b/src/libpostexecseccomp/libpostexecseccomp.h deleted file mode 100644 index 908364d43..000000000 --- a/src/libpostexecseccomp/libpostexecseccomp.h +++ /dev/null | |||
@@ -1,25 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2019 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #ifndef LIBPOSTEXECSECCOMP_H | ||
21 | #define LIBPOSTEXECSECCOMP_H | ||
22 | |||
23 | #define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" | ||
24 | |||
25 | #endif | ||
diff --git a/src/libtracelog/Makefile.in b/src/libtracelog/Makefile.in index 3927c762a..5c27f3cb3 100644 --- a/src/libtracelog/Makefile.in +++ b/src/libtracelog/Makefile.in | |||
@@ -13,7 +13,7 @@ LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now | |||
13 | 13 | ||
14 | all: libtracelog.so | 14 | all: libtracelog.so |
15 | 15 | ||
16 | %.o : %.c $(H_FILE_LIST) | 16 | %.o : %.c $(H_FILE_LIST) ../include/rundefs.h |
17 | $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ | 17 | $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ |
18 | 18 | ||
19 | libtracelog.so: $(OBJS) | 19 | libtracelog.so: $(OBJS) |
diff --git a/src/libtracelog/libtracelog.c b/src/libtracelog/libtracelog.c index 420c9370c..3641a81af 100644 --- a/src/libtracelog/libtracelog.c +++ b/src/libtracelog/libtracelog.c | |||
@@ -32,6 +32,7 @@ | |||
32 | #include <syslog.h> | 32 | #include <syslog.h> |
33 | #include <dirent.h> | 33 | #include <dirent.h> |
34 | #include <limits.h> | 34 | #include <limits.h> |
35 | #include "../include/rundefs.h" | ||
35 | 36 | ||
36 | //#define DEBUG | 37 | //#define DEBUG |
37 | 38 | ||
@@ -163,7 +164,6 @@ static char *storage_find(const char *str) { | |||
163 | // | 164 | // |
164 | // load blacklist form /run/firejail/mnt/fslogger | 165 | // load blacklist form /run/firejail/mnt/fslogger |
165 | // | 166 | // |
166 | #define RUN_FSLOGGER_FILE "/run/firejail/mnt/fslogger" | ||
167 | #define MAXBUF 4096 | 167 | #define MAXBUF 4096 |
168 | static int blacklist_loaded = 0; | 168 | static int blacklist_loaded = 0; |
169 | static char *sandbox_pid_str = NULL; | 169 | static char *sandbox_pid_str = NULL; |
diff --git a/test/filters/seccomp-debug.exp b/test/filters/seccomp-debug.exp index 39f836ed0..dc4bf34f2 100755 --- a/test/filters/seccomp-debug.exp +++ b/test/filters/seccomp-debug.exp | |||
@@ -13,7 +13,7 @@ after 100 | |||
13 | send -- "firejail --debug sleep 1; echo done\r" | 13 | send -- "firejail --debug sleep 1; echo done\r" |
14 | expect { | 14 | expect { |
15 | timeout {puts "TESTING ERROR 0\n";exit} | 15 | timeout {puts "TESTING ERROR 0\n";exit} |
16 | "seccomp entries in /run/firejail/mnt/seccomp" | 16 | "seccomp entries in /run/firejail/mnt/seccomp/seccomp" |
17 | } | 17 | } |
18 | expect { | 18 | expect { |
19 | timeout {puts "TESTING ERROR 2\n";exit} | 19 | timeout {puts "TESTING ERROR 2\n";exit} |
@@ -38,15 +38,15 @@ expect { | |||
38 | } | 38 | } |
39 | expect { | 39 | expect { |
40 | timeout {puts "TESTING ERROR 6\n";exit} | 40 | timeout {puts "TESTING ERROR 6\n";exit} |
41 | "Installing /run/firejail/mnt/seccomp seccomp filter" | 41 | "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter" |
42 | } | 42 | } |
43 | expect { | 43 | expect { |
44 | timeout {puts "TESTING ERROR 7\n";exit} | 44 | timeout {puts "TESTING ERROR 7\n";exit} |
45 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" | 45 | "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" |
46 | } | 46 | } |
47 | expect { | 47 | expect { |
48 | timeout {puts "TESTING ERROR 8\n";exit} | 48 | timeout {puts "TESTING ERROR 8\n";exit} |
49 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" | 49 | "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" |
50 | } | 50 | } |
51 | expect { | 51 | expect { |
52 | timeout {puts "TESTING ERROR 9\n";exit} | 52 | timeout {puts "TESTING ERROR 9\n";exit} |
@@ -58,15 +58,15 @@ after 100 | |||
58 | send -- "firejail --debug --ignore=seccomp sleep 1; echo done\r" | 58 | send -- "firejail --debug --ignore=seccomp sleep 1; echo done\r" |
59 | expect { | 59 | expect { |
60 | timeout {puts "TESTING ERROR 10\n";exit} | 60 | timeout {puts "TESTING ERROR 10\n";exit} |
61 | "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit} | 61 | "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit} |
62 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 12\n";exit} | 62 | "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 12\n";exit} |
63 | "Child process initialized" | 63 | "Child process initialized" |
64 | } | 64 | } |
65 | expect { | 65 | expect { |
66 | timeout {puts "TESTING ERROR 13\n";exit} | 66 | timeout {puts "TESTING ERROR 13\n";exit} |
67 | "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 14\n";exit} | 67 | "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter" {puts "TESTING ERROR 14\n";exit} |
68 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 15\n";exit} | 68 | "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 15\n";exit} |
69 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" | 69 | "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" |
70 | } | 70 | } |
71 | expect { | 71 | expect { |
72 | timeout {puts "TESTING ERROR 16\n";exit} | 72 | timeout {puts "TESTING ERROR 16\n";exit} |
@@ -78,18 +78,18 @@ after 100 | |||
78 | send -- "firejail --debug --ignore=protocol sleep 1; echo done\r" | 78 | send -- "firejail --debug --ignore=protocol sleep 1; echo done\r" |
79 | expect { | 79 | expect { |
80 | timeout {puts "TESTING ERROR 17\n";exit} | 80 | timeout {puts "TESTING ERROR 17\n";exit} |
81 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 18\n";exit} | 81 | "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" {puts "TESTING ERROR 18\n";exit} |
82 | "Child process initialized" | 82 | "Child process initialized" |
83 | } | 83 | } |
84 | expect { | 84 | expect { |
85 | timeout {puts "TESTING ERROR 19\n";exit} | 85 | timeout {puts "TESTING ERROR 19\n";exit} |
86 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 20\n";exit} | 86 | "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" {puts "TESTING ERROR 20\n";exit} |
87 | "Installing /run/firejail/mnt/seccomp seccomp filter" | 87 | "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter" |
88 | } | 88 | } |
89 | expect { | 89 | expect { |
90 | timeout {puts "TESTING ERROR 21\n";exit} | 90 | timeout {puts "TESTING ERROR 21\n";exit} |
91 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 22\n";exit} | 91 | "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" {puts "TESTING ERROR 22\n";exit} |
92 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" | 92 | "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" |
93 | } | 93 | } |
94 | expect { | 94 | expect { |
95 | timeout {puts "TESTING ERROR 23\n";exit} | 95 | timeout {puts "TESTING ERROR 23\n";exit} |
@@ -105,7 +105,7 @@ expect { | |||
105 | } | 105 | } |
106 | expect { | 106 | expect { |
107 | timeout {puts "TESTING ERROR 25\n";exit} | 107 | timeout {puts "TESTING ERROR 25\n";exit} |
108 | "Installing /run/firejail/mnt/seccomp.mdwx seccomp filter" | 108 | "Installing /run/firejail/mnt/seccomp/seccomp.mdwx seccomp filter" |
109 | } | 109 | } |
110 | expect { | 110 | expect { |
111 | timeout {puts "TESTING ERROR 26\n";exit} | 111 | timeout {puts "TESTING ERROR 26\n";exit} |
@@ -117,18 +117,18 @@ expect { | |||
117 | send -- "firejail --debug --seccomp.block-secondary sleep 1; echo done\r" | 117 | send -- "firejail --debug --seccomp.block-secondary sleep 1; echo done\r" |
118 | expect { | 118 | expect { |
119 | timeout {puts "TESTING ERROR 27\n";exit} | 119 | timeout {puts "TESTING ERROR 27\n";exit} |
120 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 28\n";exit} | 120 | "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 28\n";exit} |
121 | "Child process initialized" | 121 | "Child process initialized" |
122 | } | 122 | } |
123 | expect { | 123 | expect { |
124 | timeout {puts "TESTING ERROR 29\n";exit} | 124 | timeout {puts "TESTING ERROR 29\n";exit} |
125 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 30\n";exit} | 125 | "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 30\n";exit} |
126 | "Installing /run/firejail/mnt/seccomp seccomp filter" | 126 | "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter" |
127 | } | 127 | } |
128 | expect { | 128 | expect { |
129 | timeout {puts "TESTING ERROR 31\n";exit} | 129 | timeout {puts "TESTING ERROR 31\n";exit} |
130 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 32\n";exit} | 130 | "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 32\n";exit} |
131 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" | 131 | "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" |
132 | } | 132 | } |
133 | expect { | 133 | expect { |
134 | timeout {puts "TESTING ERROR 33\n";exit} | 134 | timeout {puts "TESTING ERROR 33\n";exit} |
@@ -140,13 +140,13 @@ after 100 | |||
140 | send -- "firejail --debug --profile=block-secondary.profile sleep 1; echo done\r" | 140 | send -- "firejail --debug --profile=block-secondary.profile sleep 1; echo done\r" |
141 | expect { | 141 | expect { |
142 | timeout {puts "TESTING ERROR 33\n";exit} | 142 | timeout {puts "TESTING ERROR 33\n";exit} |
143 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 34\n";exit} | 143 | "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 34\n";exit} |
144 | "Child process initialized" | 144 | "Child process initialized" |
145 | } | 145 | } |
146 | expect { | 146 | expect { |
147 | timeout {puts "TESTING ERROR 35\n";exit} | 147 | timeout {puts "TESTING ERROR 35\n";exit} |
148 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 35\n";exit} | 148 | "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 35\n";exit} |
149 | "Installing /run/firejail/mnt/seccomp seccomp filter" | 149 | "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter" |
150 | } | 150 | } |
151 | expect { | 151 | expect { |
152 | timeout {puts "TESTING ERROR 37\n";exit} | 152 | timeout {puts "TESTING ERROR 37\n";exit} |
diff --git a/test/filters/seccomp-join.exp b/test/filters/seccomp-join.exp index f9201f926..f1d57238b 100755 --- a/test/filters/seccomp-join.exp +++ b/test/filters/seccomp-join.exp | |||
@@ -20,15 +20,15 @@ set spawn_id $id1 | |||
20 | send -- "firejail --name=jointesting --debug\r" | 20 | send -- "firejail --name=jointesting --debug\r" |
21 | expect { | 21 | expect { |
22 | timeout {puts "TESTING ERROR 0\n";exit} | 22 | timeout {puts "TESTING ERROR 0\n";exit} |
23 | "Installing /run/firejail/mnt/seccomp seccomp filter" | 23 | "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter" |
24 | } | 24 | } |
25 | expect { | 25 | expect { |
26 | timeout {puts "TESTING ERROR 1\n";exit} | 26 | timeout {puts "TESTING ERROR 1\n";exit} |
27 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" | 27 | "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" |
28 | } | 28 | } |
29 | expect { | 29 | expect { |
30 | timeout {puts "TESTING ERROR 2\n";exit} | 30 | timeout {puts "TESTING ERROR 2\n";exit} |
31 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" | 31 | "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" |
32 | } | 32 | } |
33 | sleep 1 | 33 | sleep 1 |
34 | 34 | ||
@@ -37,15 +37,15 @@ set spawn_id $id2 | |||
37 | send -- "firejail --debug --join=jointesting\r" | 37 | send -- "firejail --debug --join=jointesting\r" |
38 | expect { | 38 | expect { |
39 | timeout {puts "TESTING ERROR 3\n";exit} | 39 | timeout {puts "TESTING ERROR 3\n";exit} |
40 | "Installing /run/firejail/mnt/seccomp seccomp filter" | 40 | "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter" |
41 | } | 41 | } |
42 | expect { | 42 | expect { |
43 | timeout {puts "TESTING ERROR 4\n";exit} | 43 | timeout {puts "TESTING ERROR 4\n";exit} |
44 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" | 44 | "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" |
45 | } | 45 | } |
46 | expect { | 46 | expect { |
47 | timeout {puts "TESTING ERROR 5\n";exit} | 47 | timeout {puts "TESTING ERROR 5\n";exit} |
48 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" | 48 | "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" |
49 | } | 49 | } |
50 | sleep 1 | 50 | sleep 1 |
51 | 51 | ||
@@ -64,16 +64,16 @@ set spawn_id $id1 | |||
64 | send -- "firejail --name=jointesting --seccomp.block-secondary --debug\r" | 64 | send -- "firejail --name=jointesting --seccomp.block-secondary --debug\r" |
65 | expect { | 65 | expect { |
66 | timeout {puts "TESTING ERROR 10\n";exit} | 66 | timeout {puts "TESTING ERROR 10\n";exit} |
67 | "Installing /run/firejail/mnt/seccomp seccomp filter" | 67 | "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter" |
68 | } | 68 | } |
69 | expect { | 69 | expect { |
70 | timeout {puts "TESTING ERROR 11\n";exit} | 70 | timeout {puts "TESTING ERROR 11\n";exit} |
71 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 12\n";exit} | 71 | "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 12\n";exit} |
72 | "Installing /run/firejail/mnt/seccomp.block_secondary seccomp filter" | 72 | "Installing /run/firejail/mnt/seccomp/seccomp.block_secondary seccomp filter" |
73 | } | 73 | } |
74 | expect { | 74 | expect { |
75 | timeout {puts "TESTING ERROR 13\n";exit} | 75 | timeout {puts "TESTING ERROR 13\n";exit} |
76 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" | 76 | "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" |
77 | } | 77 | } |
78 | sleep 1 | 78 | sleep 1 |
79 | 79 | ||
@@ -81,15 +81,15 @@ set spawn_id $id2 | |||
81 | send -- "firejail --debug --join=jointesting\r" | 81 | send -- "firejail --debug --join=jointesting\r" |
82 | expect { | 82 | expect { |
83 | timeout {puts "TESTING ERROR 14\n";exit} | 83 | timeout {puts "TESTING ERROR 14\n";exit} |
84 | "Installing /run/firejail/mnt/seccomp seccomp filter" | 84 | "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter" |
85 | } | 85 | } |
86 | expect { | 86 | expect { |
87 | timeout {puts "TESTING ERROR 15\n";exit} | 87 | timeout {puts "TESTING ERROR 15\n";exit} |
88 | "Installing /run/firejail/mnt/seccomp.block_secondary seccomp filter" | 88 | "Installing /run/firejail/mnt/seccomp/seccomp.block_secondary seccomp filter" |
89 | } | 89 | } |
90 | expect { | 90 | expect { |
91 | timeout {puts "TESTING ERROR 16\n";exit} | 91 | timeout {puts "TESTING ERROR 16\n";exit} |
92 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" | 92 | "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" |
93 | } | 93 | } |
94 | sleep 1 | 94 | sleep 1 |
95 | 95 | ||
@@ -106,7 +106,7 @@ set spawn_id $id1 | |||
106 | send -- "firejail --name=jointesting --noprofile --protocol=inet --debug\r" | 106 | send -- "firejail --name=jointesting --noprofile --protocol=inet --debug\r" |
107 | expect { | 107 | expect { |
108 | timeout {puts "TESTING ERROR 22\n";exit} | 108 | timeout {puts "TESTING ERROR 22\n";exit} |
109 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" | 109 | "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" |
110 | } | 110 | } |
111 | sleep 1 | 111 | sleep 1 |
112 | 112 | ||
@@ -115,9 +115,9 @@ set spawn_id $id2 | |||
115 | send -- "firejail --debug --join=jointesting\r" | 115 | send -- "firejail --debug --join=jointesting\r" |
116 | expect { | 116 | expect { |
117 | timeout {puts "TESTING ERROR 23\n";exit} | 117 | timeout {puts "TESTING ERROR 23\n";exit} |
118 | "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 24\n";exit} | 118 | "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter" {puts "TESTING ERROR 24\n";exit} |
119 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 25\n";exit} | 119 | "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 25\n";exit} |
120 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" | 120 | "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" |
121 | } | 121 | } |
122 | sleep 1 | 122 | sleep 1 |
123 | 123 | ||
@@ -134,7 +134,7 @@ set spawn_id $id1 | |||
134 | send -- "firejail --name=jointesting --noprofile --memory-deny-write-execute --debug\r" | 134 | send -- "firejail --name=jointesting --noprofile --memory-deny-write-execute --debug\r" |
135 | expect { | 135 | expect { |
136 | timeout {puts "TESTING ERROR 32\n";exit} | 136 | timeout {puts "TESTING ERROR 32\n";exit} |
137 | "Installing /run/firejail/mnt/seccomp.mdwx seccomp filter" | 137 | "Installing /run/firejail/mnt/seccomp/seccomp.mdwx seccomp filter" |
138 | } | 138 | } |
139 | sleep 1 | 139 | sleep 1 |
140 | 140 | ||
@@ -143,10 +143,10 @@ set spawn_id $id2 | |||
143 | send -- "firejail --debug --join=jointesting\r" | 143 | send -- "firejail --debug --join=jointesting\r" |
144 | expect { | 144 | expect { |
145 | timeout {puts "TESTING ERROR 33\n";exit} | 145 | timeout {puts "TESTING ERROR 33\n";exit} |
146 | "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 34\n";exit} | 146 | "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter" {puts "TESTING ERROR 34\n";exit} |
147 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 35\n";exit} | 147 | "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 35\n";exit} |
148 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 36\n";exit} | 148 | "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" {puts "TESTING ERROR 36\n";exit} |
149 | "Installing /run/firejail/mnt/seccomp.mdwx seccomp filter" | 149 | "Installing /run/firejail/mnt/seccomp/seccomp.mdwx seccomp filter" |
150 | } | 150 | } |
151 | sleep 1 | 151 | sleep 1 |
152 | 152 | ||
diff --git a/test/filters/seccomp-run-files.exp b/test/filters/seccomp-run-files.exp index afdd07bb0..3f4e506af 100755 --- a/test/filters/seccomp-run-files.exp +++ b/test/filters/seccomp-run-files.exp | |||
@@ -10,18 +10,18 @@ match_max 100000 | |||
10 | send -- "firejail --debug\r" | 10 | send -- "firejail --debug\r" |
11 | expect { | 11 | expect { |
12 | timeout {puts "TESTING ERROR 0\n";exit} | 12 | timeout {puts "TESTING ERROR 0\n";exit} |
13 | "/run/firejail/mnt/seccomp seccomp filter" | 13 | "/run/firejail/mnt/seccomp/seccomp seccomp filter" |
14 | } | 14 | } |
15 | expect { | 15 | expect { |
16 | timeout {puts "TESTING ERROR 1\n";exit} | 16 | timeout {puts "TESTING ERROR 1\n";exit} |
17 | "/run/firejail/mnt/seccomp.32 seccomp filter" | 17 | "/run/firejail/mnt/seccomp/seccomp.32 seccomp filter" |
18 | } | 18 | } |
19 | expect { | 19 | expect { |
20 | timeout {puts "TESTING ERROR 2\n";exit} | 20 | timeout {puts "TESTING ERROR 2\n";exit} |
21 | "/run/firejail/mnt/seccomp.protocol seccomp filter" | 21 | "/run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" |
22 | } | 22 | } |
23 | after 100 | 23 | after 100 |
24 | send -- "ls -l /run/firejail/mnt | grep -c seccomp\r" | 24 | send -- "ls -l /run/firejail/mnt/seccomp | grep -c seccomp\r" |
25 | expect { | 25 | expect { |
26 | timeout {puts "TESTING ERROR 3\n";exit} | 26 | timeout {puts "TESTING ERROR 3\n";exit} |
27 | "5" | 27 | "5" |
@@ -32,13 +32,13 @@ sleep 1 | |||
32 | send -- "firejail --ignore=seccomp --debug\r" | 32 | send -- "firejail --ignore=seccomp --debug\r" |
33 | expect { | 33 | expect { |
34 | timeout {puts "TESTING ERROR 4\n";exit} | 34 | timeout {puts "TESTING ERROR 4\n";exit} |
35 | "/run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 5\n";exit} | 35 | "/run/firejail/mnt/seccomp/seccomp seccomp filter" {puts "TESTING ERROR 5\n";exit} |
36 | "/run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 6\n";exit} | 36 | "/run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 6\n";exit} |
37 | "/run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 7\n";exit} | 37 | "/run/firejail/mnt/seccomp/seccomp.64 seccomp filter" {puts "TESTING ERROR 7\n";exit} |
38 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" | 38 | "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" |
39 | } | 39 | } |
40 | after 100 | 40 | after 100 |
41 | send -- "ls -l /run/firejail/mnt | grep -c seccomp\r" | 41 | send -- "ls -l /run/firejail/mnt/seccomp | grep -c seccomp\r" |
42 | expect { | 42 | expect { |
43 | timeout {puts "TESTING ERROR 8\n";exit} | 43 | timeout {puts "TESTING ERROR 8\n";exit} |
44 | "3" | 44 | "3" |
@@ -49,15 +49,15 @@ sleep 1 | |||
49 | send -- "firejail --ignore=protocol --debug\r" | 49 | send -- "firejail --ignore=protocol --debug\r" |
50 | expect { | 50 | expect { |
51 | timeout {puts "TESTING ERROR 9\n";exit} | 51 | timeout {puts "TESTING ERROR 9\n";exit} |
52 | "/run/firejail/mnt/seccomp seccomp filter" | 52 | "/run/firejail/mnt/seccomp/seccomp seccomp filter" |
53 | } | 53 | } |
54 | expect { | 54 | expect { |
55 | timeout {puts "TESTING ERROR 10\n";exit} | 55 | timeout {puts "TESTING ERROR 10\n";exit} |
56 | "/run/firejail/mnt/seccomp.32 seccomp filter" | 56 | "/run/firejail/mnt/seccomp/seccomp.32 seccomp filter" |
57 | } | 57 | } |
58 | expect { | 58 | expect { |
59 | timeout {puts "TESTING ERROR 11\n";exit} | 59 | timeout {puts "TESTING ERROR 11\n";exit} |
60 | "/run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 12\n";exit} | 60 | "/run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" {puts "TESTING ERROR 12\n";exit} |
61 | "monitoring" | 61 | "monitoring" |
62 | } | 62 | } |
63 | after 100 | 63 | after 100 |
@@ -72,22 +72,22 @@ sleep 1 | |||
72 | send -- "firejail --memory-deny-write-execute --debug\r" | 72 | send -- "firejail --memory-deny-write-execute --debug\r" |
73 | expect { | 73 | expect { |
74 | timeout {puts "TESTING ERROR 14\n";exit} | 74 | timeout {puts "TESTING ERROR 14\n";exit} |
75 | "/run/firejail/mnt/seccomp.mdwx seccomp filter" | 75 | "/run/firejail/mnt/seccomp/seccomp.mdwx seccomp filter" |
76 | } | 76 | } |
77 | expect { | 77 | expect { |
78 | timeout {puts "TESTING ERROR 15\n";exit} | 78 | timeout {puts "TESTING ERROR 15\n";exit} |
79 | "/run/firejail/mnt/seccomp seccomp filter" | 79 | "/run/firejail/mnt/seccomp/seccomp seccomp filter" |
80 | } | 80 | } |
81 | expect { | 81 | expect { |
82 | timeout {puts "TESTING ERROR 16\n";exit} | 82 | timeout {puts "TESTING ERROR 16\n";exit} |
83 | "/run/firejail/mnt/seccomp.32 seccomp filter" | 83 | "/run/firejail/mnt/seccomp/seccomp.32 seccomp filter" |
84 | } | 84 | } |
85 | expect { | 85 | expect { |
86 | timeout {puts "TESTING ERROR 17\n";exit} | 86 | timeout {puts "TESTING ERROR 17\n";exit} |
87 | "/run/firejail/mnt/seccomp.protocol seccomp filter" | 87 | "/run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" |
88 | } | 88 | } |
89 | after 100 | 89 | after 100 |
90 | send -- "ls -l /run/firejail/mnt | grep -c seccomp\r" | 90 | send -- "ls -l /run/firejail/mnt/seccomp | grep -c seccomp\r" |
91 | expect { | 91 | expect { |
92 | timeout {puts "TESTING ERROR 18\n";exit} | 92 | timeout {puts "TESTING ERROR 18\n";exit} |
93 | "6" | 93 | "6" |