-rw-r--r-- | etc/waterfox.profile | 9 | ||||
-rw-r--r-- | etc/whitelist-common.inc | 4 | ||||
-rw-r--r-- | platform/debian/conffiles | 1 | ||||
-rwxr-xr-x | platform/rpm/old-mkrpm.sh | 9 | ||||
-rw-r--r-- | src/fseccomp/syscall.c | 6 | ||||
-rw-r--r-- | src/include/euid_common.h | 2 | ||||
-rw-r--r-- | src/include/seccomp.h | 26 | ||||
-rw-r--r-- | src/man/firejail.txt | 2 |
8 files changed, 54 insertions, 5 deletions
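--- a/etc/waterfox.profile
+++ b/etc/waterfox.profile
@@ -11,7 +11,11 @@ noblacklist ~/.config/okularpartrc
 noblacklist ~/.config/okularrc
 noblacklist ~/.config/qpdfview
 noblacklist ~/.kde/share/apps/okular
+noblacklist ~/.kde/share/config/okularpartrc
+noblacklist ~/.kde/share/config/okularrc
 noblacklist ~/.kde4/share/apps/okular
+noblacklist ~/.kde4/share/config/okularpartrc
+noblacklist ~/.kde4/share/config/okularrc
 noblacklist ~/.local/share/gnome-shell/extensions
 noblacklist ~/.local/share/okular
 noblacklist ~/.local/share/qpdfview
@@ -39,7 +43,11 @@ whitelist ~/.config/pipelight-silverlight5.1
 whitelist ~/.config/pipelight-widevine
 whitelist ~/.config/qpdfview
 whitelist ~/.kde/share/apps/okular
+whitelist ~/.kde/share/config/okularpartrc
+whitelist ~/.kde/share/config/okularrc
 whitelist ~/.kde4/share/apps/okular
+whitelist ~/.kde4/share/config/okularpartrc
+whitelist ~/.kde4/share/config/okularrc
 whitelist ~/.keysnail.js
 whitelist ~/.lastpass
 whitelist ~/.local/share/gnome-shell/extensions
@@ -72,7 +80,6 @@ tracelog
 
 # private-bin waterfox,which,sh,dbus-launch,dbus-send,env
 private-dev
-# private-dev might prevent video calls going out
 # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,waterfox,mime.types,mailcap,asound.conf,pulse
 private-tmp
 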
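--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -11,6 +11,8 @@ whitelist ~/.config/user-dirs.dirs
 read-only ~/.config/user-dirs.dirs
 whitelist ~/.asoundrc
 whitelist ~/.config/Trolltech.conf
+whitelist ~/.local/share/mime
+whitelist ~/.drirc
 
 # fonts
 whitelist ~/.fonts
@@ -25,9 +27,11 @@ whitelist ~/.cache/fontconfig
 # gtk
 whitelist ~/.gtkrc
 whitelist ~/.gtkrc-2.0
+whitelist ~/.gtk-2.0
 whitelist ~/.config/gtk-2.0
 whitelist ~/.config/gtk-3.0
 whitelist ~/.themes
+whitelist ~/.local/share/themes
 whitelist ~/.kde/share/config/gtkrc
 whitelist ~/.kde/share/config/gtkrc-2.0
 whitelist ~/.gnome2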
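Review bot: `whitelist ~/.local/share/mime` (new line 14) exposes the user's MIME database to every profile that pulls in this include, and nothing in the hunk makes it read-only. A whitelisted path stays writable from inside the sandbox unless another rule restricts it, so a compromised sandboxed program could alter file-type data that unsandboxed applications consume later. The file already pairs a whitelist with a write restriction for `user-dirs.dirs` at line 11; following the new entry with `read-only ~/.local/share/mime` would keep the path visible without making it writable. The same question applies to `~/.gtk-2.0` and `~/.local/share/themes` in the second hunk, which presumably only need to be read.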
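--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -356,3 +356,4 @@
 /etc/firejail/zathura.profile
 /etc/firejail/zoom.profile
 /etc/firejail/yandex-browser.profile
+/etc/firejail/itch.profile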
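--- a/platform/rpm/old-mkrpm.sh
+++ b/platform/rpm/old-mkrpm.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-VERSION="0.9.50~rc1"
+VERSION="0.9.50"
 rm -fr ~/rpmbuild
 rm -f firejail-$VERSION-1.x86_64.rpm
 
@@ -28,6 +28,7 @@ install -m 644 /usr/lib/firejail/firecfg.config firejail-$VERSION/usr/lib/firej
 #install -m 755 /usr/lib/firejail/fjclip.py firejail-$VERSION/usr/lib/firejail/.
 #install -m 755 /usr/lib/firejail/fjdisplay.py firejail-$VERSION/usr/lib/firejail/.
 #install -m 755 /usr/lib/firejail/fjresize.py firejail-$VERSION/usr/lib/firejail/.
+install -m 755 /usr/lib/firejail/fldd firejail-$VERSION/usr/lib/firejail/.
 install -m 755 /usr/lib/firejail/fnet firejail-$VERSION/usr/lib/firejail/.
 install -m 755 /usr/lib/firejail/fseccomp firejail-$VERSION/usr/lib/firejail/.
 install -m 755 /usr/lib/firejail/fshaper.sh firejail-$VERSION/usr/lib/firejail/.
@@ -466,6 +467,9 @@ rm -rf %{buildroot}
 %{_sysconfdir}/%{name}/unknown-horizons.profile
 %{_sysconfdir}/%{name}/wireshark-gtk.profile
 %{_sysconfdir}/%{name}/wireshark-qt.profile
+%{_sysconfdir}/%{name}/itch.profile
+%{_sysconfdir}/%{name}/minetest.profile
+%{_sysconfdir}/%{name}/yandex-browser.profile
 
 
 
@@ -490,6 +494,7 @@ rm -rf %{buildroot}
 #/usr/lib/firejail/fjdisplay.py
 #/usr/lib/firejail/fjresize.py
 /usr/lib/firejail/fnet
+/usr/lib/firejail/fldd
 /usr/lib/firejail/fseccomp
 /usr/lib/firejail/seccomp
 /usr/lib/firejail/seccomp.64
@@ -514,7 +519,7 @@ rm -rf %{buildroot}
 chmod u+s /usr/bin/firejail
 
 %changelog
-* Mon Aug 28 2017 netblue30 <netblue30@yahoo.com> 0.9.50~rc1-1
+* Fri Sep 8 2017 netblue30 <netblue30@yahoo.com> 0.9.50-1
 
 * Mon Jun 12 2017 netblue30 <netblue30@yahoo.com> 0.9.48-1
 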
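--- a/src/fseccomp/syscall.c
+++ b/src/fseccomp/syscall.c
@@ -274,6 +274,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_vserver
 "vserver"
 #endif
+#if !defined(SYS__sysctl) && !defined(SYS_afs_syscall) && !defined(SYS_bdflush) && !defined(SYS_break) && !defined(SYS_create_module) && !defined(SYS_ftime) && !defined(SYS_get_kernel_syms) && !defined(SYS_getpmsg) && !defined(SYS_gtty) && !defined(SYS_lock) && !defined(SYS_mpx) && !defined(SYS_prof) && !defined(SYS_profil) && !defined(SYS_putpmsg) && !defined(SYS_query_module) && !defined(SYS_security) && !defined(SYS_sgetmask) && !defined(SYS_ssetmask) && !defined(SYS_stty) && !defined(SYS_sysfs) && !defined(SYS_tuxcall) && !defined(SYS_ulimit) && !defined(SYS_uselib) && !defined(SYS_ustat) && !defined(SYS_vserver)
+"__dummy_syscall__" // workaround for arm64 which doesn't have any of above defined and empty syscall lists are not allowed
+#endif
 },
 { .name = "@privileged", .list =
 "@clock,"
@@ -334,6 +337,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_s390_mmio_write
 "s390_mmio_write"
 #endif
+#if !defined(SYS_ioperm) && !defined(SYS_iopl) && !defined(SYS_pciconfig_iobase) && !defined(SYS_pciconfig_read) && !defined(SYS_pciconfig_write) && !defined(SYS_s390_mmio_read) && !defined(SYS_s390_mmio_write)
+"__dummy_syscall__" // workaround for s390x which doesn't have any of above defined and empty syscall lists are not allowed
+#endif
 },
 { .name = "@reboot", .list =
 #ifdef SYS_kexec_load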
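Review bot: `"__dummy_syscall__"` becomes the entire content of a syscall group on arm64 (new line 278) and on s390x (new line 341), and neither hunk shows how the group expander treats a name that maps to no syscall number. Please confirm that the lookup skips it silently rather than stopping with an error or emitting a filter entry for an invalid number; that code is outside these hunks, as is the start of the `sysgroups[]` initializer. Both guards also repeat every `SYS_*` name of their group by hand, so they will drift when a syscall is added to the list above them. A comment on each, such as `/* keep in sync with the #ifdef entries of this group */`, would make that dependency visible.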
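--- a/src/include/euid_common.h
+++ b/src/include/euid_common.h
@@ -35,7 +35,7 @@ extern uid_t firejail_gid;
 
 static inline void EUID_ROOT(void) {
 int rv = seteuid(0);
-rv = setegid(0);
+rv |= setegid(0);
 (void) rv;
 }
 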
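Review bot: `rv |= setegid(0);` now keeps both return values, but the next line still throws the result away with `(void) rv;`, so a failed `seteuid(0)` or `setegid(0)` stays invisible to the caller. Code that runs after EUID_ROOT() presumably assumes the effective IDs are 0; when the switch fails it carries on with the user's credentials and the error surfaces later, away from its cause. If ignoring the result is intended, state that in a comment such as `/* best effort: the switch may fail when not installed setuid */`; otherwise report it, for example `if (rv != 0) fprintf(stderr, "Warning: cannot switch euid/egid to root\n");`. The helper that drops privileges is not in this hunk and deserves the same check, because an unnoticed failure there leaves the process privileged.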
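--- a/src/include/seccomp.h
+++ b/src/include/seccomp.h
@@ -149,9 +149,35 @@ struct seccomp_data {
 # define ARCH_NR AUDIT_ARCH_S390
 # define ARCH_32 AUDIT_ARCH_S390
 # define ARCH_64 AUDIT_ARCH_S390X
+#elif defined(__sh64__) && __BYTE_ORDER == __BIG_ENDIAN
+# define ARCH_NR AUDIT_ARCH_SH64
+# define ARCH_32 AUDIT_ARCH_SH
+# define ARCH_64 AUDIT_ARCH_SH64
+#elif defined(__sh64__) && __BYTE_ORDER == __LITTLE_ENDIAN
+# define ARCH_NR AUDIT_ARCH_SHEL64
+# define ARCH_32 AUDIT_ARCH_SHEL
+# define ARCH_64 AUDIT_ARCH_SHEL64
+#elif defined(__sh__) && __BYTE_ORDER == __BIG_ENDIAN
+# define ARCH_NR AUDIT_ARCH_SH
+# define ARCH_32 AUDIT_ARCH_SH
+# define ARCH_64 AUDIT_ARCH_SH64
+#elif defined(__sh__) && __BYTE_ORDER == __LITTLE_ENDIAN
+# define ARCH_NR AUDIT_ARCH_SHEL
+# define ARCH_32 AUDIT_ARCH_SHEL
+# define ARCH_64 AUDIT_ARCH_SHEL64
+#elif defined(__sparc64__)
+# define ARCH_NR AUDIT_ARCH_SPARC64
+# define ARCH_32 AUDIT_ARCH_SPARC
+# define ARCH_64 AUDIT_ARCH_SPARC64
+#elif defined(__sparc__)
+# define ARCH_NR AUDIT_ARCH_SPARC
+# define ARCH_32 AUDIT_ARCH_SPARC
+# define ARCH_64 AUDIT_ARCH_SPARC64
 #else
 # warning "Platform does not support seccomp filter yet"
 # define ARCH_NR 0
+# define ARCH_32 0
+# define ARCH_64 0
 #endif
 
 #define VALIDATE_ARCHITECTURE \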
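Review bot: The new SuperH branches test `__BYTE_ORDER == __BIG_ENDIAN`, and in a preprocessor expression both names evaluate to 0 when `<endian.h>` has not been included, so the big-endian branch would match on every `__sh__` or `__sh64__` build. The include list is outside this hunk and may already cover this; if it does not, a guard ahead of the chain such as `#if !defined(__BYTE_ORDER) || !defined(__BIG_ENDIAN)` followed by `# error "include <endian.h> before the ARCH_NR selection"` turns a silently wrong AUDIT_ARCH value into a build failure. Separately, the `#else` fallback now sets `ARCH_32` and `ARCH_64` to 0 behind a `#warning` only, so an unsupported platform still builds with an architecture constant of 0. How VALIDATE_ARCHITECTURE uses these values is defined after the hunk and should be checked before relying on the filter there.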
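--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1131,7 +1131,7 @@ Disable whitelist for this directory or file.
 
 .TP
 \fB\-\-output=logfile
-stdout logging and log rotation. Copy stdout and stderr to logfile, and keep the size of the file under 500KB using log
+stdout logging and log rotation. Copy stdout to logfile, and keep the size of the file under 500KB using log
 rotation. Five files with prefixes .1 to .5 are used in rotation.
 .br
 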