-rw-r--r-- | README.md | 15 | ||||
-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | etc/disable-mgmt.inc | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 8 | ||||
-rw-r--r-- | src/firejail/usage.c | 2 | ||||
-rw-r--r-- | src/man/firejail.txt | 24 |
6 files changed, 51 insertions, 0 deletions
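--- a/README.md
+++ b/README.md
@@ -63,3 +63,18 @@ If you are using a plugin or extension that requires other directories, please o
 ### New security profiles:
 New profiles introduced in this version: unbound, dnscrypt-proxy
 
+### --noblacklist
+`````
+--noblacklist=dirname_or_filename
+Disable blacklist for this directory or file.
+
+Example:
+$ firejail
+$ nc dict.org 2628
+bash: /bin/nc: Permission denied
+$ exit
+
+$ firejail --noblacklist=/bin/nc
+$ nc dict.org 2628
+220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64
+`````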
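--- a/RELNOTES
+++ b/RELNOTES
@@ -1,5 +1,6 @@
 firejail (0.9.34) baseline; urgency=low
 * added unbound and dnscrypt-proxy profiles
+* added --noblacklist option
 * bugfixes
 -- netblue30 <netblue30@yahoo.com> ongoing development
 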
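--- a/etc/disable-mgmt.inc
+++ b/etc/disable-mgmt.inc
@@ -12,6 +12,7 @@ blacklist ${PATH}/xinput
 blacklist ${PATH}/evtest
 blacklist ${PATH}/xev
 blacklist ${PATH}/strace
+blacklist ${PATH}/nc
 
 # Prevent manipulation of firejail configuration
 blacklist /etc/firejail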
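--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -636,6 +636,14 @@ int main(int argc, char **argv) {
 profile_check_line(line, 0); // will exit if something wrong
 profile_add(line);
 }
+else if (strncmp(argv[i], "--noblacklist=", 14) == 0) {
+char *line;
+if (asprintf(&line, "noblacklist %s", argv[i] + 14) == -1)
+errExit("asprintf");
+
+profile_check_line(line, 0); // will exit if something wrong
+profile_add(line);
+}
 else if (strncmp(argv[i], "--whitelist=", 12) == 0) {
 char *line;
 if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1)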
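Review bot: The new `--noblacklist=` branch forwards whatever follows the `=` into the profile line unchecked, so a bare `--noblacklist=` produces `noblacklist ` with no path and its rejection depends entirely on profile_check_line, whose behaviour is not visible here; an explicit guard right after the strncmp, `if (argv[i][14] == '\0') { fprintf(stderr, "Error: --noblacklist requires a file or directory\n"); exit(1); }`, would fail early with a message that names the option. The prefix length 14 is repeated in the strncmp and in `argv[i] + 14`, matching the style of the `--whitelist=` branch below it, but `sizeof "--noblacklist=" - 1` would keep the two in sync if the option is ever renamed. Because this option lifts an entry from the blacklist (the README example removes `/bin/nc`, which etc/disable-mgmt.inc adds in this same commit), the usage and man text should say whether the exemption applies regardless of where the matching `blacklist` line sits in the profile order; that cannot be determined from this hunk. The enclosing main() starts and ends outside the hunk.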
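--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -140,6 +140,8 @@ void usage(void) {
 
 printf("\t--netstats - monitor network statistics for sandboxes creating a new\n");
 printf("\t\tnetwork namespace.\n\n");
+printf("\t--noblacklist=dirname_or_filename - disable blacklist for directory\n");
+printf("\t\tor file.\n\n");
 printf("\t--nogroups - disable supplementary groups. Without this option,\n");
 printf("\t\tsupplementary groups are enabled for the user starting the\n");
 printf("\t\tsandbox. For root user supplementary groups are always\n");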
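--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -608,6 +608,30 @@ PID User RX(KB/s) TX(KB/s) Command
 
 
 .TP
+\fB\-\-noblacklist=dirname_or_filename
+Disable blacklist for this directory or file.
+.br
+
+.br
+Example:
+.br
+$ firejail
+.br
+$ nc dict.org 2628
+.br
+bash: /bin/nc: Permission denied
+.br
+$ exit
+.br
+
+.br
+$ firejail --noblacklist=/bin/nc
+.br
+$ nc dict.org 2628
+.br
+220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64
+.br
+.TP
 \fB\-\-nogroups
 Disable supplementary groups. Without this option, supplementary groups are enabled for the user starting the
 sandbox. For root user supplementary groups are always disabled.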