-rw-r--r-- | README.md | 155 | ||||
-rw-r--r-- | RELNOTES | 5 | ||||
-rwxr-xr-x | configure | 18 | ||||
-rw-r--r-- | configure.ac | 2 |
4 files changed, 15 insertions, 165 deletions
@@ -96,157 +96,4 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir | |||
96 | ````` | 96 | ````` |
97 | 97 | ||
98 | ````` | 98 | ````` |
99 | # Current development version: 0.9.51 | 99 | # Current development version: 0.9.53 |
100 | |||
101 | ## Whitelisting, globbing etc. | ||
102 | |||
103 | We deployed a whitelist for /var directory ("include /etc/firejail/whitelist-var-common.inc"). | ||
104 | It is currently done for 115 applications. | ||
105 | |||
106 | We added globbing support for --private-bin and whitelisting support for /etc and /usr/share. | ||
107 | |||
108 | --private-lib was enhanced to autodetect GTK2, GTK3 and Qt4 libraries. In the next release we do a test run with this option enabled | ||
109 | for the following applications: evince, galculator, gnome-calculator, | ||
110 | leafpad, mousepad, transmission-gtk, xcalc, xmr-stak-cpu, | ||
111 | atril, mate-color-select, tar, file, strings, gpicview, | ||
112 | eom, eog, gedit, pluma | ||
113 | |||
114 | Just for fun, this is a private-bin/private-lib Firefox running on Debian 9: | ||
115 | ````` | ||
116 | $ firejail --private-bin=firefox,firefox-esr,sh,which --private-lib=firefox-esr firefox | ||
117 | ````` | ||
118 | |||
119 | |||
120 | ## Profile build tool | ||
121 | ````` | ||
122 | $ firejail --build appname | ||
123 | $ firejail --build=appname.profile appname | ||
124 | ````` | ||
125 | The command builds a whitelisted profile. If /usr/bin/strace is installed on the system, it also | ||
126 | builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox, | ||
127 | with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported | ||
128 | in order to allow strace to run. Chromium and Chromium-based browsers will not work. | ||
129 | |||
130 | Example: | ||
131 | ````` | ||
132 | $ firejail --build /usr/bin/vlc ~/Videos/test.mp4 | ||
133 | |||
134 | [...] | ||
135 | |||
136 | ############################################ | ||
137 | # /usr/bin/vlc profile | ||
138 | ############################################ | ||
139 | # Persistent global definitions | ||
140 | # include /etc/firejail/globals.local | ||
141 | |||
142 | ### basic blacklisting | ||
143 | include /etc/firejail/disable-common.inc | ||
144 | # include /etc/firejail/disable-devel.inc | ||
145 | include /etc/firejail/disable-passwdmgr.inc | ||
146 | # include /etc/firejail/disable-programs.inc | ||
147 | |||
148 | ### home directory whitelisting | ||
149 | whitelist ~/Videos | ||
150 | whitelist ~/.local/share/vlc | ||
151 | whitelist ~/.config/vlc | ||
152 | include /etc/firejail/whitelist-common.inc | ||
153 | |||
154 | ### filesystem | ||
155 | private-tmp | ||
156 | private-dev | ||
157 | private-etc vdpau_wrapper.cfg,udev,drirc,fonts,xdg,gtk-3.0,machine-id,selinux, | ||
158 | whitelist /var/lib/menu-xdg | ||
159 | # private-bin vlc, | ||
160 | |||
161 | ### security filters | ||
162 | caps.drop all | ||
163 | nonewprivs | ||
164 | seccomp | ||
165 | # seccomp.keep futex,poll,rt_sigtimedwait,ioctl,fdatasync,read,writev,sendmsg,sendto,write,recvmsg,mmap,mprotect,getpid,stat,clock_nanosleep,munmap,close,access,lseek,fcntl,open,fstat,lstat,brk,rt_sigaction,rt_sigprocmask,rt_sigreturn,madvise,shmget,shmat,shmctl,alarm,socket,connect,recvfrom,shutdown,getsockname,getpeername,setsockopt,getsockopt,clone,execve,uname,shmdt,flock,ftruncate,getdents,rename,mkdir,unlink,readlink,chmod,getrlimit,sysinfo,getuid,getgid,geteuid,getegid,getresuid,getresgid,statfs,fstatfs,prctl,arch_prctl,sched_getaffinity,set_tid_address,fadvise64,clock_getres,tgkill,set_robust_list,eventfd2,dup3,pipe2,getrandom,memfd_create | ||
166 | # 76 syscalls total | ||
167 | # Probably you will need to add more syscalls to seccomp.keep. Look for | ||
168 | # seccomp errors in /var/log/syslog or /var/log/audit/audit.log while | ||
169 | # running your sandbox. | ||
170 | |||
171 | ### network | ||
172 | protocol unix,netlink, | ||
173 | net none | ||
174 | |||
175 | ### environment | ||
176 | shell none | ||
177 | $ | ||
178 | ````` | ||
179 | |||
180 | ## New command line and profile options | ||
181 | ````` | ||
182 | --writable-run-user | ||
183 | This options disables the default blacklisting of | ||
184 | run/user/$UID/systemd and /run/user/$UID/gnupg. | ||
185 | |||
186 | Example: | ||
187 | $ sudo firejail --writable-run-user | ||
188 | |||
189 | --rlimit-as=number | ||
190 | Set the maximum size of the process's virtual memory (address | ||
191 | space) in bytes. | ||
192 | |||
193 | --rlimit-cpu=number | ||
194 | Set the maximum limit, in seconds, for the amount of CPU time | ||
195 | each sandboxed process can consume. When the limit is reached, | ||
196 | the processes are killed. | ||
197 | |||
198 | The CPU limit is a limit on CPU seconds rather than elapsed | ||
199 | time. CPU seconds is basically how many seconds the CPU has | ||
200 | been in use and does not necessarily directly relate to the | ||
201 | elapsed time. Linux kernel keeps track of CPU seconds for each | ||
202 | process independently. | ||
203 | |||
204 | --timeout=hh:mm:ss | ||
205 | Kill the sandbox automatically after the time has elapsed. The | ||
206 | time is specified in hours/minutes/seconds format. | ||
207 | |||
208 | $ firejail --timeout=01:30:00 firefox | ||
209 | |||
210 | --debug-private-lib | ||
211 | Debug messages for --private-lib option. | ||
212 | |||
213 | --netfilter=filename,arg1,arg2,arg3 ... | ||
214 | This is the template version of the previous command. $ARG1, | ||
215 | $ARG2, $ARG3 ... in the firewall script are replaced with arg1, | ||
216 | arg2, arg3 ... passed on the command line. Up to 16 arguments | ||
217 | are supported. Example: | ||
218 | |||
219 | $ firejail --net=eth0 --ip=192.168.1.105 \ | ||
220 | --netfilter=/etc/firejail/tcpserver.net,5001 server-program | ||
221 | |||
222 | --netfilter.print=name|pid | ||
223 | Print the firewall installed in the sandbox specified by name | ||
224 | or PID. Example: | ||
225 | |||
226 | $ firejail --name=browser --net=eth0 --netfilter firefox & | ||
227 | $ firejail --netfilter.print=browser | ||
228 | |||
229 | --netfilter6.print=name|pid | ||
230 | Print the IPv6 firewall installed in the sandbox specified by | ||
231 | name or PID. Example: | ||
232 | |||
233 | $ firejail --name=browser --net=eth0 --netfilter firefox & | ||
234 | $ firejail --netfilter6.print=browser | ||
235 | |||
236 | ````` | ||
237 | |||
238 | ## New profiles: | ||
239 | |||
240 | terasology, surf, rocketchat, clamscan, clamdscan, clamdtop, freshclam, xmr-stak-cpu, | ||
241 | amule, ardour4, ardour5, brackets, calligra, calligraauthor, calligraconverter, | ||
242 | calligraflow, calligraplan, calligraplanwork, calligrasheets, calligrastage, | ||
243 | calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd, google-earth, | ||
244 | imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion, mpd, natron, Natron, | ||
245 | ricochet, shotcut, teamspeak3, tor, tor-browser-en, Viber, x-terminal-emulator, zart, | ||
246 | conky, arch-audit, ffmpeg, bluefish, cliqz, cinelerra, openshot-qt, pinta, uefitool, | ||
247 | aosp, pdfmod, gnome-ring, signal-desktop, xcalc, zaproxy, kopete, kget, nheko, Enpass, | ||
248 | kwin_x11, krunner, ping, bsdtar, makepkg (Arch), archaudit-report, cower (Arch), | ||
249 | kdeinit4 | ||
250 | |||
251 | Upstreamed many profiles from the following sources: https://github.com/chiraag-nataraj/firejail-profiles, | ||
252 | https://github.com/nyancat18/fe, and https://aur.archlinux.org/packages/firejail-profiles. | ||
@@ -1,4 +1,8 @@ | |||
1 | firejail (0.9.52) baseline; urgency=low | 1 | firejail (0.9.52) baseline; urgency=low |
2 | * work in progress | ||
3 | -- netblue30 <netblue30@yahoo.com> Tue, 12 Dec 2017 08:00:00 -0500 | ||
4 | |||
5 | firejail (0.9.52) baseline; urgency=low | ||
2 | * modif: --allow-private-blacklists was deprecated; blacklisting, | 6 | * modif: --allow-private-blacklists was deprecated; blacklisting, |
3 | read-only, read-write, tmpfs and noexec are allowed in | 7 | read-only, read-write, tmpfs and noexec are allowed in |
4 | private home directories | 8 | private home directories |
@@ -43,7 +47,6 @@ firejail (0.9.52) baseline; urgency=low | |||
43 | xcalc, zaproxy, kopete, cliqz, signal-desktop, kget, nheko, Enpass, | 47 | xcalc, zaproxy, kopete, cliqz, signal-desktop, kget, nheko, Enpass, |
44 | kwin_x11, krunner, ping, bsdtar, makepkg (Arch), archaudit-report | 48 | kwin_x11, krunner, ping, bsdtar, makepkg (Arch), archaudit-report |
45 | cower (Arch), kdeinit4 | 49 | cower (Arch), kdeinit4 |
46 | |||
47 | -- netblue30 <netblue30@yahoo.com> Thu, 7 Dec 2017 08:00:00 -0500 | 50 | -- netblue30 <netblue30@yahoo.com> Thu, 7 Dec 2017 08:00:00 -0500 |
48 | 51 | ||
49 | firejail (0.9.50~rc1) baseline; urgency=low | 52 | firejail (0.9.50~rc1) baseline; urgency=low |
@@ -1,6 +1,6 @@ | |||
1 | #! /bin/sh | 1 | #! /bin/sh |
2 | # Guess values for system-dependent variables and create Makefiles. | 2 | # Guess values for system-dependent variables and create Makefiles. |
3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.52. | 3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.53. |
4 | # | 4 | # |
5 | # Report bugs to <netblue30@yahoo.com>. | 5 | # Report bugs to <netblue30@yahoo.com>. |
6 | # | 6 | # |
@@ -580,8 +580,8 @@ MAKEFLAGS= | |||
580 | # Identity of this package. | 580 | # Identity of this package. |
581 | PACKAGE_NAME='firejail' | 581 | PACKAGE_NAME='firejail' |
582 | PACKAGE_TARNAME='firejail' | 582 | PACKAGE_TARNAME='firejail' |
583 | PACKAGE_VERSION='0.9.52' | 583 | PACKAGE_VERSION='0.9.53' |
584 | PACKAGE_STRING='firejail 0.9.52' | 584 | PACKAGE_STRING='firejail 0.9.53' |
585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' | 585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' |
586 | PACKAGE_URL='http://firejail.wordpress.com' | 586 | PACKAGE_URL='http://firejail.wordpress.com' |
587 | 587 | ||
@@ -1276,7 +1276,7 @@ if test "$ac_init_help" = "long"; then | |||
1276 | # Omit some internal or obsolete options to make the list less imposing. | 1276 | # Omit some internal or obsolete options to make the list less imposing. |
1277 | # This message is too long to be a string in the A/UX 3.1 sh. | 1277 | # This message is too long to be a string in the A/UX 3.1 sh. |
1278 | cat <<_ACEOF | 1278 | cat <<_ACEOF |
1279 | \`configure' configures firejail 0.9.52 to adapt to many kinds of systems. | 1279 | \`configure' configures firejail 0.9.53 to adapt to many kinds of systems. |
1280 | 1280 | ||
1281 | Usage: $0 [OPTION]... [VAR=VALUE]... | 1281 | Usage: $0 [OPTION]... [VAR=VALUE]... |
1282 | 1282 | ||
@@ -1338,7 +1338,7 @@ fi | |||
1338 | 1338 | ||
1339 | if test -n "$ac_init_help"; then | 1339 | if test -n "$ac_init_help"; then |
1340 | case $ac_init_help in | 1340 | case $ac_init_help in |
1341 | short | recursive ) echo "Configuration of firejail 0.9.52:";; | 1341 | short | recursive ) echo "Configuration of firejail 0.9.53:";; |
1342 | esac | 1342 | esac |
1343 | cat <<\_ACEOF | 1343 | cat <<\_ACEOF |
1344 | 1344 | ||
@@ -1446,7 +1446,7 @@ fi | |||
1446 | test -n "$ac_init_help" && exit $ac_status | 1446 | test -n "$ac_init_help" && exit $ac_status |
1447 | if $ac_init_version; then | 1447 | if $ac_init_version; then |
1448 | cat <<\_ACEOF | 1448 | cat <<\_ACEOF |
1449 | firejail configure 0.9.52 | 1449 | firejail configure 0.9.53 |
1450 | generated by GNU Autoconf 2.69 | 1450 | generated by GNU Autoconf 2.69 |
1451 | 1451 | ||
1452 | Copyright (C) 2012 Free Software Foundation, Inc. | 1452 | Copyright (C) 2012 Free Software Foundation, Inc. |
@@ -1748,7 +1748,7 @@ cat >config.log <<_ACEOF | |||
1748 | This file contains any messages produced by compilers while | 1748 | This file contains any messages produced by compilers while |
1749 | running configure, to aid debugging if configure makes a mistake. | 1749 | running configure, to aid debugging if configure makes a mistake. |
1750 | 1750 | ||
1751 | It was created by firejail $as_me 0.9.52, which was | 1751 | It was created by firejail $as_me 0.9.53, which was |
1752 | generated by GNU Autoconf 2.69. Invocation command line was | 1752 | generated by GNU Autoconf 2.69. Invocation command line was |
1753 | 1753 | ||
1754 | $ $0 $@ | 1754 | $ $0 $@ |
@@ -4367,7 +4367,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |||
4367 | # report actual input values of CONFIG_FILES etc. instead of their | 4367 | # report actual input values of CONFIG_FILES etc. instead of their |
4368 | # values after options handling. | 4368 | # values after options handling. |
4369 | ac_log=" | 4369 | ac_log=" |
4370 | This file was extended by firejail $as_me 0.9.52, which was | 4370 | This file was extended by firejail $as_me 0.9.53, which was |
4371 | generated by GNU Autoconf 2.69. Invocation command line was | 4371 | generated by GNU Autoconf 2.69. Invocation command line was |
4372 | 4372 | ||
4373 | CONFIG_FILES = $CONFIG_FILES | 4373 | CONFIG_FILES = $CONFIG_FILES |
@@ -4421,7 +4421,7 @@ _ACEOF | |||
4421 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | 4421 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
4422 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" | 4422 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" |
4423 | ac_cs_version="\\ | 4423 | ac_cs_version="\\ |
4424 | firejail config.status 0.9.52 | 4424 | firejail config.status 0.9.53 |
4425 | configured by $0, generated by GNU Autoconf 2.69, | 4425 | configured by $0, generated by GNU Autoconf 2.69, |
4426 | with options \\"\$ac_cs_config\\" | 4426 | with options \\"\$ac_cs_config\\" |
4427 | 4427 | ||
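--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.52, netblue30@yahoo.com, , http://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.53, netblue30@yahoo.com, , http://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])
 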