95 files changed, 490 insertions, 119 deletions
diff --git a/.gitignore b/.gitignore index 30793847c..554d1985b 100644 --- a/.gitignore +++ b/.gitignore | |||
@@ -28,7 +28,7 @@ src/fldd/fldd | |||
28 | uids.h | 28 | uids.h |
29 | seccomp | 29 | seccomp |
30 | seccomp.debug | 30 | seccomp.debug |
31 | seccomp.i386 | 31 | seccomp.32 |
32 | seccomp.amd64 | 32 | seccomp.64 |
33 | seccomp.block_secondary | 33 | seccomp.block_secondary |
34 | seccomp.mdwx | 34 | seccomp.mdwx |
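diff --git a/.travis.yml b/.travis.yml
index 9a2c68361..5dd77e1f5 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -3,7 +3,7 @@ dist: trusty
 sudo: true
 
 script:
-- sudo apt-get -y install expect csh zsh
+- sudo apt-get -y install expect csh xzdec
 - ( cd firejail ; ./configure --prefix=/usr --enable-git-install && make && sudo make install && make test-travis )
 - ( cd firejail ; sudo make install-strip DESTDIR=$(readlink -f appdir) )
 - ( cd appdir/ ; tar cfvj ../firejail-build$TRAVIS_BUILD_NUMBER.tar.bz2 . )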
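Review bot: The new `sudo apt-get -y install expect csh xzdec` line runs without a preceding `sudo apt-get update`, so on a Travis image with a stale package index the install can fail or pull an outdated package; `sudo apt-get update && sudo apt-get -y install expect csh xzdec` is the usual form. Swapping `zsh` for `xzdec` implies a test-suite dependency change that is not visible here; if anything under `make test-travis` still spawns zsh it will now fail, which is worth confirming before merging.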
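diff --git a/Makefile.in b/Makefile.in
index 9111a3c95..e20aa5b62 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -2,7 +2,7 @@ all: apps man filters
 MYLIBS = src/lib
 APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fcopy src/fldd src/libpostexecseccomp
 MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5
-SECCOMP_FILTERS = seccomp seccomp.debug seccomp.i386 seccomp.amd64 seccomp.block_secondary seccomp.mdwx
+SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.64 seccomp.block_secondary seccomp.mdwx
 
 prefix=@prefix@
 exec_prefix=@exec_prefix@
@@ -43,8 +43,8 @@ filters: src/fseccomp
 ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
 src/fseccomp/fseccomp default seccomp
 src/fseccomp/fseccomp default seccomp.debug allow-debuggers
-src/fseccomp/fseccomp secondary 32 seccomp.i386
-src/fseccomp/fseccomp secondary 64 seccomp.amd64
+src/fseccomp/fseccomp secondary 32 seccomp.32
+src/fseccomp/fseccomp secondary 64 seccomp.64
 src/fseccomp/fseccomp secondary block seccomp.block_secondary
 src/fseccomp/fseccomp memory-deny-write-execute seccomp.mdwx
 endif
@@ -103,8 +103,8 @@ ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
 install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/.
 install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/.
 install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/.
-install -c -m 0644 seccomp.i386 $(DESTDIR)/$(libdir)/firejail/.
-install -c -m 0644 seccomp.amd64 $(DESTDIR)/$(libdir)/firejail/.
+install -c -m 0644 seccomp.32 $(DESTDIR)/$(libdir)/firejail/.
+install -c -m 0644 seccomp.64 $(DESTDIR)/$(libdir)/firejail/.
 install -c -m 0644 seccomp.block_secondary $(DESTDIR)/$(libdir)/firejail/.
 install -c -m 0644 seccomp.mdwx $(DESTDIR)/$(libdir)/firejail/.
 endif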
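Review bot: The install hunk copies the renamed `seccomp.32`/`seccomp.64` filters, but nothing removes the old `seccomp.i386`/`seccomp.amd64` files, so an in-place upgrade leaves stale, unreferenced filter blobs next to the live ones in `$(DESTDIR)/$(libdir)/firejail`. If the `uninstall` and `clean` targets (outside this hunk) still name the old files they need the same rename; otherwise consider adding `rm -f $(DESTDIR)/$(libdir)/firejail/seccomp.i386 $(DESTDIR)/$(libdir)/firejail/seccomp.amd64` to the install recipe so leftovers cannot be mistaken for active filters. Separately, the `filters` rule writes six output files that are not themselves make targets, so a `fseccomp` run that fails after partially writing one of them can leave a stale or truncated filter in place for the next `make install`; `.DELETE_ON_ERROR:` cannot help here because the target is `filters`, not the files.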
@@ -409,6 +409,7 @@ smithsohu (https://github.com/smitsohu) | |||
409 | - lots of profile hardening and fixes | 409 | - lots of profile hardening and fixes |
410 | - added MuseScore profile | 410 | - added MuseScore profile |
411 | - fixed device discovery for simple-scan | 411 | - fixed device discovery for simple-scan |
412 | - add novideo support in many profiles | ||
412 | soredake (https://github.com/soredake) | 413 | soredake (https://github.com/soredake) |
413 | - fix steam startup with >=llvm-4 | 414 | - fix steam startup with >=llvm-4 |
414 | SpotComms (https://github.com/SpotComms) | 415 | SpotComms (https://github.com/SpotComms) |
@@ -535,6 +536,8 @@ vismir2 (https://github.com/vismir2) | |||
535 | - claws-mail, mutt, git, emacs, vim profiles | 536 | - claws-mail, mutt, git, emacs, vim profiles |
536 | - lots of profile fixes | 537 | - lots of profile fixes |
537 | - support for truecrypt and zuluCrypt | 538 | - support for truecrypt and zuluCrypt |
539 | Vladimir Gorelov (https://github.com/larkvirtual) | ||
540 | - added Yandex browser profile | ||
538 | Vladimir Schowalter (https://github.com/VladimirSchowalter20) | 541 | Vladimir Schowalter (https://github.com/VladimirSchowalter20) |
539 | - apparmor profile enhancements | 542 | - apparmor profile enhancements |
540 | - various KDE profile enhancements | 543 | - various KDE profile enhancements |
@@ -174,6 +174,15 @@ Check the status of the latest build here: https://travis-ci.org/netblue30/firej | |||
174 | amd64, i386 and x32 system calls are blocked as well as chang‐ | 174 | amd64, i386 and x32 system calls are blocked as well as chang‐ |
175 | ing the execution domain with personality(2) system call. | 175 | ing the execution domain with personality(2) system call. |
176 | 176 | ||
177 | --profile.print=name|pid | ||
178 | Print the name of the profile file for the sandbox identified | ||
179 | by name or or PID. | ||
180 | |||
181 | Example: | ||
182 | $ firejail --profile.print=browser | ||
183 | /etc/firejail/firefox.profile | ||
184 | |||
185 | |||
177 | ````` | 186 | ````` |
178 | 187 | ||
179 | ## /etc/firejail/firejail.config | 188 | ## /etc/firejail/firejail.config |
@@ -214,4 +223,4 @@ IntelliJ IDEA, Android Studio, electron, riot-web, | |||
214 | Extreme Tux Racer, Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux, | 223 | Extreme Tux Racer, Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux, |
215 | telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg, hashcat, obs, picard, | 224 | telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg, hashcat, obs, picard, |
216 | remmina, sdat2img, soundconverter, sqlitebrowse, truecraft, gnome-twitch, tuxguitar, | 225 | remmina, sdat2img, soundconverter, sqlitebrowse, truecraft, gnome-twitch, tuxguitar, |
217 | musescore, neverball | 226 | musescore, neverball, Yandex Browser |
@@ -6,6 +6,7 @@ firejail (0.9.50~rc1) baseline; urgency=low | |||
6 | * feature: private /lib directory (--private-lib) | 6 | * feature: private /lib directory (--private-lib) |
7 | * feature: disable CDROM/DVD drive (--nodvd) | 7 | * feature: disable CDROM/DVD drive (--nodvd) |
8 | * feature: disable DVB devices (--notv) | 8 | * feature: disable DVB devices (--notv) |
9 | * feature: --profile.print | ||
9 | * enhancement: print all seccomp filters under --debug | 10 | * enhancement: print all seccomp filters under --debug |
10 | * enhancement: /proc/sys mounting | 11 | * enhancement: /proc/sys mounting |
11 | * enhancement: rework IP address assingment for --net options | 12 | * enhancement: rework IP address assingment for --net options |
@@ -27,7 +28,7 @@ firejail (0.9.50~rc1) baseline; urgency=low | |||
27 | * new profiles: telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg, | 28 | * new profiles: telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg, |
28 | * new profiles: hashcat, obs, picard, remmina, sdat2img, soundconverter | 29 | * new profiles: hashcat, obs, picard, remmina, sdat2img, soundconverter |
29 | * new profiles: truecraft, gnome-twitch, tuxguitar, musescore, neverball | 30 | * new profiles: truecraft, gnome-twitch, tuxguitar, musescore, neverball |
30 | * new profiles: sqlitebrowse, | 31 | * new profiles: sqlitebrowse, Yandex Browser |
31 | * bugfixes | 32 | * bugfixes |
32 | -- netblue30 <netblue30@yahoo.com> Mon, 12 Jun 2017 20:00:00 -0500 | 33 | -- netblue30 <netblue30@yahoo.com> Mon, 12 Jun 2017 20:00:00 -0500 |
33 | 34 | ||
diff --git a/etc/amarok.profile b/etc/amarok.profile index e10cfbefe..478d5285c 100644 --- a/etc/amarok.profile +++ b/etc/amarok.profile | |||
@@ -17,6 +17,7 @@ nogroups | |||
17 | nonewprivs | 17 | nonewprivs |
18 | noroot | 18 | noroot |
19 | notv | 19 | notv |
20 | novideo | ||
20 | protocol unix,inet,inet6 | 21 | protocol unix,inet,inet6 |
21 | # seccomp | 22 | # seccomp |
22 | shell none | 23 | shell none |
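diff --git a/etc/audacious.profile b/etc/audacious.profile
index eddc100ca..bd2367fe0 100644
--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -24,8 +24,10 @@ seccomp
 shell none
 tracelog
 
-private-bin audacious
+# private-bin audacious
 private-dev
 private-tmp
 
 memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp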
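Review bot: `private-bin audacious` is commented out with no reason recorded, so the sandbox no longer restricts which programs under `/bin` and `/usr/bin` are visible to the player, and a later editor cannot tell whether re-enabling it is safe. The same commit documents the equivalent change in cvlc.profile (`# cvlc doesn't like private-bin`); give this line the same treatment, e.g. `# private-bin audacious: disabled, breaks <plugin/feature>; see <issue>` with the actual cause filled in. The new `noexec ${HOME}` and `noexec /tmp` lines stop execution from user-writable paths but do not compensate for the wider system-binary exposure.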
diff --git a/etc/caja.profile b/etc/caja.profile index d234e6c9b..97663fddb 100644 --- a/etc/caja.profile +++ b/etc/caja.profile | |||
@@ -24,6 +24,7 @@ nogroups | |||
24 | nonewprivs | 24 | nonewprivs |
25 | noroot | 25 | noroot |
26 | notv | 26 | notv |
27 | novideo | ||
27 | protocol unix | 28 | protocol unix |
28 | seccomp | 29 | seccomp |
29 | shell none | 30 | shell none |
diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile index bc045fb77..4ab49163b 100644 --- a/etc/claws-mail.profile +++ b/etc/claws-mail.profile | |||
@@ -22,6 +22,7 @@ nonewprivs | |||
22 | noroot | 22 | noroot |
23 | nosound | 23 | nosound |
24 | notv | 24 | notv |
25 | novideo | ||
25 | protocol unix,inet,inet6 | 26 | protocol unix,inet,inet6 |
26 | seccomp | 27 | seccomp |
27 | shell none | 28 | shell none |
diff --git a/etc/cmus.profile b/etc/cmus.profile index cf0830475..2d6f2454b 100644 --- a/etc/cmus.profile +++ b/etc/cmus.profile | |||
@@ -17,6 +17,7 @@ netfilter | |||
17 | nonewprivs | 17 | nonewprivs |
18 | noroot | 18 | noroot |
19 | notv | 19 | notv |
20 | novideo | ||
20 | protocol unix,inet,inet6 | 21 | protocol unix,inet,inet6 |
21 | seccomp | 22 | seccomp |
22 | shell none | 23 | shell none |
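diff --git a/etc/cpio.profile b/etc/cpio.profile
index f082d2e40..7f4bc4a84 100644
--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -17,11 +17,12 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 net none
-net none
 no3d
 nodvd
+nonewprivs
 nosound
 notv
+novideo
 seccomp
 shell none
 tracelog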
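Review bot: `nonewprivs` is added but the profile still has no `noroot` — the hunk shows `nonewprivs` followed directly by `nosound` — whereas every other profile touched in this commit pairs the two. cpio is an archive extractor fed untrusted input, so if it is expected to run as an ordinary user here, add `noroot` between `nonewprivs` and `nosound`; if it is deliberately left out because cpio is commonly invoked as root (firejail skips `noroot` in that case anyway), record that with `# noroot omitted: cpio is typically run as root` so the gap reads as intentional. Removing the duplicate `net none` is fine; the absence of a `protocol` line is harmless only because `net none` is present.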
diff --git a/etc/curl.profile b/etc/curl.profile index af7eabf59..972bbe9cc 100644 --- a/etc/curl.profile +++ b/etc/curl.profile | |||
@@ -23,6 +23,7 @@ nonewprivs | |||
23 | noroot | 23 | noroot |
24 | nosound | 24 | nosound |
25 | notv | 25 | notv |
26 | novideo | ||
26 | protocol unix,inet,inet6 | 27 | protocol unix,inet,inet6 |
27 | seccomp | 28 | seccomp |
28 | shell none | 29 | shell none |
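diff --git a/etc/cvlc.profile b/etc/cvlc.profile
index e0d32da0f..81ccbc530 100644
--- a/etc/cvlc.profile
+++ b/etc/cvlc.profile
@@ -5,29 +5,8 @@ include /etc/firejail/cvlc.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-noblacklist ${HOME}/.config/vlc
+# cvlc doesn't like private-bin
+ignore private-bin
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-# nogroups
-nonewprivs
-noroot
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-tracelog
-
-# clvc doesn't like private-bin
-# private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
-private-dev
-private-tmp
-
-# mdwe is disabled due to breaking hardware accelerated decoding
-# memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/vlc.profile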
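Review bot: With the redirect, cvlc's hardening is now whatever vlc.profile (not visible here) provides, and the explicit `caps.drop all`, `protocol unix,inet,inet6,netlink`, `seccomp` and `noexec` lines this file used to carry are gone from it; confirm vlc.profile sets equivalents, because any later relaxation of vlc.profile now silently relaxes cvlc too. `ignore private-bin` is placed before the include, which is the order firejail needs for `ignore` to apply to the included file, but it also suppresses any `private-bin` line vlc.profile may add in future; a comment such as `# ignore must precede the include; drops every private-bin line from vlc.profile` would make that explicit. Since vlc.profile presumably also includes vlc.local, a user's vlc customizations now apply to cvlc as well, which deserves a mention in the header comment.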
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 7ec842728..13ed3f212 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
@@ -179,6 +179,8 @@ blacklist ${HOME}/.config/xmms2 | |||
179 | blacklist ${HOME}/.config/xplayer | 179 | blacklist ${HOME}/.config/xplayer |
180 | blacklist ${HOME}/.config/xreader | 180 | blacklist ${HOME}/.config/xreader |
181 | blacklist ${HOME}/.config/xviewer | 181 | blacklist ${HOME}/.config/xviewer |
182 | blacklist ${HOME}/.config/yandex-browser | ||
183 | blacklist ${HOME}/.config/yandex-browser-beta | ||
182 | blacklist ${HOME}/.config/zathura | 184 | blacklist ${HOME}/.config/zathura |
183 | blacklist ${HOME}/.config/zoomus.conf | 185 | blacklist ${HOME}/.config/zoomus.conf |
184 | blacklist ${HOME}/.conkeror.mozdev.org | 186 | blacklist ${HOME}/.conkeror.mozdev.org |
@@ -428,3 +430,5 @@ blacklist ${HOME}/.cache/vivaldi | |||
428 | blacklist ${HOME}/.cache/wesnoth | 430 | blacklist ${HOME}/.cache/wesnoth |
429 | blacklist ${HOME}/.cache/xmms2 | 431 | blacklist ${HOME}/.cache/xmms2 |
430 | blacklist ${HOME}/.cache/xreader | 432 | blacklist ${HOME}/.cache/xreader |
433 | blacklist ${HOME}/.cache/yandex-browser | ||
434 | blacklist ${HOME}/.cache/yandex-browser-beta | ||
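diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index d82efef04..a1ccfbe22 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -5,19 +5,30 @@ include /etc/firejail/dnscrypt-proxy.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+blacklist /tmp/.X11-unix
+
 noblacklist /sbin
 noblacklist /usr/sbin
+noblacklist /var/log
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+caps
+# caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot,sys_resource
 no3d
 nodvd
+nonewprivs
 nosound
 notv
+novideo
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
 
+disable-mnt
 private
 private-dev
+
+# mdwe can break modules/plugins
+# memory-deny-write-execute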
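Review bot: The new `caps` line enables firejail's default capability filter, which keeps every capability not on the project's drop list, while the minimal set a DNS proxy that drops privileges actually needs is only present in the commented `# caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot,sys_resource` line under it. If that list has been exercised against a running dnscrypt-proxy, replace `caps` with the `caps.keep` line; if not, annotate it, e.g. `# caps.keep ... untested; using default caps filter until verified`, so the broader `caps` is understood as temporary rather than intended. The unchanged `seccomp.drop` list also names `perf_event_open` twice (pre-existing and harmless), and the duplicate could be dropped while this line is being touched.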
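diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile
index bf52a5d8a..ce159c343 100644
--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -5,8 +5,11 @@ include /etc/firejail/dnsmasq.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+blacklist /tmp/.X11-unix
+
 noblacklist /sbin
 noblacklist /usr/sbin
+noblacklist /var/log
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -14,12 +17,12 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps
-netfilter
 no3d
 nodvd
 nonewprivs
 nosound
 notv
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 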
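Review bot: `netfilter` is removed without any comment explaining why, which makes the dnsmasq sandbox more permissive on the network side whenever it is run with a `--net` namespace; if the default filter blocks the inbound DHCP/DNS traffic dnsmasq must serve, say so, e.g. `# netfilter dropped: default filter blocks inbound DHCP/DNS`, or keep `netfilter` with a custom rules file that opens only ports 53 and 67. As with dnscrypt-proxy in this same commit, bare `caps` keeps every capability not on firejail's default drop list; dnsmasq is generally documented as needing roughly `net_admin,net_bind_service,net_raw,setgid,setuid`, so a tested `caps.keep` line would be considerably tighter. The new `blacklist /tmp/.X11-unix` and `noblacklist /var/log` look right for a headless daemon that writes logs.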
diff --git a/etc/dosbox.profile b/etc/dosbox.profile index bec2960f1..fa9b26e82 100644 --- a/etc/dosbox.profile +++ b/etc/dosbox.profile | |||
@@ -19,6 +19,7 @@ nogroups | |||
19 | nonewprivs | 19 | nonewprivs |
20 | noroot | 20 | noroot |
21 | notv | 21 | notv |
22 | novideo | ||
22 | protocol unix,inet,inet6 | 23 | protocol unix,inet,inet6 |
23 | seccomp | 24 | seccomp |
24 | shell none | 25 | shell none |
diff --git a/etc/enchant.profile b/etc/enchant.profile index a7b549a4c..b7034b937 100644 --- a/etc/enchant.profile +++ b/etc/enchant.profile | |||
@@ -20,6 +20,7 @@ nonewprivs | |||
20 | noroot | 20 | noroot |
21 | nosound | 21 | nosound |
22 | notv | 22 | notv |
23 | novideo | ||
23 | protocol unix | 24 | protocol unix |
24 | seccomp | 25 | seccomp |
25 | shell none | 26 | shell none |
diff --git a/etc/evolution.profile b/etc/evolution.profile index 2f7f25ff8..9f29b229b 100644 --- a/etc/evolution.profile +++ b/etc/evolution.profile | |||
@@ -29,6 +29,7 @@ nonewprivs | |||
29 | noroot | 29 | noroot |
30 | nosound | 30 | nosound |
31 | notv | 31 | notv |
32 | novideo | ||
32 | protocol unix,inet,inet6 | 33 | protocol unix,inet,inet6 |
33 | seccomp | 34 | seccomp |
34 | shell none | 35 | shell none |
diff --git a/etc/exiftool.profile b/etc/exiftool.profile index 565212161..75e5be1b9 100644 --- a/etc/exiftool.profile +++ b/etc/exiftool.profile | |||
@@ -26,6 +26,7 @@ nonewprivs | |||
26 | noroot | 26 | noroot |
27 | nosound | 27 | nosound |
28 | notv | 28 | notv |
29 | novideo | ||
29 | protocol unix | 30 | protocol unix |
30 | seccomp | 31 | seccomp |
31 | shell none | 32 | shell none |
diff --git a/etc/fbreader.profile b/etc/fbreader.profile index 19d45a1d8..01da2cafe 100644 --- a/etc/fbreader.profile +++ b/etc/fbreader.profile | |||
@@ -19,6 +19,7 @@ nonewprivs | |||
19 | noroot | 19 | noroot |
20 | nosound | 20 | nosound |
21 | notv | 21 | notv |
22 | novideo | ||
22 | protocol unix,inet,inet6 | 23 | protocol unix,inet,inet6 |
23 | seccomp | 24 | seccomp |
24 | shell none | 25 | shell none |
diff --git a/etc/feh.profile b/etc/feh.profile index 61b456e34..7935b1354 100644 --- a/etc/feh.profile +++ b/etc/feh.profile | |||
@@ -13,17 +13,19 @@ include /etc/firejail/disable-programs.inc | |||
13 | 13 | ||
14 | caps.drop all | 14 | caps.drop all |
15 | net none | 15 | net none |
16 | no3d | ||
16 | nodvd | 17 | nodvd |
17 | nogroups | 18 | nogroups |
18 | nonewprivs | 19 | nonewprivs |
19 | noroot | 20 | noroot |
20 | nosound | 21 | nosound |
21 | notv | 22 | notv |
23 | novideo | ||
22 | protocol unix | 24 | protocol unix |
23 | seccomp | 25 | seccomp |
24 | shell none | 26 | shell none |
25 | 27 | ||
26 | private-bin feh | 28 | private-bin feh,jpegexiforient,jpegtran |
27 | private-dev | 29 | private-dev |
28 | private-etc feh | 30 | private-etc feh |
29 | private-tmp | 31 | private-tmp |
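diff --git a/etc/file.profile b/etc/file.profile
index 9a4dba7ef..a83b2cf7d 100644
--- a/etc/file.profile
+++ b/etc/file.profile
@@ -21,6 +21,7 @@ nogroups
 nonewprivs
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
@@ -30,3 +31,7 @@ x11 none
 private-bin file
 private-dev
 private-etc magic.mgc,magic,localtime
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp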
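Review bot: `memory-deny-write-execute` and the two `noexec` lines are sound additions for a tool that parses untrusted input, but the profile still lacks `noroot` — the first hunk shows `nonewprivs` at line 22 followed directly by `nosound` — while the other profiles in this commit carry it. `file`/libmagic has a long record of crafted-input bugs, so add `noroot` after `nonewprivs` unless the profile is meant for root use, in which case a comment such as `# noroot omitted: file is run as root by <caller>` should say so. Whether `net none` is set lies outside the visible hunks; `protocol unix` on its own does not remove network access, so that is worth checking as well.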
diff --git a/etc/filezilla.profile b/etc/filezilla.profile index 63bfd1e0d..866aaabca 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile | |||
@@ -19,6 +19,7 @@ nonewprivs | |||
19 | noroot | 19 | noroot |
20 | nosound | 20 | nosound |
21 | notv | 21 | notv |
22 | novideo | ||
22 | protocol unix,inet,inet6 | 23 | protocol unix,inet,inet6 |
23 | seccomp | 24 | seccomp |
24 | shell none | 25 | shell none |
diff --git a/etc/firefox.profile b/etc/firefox.profile index 619fa1562..1bd45ebd1 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile | |||
@@ -10,7 +10,11 @@ noblacklist ~/.config/okularpartrc | |||
10 | noblacklist ~/.config/okularrc | 10 | noblacklist ~/.config/okularrc |
11 | noblacklist ~/.config/qpdfview | 11 | noblacklist ~/.config/qpdfview |
12 | noblacklist ~/.kde/share/apps/okular | 12 | noblacklist ~/.kde/share/apps/okular |
13 | noblacklist ~/.kde/share/config/okularpartrc | ||
14 | noblacklist ~/.kde/share/config/okularrc | ||
13 | noblacklist ~/.kde4/share/apps/okular | 15 | noblacklist ~/.kde4/share/apps/okular |
16 | noblacklist ~/.kde4/share/config/okularpartrc | ||
17 | noblacklist ~/.kde4/share/config/okularrc | ||
14 | noblacklist ~/.local/share/gnome-shell/extensions | 18 | noblacklist ~/.local/share/gnome-shell/extensions |
15 | noblacklist ~/.local/share/okular | 19 | noblacklist ~/.local/share/okular |
16 | noblacklist ~/.local/share/qpdfview | 20 | noblacklist ~/.local/share/qpdfview |
@@ -34,7 +38,11 @@ whitelist ~/.config/pipelight-silverlight5.1 | |||
34 | whitelist ~/.config/pipelight-widevine | 38 | whitelist ~/.config/pipelight-widevine |
35 | whitelist ~/.config/qpdfview | 39 | whitelist ~/.config/qpdfview |
36 | whitelist ~/.kde/share/apps/okular | 40 | whitelist ~/.kde/share/apps/okular |
41 | whitelist ~/.kde/share/config/okularpartrc | ||
42 | whitelist ~/.kde/share/config/okularrc | ||
37 | whitelist ~/.kde4/share/apps/okular | 43 | whitelist ~/.kde4/share/apps/okular |
44 | whitelist ~/.kde4/share/config/okularpartrc | ||
45 | whitelist ~/.kde4/share/config/okularrc | ||
38 | whitelist ~/.keysnail.js | 46 | whitelist ~/.keysnail.js |
39 | whitelist ~/.lastpass | 47 | whitelist ~/.lastpass |
40 | whitelist ~/.local/share/gnome-shell/extensions | 48 | whitelist ~/.local/share/gnome-shell/extensions |
@@ -66,7 +74,6 @@ tracelog | |||
66 | 74 | ||
67 | # private-bin firefox,which,sh,dbus-launch,dbus-send,env | 75 | # private-bin firefox,which,sh,dbus-launch,dbus-send,env |
68 | private-dev | 76 | private-dev |
69 | # private-dev might prevent video calls going out | ||
70 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse | 77 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse |
71 | private-tmp | 78 | private-tmp |
72 | 79 | ||
diff --git a/etc/galculator.profile b/etc/galculator.profile index a2e855656..37f147f0f 100644 --- a/etc/galculator.profile +++ b/etc/galculator.profile | |||
@@ -24,6 +24,7 @@ nonewprivs | |||
24 | noroot | 24 | noroot |
25 | nosound | 25 | nosound |
26 | notv | 26 | notv |
27 | novideo | ||
27 | protocol unix | 28 | protocol unix |
28 | seccomp | 29 | seccomp |
29 | shell none | 30 | shell none |
diff --git a/etc/geeqie.profile b/etc/geeqie.profile index c9f9d0074..a50fd4370 100644 --- a/etc/geeqie.profile +++ b/etc/geeqie.profile | |||
@@ -21,6 +21,7 @@ nonewprivs | |||
21 | noroot | 21 | noroot |
22 | nosound | 22 | nosound |
23 | notv | 23 | notv |
24 | novideo | ||
24 | protocol unix | 25 | protocol unix |
25 | seccomp | 26 | seccomp |
26 | shell none | 27 | shell none |
diff --git a/etc/git.profile b/etc/git.profile index 92bf66b92..14fb55118 100644 --- a/etc/git.profile +++ b/etc/git.profile | |||
@@ -29,6 +29,7 @@ nonewprivs | |||
29 | noroot | 29 | noroot |
30 | nosound | 30 | nosound |
31 | notv | 31 | notv |
32 | novideo | ||
32 | protocol unix,inet,inet6 | 33 | protocol unix,inet,inet6 |
33 | seccomp | 34 | seccomp |
34 | shell none | 35 | shell none |
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile index 4921fb0c4..6547c73df 100644 --- a/etc/gnome-calculator.profile +++ b/etc/gnome-calculator.profile | |||
@@ -21,6 +21,7 @@ nonewprivs | |||
21 | noroot | 21 | noroot |
22 | nosound | 22 | nosound |
23 | notv | 23 | notv |
24 | novideo | ||
24 | protocol unix,inet,inet6 | 25 | protocol unix,inet,inet6 |
25 | seccomp | 26 | seccomp |
26 | shell none | 27 | shell none |
diff --git a/etc/gpa.profile b/etc/gpa.profile index 58dfcd3e1..8d721e2c0 100644 --- a/etc/gpa.profile +++ b/etc/gpa.profile | |||
@@ -20,6 +20,7 @@ nonewprivs | |||
20 | noroot | 20 | noroot |
21 | nosound | 21 | nosound |
22 | notv | 22 | notv |
23 | novideo | ||
23 | protocol unix,inet,inet6 | 24 | protocol unix,inet,inet6 |
24 | seccomp | 25 | seccomp |
25 | shell none | 26 | shell none |
diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile index 13bceaa5a..8fd2ce232 100644 --- a/etc/gpg-agent.profile +++ b/etc/gpg-agent.profile | |||
@@ -23,6 +23,7 @@ nonewprivs | |||
23 | noroot | 23 | noroot |
24 | nosound | 24 | nosound |
25 | notv | 25 | notv |
26 | novideo | ||
26 | protocol unix,inet,inet6 | 27 | protocol unix,inet,inet6 |
27 | seccomp | 28 | seccomp |
28 | shell none | 29 | shell none |
diff --git a/etc/gpg.profile b/etc/gpg.profile index d99afdfe2..8c39f85e3 100644 --- a/etc/gpg.profile +++ b/etc/gpg.profile | |||
@@ -23,6 +23,7 @@ nonewprivs | |||
23 | noroot | 23 | noroot |
24 | nosound | 24 | nosound |
25 | notv | 25 | notv |
26 | novideo | ||
26 | protocol unix,inet,inet6 | 27 | protocol unix,inet,inet6 |
27 | seccomp | 28 | seccomp |
28 | shell none | 29 | shell none |
diff --git a/etc/gpicview.profile b/etc/gpicview.profile index ec9245e58..26bc589ee 100644 --- a/etc/gpicview.profile +++ b/etc/gpicview.profile | |||
@@ -20,6 +20,7 @@ nonewprivs | |||
20 | noroot | 20 | noroot |
21 | nosound | 21 | nosound |
22 | notv | 22 | notv |
23 | novideo | ||
23 | protocol unix | 24 | protocol unix |
24 | seccomp | 25 | seccomp |
25 | shell none | 26 | shell none |
diff --git a/etc/gthumb.profile b/etc/gthumb.profile index 63ad07894..287e214e1 100644 --- a/etc/gthumb.profile +++ b/etc/gthumb.profile | |||
@@ -21,6 +21,7 @@ nonewprivs | |||
21 | noroot | 21 | noroot |
22 | nosound | 22 | nosound |
23 | notv | 23 | notv |
24 | novideo | ||
24 | protocol unix | 25 | protocol unix |
25 | seccomp | 26 | seccomp |
26 | shell none | 27 | shell none |
diff --git a/etc/guayadeque.profile b/etc/guayadeque.profile index 7713f216f..14662443c 100644 --- a/etc/guayadeque.profile +++ b/etc/guayadeque.profile | |||
@@ -18,6 +18,7 @@ nogroups | |||
18 | nonewprivs | 18 | nonewprivs |
19 | noroot | 19 | noroot |
20 | notv | 20 | notv |
21 | novideo | ||
21 | protocol unix,inet,inet6,netlink | 22 | protocol unix,inet,inet6,netlink |
22 | seccomp | 23 | seccomp |
23 | shell none | 24 | shell none |
diff --git a/etc/gzip.profile b/etc/gzip.profile index 3f6ecec2c..0f04953d8 100644 --- a/etc/gzip.profile +++ b/etc/gzip.profile | |||
@@ -14,6 +14,7 @@ no3d | |||
14 | nodvd | 14 | nodvd |
15 | nosound | 15 | nosound |
16 | notv | 16 | notv |
17 | novideo | ||
17 | shell none | 18 | shell none |
18 | tracelog | 19 | tracelog |
19 | 20 | ||
diff --git a/etc/highlight.profile b/etc/highlight.profile index 83b023a90..d3cacc581 100644 --- a/etc/highlight.profile +++ b/etc/highlight.profile | |||
@@ -21,6 +21,7 @@ nonewprivs | |||
21 | noroot | 21 | noroot |
22 | nosound | 22 | nosound |
23 | notv | 23 | notv |
24 | novideo | ||
24 | protocol unix | 25 | protocol unix |
25 | seccomp | 26 | seccomp |
26 | shell none | 27 | shell none |
diff --git a/etc/img2txt.profile b/etc/img2txt.profile index bd454a2c8..943350484 100644 --- a/etc/img2txt.profile +++ b/etc/img2txt.profile | |||
@@ -19,6 +19,7 @@ nonewprivs | |||
19 | noroot | 19 | noroot |
20 | nosound | 20 | nosound |
21 | notv | 21 | notv |
22 | novideo | ||
22 | protocol unix | 23 | protocol unix |
23 | seccomp | 24 | seccomp |
24 | shell none | 25 | shell none |
diff --git a/etc/lynx.profile b/etc/lynx.profile index db01a5b8f..d54bed564 100644 --- a/etc/lynx.profile +++ b/etc/lynx.profile | |||
@@ -21,6 +21,7 @@ nonewprivs | |||
21 | noroot | 21 | noroot |
22 | nosound | 22 | nosound |
23 | notv | 23 | notv |
24 | novideo | ||
24 | protocol unix,inet,inet6 | 25 | protocol unix,inet,inet6 |
25 | seccomp | 26 | seccomp |
26 | shell none | 27 | shell none |
diff --git a/etc/mcabber.profile b/etc/mcabber.profile index bd1ada2b5..2e31e09ec 100644 --- a/etc/mcabber.profile +++ b/etc/mcabber.profile | |||
@@ -20,6 +20,7 @@ nonewprivs | |||
20 | noroot | 20 | noroot |
21 | nosound | 21 | nosound |
22 | notv | 22 | notv |
23 | novideo | ||
23 | protocol inet,inet6 | 24 | protocol inet,inet6 |
24 | seccomp | 25 | seccomp |
25 | shell none | 26 | shell none |
diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile index d6a55610f..e502269f7 100644 --- a/etc/mediainfo.profile +++ b/etc/mediainfo.profile | |||
@@ -21,6 +21,7 @@ nonewprivs | |||
21 | noroot | 21 | noroot |
22 | nosound | 22 | nosound |
23 | notv | 23 | notv |
24 | novideo | ||
24 | protocol unix | 25 | protocol unix |
25 | seccomp | 26 | seccomp |
26 | shell none | 27 | shell none |
diff --git a/etc/mupdf.profile b/etc/mupdf.profile index c7bb458df..62527c17d 100644 --- a/etc/mupdf.profile +++ b/etc/mupdf.profile | |||
@@ -19,6 +19,7 @@ nonewprivs | |||
19 | noroot | 19 | noroot |
20 | nosound | 20 | nosound |
21 | notv | 21 | notv |
22 | novideo | ||
22 | protocol unix | 23 | protocol unix |
23 | seccomp | 24 | seccomp |
24 | # seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev | 25 | # seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev |
diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile index 9f3be0d27..4937df51f 100644 --- a/etc/mupen64plus.profile +++ b/etc/mupen64plus.profile | |||
@@ -26,4 +26,5 @@ nodvd | |||
26 | nonewprivs | 26 | nonewprivs |
27 | noroot | 27 | noroot |
28 | notv | 28 | notv |
29 | novideo | ||
29 | seccomp | 30 | seccomp |
diff --git a/etc/musescore.profile b/etc/musescore.profile index bd00bea69..3b5a0b13c 100644 --- a/etc/musescore.profile +++ b/etc/musescore.profile | |||
@@ -10,6 +10,11 @@ noblacklist ~/.config/MuseScore | |||
10 | noblacklist ~/.local/share/data/MusE | 10 | noblacklist ~/.local/share/data/MusE |
11 | noblacklist ~/.local/share/data/MuseScore | 11 | noblacklist ~/.local/share/data/MuseScore |
12 | 12 | ||
13 | include /etc/firejail/disable-common.inc | ||
14 | include /etc/firejail/disable-devel.inc | ||
15 | include /etc/firejail/disable-passwdmgr.inc | ||
16 | include /etc/firejail/disable-programs.inc | ||
17 | |||
13 | caps.drop all | 18 | caps.drop all |
14 | netfilter | 19 | netfilter |
15 | no3d | 20 | no3d |
diff --git a/etc/mutt.profile b/etc/mutt.profile index 206edefae..aafa3d75d 100644 --- a/etc/mutt.profile +++ b/etc/mutt.profile | |||
@@ -44,6 +44,7 @@ nonewprivs | |||
44 | noroot | 44 | noroot |
45 | nosound | 45 | nosound |
46 | notv | 46 | notv |
47 | novideo | ||
47 | protocol unix,inet,inet6 | 48 | protocol unix,inet,inet6 |
48 | seccomp | 49 | seccomp |
49 | shell none | 50 | shell none |
diff --git a/etc/nautilus.profile b/etc/nautilus.profile index 57d6faa17..45d23cae6 100644 --- a/etc/nautilus.profile +++ b/etc/nautilus.profile | |||
@@ -25,6 +25,7 @@ nogroups | |||
25 | nonewprivs | 25 | nonewprivs |
26 | noroot | 26 | noroot |
27 | notv | 27 | notv |
28 | novideo | ||
28 | protocol unix | 29 | protocol unix |
29 | seccomp | 30 | seccomp |
30 | shell none | 31 | shell none |
diff --git a/etc/nylas.profile b/etc/nylas.profile index 5d84d1326..d96c6b0d4 100644 --- a/etc/nylas.profile +++ b/etc/nylas.profile | |||
@@ -26,6 +26,7 @@ nonewprivs | |||
26 | noroot | 26 | noroot |
27 | nosound | 27 | nosound |
28 | notv | 28 | notv |
29 | novideo | ||
29 | protocol unix,inet,inet6,netlink | 30 | protocol unix,inet,inet6,netlink |
30 | seccomp | 31 | seccomp |
31 | shell none | 32 | shell none |
diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile index da2d03635..e8c2d54c7 100644 --- a/etc/odt2txt.profile +++ b/etc/odt2txt.profile | |||
@@ -21,6 +21,7 @@ nonewprivs | |||
21 | noroot | 21 | noroot |
22 | nosound | 22 | nosound |
23 | notv | 23 | notv |
24 | novideo | ||
24 | protocol unix | 25 | protocol unix |
25 | seccomp | 26 | seccomp |
26 | shell none | 27 | shell none |
diff --git a/etc/parole.profile b/etc/parole.profile index 794d91481..a8ce63e73 100644 --- a/etc/parole.profile +++ b/etc/parole.profile | |||
@@ -13,7 +13,6 @@ include /etc/firejail/disable-programs.inc | |||
13 | 13 | ||
14 | caps.drop all | 14 | caps.drop all |
15 | netfilter | 15 | netfilter |
16 | nodvd | ||
17 | nonewprivs | 16 | nonewprivs |
18 | noroot | 17 | noroot |
19 | notv | 18 | notv |
diff --git a/etc/pix.profile b/etc/pix.profile index ed9298727..5440e4634 100644 --- a/etc/pix.profile +++ b/etc/pix.profile | |||
@@ -22,6 +22,7 @@ nonewprivs | |||
22 | noroot | 22 | noroot |
23 | nosound | 23 | nosound |
24 | notv | 24 | notv |
25 | novideo | ||
25 | protocol unix | 26 | protocol unix |
26 | seccomp | 27 | seccomp |
27 | shell none | 28 | shell none |
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index ea635ab6e..86db5c26c 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile | |||
@@ -35,6 +35,7 @@ nonewprivs | |||
35 | noroot | 35 | noroot |
36 | nosound | 36 | nosound |
37 | notv | 37 | notv |
38 | novideo | ||
38 | protocol unix,inet,inet6,netlink | 39 | protocol unix,inet,inet6,netlink |
39 | seccomp | 40 | seccomp |
40 | # shell none | 41 | # shell none |
diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile index 7d69f38f9..2d1df0f72 100644 --- a/etc/qpdfview.profile +++ b/etc/qpdfview.profile | |||
@@ -32,3 +32,5 @@ private-dev | |||
32 | private-tmp | 32 | private-tmp |
33 | 33 | ||
34 | memory-deny-write-execute | 34 | memory-deny-write-execute |
35 | noexec ${HOME} | ||
36 | noexec /tmp | ||
diff --git a/etc/quiterss.profile b/etc/quiterss.profile index 6f20f6d7f..96fe04e83 100644 --- a/etc/quiterss.profile +++ b/etc/quiterss.profile | |||
@@ -34,6 +34,7 @@ nonewprivs | |||
34 | noroot | 34 | noroot |
35 | nosound | 35 | nosound |
36 | notv | 36 | notv |
37 | novideo | ||
37 | protocol unix,inet,inet6 | 38 | protocol unix,inet,inet6 |
38 | seccomp | 39 | seccomp |
39 | shell none | 40 | shell none |
diff --git a/etc/ranger.profile b/etc/ranger.profile index 717eca099..9be19c4b1 100644 --- a/etc/ranger.profile +++ b/etc/ranger.profile | |||
@@ -24,6 +24,7 @@ nonewprivs | |||
24 | noroot | 24 | noroot |
25 | nosound | 25 | nosound |
26 | notv | 26 | notv |
27 | novideo | ||
27 | protocol unix | 28 | protocol unix |
28 | seccomp | 29 | seccomp |
29 | 30 | ||
diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index a44d99e5b..c18a1b06c 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile | |||
@@ -18,6 +18,7 @@ nonewprivs | |||
18 | noroot | 18 | noroot |
19 | nosound | 19 | nosound |
20 | notv | 20 | notv |
21 | novideo | ||
21 | protocol unix,inet,inet6 | 22 | protocol unix,inet,inet6 |
22 | seccomp | 23 | seccomp |
23 | shell none | 24 | shell none |
diff --git a/etc/spotify.profile b/etc/spotify.profile index 8eac3610b..a9f6cc461 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile | |||
@@ -6,10 +6,7 @@ include /etc/firejail/spotify.local | |||
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist ${HOME}/.bashrc | 8 | blacklist ${HOME}/.bashrc |
9 | blacklist /boot | ||
10 | blacklist /lost+found | 9 | blacklist /lost+found |
11 | blacklist /opt | ||
12 | blacklist /root | ||
13 | blacklist /sbin | 10 | blacklist /sbin |
14 | blacklist /srv | 11 | blacklist /srv |
15 | blacklist /sys | 12 | blacklist /sys |
diff --git a/etc/tar.profile b/etc/tar.profile index 34a4f34d6..f14894c25 100644 --- a/etc/tar.profile +++ b/etc/tar.profile | |||
@@ -15,6 +15,7 @@ no3d | |||
15 | nodvd | 15 | nodvd |
16 | nosound | 16 | nosound |
17 | notv | 17 | notv |
18 | novideo | ||
18 | shell none | 19 | shell none |
19 | tracelog | 20 | tracelog |
20 | 21 | ||
diff --git a/etc/transmission-cli.profile b/etc/transmission-cli.profile index 5752c96f3..c7446ed68 100644 --- a/etc/transmission-cli.profile +++ b/etc/transmission-cli.profile | |||
@@ -20,6 +20,7 @@ nonewprivs | |||
20 | noroot | 20 | noroot |
21 | nosound | 21 | nosound |
22 | notv | 22 | notv |
23 | novideo | ||
23 | protocol unix,inet,inet6 | 24 | protocol unix,inet,inet6 |
24 | seccomp | 25 | seccomp |
25 | shell none | 26 | shell none |
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index c4bf7a08d..0bb721c64 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile | |||
@@ -27,6 +27,7 @@ nonewprivs | |||
27 | noroot | 27 | noroot |
28 | nosound | 28 | nosound |
29 | notv | 29 | notv |
30 | novideo | ||
30 | protocol unix,inet,inet6 | 31 | protocol unix,inet,inet6 |
31 | seccomp | 32 | seccomp |
32 | shell none | 33 | shell none |
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index 5351a1efa..08964bbab 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile | |||
@@ -27,6 +27,7 @@ nonewprivs | |||
27 | noroot | 27 | noroot |
28 | nosound | 28 | nosound |
29 | notv | 29 | notv |
30 | novideo | ||
30 | protocol unix,inet,inet6 | 31 | protocol unix,inet,inet6 |
31 | seccomp | 32 | seccomp |
32 | shell none | 33 | shell none |
diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile index 130defc8e..0b09bffcb 100644 --- a/etc/transmission-show.profile +++ b/etc/transmission-show.profile | |||
@@ -20,6 +20,7 @@ nonewprivs | |||
20 | noroot | 20 | noroot |
21 | nosound | 21 | nosound |
22 | notv | 22 | notv |
23 | novideo | ||
23 | protocol unix | 24 | protocol unix |
24 | seccomp | 25 | seccomp |
25 | shell none | 26 | shell none |
diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile index 877ad635b..56ff4f886 100644 --- a/etc/uget-gtk.profile +++ b/etc/uget-gtk.profile | |||
@@ -23,6 +23,7 @@ nonewprivs | |||
23 | noroot | 23 | noroot |
24 | nosound | 24 | nosound |
25 | notv | 25 | notv |
26 | novideo | ||
26 | protocol unix,inet,inet6 | 27 | protocol unix,inet,inet6 |
27 | seccomp | 28 | seccomp |
28 | shell none | 29 | shell none |
diff --git a/etc/unbound.profile b/etc/unbound.profile index c1cb86893..afc903e88 100644 --- a/etc/unbound.profile +++ b/etc/unbound.profile | |||
@@ -5,19 +5,30 @@ include /etc/firejail/unbound.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /tmp/.X11-unix | ||
9 | |||
8 | noblacklist /sbin | 10 | noblacklist /sbin |
9 | noblacklist /usr/sbin | 11 | noblacklist /usr/sbin |
12 | noblacklist /var/log | ||
10 | 13 | ||
11 | include /etc/firejail/disable-common.inc | 14 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-devel.inc | 15 | include /etc/firejail/disable-devel.inc |
13 | include /etc/firejail/disable-passwdmgr.inc | 16 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | 17 | include /etc/firejail/disable-programs.inc |
15 | 18 | ||
19 | caps | ||
20 | # caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot,sys_resource | ||
16 | no3d | 21 | no3d |
17 | nodvd | 22 | nodvd |
23 | nonewprivs | ||
18 | nosound | 24 | nosound |
19 | notv | 25 | notv |
26 | novideo | ||
20 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open | 27 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open |
21 | 28 | ||
29 | disable-mnt | ||
22 | private | 30 | private |
23 | private-dev | 31 | private-dev |
32 | |||
33 | # mdwe can break modules/plugins | ||
34 | # memory-deny-write-execute | ||
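Review bot: `caps` on line 19 of the new profile keeps Firejail's default capability filter while the much tighter `caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot,sys_resource` on the next line is left commented out with no reason given. If the keep list was disabled because it broke something, record that the way the mdwe line is annotated, e.g. `# caps.keep … — disabled: <what breaks>`; otherwise the explicit list is the least-privilege choice for a resolver that only needs to bind port 53 and drop to its own user. The `seccomp.drop` line still names `perf_event_open` twice, which is harmless but worth deduplicating while the profile is being touched.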
diff --git a/etc/unrar.profile b/etc/unrar.profile index 6a3ac5527..12559a721 100644 --- a/etc/unrar.profile +++ b/etc/unrar.profile | |||
@@ -15,6 +15,7 @@ no3d | |||
15 | nodvd | 15 | nodvd |
16 | nosound | 16 | nosound |
17 | notv | 17 | notv |
18 | novideo | ||
18 | shell none | 19 | shell none |
19 | tracelog | 20 | tracelog |
20 | 21 | ||
diff --git a/etc/unzip.profile b/etc/unzip.profile index bb30d74cd..9828fa9b4 100644 --- a/etc/unzip.profile +++ b/etc/unzip.profile | |||
@@ -15,6 +15,7 @@ no3d | |||
15 | nodvd | 15 | nodvd |
16 | nosound | 16 | nosound |
17 | notv | 17 | notv |
18 | novideo | ||
18 | shell none | 19 | shell none |
19 | tracelog | 20 | tracelog |
20 | 21 | ||
diff --git a/etc/uudeview.profile b/etc/uudeview.profile index 192d13f80..b30cbaa2a 100644 --- a/etc/uudeview.profile +++ b/etc/uudeview.profile | |||
@@ -13,6 +13,7 @@ net none | |||
13 | nodvd | 13 | nodvd |
14 | nosound | 14 | nosound |
15 | notv | 15 | notv |
16 | novideo | ||
16 | shell none | 17 | shell none |
17 | tracelog | 18 | tracelog |
18 | 19 | ||
diff --git a/etc/viewnior.profile b/etc/viewnior.profile index a02845885..af4a2d655 100644 --- a/etc/viewnior.profile +++ b/etc/viewnior.profile | |||
@@ -19,12 +19,14 @@ include /etc/firejail/disable-programs.inc | |||
19 | 19 | ||
20 | caps.drop all | 20 | caps.drop all |
21 | net none | 21 | net none |
22 | no3d | ||
22 | nodvd | 23 | nodvd |
23 | nogroups | 24 | nogroups |
24 | nonewprivs | 25 | nonewprivs |
25 | noroot | 26 | noroot |
26 | nosound | 27 | nosound |
27 | notv | 28 | notv |
29 | novideo | ||
28 | protocol unix | 30 | protocol unix |
29 | seccomp | 31 | seccomp |
30 | shell none | 32 | shell none |
@@ -34,3 +36,7 @@ private-bin viewnior | |||
34 | private-dev | 36 | private-dev |
35 | private-etc fonts | 37 | private-etc fonts |
36 | private-tmp | 38 | private-tmp |
39 | |||
40 | memory-deny-write-execute | ||
41 | noexec ${HOME} | ||
42 | noexec /tmp | ||
diff --git a/etc/vim.profile b/etc/vim.profile index 7b5566f5b..97ed06d96 100644 --- a/etc/vim.profile +++ b/etc/vim.profile | |||
@@ -20,5 +20,6 @@ nogroups | |||
20 | nonewprivs | 20 | nonewprivs |
21 | noroot | 21 | noroot |
22 | notv | 22 | notv |
23 | novideo | ||
23 | protocol unix,inet,inet6 | 24 | protocol unix,inet,inet6 |
24 | seccomp | 25 | seccomp |
diff --git a/etc/w3m.profile b/etc/w3m.profile index b25e19135..0d3037b26 100644 --- a/etc/w3m.profile +++ b/etc/w3m.profile | |||
@@ -23,6 +23,7 @@ nonewprivs | |||
23 | noroot | 23 | noroot |
24 | nosound | 24 | nosound |
25 | notv | 25 | notv |
26 | novideo | ||
26 | protocol unix,inet,inet6 | 27 | protocol unix,inet,inet6 |
27 | seccomp | 28 | seccomp |
28 | shell none | 29 | shell none |
diff --git a/etc/xiphos.profile b/etc/xiphos.profile index 38e568860..5a07d4b74 100644 --- a/etc/xiphos.profile +++ b/etc/xiphos.profile | |||
@@ -28,6 +28,7 @@ nonewprivs | |||
28 | noroot | 28 | noroot |
29 | nosound | 29 | nosound |
30 | notv | 30 | notv |
31 | novideo | ||
31 | protocol unix,inet,inet6 | 32 | protocol unix,inet,inet6 |
32 | seccomp | 33 | seccomp |
33 | shell none | 34 | shell none |
diff --git a/etc/xmms.profile b/etc/xmms.profile index d2e6eddac..717c81fd0 100644 --- a/etc/xmms.profile +++ b/etc/xmms.profile | |||
@@ -18,6 +18,7 @@ no3d | |||
18 | nonewprivs | 18 | nonewprivs |
19 | noroot | 19 | noroot |
20 | notv | 20 | notv |
21 | novideo | ||
21 | protocol unix,inet,inet6 | 22 | protocol unix,inet,inet6 |
22 | seccomp | 23 | seccomp |
23 | shell none | 24 | shell none |
diff --git a/etc/xreader.profile b/etc/xreader.profile index dd09c8a92..c02b9a014 100644 --- a/etc/xreader.profile +++ b/etc/xreader.profile | |||
@@ -30,7 +30,7 @@ tracelog | |||
30 | 30 | ||
31 | private-bin xreader,xreader-previewer,xreader-thumbnailer | 31 | private-bin xreader,xreader-previewer,xreader-thumbnailer |
32 | private-dev | 32 | private-dev |
33 | # private-etc fonts | 33 | # private-etc fonts,ld.so.cache |
34 | # xreader needs access to /tmp/mozilla* to work in firefox | 34 | # xreader needs access to /tmp/mozilla* to work in firefox |
35 | # private-tmp | 35 | # private-tmp |
36 | 36 | ||
diff --git a/etc/xzdec.profile b/etc/xzdec.profile index 7f21f5d2f..d5c4ac6f0 100644 --- a/etc/xzdec.profile +++ b/etc/xzdec.profile | |||
@@ -14,6 +14,7 @@ no3d | |||
14 | nodvd | 14 | nodvd |
15 | nosound | 15 | nosound |
16 | notv | 16 | notv |
17 | novideo | ||
17 | shell none | 18 | shell none |
18 | tracelog | 19 | tracelog |
19 | 20 | ||
diff --git a/etc/yandex-browser.profile b/etc/yandex-browser.profile new file mode 100644 index 000000000..bfb7b9d87 --- /dev/null +++ b/etc/yandex-browser.profile | |||
@@ -0,0 +1,42 @@ | |||
1 | # Firejail profile for yandex-browser | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/yandex-browser.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | noblacklist ~/.cache/yandex-browser | ||
9 | noblacklist ~/.cache/yandex-browser-beta | ||
10 | noblacklist ~/.config/yandex-browser | ||
11 | noblacklist ~/.config/yandex-browser-beta | ||
12 | noblacklist ~/.pki | ||
13 | |||
14 | include /etc/firejail/disable-common.inc | ||
15 | include /etc/firejail/disable-devel.inc | ||
16 | include /etc/firejail/disable-programs.inc | ||
17 | |||
18 | mkdir ~/.cache/yandex-browser | ||
19 | mkdir ~/.cache/yandex-browser-beta | ||
20 | mkdir ~/.config/yandex-browser | ||
21 | mkdir ~/.config/yandex-browser-beta | ||
22 | mkdir ~/.pki | ||
23 | whitelist ${DOWNLOADS} | ||
24 | whitelist ~/.cache/yandex-browser | ||
25 | whitelist ~/.cache/yandex-browser-beta | ||
26 | whitelist ~/.config/yandex-browser | ||
27 | whitelist ~/.config/yandex-browser-beta | ||
28 | whitelist ~/.pki | ||
29 | include /etc/firejail/whitelist-common.inc | ||
30 | |||
31 | caps.keep sys_chroot,sys_admin | ||
32 | netfilter | ||
33 | nodvd | ||
34 | nogroups | ||
35 | notv | ||
36 | shell none | ||
37 | |||
38 | private-dev | ||
39 | # private-tmp - problems with multiple browser sessions | ||
40 | |||
41 | noexec ${HOME} | ||
42 | noexec /tmp | ||
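Review bot: `caps.keep sys_chroot,sys_admin` on line 31, together with the absence of `nonewprivs`, `noroot`, `seccomp` and `protocol`, leaves this sandbox noticeably weaker than the other profiles in this commit, and nothing in the file says why. This is presumably what the Chromium-based browser's own setuid sandbox helper needs (chroot plus namespace setup), so the tradeoff should be stated next to the line, e.g. `# sys_admin/sys_chroot and no nonewprivs/seccomp: required by the browser's setuid sandbox helper — confirm`. If the browser can run with its namespace sandbox instead of the setuid helper, the caps line and the missing hardening options should be revisited.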
diff --git a/platform/debian/conffiles b/platform/debian/conffiles index e7eab20a2..cf1c50ec6 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles | |||
@@ -354,3 +354,4 @@ | |||
354 | /etc/firejail/youtube-dl.profile | 354 | /etc/firejail/youtube-dl.profile |
355 | /etc/firejail/zathura.profile | 355 | /etc/firejail/zathura.profile |
356 | /etc/firejail/zoom.profile | 356 | /etc/firejail/zoom.profile |
357 | /etc/firejail/yandex-browser.profile | ||
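Review bot: `/etc/firejail/yandex-browser.profile` is appended after `zoom.profile` although the list is kept in alphabetical order (the visible tail runs youtube-dl, zathura, zoom). Move it before `/etc/firejail/youtube-dl.profile`, as `firecfg.config` in this same commit already does, so the two lists stay easy to diff against each other.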
diff --git a/platform/rpm/old-mkrpm.sh b/platform/rpm/old-mkrpm.sh index 505171d1c..7d817c7e2 100755 --- a/platform/rpm/old-mkrpm.sh +++ b/platform/rpm/old-mkrpm.sh | |||
@@ -36,9 +36,9 @@ install -m 644 /usr/lib/firejail/libtracelog.so firejail-$VERSION/usr/lib/firej | |||
36 | install -m 644 /usr/lib/firejail/libtrace.so firejail-$VERSION/usr/lib/firejail/. | 36 | install -m 644 /usr/lib/firejail/libtrace.so firejail-$VERSION/usr/lib/firejail/. |
37 | install -m 644 /usr/lib/firejail/libpostexecseccomp.so firejail-$VERSION/usr/lib/firejail/. | 37 | install -m 644 /usr/lib/firejail/libpostexecseccomp.so firejail-$VERSION/usr/lib/firejail/. |
38 | install -m 644 /usr/lib/firejail/seccomp firejail-$VERSION/usr/lib/firejail/. | 38 | install -m 644 /usr/lib/firejail/seccomp firejail-$VERSION/usr/lib/firejail/. |
39 | install -m 644 /usr/lib/firejail/seccomp.amd64 firejail-$VERSION/usr/lib/firejail/. | 39 | install -m 644 /usr/lib/firejail/seccomp.64 firejail-$VERSION/usr/lib/firejail/. |
40 | install -m 644 /usr/lib/firejail/seccomp.debug firejail-$VERSION/usr/lib/firejail/. | 40 | install -m 644 /usr/lib/firejail/seccomp.debug firejail-$VERSION/usr/lib/firejail/. |
41 | install -m 644 /usr/lib/firejail/seccomp.i386 firejail-$VERSION/usr/lib/firejail/. | 41 | install -m 644 /usr/lib/firejail/seccomp.32 firejail-$VERSION/usr/lib/firejail/. |
42 | install -m 644 /usr/lib/firejail/seccomp.block_secondary firejail-$VERSION/usr/lib/firejail/. | 42 | install -m 644 /usr/lib/firejail/seccomp.block_secondary firejail-$VERSION/usr/lib/firejail/. |
43 | install -m 644 /usr/lib/firejail/seccomp.mdwx firejail-$VERSION/usr/lib/firejail/. | 43 | install -m 644 /usr/lib/firejail/seccomp.mdwx firejail-$VERSION/usr/lib/firejail/. |
44 | 44 | ||
@@ -492,9 +492,9 @@ rm -rf %{buildroot} | |||
492 | /usr/lib/firejail/fnet | 492 | /usr/lib/firejail/fnet |
493 | /usr/lib/firejail/fseccomp | 493 | /usr/lib/firejail/fseccomp |
494 | /usr/lib/firejail/seccomp | 494 | /usr/lib/firejail/seccomp |
495 | /usr/lib/firejail/seccomp.amd64 | 495 | /usr/lib/firejail/seccomp.64 |
496 | /usr/lib/firejail/seccomp.debug | 496 | /usr/lib/firejail/seccomp.debug |
497 | /usr/lib/firejail/seccomp.i386 | 497 | /usr/lib/firejail/seccomp.32 |
498 | /usr/lib/firejail/seccomp.block_secondary | 498 | /usr/lib/firejail/seccomp.block_secondary |
499 | /usr/lib/firejail/seccomp.mdwx | 499 | /usr/lib/firejail/seccomp.mdwx |
500 | 500 | ||
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 6bdeaab77..10a0cfd98 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -311,6 +311,7 @@ xplayer | |||
311 | xpra | 311 | xpra |
312 | xreader | 312 | xreader |
313 | xviewer | 313 | xviewer |
314 | yandex-browser | ||
314 | youtube-dl | 315 | youtube-dl |
315 | zathura | 316 | zathura |
316 | zoom | 317 | zoom |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 435b9527d..75450fe0f 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -34,6 +34,7 @@ | |||
34 | #define RUN_FIREJAIL_X11_DIR "/run/firejail/x11" | 34 | #define RUN_FIREJAIL_X11_DIR "/run/firejail/x11" |
35 | #define RUN_FIREJAIL_NETWORK_DIR "/run/firejail/network" | 35 | #define RUN_FIREJAIL_NETWORK_DIR "/run/firejail/network" |
36 | #define RUN_FIREJAIL_BANDWIDTH_DIR "/run/firejail/bandwidth" | 36 | #define RUN_FIREJAIL_BANDWIDTH_DIR "/run/firejail/bandwidth" |
37 | #define RUN_FIREJAIL_PROFILE_DIR "/run/firejail/profile" | ||
37 | #define RUN_NETWORK_LOCK_FILE "/run/firejail/firejail.lock" | 38 | #define RUN_NETWORK_LOCK_FILE "/run/firejail/firejail.lock" |
38 | #define RUN_RO_DIR "/run/firejail/firejail.ro.dir" | 39 | #define RUN_RO_DIR "/run/firejail/firejail.ro.dir" |
39 | #define RUN_RO_FILE "/run/firejail/firejail.ro.file" | 40 | #define RUN_RO_FILE "/run/firejail/firejail.ro.file" |
@@ -54,15 +55,15 @@ | |||
54 | 55 | ||
55 | #define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter | 56 | #define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter |
56 | #define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter | 57 | #define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter |
57 | #define RUN_SECCOMP_AMD64 "/run/firejail/mnt/seccomp.amd64" // amd64 filter installed on i386 architectures | 58 | #define RUN_SECCOMP_64 "/run/firejail/mnt/seccomp.64" // 64bit arch filter installed on 32bit architectures |
58 | #define RUN_SECCOMP_I386 "/run/firejail/mnt/seccomp.i386" // i386 filter installed on amd64 architectures | 59 | #define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp.32" // 32bit arch filter installed on 64bit architectures |
59 | #define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute | 60 | #define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute |
60 | #define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking filter | 61 | #define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking filter |
61 | #define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library | 62 | #define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library |
62 | #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make | 63 | #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make |
63 | #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make | 64 | #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make |
64 | #define PATH_SECCOMP_AMD64 (LIBDIR "/firejail/seccomp.amd64") // amd64 filter built during make | 65 | #define PATH_SECCOMP_64 (LIBDIR "/firejail/seccomp.64") // 64bit arch filter built during make |
65 | #define PATH_SECCOMP_I386 (LIBDIR "/firejail/seccomp.i386") // i386 filter built during make | 66 | #define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make |
66 | #define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make | 67 | #define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make |
67 | #define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make | 68 | #define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make |
68 | 69 | ||
@@ -410,6 +411,7 @@ void net_config_interface(const char *dev, uint32_t ip, uint32_t mask, int mtu); | |||
410 | // preproc.c | 411 | // preproc.c |
411 | void preproc_build_firejail_dir(void); | 412 | void preproc_build_firejail_dir(void); |
412 | void preproc_mount_mnt_dir(void); | 413 | void preproc_mount_mnt_dir(void); |
414 | void preproc_clean_run(void); | ||
413 | 415 | ||
414 | // fs.c | 416 | // fs.c |
415 | // blacklist files or directoies by mounting empty files on top of them | 417 | // blacklist files or directoies by mounting empty files on top of them |
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 480df1766..dad8545a0 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -368,12 +368,12 @@ void fs_whitelist(void) { | |||
368 | // replace ~/ or ${HOME} into /home/username | 368 | // replace ~/ or ${HOME} into /home/username |
369 | new_name = expand_home(dataptr, cfg.homedir); | 369 | new_name = expand_home(dataptr, cfg.homedir); |
370 | assert(new_name); | 370 | assert(new_name); |
371 | if (arg_debug) | 371 | if (arg_debug || arg_debug_whitelists) |
372 | fprintf(stderr, "Debug %d: new_name #%s#, %s\n", __LINE__, new_name, (nowhitelist_flag)? "nowhitelist": "whitelist"); | 372 | fprintf(stderr, "Debug %d: new_name #%s#, %s\n", __LINE__, new_name, (nowhitelist_flag)? "nowhitelist": "whitelist"); |
373 | 373 | ||
374 | // valid path referenced to filesystem root | 374 | // valid path referenced to filesystem root |
375 | if (*new_name != '/') { | 375 | if (*new_name != '/') { |
376 | if (arg_debug) | 376 | if (arg_debug || arg_debug_whitelists) |
377 | fprintf(stderr, "Debug %d: \n", __LINE__); | 377 | fprintf(stderr, "Debug %d: \n", __LINE__); |
378 | goto errexit; | 378 | goto errexit; |
379 | } | 379 | } |
@@ -417,6 +417,8 @@ void fs_whitelist(void) { | |||
417 | entry->data = EMPTY_STRING; | 417 | entry->data = EMPTY_STRING; |
418 | continue; | 418 | continue; |
419 | } | 419 | } |
420 | else if (arg_debug_whitelists) | ||
421 | printf("real path %s\n", fname); | ||
420 | 422 | ||
421 | if (nowhitelist_flag) { | 423 | if (nowhitelist_flag) { |
422 | // store the path in nowhitelist array | 424 | // store the path in nowhitelist array |
@@ -501,9 +503,15 @@ void fs_whitelist(void) { | |||
501 | else if (strncmp(new_name, "/dev/", 5) == 0) { | 503 | else if (strncmp(new_name, "/dev/", 5) == 0) { |
502 | entry->dev_dir = 1; | 504 | entry->dev_dir = 1; |
503 | dev_dir = 1; | 505 | dev_dir = 1; |
504 | // both path and absolute path are under /dev | 506 | |
505 | if (strncmp(fname, "/dev/", 5) != 0) { | 507 | // special handling for /dev/shm |
506 | goto errexit; | 508 | // on some platforms (Debian wheezy, Ubuntu 14.04), it is a symlink to /run/shm |
509 | if (strcmp(new_name, "/dev/shm") == 0 && strcmp(fname, "/run/shm") == 0); | ||
510 | else { | ||
511 | // both path and absolute path are under /dev | ||
512 | if (strncmp(fname, "/dev/", 5) != 0) { | ||
513 | goto errexit; | ||
514 | } | ||
507 | } | 515 | } |
508 | } | 516 | } |
509 | else if (strncmp(new_name, "/opt/", 5) == 0) { | 517 | else if (strncmp(new_name, "/opt/", 5) == 0) { |
@@ -708,7 +716,6 @@ void fs_whitelist(void) { | |||
708 | } | 716 | } |
709 | 717 | ||
710 | 718 | ||
711 | |||
712 | // go through profile rules again, and interpret whitelist commands | 719 | // go through profile rules again, and interpret whitelist commands |
713 | entry = cfg.profile; | 720 | entry = cfg.profile; |
714 | while (entry) { | 721 | while (entry) { |
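Review bot: The `/dev/shm` special case in the third hunk is written as `if (...);` followed by `else`, an empty-body conditional that compilers flag with -Wempty-body and that reads as a typo. Fold the exception into the existing check instead: `int shm_link = strcmp(new_name, "/dev/shm") == 0 && strcmp(fname, "/run/shm") == 0;` then `if (!shm_link && strncmp(fname, "/dev/", 5) != 0) goto errexit;`, keeping the comment about Debian wheezy/Ubuntu 14.04. The exemption is deliberately exact-match, so a whitelisted path below `/dev/shm/...` whose real path resolves into `/run/shm/...` still hits errexit — if that is intended, say so in the comment. The second hunk's new debug line uses `printf` where the surrounding debug output goes to stderr via `fprintf`. fs_whitelist() starts and ends outside these hunks.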
diff --git a/src/firejail/main.c b/src/firejail/main.c index 3f805a7e0..c317aa477 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -130,15 +130,22 @@ unsigned long long start_timestamp; | |||
130 | 130 | ||
131 | static void set_name_file(pid_t pid); | 131 | static void set_name_file(pid_t pid); |
132 | static void delete_name_file(pid_t pid); | 132 | static void delete_name_file(pid_t pid); |
133 | static void delete_profile_file(pid_t pid); | ||
133 | static void delete_x11_file(pid_t pid); | 134 | static void delete_x11_file(pid_t pid); |
134 | 135 | ||
135 | void clear_run_files(pid_t pid) { | 136 | void clear_run_files(pid_t pid) { |
136 | bandwidth_del_run_file(pid); // bandwidth file | 137 | bandwidth_del_run_file(pid); // bandwidth file |
137 | network_del_run_file(pid); // network map file | 138 | network_del_run_file(pid); // network map file |
138 | delete_name_file(pid); | 139 | delete_name_file(pid); |
140 | delete_profile_file(pid); | ||
139 | delete_x11_file(pid); | 141 | delete_x11_file(pid); |
140 | } | 142 | } |
141 | 143 | ||
144 | static void clear_atexit(void) { | ||
145 | EUID_ROOT(); | ||
146 | clear_run_files(getpid()); | ||
147 | } | ||
148 | |||
142 | static void myexit(int rv) { | 149 | static void myexit(int rv) { |
143 | logmsg("exiting..."); | 150 | logmsg("exiting..."); |
144 | if (!arg_command && !arg_quiet) | 151 | if (!arg_command && !arg_quiet) |
@@ -465,6 +472,26 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
465 | exit(0); | 472 | exit(0); |
466 | } | 473 | } |
467 | #endif | 474 | #endif |
475 | else if (strncmp(argv[i], "--profile.print=", 16) == 0) { | ||
476 | pid_t pid = read_pid(argv[i] + 16); | ||
477 | |||
478 | // print /run/firejail/profile/<PID> file | ||
479 | char *fname; | ||
480 | if (asprintf(&fname, RUN_FIREJAIL_PROFILE_DIR "/%d", pid) == -1) | ||
481 | errExit("asprintf"); | ||
482 | FILE *fp = fopen(fname, "r"); | ||
483 | if (!fp) { | ||
484 | fprintf(stderr, "Error: sandbox %s not found\n", argv[i] + 16); | ||
485 | exit(1); | ||
486 | } | ||
487 | #define MAXBUF 4096 | ||
488 | char buf[MAXBUF]; | ||
489 | if (fgets(buf, MAXBUF, fp)) | ||
490 | printf("%s", buf); | ||
491 | fclose(fp); | ||
492 | exit(0); | ||
493 | |||
494 | } | ||
468 | else if (strncmp(argv[i], "--cpu.print=", 12) == 0) { | 495 | else if (strncmp(argv[i], "--cpu.print=", 12) == 0) { |
469 | // join sandbox by pid or by name | 496 | // join sandbox by pid or by name |
470 | pid_t pid = read_pid(argv[i] + 12); | 497 | pid_t pid = read_pid(argv[i] + 12); |
@@ -738,6 +765,15 @@ static void delete_name_file(pid_t pid) { | |||
738 | free(fname); | 765 | free(fname); |
739 | } | 766 | } |
740 | 767 | ||
768 | static void delete_profile_file(pid_t pid) { | ||
769 | char *fname; | ||
770 | if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_PROFILE_DIR, pid) == -1) | ||
771 | errExit("asprintf"); | ||
772 | int rv = unlink(fname); | ||
773 | (void) rv; | ||
774 | free(fname); | ||
775 | } | ||
776 | |||
741 | void set_x11_file(pid_t pid, int display) { | 777 | void set_x11_file(pid_t pid, int display) { |
742 | char *fname; | 778 | char *fname; |
743 | if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1) | 779 | if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1) |
@@ -825,12 +861,14 @@ int main(int argc, char **argv) { | |||
825 | char *custom_profile_dir = NULL; // custom profile directory | 861 | char *custom_profile_dir = NULL; // custom profile directory |
826 | 862 | ||
827 | 863 | ||
864 | atexit(clear_atexit); | ||
865 | |||
828 | // get starting timestamp | 866 | // get starting timestamp |
829 | start_timestamp = getticks(); | 867 | start_timestamp = getticks(); |
830 | 868 | ||
831 | |||
832 | // build /run/firejail directory structure | 869 | // build /run/firejail directory structure |
833 | preproc_build_firejail_dir(); | 870 | preproc_build_firejail_dir(); |
871 | preproc_clean_run(); | ||
834 | 872 | ||
835 | if (check_arg(argc, argv, "--quiet")) | 873 | if (check_arg(argc, argv, "--quiet")) |
836 | arg_quiet = 1; | 874 | arg_quiet = 1; |
@@ -2554,14 +2592,10 @@ int main(int argc, char **argv) { | |||
2554 | close(lockfd); | 2592 | close(lockfd); |
2555 | } | 2593 | } |
2556 | 2594 | ||
2557 | // create name file under /run/firejail | ||
2558 | |||
2559 | |||
2560 | // handle CTRL-C in parent | 2595 | // handle CTRL-C in parent |
2561 | signal (SIGINT, my_handler); | 2596 | signal (SIGINT, my_handler); |
2562 | signal (SIGTERM, my_handler); | 2597 | signal (SIGTERM, my_handler); |
2563 | 2598 | ||
2564 | |||
2565 | // wait for the child to finish | 2599 | // wait for the child to finish |
2566 | EUID_USER(); | 2600 | EUID_USER(); |
2567 | int status = 0; | 2601 | int status = 0; |
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c index bf1ef0469..42502008e 100644 --- a/src/firejail/preproc.c +++ b/src/firejail/preproc.c | |||
@@ -20,6 +20,8 @@ | |||
20 | #include "firejail.h" | 20 | #include "firejail.h" |
21 | #include <sys/mount.h> | 21 | #include <sys/mount.h> |
22 | #include <sys/stat.h> | 22 | #include <sys/stat.h> |
23 | #include <sys/types.h> | ||
24 | #include <dirent.h> | ||
23 | 25 | ||
24 | static int tmpfs_mounted = 0; | 26 | static int tmpfs_mounted = 0; |
25 | 27 | ||
@@ -48,6 +50,10 @@ void preproc_build_firejail_dir(void) { | |||
48 | create_empty_dir_as_root(RUN_FIREJAIL_NAME_DIR, 0755); | 50 | create_empty_dir_as_root(RUN_FIREJAIL_NAME_DIR, 0755); |
49 | } | 51 | } |
50 | 52 | ||
53 | if (stat(RUN_FIREJAIL_PROFILE_DIR, &s)) { | ||
54 | create_empty_dir_as_root(RUN_FIREJAIL_PROFILE_DIR, 0755); | ||
55 | } | ||
56 | |||
51 | if (stat(RUN_FIREJAIL_X11_DIR, &s)) { | 57 | if (stat(RUN_FIREJAIL_X11_DIR, &s)) { |
52 | create_empty_dir_as_root(RUN_FIREJAIL_X11_DIR, 0755); | 58 | create_empty_dir_as_root(RUN_FIREJAIL_X11_DIR, 0755); |
53 | } | 59 | } |
@@ -79,8 +85,8 @@ void preproc_mount_mnt_dir(void) { | |||
79 | copy_file(PATH_SECCOMP_BLOCK_SECONDARY, RUN_SECCOMP_BLOCK_SECONDARY, getuid(), getgid(), 0644); // root needed | 85 | copy_file(PATH_SECCOMP_BLOCK_SECONDARY, RUN_SECCOMP_BLOCK_SECONDARY, getuid(), getgid(), 0644); // root needed |
80 | else { | 86 | else { |
81 | //copy default seccomp files | 87 | //copy default seccomp files |
82 | copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644); // root needed | 88 | copy_file(PATH_SECCOMP_32, RUN_SECCOMP_32, getuid(), getgid(), 0644); // root needed |
83 | copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644); // root needed | 89 | copy_file(PATH_SECCOMP_64, RUN_SECCOMP_64, getuid(), getgid(), 0644); // root needed |
84 | } | 90 | } |
85 | if (arg_allow_debuggers) | 91 | if (arg_allow_debuggers) |
86 | copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed | 92 | copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed |
@@ -98,3 +104,77 @@ void preproc_mount_mnt_dir(void) { | |||
98 | errExit("set_perms"); | 104 | errExit("set_perms"); |
99 | } | 105 | } |
100 | } | 106 | } |
107 | |||
108 | // clean run directory | ||
109 | void preproc_clean_run(void) { | ||
110 | int max_pids=32769; | ||
111 | int start_pid = 100; | ||
112 | // extract real max_pids | ||
113 | FILE *fp = fopen("/proc/sys/kernel/pid_max", "r"); | ||
114 | if (fp) { | ||
115 | int val; | ||
116 | if (fscanf(fp, "%d", &val) == 1) { | ||
117 | if (val >= max_pids) | ||
118 | max_pids = val + 1; | ||
119 | } | ||
120 | fclose(fp); | ||
121 | } | ||
122 | int *pidarr = malloc(max_pids * sizeof(int)); | ||
123 | if (!pidarr) | ||
124 | errExit("malloc"); | ||
125 | |||
126 | memset(pidarr, 0, max_pids * sizeof(int)); | ||
127 | |||
128 | // open /proc directory | ||
129 | DIR *dir; | ||
130 | if (!(dir = opendir("/proc"))) { | ||
131 | // sleep 2 seconds and try again | ||
132 | sleep(2); | ||
133 | if (!(dir = opendir("/proc"))) { | ||
134 | fprintf(stderr, "Error: cannot open /proc directory\n"); | ||
135 | exit(1); | ||
136 | } | ||
137 | } | ||
138 | |||
139 | // read /proc and populate pidarr with all active processes | ||
140 | struct dirent *entry; | ||
141 | char *end; | ||
142 | while ((entry = readdir(dir)) != NULL) { | ||
143 | pid_t pid = strtol(entry->d_name, &end, 10); | ||
144 | pid %= max_pids; | ||
145 | if (end == entry->d_name || *end) | ||
146 | continue; | ||
147 | |||
148 | if (pid < start_pid) | ||
149 | continue; | ||
150 | pidarr[pid] = 1; | ||
151 | } | ||
152 | closedir(dir); | ||
153 | |||
154 | // open /run/firejail/profile directory | ||
155 | if (!(dir = opendir(RUN_FIREJAIL_PROFILE_DIR))) { | ||
156 | // sleep 2 seconds and try again | ||
157 | sleep(2); | ||
158 | if (!(dir = opendir(RUN_FIREJAIL_PROFILE_DIR))) { | ||
159 | fprintf(stderr, "Error: cannot open %s directory\n", RUN_FIREJAIL_PROFILE_DIR); | ||
160 | exit(1); | ||
161 | } | ||
162 | } | ||
163 | |||
164 | // read /run/firejail/profile directory and clean leftover files | ||
165 | while ((entry = readdir(dir)) != NULL) { | ||
166 | pid_t pid = strtol(entry->d_name, &end, 10); | ||
167 | pid %= max_pids; | ||
168 | if (end == entry->d_name || *end) | ||
169 | continue; | ||
170 | |||
171 | if (pid < start_pid) | ||
172 | continue; | ||
173 | if (pidarr[pid] == 0) | ||
174 | clear_run_files(pid); | ||
175 | } | ||
176 | closedir(dir); | ||
177 | |||
178 | free(pidarr); | ||
179 | } | ||
180 | |||
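Review bot: `preproc_clean_run` takes its /proc snapshot at 142-151 and only afterwards walks the profile directory at 165-175, so a sandbox that starts between the two scans (a concurrent firejail launch) has a PID absent from pidarr and its freshly written profile file is removed by clear_run_files(), while a leftover file whose PID has since been reused is kept. Re-checking liveness right before deleting closes most of that window: replace the test at 173 with `char procpath[64]; snprintf(procpath, sizeof procpath, "/proc/%d", pid);` followed by `if (pidarr[pid] == 0 && stat(procpath, &st) != 0)` (with a `struct stat st;` declared above the loop). The `pid %= max_pids` at 144 and 167 happens before the end-of-string check and silently folds any numeric name outside the table into another slot; since both directories are root-owned this is only a correctness nit, but `if (pid >= max_pids) continue;` would be clearer than the modulo. The comment at 108 should also state the contract, e.g. `// remove /run/firejail/profile/<pid> files left by sandboxes that no longer exist; must run before this instance writes its own file`.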
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index fc390c83a..e61f59f46 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -1193,6 +1193,29 @@ void profile_read(const char *fname) { | |||
1193 | exit(1); | 1193 | exit(1); |
1194 | } | 1194 | } |
1195 | 1195 | ||
1196 | // save the name of the file for --profile.print option | ||
1197 | if (include_level == 0) { | ||
1198 | char *runfile; | ||
1199 | if (asprintf(&runfile, "%s/%d", RUN_FIREJAIL_PROFILE_DIR, getpid()) == -1) | ||
1200 | errExit("asprintf"); | ||
1201 | |||
1202 | EUID_ROOT(); | ||
1203 | // the file is deleted first | ||
1204 | FILE *fp = fopen(runfile, "w"); | ||
1205 | if (!fp) { | ||
1206 | fprintf(stderr, "Error: cannot create %s\n", runfile); | ||
1207 | exit(1); | ||
1208 | } | ||
1209 | fprintf(fp, "%s\n", fname); | ||
1210 | |||
1211 | // mode and ownership | ||
1212 | SET_PERMS_STREAM(fp, 0, 0, 0644); | ||
1213 | fclose(fp); | ||
1214 | EUID_USER(); | ||
1215 | free(runfile); | ||
1216 | } | ||
1217 | |||
1218 | |||
1196 | int msg_printed = 0; | 1219 | int msg_printed = 0; |
1197 | 1220 | ||
1198 | // read the file line by line | 1221 | // read the file line by line |
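Review bot: The comment at 1203 ("the file is deleted first") does not describe what the code does: fopen(runfile, "w") at 1204 truncates an existing file in place rather than unlinking it, and ownership/mode are then reset by SET_PERMS_STREAM at 1212; suggest `// fopen("w") truncates any stale file for this pid; ownership and mode are reset below`. When several top-level profiles are read (each call with include_level == 0) the file is overwritten, so --profile.print reports only the last one, and fname is written verbatim, so a relative --profile= path is recorded relative to the launcher's cwd rather than resolved (whether fname is already absolute at this point is not visible in the hunk). The file is also world-readable (0644), which exposes the profile path of every running sandbox to all local users; if that is intended, a one-line comment saying so would save the next reader the question. profile_read continues outside the hunk.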
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 7b45e2574..e75863c3a 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
@@ -137,22 +137,22 @@ errexit: | |||
137 | exit(1); | 137 | exit(1); |
138 | } | 138 | } |
139 | 139 | ||
140 | // i386 filter installed on amd64 architectures | 140 | // 32 bit arch filter installed on 64 bit architectures |
141 | #if defined(__x86_64__) | 141 | #if defined(__LP64__) |
142 | static void seccomp_filter_32(void) { | 142 | static void seccomp_filter_32(void) { |
143 | if (seccomp_load(RUN_SECCOMP_I386) == 0) { | 143 | if (seccomp_load(RUN_SECCOMP_32) == 0) { |
144 | if (arg_debug) | 144 | if (arg_debug) |
145 | printf("Dual i386/amd64 seccomp filter configured\n"); | 145 | printf("Dual 32/64 bit seccomp filter configured\n"); |
146 | } | 146 | } |
147 | } | 147 | } |
148 | #endif | 148 | #endif |
149 | 149 | ||
150 | // amd64 filter installed on i386 architectures | 150 | // 64 bit arch filter installed on 32 bit architectures |
151 | #if defined(__i386__) | 151 | #if defined(__ILP32__) |
152 | static void seccomp_filter_64(void) { | 152 | static void seccomp_filter_64(void) { |
153 | if (seccomp_load(RUN_SECCOMP_AMD64) == 0) { | 153 | if (seccomp_load(RUN_SECCOMP_64) == 0) { |
154 | if (arg_debug) | 154 | if (arg_debug) |
155 | printf("Dual i386/amd64 seccomp filter configured\n"); | 155 | printf("Dual 32/64 bit seccomp filter configured\n"); |
156 | } | 156 | } |
157 | } | 157 | } |
158 | #endif | 158 | #endif |
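Review bot: Switching the guards at 141 and 151 from `__x86_64__`/`__i386__` to `__LP64__`/`__ILP32__` widens the set of platforms that install a secondary filter but leaves a silent gap for any target that defines neither macro (`__ILP32__` is not emitted by every 32-bit toolchain, and it is also defined for the x86-64 x32 ABI, for which src/include/seccomp.h has no ARCH_32/ARCH_64 entry). In the neither-defined case no secondary filter is installed and nothing is logged, so, assuming the primary filter's architecture check allows non-native syscalls the way VALIDATE_ARCHITECTURE_32/64 do, a secondary-arch process would run unfiltered unless --seccomp.block-secondary is used; an `#else` with `# warning "no secondary seccomp filter for this ABI"` next to the two definitions would make that visible at build time. The same guard pair is repeated at 180-185 and 193-198 in seccomp_filter_drop and would be better expressed once, e.g. as a `static void seccomp_filter_secondary(void)` helper with the `#if` inside it.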
@@ -177,10 +177,10 @@ int seccomp_filter_drop(void) { | |||
177 | if (arg_seccomp_block_secondary) | 177 | if (arg_seccomp_block_secondary) |
178 | seccomp_filter_block_secondary(); | 178 | seccomp_filter_block_secondary(); |
179 | else { | 179 | else { |
180 | #if defined(__x86_64__) | 180 | #if defined(__LP64__) |
181 | seccomp_filter_32(); | 181 | seccomp_filter_32(); |
182 | #endif | 182 | #endif |
183 | #if defined(__i386__) | 183 | #if defined(__ILP32__) |
184 | seccomp_filter_64(); | 184 | seccomp_filter_64(); |
185 | #endif | 185 | #endif |
186 | } | 186 | } |
@@ -190,10 +190,10 @@ int seccomp_filter_drop(void) { | |||
190 | if (arg_seccomp_block_secondary) | 190 | if (arg_seccomp_block_secondary) |
191 | seccomp_filter_block_secondary(); | 191 | seccomp_filter_block_secondary(); |
192 | else { | 192 | else { |
193 | #if defined(__x86_64__) | 193 | #if defined(__LP64__) |
194 | seccomp_filter_32(); | 194 | seccomp_filter_32(); |
195 | #endif | 195 | #endif |
196 | #if defined(__i386__) | 196 | #if defined(__ILP32__) |
197 | seccomp_filter_64(); | 197 | seccomp_filter_64(); |
198 | #endif | 198 | #endif |
199 | } | 199 | } |
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 10e6ab687..fc7dbd69c 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -159,6 +159,7 @@ void usage(void) { | |||
159 | printf(" --private-tmp - mount a tmpfs on top of /tmp directory.\n"); | 159 | printf(" --private-tmp - mount a tmpfs on top of /tmp directory.\n"); |
160 | printf(" --private-opt=file,directory - build a new /opt in a temporary filesystem.\n"); | 160 | printf(" --private-opt=file,directory - build a new /opt in a temporary filesystem.\n"); |
161 | printf(" --profile=filename - use a custom profile.\n"); | 161 | printf(" --profile=filename - use a custom profile.\n"); |
162 | printf(" --profile.print=name|pid - print the name of profile file.\n"); | ||
162 | printf(" --profile-path=directory - use this directory to look for profile files.\n"); | 163 | printf(" --profile-path=directory - use this directory to look for profile files.\n"); |
163 | printf(" --protocol=protocol,protocol,protocol - enable protocol filter.\n"); | 164 | printf(" --protocol=protocol,protocol,protocol - enable protocol filter.\n"); |
164 | printf(" --protocol.print=name|pid - print the protocol filter.\n"); | 165 | printf(" --protocol.print=name|pid - print the protocol filter.\n"); |
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c index 7262bc2ca..e14a473fe 100644 --- a/src/fseccomp/seccomp.c +++ b/src/fseccomp/seccomp.c | |||
@@ -191,6 +191,21 @@ void seccomp_keep(const char *fname1, const char *fname2, char *list) { | |||
191 | close(fd); | 191 | close(fd); |
192 | } | 192 | } |
193 | 193 | ||
194 | #if defined(__x86_64__) || defined(__aarch64__) || defined(__powerpc64__) | ||
195 | # define filter_syscall SYS_mmap | ||
196 | # undef block_syscall | ||
197 | #elif defined(__i386__) | ||
198 | # define filter_syscall SYS_mmap2 | ||
199 | # define block_syscall SYS_mmap | ||
200 | #elif defined(__arm__) | ||
201 | # define filter_syscall SYS_mmap2 | ||
202 | # undef block_syscall | ||
203 | #else | ||
204 | # warning "Platform does not support seccomp memory-deny-write-execute filter yet" | ||
205 | # undef filter_syscall | ||
206 | # undef block_syscall | ||
207 | #endif | ||
208 | |||
194 | void memory_deny_write_execute(const char *fname) { | 209 | void memory_deny_write_execute(const char *fname) { |
195 | // open file | 210 | // open file |
196 | int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); | 211 | int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); |
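Review bot: The macro selection at 194-207 leaves `filter_syscall`/`block_syscall` defined for the rest of the translation unit under very generic names, and the `#else` branch only warns at compile time: on such a platform memory_deny_write_execute still writes a filter that blocks mprotect/shmat but not W|X mmap, and the user who requested the option gets no indication that it is only partially enforced. Suggest `#undef filter_syscall` / `#undef block_syscall` after the filter array (the use site is in the next hunk at 221-233) and a function comment such as `// on platforms without filter_syscall only mprotect/shmat are restricted; mmap with PROT_WRITE|PROT_EXEC is not blocked`. The hunk also drops the explanation that mmap2 is the mmap entry point on i386 (old 212); keep it as a comment on the `__i386__` branch at 197. memory_deny_write_execute continues outside the hunk.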
@@ -203,22 +218,19 @@ void memory_deny_write_execute(const char *fname) { | |||
203 | 218 | ||
204 | // build filter | 219 | // build filter |
205 | static const struct sock_filter filter[] = { | 220 | static const struct sock_filter filter[] = { |
206 | #ifdef __i386__ | 221 | #ifdef block_syscall |
207 | // block old multiplexing mmap syscall for i386 | 222 | // block old multiplexing mmap syscall for i386 |
208 | BLACKLIST(SYS_mmap), | 223 | BLACKLIST(block_syscall), |
209 | #endif | 224 | #endif |
225 | #ifdef filter_syscall | ||
210 | // block mmap(,,x|PROT_WRITE|PROT_EXEC) so W&X memory can't be created | 226 | // block mmap(,,x|PROT_WRITE|PROT_EXEC) so W&X memory can't be created |
211 | #ifdef __i386__ | 227 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, filter_syscall, 0, 5), |
212 | // mmap2 is used for mmap on i386 these days | ||
213 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mmap2, 0, 5), | ||
214 | #else | ||
215 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mmap, 0, 5), | ||
216 | #endif | ||
217 | EXAMINE_ARGUMENT(2), | 228 | EXAMINE_ARGUMENT(2), |
218 | BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_WRITE|PROT_EXEC), | 229 | BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_WRITE|PROT_EXEC), |
219 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_WRITE|PROT_EXEC, 0, 1), | 230 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_WRITE|PROT_EXEC, 0, 1), |
220 | KILL_PROCESS, | 231 | KILL_PROCESS, |
221 | RETURN_ALLOW, | 232 | RETURN_ALLOW, |
233 | #endif | ||
222 | 234 | ||
223 | // block mprotect(,,PROT_EXEC) so writable memory can't be turned into executable | 235 | // block mprotect(,,PROT_EXEC) so writable memory can't be turned into executable |
224 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mprotect, 0, 5), | 236 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mprotect, 0, 5), |
@@ -228,7 +240,7 @@ void memory_deny_write_execute(const char *fname) { | |||
228 | KILL_PROCESS, | 240 | KILL_PROCESS, |
229 | RETURN_ALLOW, | 241 | RETURN_ALLOW, |
230 | 242 | ||
231 | // shmat is not implemented as a syscall on some platforms (i386, possibly arm) | 243 | // shmat is not implemented as a syscall on some platforms (i386, powerpc64, powerpc64le) |
232 | #ifdef SYS_shmat | 244 | #ifdef SYS_shmat |
233 | // block shmat(,,x|SHM_EXEC) so W&X shared memory can't be created | 245 | // block shmat(,,x|SHM_EXEC) so W&X shared memory can't be created |
234 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_shmat, 0, 5), | 246 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_shmat, 0, 5), |
diff --git a/src/fseccomp/seccomp_print.c b/src/fseccomp/seccomp_print.c index 3793e125d..e8df2bda5 100644 --- a/src/fseccomp/seccomp_print.c +++ b/src/fseccomp/seccomp_print.c | |||
@@ -90,7 +90,7 @@ static int detect_filter_type(void) { | |||
90 | } | 90 | } |
91 | 91 | ||
92 | 92 | ||
93 | // testing for secondare amd64 filter | 93 | // testing for secondary 64 bit filter |
94 | const struct sock_filter start_secondary_64[] = { | 94 | const struct sock_filter start_secondary_64[] = { |
95 | VALIDATE_ARCHITECTURE_64, | 95 | VALIDATE_ARCHITECTURE_64, |
96 | EXAMINE_SYSCALL, | 96 | EXAMINE_SYSCALL, |
@@ -102,7 +102,7 @@ static int detect_filter_type(void) { | |||
102 | return sizeof(start_secondary_64) / sizeof(struct sock_filter); | 102 | return sizeof(start_secondary_64) / sizeof(struct sock_filter); |
103 | } | 103 | } |
104 | 104 | ||
105 | // testing for secondare i386 filter | 105 | // testing for secondary 32 bit filter |
106 | const struct sock_filter start_secondary_32[] = { | 106 | const struct sock_filter start_secondary_32[] = { |
107 | VALIDATE_ARCHITECTURE_32, | 107 | VALIDATE_ARCHITECTURE_32, |
108 | EXAMINE_SYSCALL, | 108 | EXAMINE_SYSCALL, |
diff --git a/src/fseccomp/seccomp_secondary.c b/src/fseccomp/seccomp_secondary.c index dd69b58cc..da6a693e6 100644 --- a/src/fseccomp/seccomp_secondary.c +++ b/src/fseccomp/seccomp_secondary.c | |||
@@ -108,7 +108,7 @@ void seccomp_secondary_64(const char *fname) { | |||
108 | write_filter(fname, sizeof(filter), filter); | 108 | write_filter(fname, sizeof(filter), filter); |
109 | } | 109 | } |
110 | 110 | ||
111 | // i386 filter installed on amd64 architectures | 111 | // 32 bit arch filter installed on 64 bit architectures |
112 | void seccomp_secondary_32(const char *fname) { | 112 | void seccomp_secondary_32(const char *fname) { |
113 | // hardcoded syscall values | 113 | // hardcoded syscall values |
114 | struct sock_filter filter[] = { | 114 | struct sock_filter filter[] = { |
diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c index 8c18b2d14..abdedb957 100644 --- a/src/fseccomp/syscall.c +++ b/src/fseccomp/syscall.c | |||
@@ -83,6 +83,9 @@ static const SyscallGroupList sysgroups[] = { | |||
83 | #ifdef SYS_vm86old | 83 | #ifdef SYS_vm86old |
84 | "vm86old" | 84 | "vm86old" |
85 | #endif | 85 | #endif |
86 | #if !defined(SYS_modify_ldt) && !defined(SYS_subpage_prot) && !defined(SYS_switch_endian) && !defined(SYS_vm86) && !defined(SYS_vm86old) | ||
87 | "__dummy_syscall__" // workaround for arm64, s390x and sparc64 which don't have any of above defined and empty syscall lists are not allowed | ||
88 | #endif | ||
86 | }, | 89 | }, |
87 | { .name = "@debug", .list = | 90 | { .name = "@debug", .list = |
88 | #ifdef SYS_lookup_dcookie | 91 | #ifdef SYS_lookup_dcookie |
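Review bot: The `"__dummy_syscall__"` placeholder at 87 turns the group ending at 89 (its name is above the hunk) into a one-entry list that no syscall table resolves, and the hunk does not show how the group consumer handles an unknown name — if it errors, the group becomes unusable on arm64/s390x/sparc64 rather than a no-op; if it warns, every use of the group prints noise. Whichever it is should be stated in the comment, e.g. `// resolves to no syscall; the lookup code must tolerate unknown names (TODO confirm)`, or a dedicated empty-list sentinel that the consumer checks explicitly would be cleaner. The sysgroups[] initializer begins before the hunk.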
diff --git a/src/include/seccomp.h b/src/include/seccomp.h index 2f2b2384d..133b6ce72 100644 --- a/src/include/seccomp.h +++ b/src/include/seccomp.h | |||
@@ -91,10 +91,64 @@ struct seccomp_data { | |||
91 | 91 | ||
92 | #if defined(__i386__) | 92 | #if defined(__i386__) |
93 | # define ARCH_NR AUDIT_ARCH_I386 | 93 | # define ARCH_NR AUDIT_ARCH_I386 |
94 | # define ARCH_32 AUDIT_ARCH_I386 | ||
95 | # define ARCH_64 AUDIT_ARCH_X86_64 | ||
94 | #elif defined(__x86_64__) | 96 | #elif defined(__x86_64__) |
95 | # define ARCH_NR AUDIT_ARCH_X86_64 | 97 | # define ARCH_NR AUDIT_ARCH_X86_64 |
98 | # define ARCH_32 AUDIT_ARCH_I386 | ||
99 | # define ARCH_64 AUDIT_ARCH_X86_64 | ||
100 | #elif defined(__aarch64__) | ||
101 | # define ARCH_NR AUDIT_ARCH_AARCH64 | ||
102 | # define ARCH_32 AUDIT_ARCH_ARM | ||
103 | # define ARCH_64 AUDIT_ARCH_AARCH64 | ||
96 | #elif defined(__arm__) | 104 | #elif defined(__arm__) |
97 | # define ARCH_NR AUDIT_ARCH_ARM | 105 | # define ARCH_NR AUDIT_ARCH_ARM |
106 | # define ARCH_32 AUDIT_ARCH_ARM | ||
107 | # define ARCH_64 AUDIT_ARCH_AARCH64 | ||
108 | #elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI32 | ||
109 | # define ARCH_NR AUDIT_ARCH_MIPS | ||
110 | # define ARCH_32 AUDIT_ARCH_MIPS | ||
111 | # define ARCH_64 AUDIT_ARCH_MIPS64 | ||
112 | #elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI32 | ||
113 | # define ARCH_NR AUDIT_ARCH_MIPSEL | ||
114 | # define ARCH_32 AUDIT_ARCH_MIPSEL | ||
115 | # define ARCH_64 AUDIT_ARCH_MIPSEL64 | ||
116 | #elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI64 | ||
117 | # define ARCH_NR AUDIT_ARCH_MIPS64 | ||
118 | # define ARCH_32 AUDIT_ARCH_MIPS | ||
119 | # define ARCH_64 AUDIT_ARCH_MIPS64 | ||
120 | #elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI64 | ||
121 | # define ARCH_NR AUDIT_ARCH_MIPSEL64 | ||
122 | # define ARCH_32 AUDIT_ARCH_MIPSEL | ||
123 | # define ARCH_64 AUDIT_ARCH_MIPSEL64 | ||
124 | #elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_NABI32 | ||
125 | # define ARCH_NR AUDIT_ARCH_MIPS64N32 | ||
126 | # define ARCH_32 AUDIT_ARCH_MIPS64N32 | ||
127 | # define ARCH_64 AUDIT_ARCH_MIPS64 | ||
128 | #elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_NABI32 | ||
129 | # define ARCH_NR AUDIT_ARCH_MIPSEL64N32 | ||
130 | # define ARCH_32 AUDIT_ARCH_MIPSEL64N32 | ||
131 | # define ARCH_64 AUDIT_ARCH_MIPSEL64 | ||
132 | #elif defined(__powerpc64__) && __BYTE_ORDER == __BIG_ENDIAN | ||
133 | # define ARCH_NR AUDIT_ARCH_PPC64 | ||
134 | # define ARCH_32 AUDIT_ARCH_PPC | ||
135 | # define ARCH_64 AUDIT_ARCH_PPC64 | ||
136 | #elif defined(__powerpc64__) && __BYTE_ORDER == __LITTLE_ENDIAN | ||
137 | # define ARCH_NR AUDIT_ARCH_PPC64LE | ||
138 | # define ARCH_32 AUDIT_ARCH_PPC | ||
139 | # define ARCH_64 AUDIT_ARCH_PPC64LE | ||
140 | #elif defined(__powerpc__) | ||
141 | # define ARCH_NR AUDIT_ARCH_PPC | ||
142 | # define ARCH_32 AUDIT_ARCH_PPC | ||
143 | # define ARCH_64 AUDIT_ARCH_PPC64LE | ||
144 | #elif defined(__s390x__) | ||
145 | # define ARCH_NR AUDIT_ARCH_S390X | ||
146 | # define ARCH_32 AUDIT_ARCH_S390 | ||
147 | # define ARCH_64 AUDIT_ARCH_S390X | ||
148 | #elif defined(__s390__) | ||
149 | # define ARCH_NR AUDIT_ARCH_S390 | ||
150 | # define ARCH_32 AUDIT_ARCH_S390 | ||
151 | # define ARCH_64 AUDIT_ARCH_S390X | ||
98 | #else | 152 | #else |
99 | # warning "Platform does not support seccomp filter yet" | 153 | # warning "Platform does not support seccomp filter yet" |
100 | # define ARCH_NR 0 | 154 | # define ARCH_NR 0 |
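Review bot: The mips and powerpc entries at 108-139 compare `__BYTE_ORDER` with `__BIG_ENDIAN`/`__LITTLE_ENDIAN`, which are library macros from <endian.h>; if that header is not included above this point (not visible in the hunk) all three identifiers evaluate to 0 inside `#if`, so `__BYTE_ORDER == __BIG_ENDIAN` is true on every build and a little-endian mips or ppc64le build gets the big-endian audit arch, making the checks in VALIDATE_ARCHITECTURE_32/64 (166-175) never match. The compiler-provided `__BYTE_ORDER__ == __ORDER_BIG_ENDIAN__` (GCC/clang) avoids that dependency. The 32-bit `__powerpc__` entry at 140-143 pairs ARCH_32 = AUDIT_ARCH_PPC with ARCH_64 = AUDIT_ARCH_PPC64LE, but a big-endian ppc32 userspace runs under a big-endian ppc64 kernel, so VALIDATE_ARCHITECTURE_64 compares against an arch that can never appear and, since a mismatch returns SECCOMP_RET_ALLOW, the 64-bit side is left unfiltered; AUDIT_ARCH_PPC64 looks like the intended value. Because the `#else` fallback at 152-154 defines only ARCH_NR, VALIDATE_ARCHITECTURE_32/64 will fail to compile on unsupported platforms unless ARCH_32/ARCH_64 are defined further down in the cut-off branch.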
@@ -112,12 +166,12 @@ struct seccomp_data { | |||
112 | 166 | ||
113 | #define VALIDATE_ARCHITECTURE_64 \ | 167 | #define VALIDATE_ARCHITECTURE_64 \ |
114 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ | 168 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ |
115 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_X86_64, 1, 0), \ | 169 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_64, 1, 0), \ |
116 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) | 170 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) |
117 | 171 | ||
118 | #define VALIDATE_ARCHITECTURE_32 \ | 172 | #define VALIDATE_ARCHITECTURE_32 \ |
119 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ | 173 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ |
120 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_I386, 1, 0), \ | 174 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_32, 1, 0), \ |
121 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) | 175 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) |
122 | 176 | ||
123 | #if defined(__x86_64__) | 177 | #if defined(__x86_64__) |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 9ae5d6782..a70f662fd 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1424,6 +1424,19 @@ Example: | |||
1424 | $ firejail \-\-profile=myprofile | 1424 | $ firejail \-\-profile=myprofile |
1425 | 1425 | ||
1426 | .TP | 1426 | .TP |
1427 | \fB\-\-profile.print=name|pid | ||
1428 | Print the name of the profile file for the sandbox identified by name or or PID. | ||
1429 | .br | ||
1430 | |||
1431 | .br | ||
1432 | Example: | ||
1433 | .br | ||
1434 | $ firejail \-\-profile.print=browser | ||
1435 | .br | ||
1436 | /etc/firejail/firefox.profile | ||
1437 | .br | ||
1438 | |||
1439 | .TP | ||
1427 | \fB\-\-profile-path=directory | 1440 | \fB\-\-profile-path=directory |
1428 | Use this directory to look for profile files. Use an absolute path or a path in the home directory starting with ~/. | 1441 | Use this directory to look for profile files. Use an absolute path or a path in the home directory starting with ~/. |
1429 | For more information, see \fBSECURITY PROFILES\fR section below and \fBRELOCATING PROFILE FILES\fR in | 1442 | For more information, see \fBSECURITY PROFILES\fR section below and \fBRELOCATING PROFILE FILES\fR in |
diff --git a/test/filters/seccomp-debug-32.exp b/test/filters/seccomp-debug-32.exp index 6983758c3..098b309f5 100755 --- a/test/filters/seccomp-debug-32.exp +++ b/test/filters/seccomp-debug-32.exp | |||
@@ -43,7 +43,7 @@ expect { | |||
43 | } | 43 | } |
44 | expect { | 44 | expect { |
45 | timeout {puts "TESTING ERROR 7\n";exit} | 45 | timeout {puts "TESTING ERROR 7\n";exit} |
46 | "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" | 46 | "Installing /run/firejail/mnt/seccomp.64 seccomp filter" |
47 | } | 47 | } |
48 | expect { | 48 | expect { |
49 | timeout {puts "TESTING ERROR 9\n";exit} | 49 | timeout {puts "TESTING ERROR 9\n";exit} |
@@ -56,13 +56,13 @@ send -- "firejail --debug --ignore=seccomp sleep 1; echo done\r" | |||
56 | expect { | 56 | expect { |
57 | timeout {puts "TESTING ERROR 10\n";exit} | 57 | timeout {puts "TESTING ERROR 10\n";exit} |
58 | "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit} | 58 | "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit} |
59 | "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 12\n";exit} | 59 | "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 12\n";exit} |
60 | "Child process initialized" | 60 | "Child process initialized" |
61 | } | 61 | } |
62 | expect { | 62 | expect { |
63 | timeout {puts "TESTING ERROR 13\n";exit} | 63 | timeout {puts "TESTING ERROR 13\n";exit} |
64 | "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 14\n";exit} | 64 | "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 14\n";exit} |
65 | "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 15\n";exit} | 65 | "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 15\n";exit} |
66 | "done" | 66 | "done" |
67 | } | 67 | } |
68 | after 100 | 68 | after 100 |
@@ -82,7 +82,7 @@ expect { | |||
82 | expect { | 82 | expect { |
83 | timeout {puts "TESTING ERROR 21\n";exit} | 83 | timeout {puts "TESTING ERROR 21\n";exit} |
84 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 22\n";exit} | 84 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 22\n";exit} |
85 | "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" | 85 | "Installing /run/firejail/mnt/seccomp.64 seccomp filter" |
86 | } | 86 | } |
87 | expect { | 87 | expect { |
88 | timeout {puts "TESTING ERROR 23\n";exit} | 88 | timeout {puts "TESTING ERROR 23\n";exit} |
@@ -110,12 +110,12 @@ expect { | |||
110 | send -- "firejail --debug --seccomp.block-secondary sleep 1; echo done\r" | 110 | send -- "firejail --debug --seccomp.block-secondary sleep 1; echo done\r" |
111 | expect { | 111 | expect { |
112 | timeout {puts "TESTING ERROR 27\n";exit} | 112 | timeout {puts "TESTING ERROR 27\n";exit} |
113 | "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 28\n";exit} | 113 | "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 28\n";exit} |
114 | "Child process initialized" | 114 | "Child process initialized" |
115 | } | 115 | } |
116 | expect { | 116 | expect { |
117 | timeout {puts "TESTING ERROR 29\n";exit} | 117 | timeout {puts "TESTING ERROR 29\n";exit} |
118 | "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 30\n";exit} | 118 | "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 30\n";exit} |
119 | "Installing /run/firejail/mnt/seccomp seccomp filter" | 119 | "Installing /run/firejail/mnt/seccomp seccomp filter" |
120 | } | 120 | } |
121 | expect { | 121 | expect { |
@@ -128,12 +128,12 @@ after 100 | |||
128 | send -- "firejail --debug --profile=block-secondary.profile sleep 1; echo done\r" | 128 | send -- "firejail --debug --profile=block-secondary.profile sleep 1; echo done\r" |
129 | expect { | 129 | expect { |
130 | timeout {puts "TESTING ERROR 33\n";exit} | 130 | timeout {puts "TESTING ERROR 33\n";exit} |
131 | "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 34\n";exit} | 131 | "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 34\n";exit} |
132 | "Child process initialized" | 132 | "Child process initialized" |
133 | } | 133 | } |
134 | expect { | 134 | expect { |
135 | timeout {puts "TESTING ERROR 35\n";exit} | 135 | timeout {puts "TESTING ERROR 35\n";exit} |
136 | "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 35\n";exit} | 136 | "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 35\n";exit} |
137 | "Installing /run/firejail/mnt/seccomp seccomp filter" | 137 | "Installing /run/firejail/mnt/seccomp seccomp filter" |
138 | } | 138 | } |
139 | expect { | 139 | expect { |
diff --git a/test/filters/seccomp-debug.exp b/test/filters/seccomp-debug.exp index 7a4a13991..4986a6bf6 100755 --- a/test/filters/seccomp-debug.exp +++ b/test/filters/seccomp-debug.exp | |||
@@ -31,7 +31,7 @@ expect { | |||
31 | after 100 | 31 | after 100 |
32 | 32 | ||
33 | 33 | ||
34 | # amd64 architecture | 34 | # 64 bit architecture |
35 | send -- "firejail --debug sleep 1; echo done\r" | 35 | send -- "firejail --debug sleep 1; echo done\r" |
36 | expect { | 36 | expect { |
37 | timeout {puts "TESTING ERROR 5\n";exit} | 37 | timeout {puts "TESTING ERROR 5\n";exit} |
@@ -43,7 +43,7 @@ expect { | |||
43 | } | 43 | } |
44 | expect { | 44 | expect { |
45 | timeout {puts "TESTING ERROR 7\n";exit} | 45 | timeout {puts "TESTING ERROR 7\n";exit} |
46 | "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" | 46 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" |
47 | } | 47 | } |
48 | expect { | 48 | expect { |
49 | timeout {puts "TESTING ERROR 8\n";exit} | 49 | timeout {puts "TESTING ERROR 8\n";exit} |
@@ -55,18 +55,18 @@ expect { | |||
55 | } | 55 | } |
56 | after 100 | 56 | after 100 |
57 | 57 | ||
58 | # amd64 architecture - ignore seccomp | 58 | # 64 bit architecture - ignore seccomp |
59 | send -- "firejail --debug --ignore=seccomp sleep 1; echo done\r" | 59 | send -- "firejail --debug --ignore=seccomp sleep 1; echo done\r" |
60 | expect { | 60 | expect { |
61 | timeout {puts "TESTING ERROR 10\n";exit} | 61 | timeout {puts "TESTING ERROR 10\n";exit} |
62 | "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit} | 62 | "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit} |
63 | "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 12\n";exit} | 63 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 12\n";exit} |
64 | "Child process initialized" | 64 | "Child process initialized" |
65 | } | 65 | } |
66 | expect { | 66 | expect { |
67 | timeout {puts "TESTING ERROR 13\n";exit} | 67 | timeout {puts "TESTING ERROR 13\n";exit} |
68 | "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 14\n";exit} | 68 | "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 14\n";exit} |
69 | "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 15\n";exit} | 69 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 15\n";exit} |
70 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" | 70 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" |
71 | } | 71 | } |
72 | expect { | 72 | expect { |
@@ -75,7 +75,7 @@ expect { | |||
75 | } | 75 | } |
76 | after 100 | 76 | after 100 |
77 | 77 | ||
78 | # amd64 architecture - ignore protocol | 78 | # 64 bit architecture - ignore protocol |
79 | send -- "firejail --debug --ignore=protocol sleep 1; echo done\r" | 79 | send -- "firejail --debug --ignore=protocol sleep 1; echo done\r" |
80 | expect { | 80 | expect { |
81 | timeout {puts "TESTING ERROR 17\n";exit} | 81 | timeout {puts "TESTING ERROR 17\n";exit} |
@@ -90,7 +90,7 @@ expect { | |||
90 | expect { | 90 | expect { |
91 | timeout {puts "TESTING ERROR 21\n";exit} | 91 | timeout {puts "TESTING ERROR 21\n";exit} |
92 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 22\n";exit} | 92 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 22\n";exit} |
93 | "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" | 93 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" |
94 | } | 94 | } |
95 | expect { | 95 | expect { |
96 | timeout {puts "TESTING ERROR 23\n";exit} | 96 | timeout {puts "TESTING ERROR 23\n";exit} |
@@ -114,21 +114,21 @@ expect { | |||
114 | } | 114 | } |
115 | 115 | ||
116 | 116 | ||
117 | # amd64 architecture - seccomp.block-secondary | 117 | # 64 bit architecture - seccomp.block-secondary |
118 | send -- "firejail --debug --seccomp.block-secondary sleep 1; echo done\r" | 118 | send -- "firejail --debug --seccomp.block-secondary sleep 1; echo done\r" |
119 | expect { | 119 | expect { |
120 | timeout {puts "TESTING ERROR 27\n";exit} | 120 | timeout {puts "TESTING ERROR 27\n";exit} |
121 | "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 28\n";exit} | 121 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 28\n";exit} |
122 | "Child process initialized" | 122 | "Child process initialized" |
123 | } | 123 | } |
124 | expect { | 124 | expect { |
125 | timeout {puts "TESTING ERROR 29\n";exit} | 125 | timeout {puts "TESTING ERROR 29\n";exit} |
126 | "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 30\n";exit} | 126 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 30\n";exit} |
127 | "Installing /run/firejail/mnt/seccomp seccomp filter" | 127 | "Installing /run/firejail/mnt/seccomp seccomp filter" |
128 | } | 128 | } |
129 | expect { | 129 | expect { |
130 | timeout {puts "TESTING ERROR 31\n";exit} | 130 | timeout {puts "TESTING ERROR 31\n";exit} |
131 | "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 32\n";exit} | 131 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 32\n";exit} |
132 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" | 132 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" |
133 | } | 133 | } |
134 | expect { | 134 | expect { |
@@ -137,16 +137,16 @@ expect { | |||
137 | } | 137 | } |
138 | after 100 | 138 | after 100 |
139 | 139 | ||
140 | # amd64 architecture - seccomp.block-secondary, profile | 140 | # 64 bit architecture - seccomp.block-secondary, profile |
141 | send -- "firejail --debug --profile=block-secondary.profile sleep 1; echo done\r" | 141 | send -- "firejail --debug --profile=block-secondary.profile sleep 1; echo done\r" |
142 | expect { | 142 | expect { |
143 | timeout {puts "TESTING ERROR 33\n";exit} | 143 | timeout {puts "TESTING ERROR 33\n";exit} |
144 | "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 34\n";exit} | 144 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 34\n";exit} |
145 | "Child process initialized" | 145 | "Child process initialized" |
146 | } | 146 | } |
147 | expect { | 147 | expect { |
148 | timeout {puts "TESTING ERROR 35\n";exit} | 148 | timeout {puts "TESTING ERROR 35\n";exit} |
149 | "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 35\n";exit} | 149 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 35\n";exit} |
150 | "Installing /run/firejail/mnt/seccomp seccomp filter" | 150 | "Installing /run/firejail/mnt/seccomp seccomp filter" |
151 | } | 151 | } |
152 | expect { | 152 | expect { |
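--- a/test/fs/whitelist-dev.exp
+++ b/test/fs/whitelist-dev.exp
@@ -25,14 +25,14 @@ sleep 1
 
 send -- "firejail --whitelist=/dev/null --whitelist=/dev/shm --whitelist=/dev/random\r"
 expect {
-timeout {puts "TESTING ERROR 0\n";exit}
+timeout {puts "TESTING ERROR 2\n";exit}
 "Child process initialized"
 }
 sleep 1
 
 send -- "find /dev | wc -l\r"
 expect {
-timeout {puts "TESTING ERROR 0.1\n";exit}
+timeout {puts "TESTING ERROR 3\n";exit}
 "4"
 }
 after 100
@@ -41,14 +41,14 @@ sleep 1
 
 send -- "firejail --private-dev --debug\r"
 expect {
-timeout {puts "TESTING ERROR 2\n";exit}
+timeout {puts "TESTING ERROR 4\n";exit}
 "Child process initialized"
 }
 sleep 1
 
 send -- "ls -l /dev | wc -l\r"
 expect {
-timeout {puts "TESTING ERROR 3\n";exit}
+timeout {puts "TESTING ERROR 5\n";exit}
 "12" {puts "OK\n"}
 "13" {puts "OK\n"}
 "14" {puts "OK\n"}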
diff --git a/test/profiles/test-profile.exp b/test/profiles/test-profile.exp index 6bc47f33f..63fb3a150 100755 --- a/test/profiles/test-profile.exp +++ b/test/profiles/test-profile.exp | |||
@@ -18,6 +18,5 @@ expect { | |||
18 | timeout {puts "TESTING ERROR 0\n";exit} | 18 | timeout {puts "TESTING ERROR 0\n";exit} |
19 | "done" | 19 | "done" |
20 | } | 20 | } |
21 | send -- "exit\r" | ||
22 | after 100 | 21 | after 100 |
23 | puts "\n" | 22 | puts "\n" |