-rw-r--r-- | Makefile.in | 3 | ||||
-rw-r--r-- | README | 9 | ||||
-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | RELNOTES | 3 | ||||
-rw-r--r-- | etc/firejail.config | 6 | ||||
-rw-r--r-- | etc/gnome-chess.profile | 6 | ||||
-rw-r--r-- | etc/strings.profile | 10 | ||||
-rw-r--r-- | platform/debian/conffiles | 1 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 7 | ||||
-rw-r--r-- | src/firejail/env.c | 2 | ||||
-rw-r--r-- | src/firejail/fs.c | 10 | ||||
-rwxr-xr-x | test/compile/compile.sh | 243 | ||||
-rwxr-xr-x | test/sysutils/sysutils.sh | 16 | ||||
-rw-r--r-- | todo | 13 |
14 files changed, 53 insertions, 278 deletions
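--- a/Makefile.in
+++ b/Makefile.in
@@ -160,9 +160,6 @@ snap: all
 install-snap: snap
 sudo snap remove faudit; sudo snap install faudit*.snap
 
-github-compile:
-cd test/compile; ./compile.sh
-
 dist-compile: dist
 cd test/dist-compile; ./compile.sh $(NAME)-$(VERSION)
 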
@@ -158,6 +158,7 @@ yumkam (https://github.com/yumkam) | |||
158 | - man page fixes | 158 | - man page fixes |
159 | mahdi1234 (https://github.com/mahdi1234) | 159 | mahdi1234 (https://github.com/mahdi1234) |
160 | - cherrytree profile | 160 | - cherrytree profile |
161 | - Seamonkey profiles | ||
161 | jrabe (https://github.com/jrabe) | 162 | jrabe (https://github.com/jrabe) |
162 | - disallow access to kdbx files | 163 | - disallow access to kdbx files |
163 | - Epiphany profile | 164 | - Epiphany profile |
@@ -176,6 +177,7 @@ pszxzsd (https://github.com/pszxzsd) | |||
176 | Rahiel Kasim (https://github.com/rahiel) | 177 | Rahiel Kasim (https://github.com/rahiel) |
177 | - Mathematica profile | 178 | - Mathematica profile |
178 | - whitelisted Dropbox profile | 179 | - whitelisted Dropbox profile |
180 | - whitelisted keysnail config for firefox | ||
179 | creideiki (https://github.com/creideiki) | 181 | creideiki (https://github.com/creideiki) |
180 | - make the sandbox process reap all children | 182 | - make the sandbox process reap all children |
181 | sinkuu (https://github.com/sinkuu) | 183 | sinkuu (https://github.com/sinkuu) |
@@ -187,8 +189,7 @@ Holger Heinz (https://github.com/hheinz) | |||
187 | - manpage work | 189 | - manpage work |
188 | Andrey Alekseenko (https://github.com/al42and) | 190 | Andrey Alekseenko (https://github.com/al42and) |
189 | - fixing lintian warnings | 191 | - fixing lintian warnings |
190 | mahdi1234 (https://github.com/mahdi1234) | 192 | - fixed Skype profile |
191 | - Seamonkey profiles | ||
192 | Ivan Kozik (https://github.com/ivan) | 193 | Ivan Kozik (https://github.com/ivan) |
193 | - speed up sandbox exit | 194 | - speed up sandbox exit |
194 | Christian Stadelmann (https://github.com/genodeftest) | 195 | Christian Stadelmann (https://github.com/genodeftest) |
@@ -199,8 +200,6 @@ Kaan Genç (https://github.com/SeriousBug) | |||
199 | - dynamic allocation of noblacklist buffer | 200 | - dynamic allocation of noblacklist buffer |
200 | Veeti Paananen (https://github.com/veeti) | 201 | Veeti Paananen (https://github.com/veeti) |
201 | - fixed Spotify profile | 202 | - fixed Spotify profile |
202 | Rahiel Kasim (https://github.com/rahiel) | ||
203 | - whitelist keysnail config for firefox | ||
204 | rogshdo (https://github.com/rogshdo) | 203 | rogshdo (https://github.com/rogshdo) |
205 | - BitlBee profile | 204 | - BitlBee profile |
206 | Bruno Nova (https://github.com/brunonova) | 205 | Bruno Nova (https://github.com/brunonova) |
@@ -208,8 +207,6 @@ Bruno Nova (https://github.com/brunonova) | |||
208 | - bash arguments fix | 207 | - bash arguments fix |
209 | Matt Parnell (https://github.com/ilikenwf) | 208 | Matt Parnell (https://github.com/ilikenwf) |
210 | - whitelisting for core firefox related functionality | 209 | - whitelisting for core firefox related functionality |
211 | Andrey Alekseenko (https://github.com/al42and) | ||
212 | - fixed Skype profile | ||
213 | Ondra Nekola (https://github.com/satai) | 210 | Ondra Nekola (https://github.com/satai) |
214 | - allow firefox theming with non-global themes | 211 | - allow firefox theming with non-global themes |
215 | emacsomancer (https://github.com/emacsomancer) | 212 | emacsomancer (https://github.com/emacsomancer) |
@@ -196,6 +196,6 @@ Browsers: Palemoon | |||
196 | 196 | ||
197 | ## New security profiles | 197 | ## New security profiles |
198 | 198 | ||
199 | Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview | 199 | Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview |
200 | tar (gtar), unzip, unrar, file, skypeforlinux, gnome-chess | 200 | tar (gtar), unzip, unrar, file, skypeforlinux, gnome-chess |
201 | 201 | ||
@@ -18,9 +18,10 @@ firejail (0.9.42~rc2) baseline; urgency=low | |||
18 | * seccomp filter updated | 18 | * seccomp filter updated |
19 | * compile time and run time support to disable whitelists | 19 | * compile time and run time support to disable whitelists |
20 | * compile time support to disable global configuration file | 20 | * compile time support to disable global configuration file |
21 | * added quiet-by-default config option in /etc/firejail/firejail.config | ||
21 | * added netfilter-default config option in /etc/firejail/firejail.config | 22 | * added netfilter-default config option in /etc/firejail/firejail.config |
22 | * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice | 23 | * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice |
23 | * new profiles: pix, audacity, strings, xz, xzdec, gzip, cpio, less | 24 | * new profiles: pix, audacity, xz, xzdec, gzip, cpio, less |
24 | * new profiles: Atom Beta, Atom, jitsi, eom, uudeview | 25 | * new profiles: Atom Beta, Atom, jitsi, eom, uudeview |
25 | * new profiles: tar (gtar), unzip, unrar, file, skypeforlinux | 26 | * new profiles: tar (gtar), unzip, unrar, file, skypeforlinux |
26 | -- netblue30 <netblue30@yahoo.com> Thu, 21 Jul 2016 08:00:00 -0500 | 27 | -- netblue30 <netblue30@yahoo.com> Thu, 21 Jul 2016 08:00:00 -0500 |
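--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -15,12 +15,16 @@
 # Force use of nonewprivs. This mitigates the possibility of
 # a user abusing firejail's features to trick a privileged (suid
 # or file capabilities) process into loading code or configuration
-# that is partially under their control. Default disabled
+# that is partially under their control. Default disabled.
 # force-nonewprivs no
 
 # Enable or disable networking features, default enabled.
 # network yes
 
+# Enable --quiet as default every time the sandbox is started. Default disabled.
+# quiet-by-default no
+
+
 # Enable or disable restricted network support, default disabled. If enabled,
 # networking features should also be enabled (network yes).
 # Restricted networking grants access to --interface, --net=ethXXX and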
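--- a/etc/gnome-chess.profile
+++ b/etc/gnome-chess.profile
@@ -7,14 +7,16 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-net none
 nogroups
 nonewprivs
 noroot
 nosound
+protocol unix
 seccomp
 shell none
 tracelog
 
-private-bin gnome-chess
+private-bin fairymax,gnome-chess,hoichess
 private-dev
+private-etc fonts,gnome-chess
+private-tmp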
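Review bot: Replacing `net none` with `protocol unix` changes the kind of isolation this profile gives, and nothing in the profile says why. `net none` put the game in its own empty network namespace, while `protocol unix` only restricts which socket families can be created, so the process stays in the host network namespace and can still reach UNIX sockets there, including abstract ones that a separate namespace would have hidden. If the swap is needed for the added engines (`fairymax`, `hoichess`) or for the desktop session, a comment above the line would record that, for example `# net none breaks <reason>; protocol unix still blocks inet/inet6/netlink sockets`. It is also worth confirming that `private-etc fonts,gnome-chess` leaves the engines the configuration they read at start-up.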
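--- a/etc/strings.profile
+++ /dev/null
@@ -1,10 +0,0 @@
-# strings profile
-quiet
-ignore noroot
-include /etc/firejail/default.profile
-tracelog
-net none
-shell none
-private-dev
-private-tmp
-nosound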
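--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -111,7 +111,6 @@
 /etc/firejail/ssh.profile
 /etc/firejail/steam.profile
 /etc/firejail/stellarium.profile
-/etc/firejail/strings.profile
 /etc/firejail/tar.profile
 /etc/firejail/telegram.profile
 /etc/firejail/thunderbird.profile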
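--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -220,7 +220,12 @@ int checkcfg(int val) {
 if (!xephyr_extra_params)
 errExit("strdup");
 }
 
+// quiet by default
+else if (strncmp(ptr, "quiet-by-default ", 17) == 0) {
+if (strcmp(ptr + 17, "yes") == 0)
+arg_quiet = 1;
+}
 else
 goto errout;
 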
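Review bot: The new `quiet-by-default` branch accepts any value: only `yes` has an effect, while `no`, `Yes`, a typo or a value with trailing whitespace is silently ignored instead of reaching `errout` the way an unknown key does. A configuration file that an administrator believes is valid should not be half-ignored, so I would reject anything that is neither `yes` nor `no` by adding `else if (strcmp(ptr + 17, "no") != 0) goto errout;` after the `arg_quiet = 1;` statement. The rest of `checkcfg()` lies outside this hunk, so this assumes the other yes/no options are validated in the same way.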
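--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -133,7 +133,7 @@ void env_defaults(void) {
 errExit("setenv");
 
 // set the window title
-printf("\033]0;firejail %s\007\n", cfg.window_title);
+printf("\033]0;firejail %s\007", cfg.window_title);fflush(0);
 }
 
 // parse and store the environment setting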
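Review bot: The title escape sequence on the changed `printf` line is written to stdout with `cfg.window_title` interpolated as-is, and the visible lines show neither a check that stdout is a terminal nor any filtering of the string. Now that the trailing newline is gone, a redirected or piped run gets the sequence fused onto the first line of the sandboxed program's output, and any control bytes in the title would be interpreted by the terminal rather than displayed. I would guard the write with `if (isatty(STDOUT_FILENO))`, make sure the title holds only printable characters where it is assigned (that code is outside this hunk), and put the flush on its own line as `fflush(stdout);`, since `fflush(0)` flushes every open output stream. `env_defaults()` starts above the hunk, so an existing guard there would make the first part moot.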
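--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -1064,6 +1064,16 @@ int fs_check_chroot_dir(const char *rootdir) {
 struct stat s;
 char *name;
 
+// rootdir has to be owned by root
+if (stat(rootdir, &s) != 0) {
+fprintf(stderr, "Error: cannot find chroot directory\n");
+return 1;
+}
+if (s.st_uid != 0) {
+fprintf(stderr, "Error: chroot directory should be owned by root\n");
+return 1;
+}
+
 // check /dev
 if (asprintf(&name, "%s/dev", rootdir) == -1)
 errExit("asprintf");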
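Review bot: The new ownership test checks only `st_uid`, so a root-owned path that is not a directory, or a root-owned directory that group or others can write to, still passes. For a directory that a setuid program is about to chroot into, the mode matters as much as the owner; the condition could be `if (s.st_uid != 0 || !S_ISDIR(s.st_mode) || (s.st_mode & (S_IWGRP | S_IWOTH)))` with the message adjusted to match. `stat()` also follows symlinks and the later checks rebuild paths from `rootdir` by name, so the result describes the directory only as of the call; whether that gap matters depends on who can modify the parent directories, which this hunk does not show. The body of `fs_check_chroot_dir()` continues past the hunk.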
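--- a/test/compile/compile.sh
+++ /dev/null
@@ -1,243 +0,0 @@
-#!/bin/bash
-
-arr[1]="TEST 1: standard compilation"
-arr[2]="TEST 2: compile seccomp disabled"
-arr[3]="TEST 3: compile chroot disabled"
-arr[4]="TEST 4: compile bind disabled"
-arr[5]="TEST 5: compile user namespace disabled"
-arr[6]="TEST 6: compile network disabled"
-arr[7]="TEST 7: compile X11 disabled"
-arr[8]="TEST 8: compile network restricted"
-arr[9]="TEST 9: compile file transfer disabled"
-
-
-# remove previous reports and output file
-cleanup() {
-rm -f report*
-rm -fr firejail
-rm -f oc* om*
-}
-
-print_title() {
-echo
-echo
-echo
-echo "**************************************************"
-echo $1
-echo "**************************************************"
-}
-
-while [ $# -gt 0 ]; do # Until you run out of parameters . . .
-case "$1" in
---clean)
-cleanup
-exit
-;;
---help)
-echo "./compile.sh [--clean|--help]"
-exit
-;;
-esac
-shift # Check next set of parameters.
-done
-
-cleanup
-
-#*****************************************************************
-# TEST 1
-#*****************************************************************
-# - checkout source code
-# - check compilation
-# - install
-#*****************************************************************
-print_title "${arr[1]}"
-git clone https://github.com/netblue30/firejail.git
-cd firejail
-./configure --prefix=/usr --enable-fatal-warnings 2>&1 | tee ../output-configure
-make -j4 2>&1 | tee ../output-make
-cd ..
-grep Warning output-configure output-make > ./report-test1
-grep Error output-configure output-make >> ./report-test1
-cp output-configure oc1
-cp output-make om1
-rm output-configure output-make
-
-
-#*****************************************************************
-# TEST 2
-#*****************************************************************
-# - disable seccomp configuration
-# - check compilation
-#*****************************************************************
-print_title "${arr[2]}"
-# seccomp
-cd firejail
-make distclean
-./configure --prefix=/usr --disable-seccomp --enable-fatal-warnings 2>&1 | tee ../output-configure
-make -j4 2>&1 | tee ../output-make
-cd ..
-grep Warning output-configure output-make > ./report-test2
-grep Error output-configure output-make >> ./report-test2
-cp output-configure oc2
-cp output-make om2
-rm output-configure output-make
-
-#*****************************************************************
-# TEST 3
-#*****************************************************************
-# - disable chroot configuration
-# - check compilation
-#*****************************************************************
-print_title "${arr[3]}"
-# seccomp
-cd firejail
-make distclean
-./configure --prefix=/usr --disable-chroot --enable-fatal-warnings 2>&1 | tee ../output-configure
-make -j4 2>&1 | tee ../output-make
-cd ..
-grep Warning output-configure output-make > ./report-test3
-grep Error output-configure output-make >> ./report-test3
-cp output-configure oc3
-cp output-make om3
-rm output-configure output-make
-
-#*****************************************************************
-# TEST 4
-#*****************************************************************
-# - disable bind configuration
-# - check compilation
-#*****************************************************************
-print_title "${arr[4]}"
-# seccomp
-cd firejail
-make distclean
-./configure --prefix=/usr --disable-bind --enable-fatal-warnings 2>&1 | tee ../output-configure
-make -j4 2>&1 | tee ../output-make
-cd ..
-grep Warning output-configure output-make > ./report-test4
-grep Error output-configure output-make >> ./report-test4
-cp output-configure oc4
-cp output-make om4
-rm output-configure output-make
-
-#*****************************************************************
-# TEST 5
-#*****************************************************************
-# - disable user namespace configuration
-# - check compilation
-#*****************************************************************
-print_title "${arr[5]}"
-# seccomp
-cd firejail
-make distclean
-./configure --prefix=/usr --disable-userns --enable-fatal-warnings 2>&1 | tee ../output-configure
-make -j4 2>&1 | tee ../output-make
-cd ..
-grep Warning output-configure output-make > ./report-test5
-grep Error output-configure output-make >> ./report-test5
-cp output-configure oc5
-cp output-make om5
-rm output-configure output-make
-
-#*****************************************************************
-# TEST 6
-#*****************************************************************
-# - disable user namespace configuration
-# - check compilation
-#*****************************************************************
-print_title "${arr[6]}"
-# seccomp
-cd firejail
-make distclean
-./configure --prefix=/usr --disable-network --enable-fatal-warnings 2>&1 | tee ../output-configure
-make -j4 2>&1 | tee ../output-make
-cd ..
-grep Warning output-configure output-make > ./report-test6
-grep Error output-configure output-make >> ./report-test6
-cp output-configure oc6
-cp output-make om6
-rm output-configure output-make
-
-#*****************************************************************
-# TEST 7
-#*****************************************************************
-# - disable X11 support
-# - check compilation
-#*****************************************************************
-print_title "${arr[7]}"
-# seccomp
-cd firejail
-make distclean
-./configure --prefix=/usr --disable-x11 --enable-fatal-warnings 2>&1 | tee ../output-configure
-make -j4 2>&1 | tee ../output-make
-cd ..
-grep Warning output-configure output-make > ./report-test7
-grep Error output-configure output-make >> ./report-test7
-cp output-configure oc7
-cp output-make om7
-rm output-configure output-make
-
-
-#*****************************************************************
-# TEST 8
-#*****************************************************************
-# - enable network restricted
-# - check compilation
-#*****************************************************************
-print_title "${arr[8]}"
-# seccomp
-cd firejail
-make distclean
-./configure --prefix=/usr --enable-network=restricted --enable-fatal-warnings 2>&1 | tee ../output-configure
-make -j4 2>&1 | tee ../output-make
-cd ..
-grep Warning output-configure output-make > ./report-test8
-grep Error output-configure output-make >> ./report-test8
-cp output-configure oc8
-cp output-make om8
-rm output-configure output-make
-
-
-#*****************************************************************
-# TEST 9
-#*****************************************************************
-# - disable file transfer
-# - check compilation
-#*****************************************************************
-print_title "${arr[9]}"
-# seccomp
-cd firejail
-make distclean
-./configure --prefix=/usr --enable-network=restricted --enable-fatal-warnings 2>&1 | tee ../output-configure
-make -j4 2>&1 | tee ../output-make
-cd ..
-grep Warning output-configure output-make > ./report-test9
-grep Error output-configure output-make >> ./report-test9
-cp output-configure oc9
-cp output-make om9
-rm output-configure output-make
-
-
-#*****************************************************************
-# PRINT REPORTS
-#*****************************************************************
-echo
-echo
-echo
-echo
-echo "**********************************************************"
-echo "TEST RESULTS"
-echo "**********************************************************"
-
-wc -l report-test*
-echo
-echo "Legend:"
-echo ${arr[1]}
-echo ${arr[2]}
-echo ${arr[3]}
-echo ${arr[4]}
-echo ${arr[5]}
-echo ${arr[6]}
-echo ${arr[7]}
-echo ${arr[8]}
-echo ${arr[9]}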
diff --git a/test/sysutils/sysutils.sh b/test/sysutils/sysutils.sh index 315b73c9d..99939133d 100755 --- a/test/sysutils/sysutils.sh +++ b/test/sysutils/sysutils.sh | |||
@@ -15,14 +15,14 @@ else | |||
15 | echo "TESTING SKIP: cpio not found" | 15 | echo "TESTING SKIP: cpio not found" |
16 | fi | 16 | fi |
17 | 17 | ||
18 | which strings | 18 | #which strings |
19 | if [ "$?" -eq 0 ]; | 19 | #if [ "$?" -eq 0 ]; |
20 | then | 20 | #then |
21 | echo "TESTING: strings" | 21 | # echo "TESTING: strings" |
22 | ./strings.exp | 22 | # ./strings.exp |
23 | else | 23 | #else |
24 | echo "TESTING SKIP: strings not found" | 24 | # echo "TESTING SKIP: strings not found" |
25 | fi | 25 | #fi |
26 | 26 | ||
27 | which gzip | 27 | which gzip |
28 | if [ "$?" -eq 0 ]; | 28 | if [ "$?" -eq 0 ]; |
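Review bot: The `strings` test is disabled by commenting out eight lines with no explanation in the script, so a later reader cannot tell whether it was dropped on purpose or left over from debugging. A single comment would carry the reason, for example `# strings test disabled while strings.profile is removed; see todo item 25`, and the dead lines could then be deleted rather than kept as comments. The script continues on both sides of the hunk.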
@@ -266,3 +266,16 @@ $ sudo aa-notify -p -f /var/log/audit/audit.log | |||
266 | 24. check monitor proc behaviour for sandboxes with --blacklist=/proc | 266 | 24. check monitor proc behaviour for sandboxes with --blacklist=/proc |
267 | also check --apparmor in this case | 267 | also check --apparmor in this case |
268 | 268 | ||
269 | 25. bring back strings.profile | ||
270 | |||
271 | # strings profile | ||
272 | quiet | ||
273 | ignore noroot | ||
274 | include /etc/firejail/default.profile | ||
275 | tracelog | ||
276 | net none | ||
277 | shell none | ||
278 | private-dev | ||
279 | private-tmp | ||
280 | nosound | ||
281 | |||