-rw-r--r-- | README | 14 | ||||
-rw-r--r-- | README.md | 12 | ||||
-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | etc/arch-audit.profile | 40 | ||||
-rw-r--r-- | etc/audacious.profile | 1 | ||||
-rw-r--r-- | etc/conky.profile | 35 | ||||
-rw-r--r-- | etc/corebird.profile | 14 | ||||
-rw-r--r-- | etc/disable-common.inc | 8 | ||||
-rw-r--r-- | etc/disable-programs.inc | 1 | ||||
-rw-r--r-- | etc/ffmpeg.profile | 33 | ||||
-rw-r--r-- | etc/firefox.profile | 3 | ||||
-rw-r--r-- | etc/geary.profile | 1 | ||||
-rw-r--r-- | etc/musescore.profile | 1 | ||||
-rw-r--r-- | etc/quiterss.profile | 1 | ||||
-rw-r--r-- | etc/smtube.profile (renamed from smtube.profile) | 0 | ||||
-rw-r--r-- | etc/thunderbird.profile | 1 | ||||
-rw-r--r-- | etc/tuxguitar.profile | 1 | ||||
-rw-r--r-- | etc/whitelist-common.inc | 7 | ||||
-rw-r--r-- | etc/whitelist-var-common.inc | 1 | ||||
-rw-r--r-- | platform/debian/conffiles | 1 | ||||
-rw-r--r-- | src/fbuilder/build_bin.c | 121 | ||||
-rw-r--r-- | src/fbuilder/build_profile.c | 4 | ||||
-rw-r--r-- | src/fbuilder/fbuilder.h | 3 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 5 | ||||
-rw-r--r-- | src/firecfg/main.c | 104 | ||||
-rw-r--r-- | src/firejail/util.c | 2 | ||||
-rw-r--r-- | src/libtrace/libtrace.c | 12 | ||||
-rw-r--r-- | src/man/firejail.txt | 6 | ||||
-rwxr-xr-x | test/sysutils/less.exp | 6 |
29 files changed, 405 insertions, 34 deletions
@@ -35,6 +35,8 @@ Maintainer: | |||
35 | Committers | 35 | Committers |
36 | - Fred-Barclay (https://github.com/Fred-Barclay) | 36 | - Fred-Barclay (https://github.com/Fred-Barclay) |
37 | - Reiner Herrmann (https://github.com/reinerh) | 37 | - Reiner Herrmann (https://github.com/reinerh) |
38 | - smithsohu (https://github.com/smitsohu) | ||
39 | - SpotComms (https://github.com/SpotComms) | ||
38 | - startx2017 (https://github.com/startx2017) - 0.9.38-LTS and *bugfixes branches maintainer | 40 | - startx2017 (https://github.com/startx2017) - 0.9.38-LTS and *bugfixes branches maintainer |
39 | - Topi Miettinen (https://github.com/topimiettinen) | 41 | - Topi Miettinen (https://github.com/topimiettinen) |
40 | - netblue30 (netblue30@yahoo.com) | 42 | - netblue30 (netblue30@yahoo.com) |
@@ -112,6 +114,10 @@ creideiki (https://github.com/creideiki) | |||
112 | - make the sandbox process reap all children | 114 | - make the sandbox process reap all children |
113 | chiraag-nataraj (https://github.com/chiraag-nataraj) | 115 | chiraag-nataraj (https://github.com/chiraag-nataraj) |
114 | - support for newer Xpra versions (2.1+) | 116 | - support for newer Xpra versions (2.1+) |
117 | - added Viber, amule, ardour5, brackets, calligra, cin, fetchmail profiles | ||
118 | - added freecad, google-earth, imagej, kdenlive, linphone, lmms profiles | ||
119 | - added macrofusion, mpd, natron, ricochet, shotcut, tor-browser-en profiles | ||
120 | - added tor, x-terminal-emulator, zart profiles | ||
115 | Christian Stadelmann (https://github.com/genodeftest) | 121 | Christian Stadelmann (https://github.com/genodeftest) |
116 | - profile fixes | 122 | - profile fixes |
117 | - evolution profile fix | 123 | - evolution profile fix |
@@ -241,6 +247,8 @@ Impyy (https://github.com/Impyy) | |||
241 | - added mumble profile | 247 | - added mumble profile |
242 | irregulator (https://github.com/irregulator) | 248 | irregulator (https://github.com/irregulator) |
243 | - thunderbird profile fixes for debian stretch | 249 | - thunderbird profile fixes for debian stretch |
250 | Irvine (https://github.com/Irvinehimself) | ||
251 | - added conky profile | ||
244 | Ivan Kozik (https://github.com/ivan) | 252 | Ivan Kozik (https://github.com/ivan) |
245 | - speed up sandbox exit | 253 | - speed up sandbox exit |
246 | Jaykishan Mutkawoa (https://github.com/jmutkawoa) | 254 | Jaykishan Mutkawoa (https://github.com/jmutkawoa) |
@@ -307,6 +315,8 @@ Mattias Wadman (https://github.com/wader) | |||
307 | - seccomp errno filter support | 315 | - seccomp errno filter support |
308 | Matthew Gyurgyik (https://github.com/pyther) | 316 | Matthew Gyurgyik (https://github.com/pyther) |
309 | - rpm spec and several fixes | 317 | - rpm spec and several fixes |
318 | melvinvermeeren (https://github.com/melvinvermeeren) | ||
319 | - added teamspeak3 profile | ||
310 | Michael Haas (https://github.com/mhaas) | 320 | Michael Haas (https://github.com/mhaas) |
311 | - bugfixes | 321 | - bugfixes |
312 | Mike Frysinger (vapier@gentoo.org) | 322 | Mike Frysinger (vapier@gentoo.org) |
@@ -320,6 +330,8 @@ n1trux (https://github.com/n1trux) | |||
320 | netblue30 (netblue30@yahoo.com) | 330 | netblue30 (netblue30@yahoo.com) |
321 | Niklas Haas (https://github.com/haasn) | 331 | Niklas Haas (https://github.com/haasn) |
322 | - blacklisting for keybase.io's client | 332 | - blacklisting for keybase.io's client |
333 | nyancat18 (https://github.com/nyancat18) | ||
334 | - added ardour4, dooble, karbon, krita profiles | ||
323 | Ondra Nekola (https://github.com/satai) | 335 | Ondra Nekola (https://github.com/satai) |
324 | - allow firefox theming with non-global themes | 336 | - allow firefox theming with non-global themes |
325 | Panzerfather (https://github.com/Panzerfather) | 337 | Panzerfather (https://github.com/Panzerfather) |
@@ -343,6 +355,8 @@ Peter Hogg (https://github.com/pigmonkey) | |||
343 | - fixes for youtube-dl in mpv profile | 355 | - fixes for youtube-dl in mpv profile |
344 | Petter Reinholdtsen (pere@hungry.com) | 356 | Petter Reinholdtsen (pere@hungry.com) |
345 | - Opera profile patch | 357 | - Opera profile patch |
358 | PharmaceuticalCobweb (https://github.com/PharmaceuticalCobweb) | ||
359 | - fix quiterss profile | ||
346 | pirate486743186 (https://github.com/pirate486743186) | 360 | pirate486743186 (https://github.com/pirate486743186) |
347 | - KMail profile | 361 | - KMail profile |
348 | Pixel Fairy (https://github.com/xahare) | 362 | Pixel Fairy (https://github.com/xahare) |
@@ -114,12 +114,12 @@ in order to allow strace to run. Chromium and Chromium-based browsers will not w | |||
114 | 114 | ||
115 | Example: | 115 | Example: |
116 | ````` | 116 | ````` |
117 | $ firejail --build vlc ~/Videos/test.mp4 | 117 | $ firejail --build /usr/bin/vlc ~/Videos/test.mp4 |
118 | 118 | ||
119 | [...] | 119 | [...] |
120 | 120 | ||
121 | ############################################ | 121 | ############################################ |
122 | # vlc profile | 122 | # /usr/bin/vlc profile |
123 | ############################################ | 123 | ############################################ |
124 | # Persistent global definitions | 124 | # Persistent global definitions |
125 | # include /etc/firejail/globals.local | 125 | # include /etc/firejail/globals.local |
@@ -141,13 +141,14 @@ private-tmp | |||
141 | private-dev | 141 | private-dev |
142 | private-etc vdpau_wrapper.cfg,udev,drirc,fonts,xdg,gtk-3.0,machine-id,selinux, | 142 | private-etc vdpau_wrapper.cfg,udev,drirc,fonts,xdg,gtk-3.0,machine-id,selinux, |
143 | whitelist /var/lib/menu-xdg | 143 | whitelist /var/lib/menu-xdg |
144 | # private-bin vlc, | ||
144 | 145 | ||
145 | ### security filters | 146 | ### security filters |
146 | caps.drop all | 147 | caps.drop all |
147 | nonewprivs | 148 | nonewprivs |
148 | seccomp | 149 | seccomp |
149 | # seccomp.keep futex,poll,rt_sigtimedwait,ioctl,fdatasync,stat,writev,read,recvmsg,mprotect,write,sendto,clock_nanosleep,open,dup3,mmap,rt_sigprocmask,close,fstat,lstat,lseek,munmap,brk,rt_sigaction,rt_sigreturn,access,madvise,shmget,shmat,shmctl,alarm,getpid,socket,connect,recvfrom,sendmsg,shutdown,getsockname,getpeername,setsockopt,getsockopt,clone,execve,uname,shmdt,fcntl,flock,ftruncate,getdents,rename,mkdir,unlink,readlink,chmod,getrlimit,sysinfo,getuid,getgid,setuid,setgid,geteuid,getegid,getppid,getpgrp,setresuid,getresuid,setresgid,getresgid,statfs,fstatfs,prctl,arch_prctl,sched_getaffinity,set_tid_address,fadvise64,clock_getres,tgkill,set_robust_list,eventfd2,pipe2,getrandom,memfd_create | 150 | # seccomp.keep futex,poll,rt_sigtimedwait,ioctl,fdatasync,read,writev,sendmsg,sendto,write,recvmsg,mmap,mprotect,getpid,stat,clock_nanosleep,munmap,close,access,lseek,fcntl,open,fstat,lstat,brk,rt_sigaction,rt_sigprocmask,rt_sigreturn,madvise,shmget,shmat,shmctl,alarm,socket,connect,recvfrom,shutdown,getsockname,getpeername,setsockopt,getsockopt,clone,execve,uname,shmdt,flock,ftruncate,getdents,rename,mkdir,unlink,readlink,chmod,getrlimit,sysinfo,getuid,getgid,geteuid,getegid,getresuid,getresgid,statfs,fstatfs,prctl,arch_prctl,sched_getaffinity,set_tid_address,fadvise64,clock_getres,tgkill,set_robust_list,eventfd2,dup3,pipe2,getrandom,memfd_create |
150 | # 82 syscalls total | 151 | # 76 syscalls total |
151 | # Probably you will need to add more syscalls to seccomp.keep. Look for | 152 | # Probably you will need to add more syscalls to seccomp.keep. Look for |
152 | # seccomp errors in /var/log/syslog or /var/log/audit/audit.log while | 153 | # seccomp errors in /var/log/syslog or /var/log/audit/audit.log while |
153 | # running your sandbox. | 154 | # running your sandbox. |
@@ -178,4 +179,5 @@ amule, ardour4, ardour5, brackets, calligra, calligraauthor, calligraconverter, | |||
178 | calligraflow, calligraplan, calligraplanwork, calligrasheets, calligrastage, | 179 | calligraflow, calligraplan, calligraplanwork, calligrasheets, calligrastage, |
179 | calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd, google-earth, | 180 | calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd, google-earth, |
180 | imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion, mpd, natron, Natron, | 181 | imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion, mpd, natron, Natron, |
181 | ricochet, shotcut, teamspeak3, tor, tor-browser-en, Viber, x-terminal-emulator, zart | 182 | ricochet, shotcut, teamspeak3, tor, tor-browser-en, Viber, x-terminal-emulator, zart, |
183 | conky, arch-audit, ffmpeg | ||
@@ -1,5 +1,6 @@ | |||
1 | firejail (0.9.51) baseline; urgency=low | 1 | firejail (0.9.51) baseline; urgency=low |
2 | * work in progress! | 2 | * work in progress! |
3 | * enhancement: support Firejail user config directory in firecfg | ||
3 | * feature: --writable-run-user | 4 | * feature: --writable-run-user |
4 | * feature: profile build tool (--build) | 5 | * feature: profile build tool (--build) |
5 | -- netblue30 <netblue30@yahoo.com> Thu, 14 Sep 2017 20:00:00 -0500 | 6 | -- netblue30 <netblue30@yahoo.com> Thu, 14 Sep 2017 20:00:00 -0500 |
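--- /dev/null
+++ b/etc/arch-audit.profile
@@ -0,0 +1,40 @@
+# Firejail profile for arch-audit
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include /etc/firejail/arch-audit.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist /var/lib/pacman
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private
+private-bin arch-audit
+private-dev
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp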
diff --git a/etc/audacious.profile b/etc/audacious.profile index bd2367fe0..52e701821 100644 --- a/etc/audacious.profile +++ b/etc/audacious.profile | |||
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc | |||
15 | 15 | ||
16 | caps.drop all | 16 | caps.drop all |
17 | netfilter | 17 | netfilter |
18 | nogroups | ||
18 | nonewprivs | 19 | nonewprivs |
19 | noroot | 20 | noroot |
20 | notv | 21 | notv |
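--- /dev/null
+++ b/etc/conky.profile
@@ -0,0 +1,35 @@
+# Firejail profile for conky
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/conky.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp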
diff --git a/etc/corebird.profile b/etc/corebird.profile index 87f7a970b..99a3335ef 100644 --- a/etc/corebird.profile +++ b/etc/corebird.profile | |||
@@ -5,16 +5,30 @@ include /etc/firejail/corebird.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | noblacklist ~/.config/corebird | ||
8 | 9 | ||
9 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
11 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
12 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
13 | 14 | ||
15 | include /etc/firejail/whitelist-var-common.inc | ||
16 | |||
14 | caps.drop all | 17 | caps.drop all |
15 | netfilter | 18 | netfilter |
16 | nodvd | 19 | nodvd |
20 | nogroups | ||
21 | nonewprivs | ||
17 | noroot | 22 | noroot |
18 | notv | 23 | notv |
24 | novideo | ||
19 | protocol unix,inet,inet6 | 25 | protocol unix,inet,inet6 |
20 | seccomp | 26 | seccomp |
27 | shell none | ||
28 | |||
29 | private-bin corebird | ||
30 | private-dev | ||
31 | private-tmp | ||
32 | |||
33 | noexec ${HOME} | ||
34 | noexec /tmp | ||
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index ca6ba9710..abce0fe57 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc | |||
@@ -2,15 +2,14 @@ | |||
2 | # Persistent customizations should go in a .local file. | 2 | # Persistent customizations should go in a .local file. |
3 | include /etc/firejail/disable-common.local | 3 | include /etc/firejail/disable-common.local |
4 | 4 | ||
5 | # History files and clipboard managers in $HOME | 5 | # History files in $HOME and clipboard managers |
6 | blacklist-nolog ${HOME}/.*_history | 6 | blacklist-nolog ${HOME}/.*_history |
7 | blacklist-nolog ${HOME}/.adobe | 7 | blacklist-nolog ${HOME}/.adobe |
8 | blacklist-nolog ${HOME}/.bash_history | 8 | blacklist-nolog ${HOME}/.cache/greenclip* |
9 | blacklist-nolog ${HOME}/.history | 9 | blacklist-nolog ${HOME}/.history |
10 | blacklist-nolog ${HOME}/.local/share/fish/fish_history | 10 | blacklist-nolog ${HOME}/.local/share/fish/fish_history |
11 | blacklist-nolog ${HOME}/.macromedia | 11 | blacklist-nolog ${HOME}/.macromedia |
12 | blacklist-nolog /tmp/clipmenu* | 12 | blacklist-nolog /tmp/clipmenu* |
13 | blacklist-nolog ${HOME}/.cache/greenclip* | ||
14 | 13 | ||
15 | # X11 session autostart | 14 | # X11 session autostart |
16 | # blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs | 15 | # blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs |
@@ -229,7 +228,6 @@ blacklist ${HOME}/.mutt/muttrc | |||
229 | blacklist ${HOME}/.muttrc | 228 | blacklist ${HOME}/.muttrc |
230 | blacklist ${HOME}/.netrc | 229 | blacklist ${HOME}/.netrc |
231 | blacklist ${HOME}/.pki | 230 | blacklist ${HOME}/.pki |
232 | blacklist ${HOME}/.password-store | ||
233 | blacklist ${HOME}/.smbcredentials | 231 | blacklist ${HOME}/.smbcredentials |
234 | blacklist ${HOME}/.ssh | 232 | blacklist ${HOME}/.ssh |
235 | blacklist /etc/group+ | 233 | blacklist /etc/group+ |
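Review bot: The second hunk drops `blacklist ${HOME}/.password-store` and nothing visible in this commit replaces it, so a profile that includes only disable-common.inc no longer hides the pass store. If the entry is meant to be covered by disable-passwdmgr.inc (included by the new profiles here, but its content is not shown), state that in the commit message and confirm that every profile which relied on the old line also includes that file. Dropping `${HOME}/.bash_history` in the first hunk looks safe, since the `${HOME}/.*_history` pattern above it already matches that name.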
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 88b7e7d32..615e28172 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
@@ -82,6 +82,7 @@ blacklist ${HOME}/.config/chromium-dev | |||
82 | blacklist ${HOME}/.config/chromium-flags.conf | 82 | blacklist ${HOME}/.config/chromium-flags.conf |
83 | blacklist ${HOME}/.config/clipit | 83 | blacklist ${HOME}/.config/clipit |
84 | blacklist ${HOME}/.config/cmus | 84 | blacklist ${HOME}/.config/cmus |
85 | blacklist ${HOME}/.config/corebird | ||
85 | blacklist ${HOME}/.config/darktable | 86 | blacklist ${HOME}/.config/darktable |
86 | blacklist ${HOME}/.config/deadbeef | 87 | blacklist ${HOME}/.config/deadbeef |
87 | blacklist ${HOME}/.config/deluge | 88 | blacklist ${HOME}/.config/deluge |
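--- /dev/null
+++ b/etc/ffmpeg.profile
@@ -0,0 +1,33 @@
+# Firejail profile for default
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include /etc/firejail/ffmpeg.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+net none
+no3d
+nodvd
+nosound
+notv
+novideo
+nonewprivs
+noroot
+# protocol none - needs to be implemented!
+seccomp
+# seccomp.keep futex,write,read,munmap,fstat,mprotect,mmap,open,close,stat,lseek,brk,rt_sigaction,rt_sigprocmask,ioctl,access,select,madvise,getpid,clone,execve,fcntl,getdents,readlink,getrlimit,getrusage,statfs,getpriority,setpriority,arch_prctl,sched_getaffinity,set_tid_address,set_robust_list,getrandom
+# memory-deny-write-execute - it breaks old versions of ffmpeg
+shell none
+tracelog
+
+private-tmp
+private-dev
+private-bin ffmpeg
+include /etc/firejail/whitelist-var-common.inc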
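Review bot: The header comment on line 1 still reads `# Firejail profile for default`, apparently left over from the template; it should be `# Firejail profile for ffmpeg`. The profile also has no `nogroups`, which this same commit adds to audacious, musescore and tuxguitar and which the new arch-audit and conky profiles carry. Unless ffmpeg needs a supplementary group, add `nogroups` alongside the other `no*` lines.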
diff --git a/etc/firefox.profile b/etc/firefox.profile index f65b020a9..1f4a8e3f6 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile | |||
@@ -73,7 +73,8 @@ seccomp | |||
73 | shell none | 73 | shell none |
74 | tracelog | 74 | tracelog |
75 | 75 | ||
76 | # private-bin firefox,which,sh,dbus-launch,dbus-send,env | 76 | # firefox requires a shell to launch on Arch. We can possibly remove sh though. |
77 | # private-bin firefox,which,sh,dbus-launch,dbus-send,env,sh,bash | ||
77 | private-dev | 78 | private-dev |
78 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse | 79 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse |
79 | private-tmp | 80 | private-tmp |
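Review bot: The commented `private-bin` list on new line 77 now names `sh` twice (`...,env,sh,bash`), so anyone who uncomments it gets a redundant entry; write it as `# private-bin firefox,which,sh,dbus-launch,dbus-send,env,bash`. The comment above it says a shell is needed on Arch but not which one. Since every shell kept in private-bin is available to a compromised browser process, it is worth recording whether `bash` alone is enough so the other can be dropped.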
diff --git a/etc/geary.profile b/etc/geary.profile index 7878154a6..3ab4a21d8 100644 --- a/etc/geary.profile +++ b/etc/geary.profile | |||
@@ -14,7 +14,6 @@ noblacklist ~/.local/share/geary | |||
14 | mkdir ~/.gnupg | 14 | mkdir ~/.gnupg |
15 | mkdir ~/.local/share/geary | 15 | mkdir ~/.local/share/geary |
16 | whitelist ~/.gnupg | 16 | whitelist ~/.gnupg |
17 | whitelist ~/.local/share/applications | ||
18 | whitelist ~/.local/share/geary | 17 | whitelist ~/.local/share/geary |
19 | include /etc/firejail/whitelist-common.inc | 18 | include /etc/firejail/whitelist-common.inc |
20 | 19 | ||
diff --git a/etc/musescore.profile b/etc/musescore.profile index 3b5a0b13c..b039d07b2 100644 --- a/etc/musescore.profile +++ b/etc/musescore.profile | |||
@@ -19,6 +19,7 @@ caps.drop all | |||
19 | netfilter | 19 | netfilter |
20 | no3d | 20 | no3d |
21 | nodvd | 21 | nodvd |
22 | nogroups | ||
22 | nonewprivs | 23 | nonewprivs |
23 | noroot | 24 | noroot |
24 | notv | 25 | notv |
diff --git a/etc/quiterss.profile b/etc/quiterss.profile index 96fe04e83..f820b590e 100644 --- a/etc/quiterss.profile +++ b/etc/quiterss.profile | |||
@@ -23,6 +23,7 @@ whitelist ${HOME}/.cache/QuiteRss | |||
23 | whitelist ${HOME}/.config/QuiteRss/ | 23 | whitelist ${HOME}/.config/QuiteRss/ |
24 | whitelist ${HOME}/.config/QuiteRssrc | 24 | whitelist ${HOME}/.config/QuiteRssrc |
25 | whitelist ${HOME}/.local/share/data/QuiteRss | 25 | whitelist ${HOME}/.local/share/data/QuiteRss |
26 | whitelist ${HOME}/.local/share/QuiteRss | ||
26 | whitelist ${HOME}/quiterssfeeds.opml | 27 | whitelist ${HOME}/quiterssfeeds.opml |
27 | include /etc/firejail/whitelist-common.inc | 28 | include /etc/firejail/whitelist-common.inc |
28 | 29 | ||
diff --git a/smtube.profile b/etc/smtube.profile index 2694dd5b0..2694dd5b0 100644 --- a/smtube.profile +++ b/etc/smtube.profile | |||
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile index 17bf51873..8e878eb1c 100644 --- a/etc/thunderbird.profile +++ b/etc/thunderbird.profile | |||
@@ -20,7 +20,6 @@ mkdir ~/.thunderbird | |||
20 | whitelist ~/.cache/thunderbird | 20 | whitelist ~/.cache/thunderbird |
21 | whitelist ~/.gnupg | 21 | whitelist ~/.gnupg |
22 | whitelist ~/.icedove | 22 | whitelist ~/.icedove |
23 | whitelist ~/.local/share/applications | ||
24 | whitelist ~/.thunderbird | 23 | whitelist ~/.thunderbird |
25 | include /etc/firejail/whitelist-common.inc | 24 | include /etc/firejail/whitelist-common.inc |
26 | 25 | ||
diff --git a/etc/tuxguitar.profile b/etc/tuxguitar.profile index 5b6a257f6..fbc198cc3 100644 --- a/etc/tuxguitar.profile +++ b/etc/tuxguitar.profile | |||
@@ -17,6 +17,7 @@ caps.drop all | |||
17 | netfilter | 17 | netfilter |
18 | no3d | 18 | no3d |
19 | nodvd | 19 | nodvd |
20 | nogroups | ||
20 | nonewprivs | 21 | nonewprivs |
21 | noroot | 22 | noroot |
22 | notv | 23 | notv |
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc index ef95a7e5e..310149ecd 100644 --- a/etc/whitelist-common.inc +++ b/etc/whitelist-common.inc | |||
@@ -35,10 +35,14 @@ whitelist ~/.gtkrc-2.0 | |||
35 | whitelist ~/.gtk-2.0 | 35 | whitelist ~/.gtk-2.0 |
36 | whitelist ~/.config/gtk-2.0 | 36 | whitelist ~/.config/gtk-2.0 |
37 | whitelist ~/.config/gtk-3.0 | 37 | whitelist ~/.config/gtk-3.0 |
38 | whitelist ~/.config/gtkrc | ||
39 | whitelist ~/.config/gtkrc-2.0 | ||
38 | whitelist ~/.themes | 40 | whitelist ~/.themes |
39 | whitelist ~/.local/share/themes | 41 | whitelist ~/.local/share/themes |
40 | whitelist ~/.kde/share/config/gtkrc | 42 | whitelist ~/.kde/share/config/gtkrc |
41 | whitelist ~/.kde/share/config/gtkrc-2.0 | 43 | whitelist ~/.kde/share/config/gtkrc-2.0 |
44 | whitelist ~/.kde4/share/config/gtkrc | ||
45 | whitelist ~/.kde4/share/config/gtkrc-2.0 | ||
42 | whitelist ~/.gnome2 | 46 | whitelist ~/.gnome2 |
43 | whitelist ~/.gnome2-private | 47 | whitelist ~/.gnome2-private |
44 | 48 | ||
@@ -51,3 +55,6 @@ whitelist ~/.config/kdeglobals | |||
51 | whitelist ~/.kde/share/config/oxygenrc | 55 | whitelist ~/.kde/share/config/oxygenrc |
52 | whitelist ~/.kde/share/config/kdeglobals | 56 | whitelist ~/.kde/share/config/kdeglobals |
53 | whitelist ~/.kde/share/icons | 57 | whitelist ~/.kde/share/icons |
58 | whitelist ~/.kde4/share/config/oxygenrc | ||
59 | whitelist ~/.kde4/share/config/kdeglobals | ||
60 | whitelist ~/.kde4/share/icons | ||
diff --git a/etc/whitelist-var-common.inc b/etc/whitelist-var-common.inc index bd3473acc..024995f20 100644 --- a/etc/whitelist-var-common.inc +++ b/etc/whitelist-var-common.inc | |||
@@ -8,3 +8,4 @@ whitelist /var/lib/menu-xdg | |||
8 | whitelist /var/cache/fontconfig | 8 | whitelist /var/cache/fontconfig |
9 | whitelist /var/tmp | 9 | whitelist /var/tmp |
10 | whitelist /var/run | 10 | whitelist /var/run |
11 | whitelist /var/lock | ||
diff --git a/platform/debian/conffiles b/platform/debian/conffiles index af6547f7f..27623aee3 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles | |||
@@ -358,3 +358,4 @@ | |||
358 | /etc/firejail/yandex-browser.profile | 358 | /etc/firejail/yandex-browser.profile |
359 | /etc/firejail/itch.profile | 359 | /etc/firejail/itch.profile |
360 | /etc/firejail/whitelist-var-common.inc | 360 | /etc/firejail/whitelist-var-common.inc |
361 | /etc/firejail/ffmpeg | ||
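Review bot: The added entry `/etc/firejail/ffmpeg` has no `.profile` suffix, while the file this commit adds is `etc/ffmpeg.profile` and the neighbouring entries carry full file names; it should read `/etc/firejail/ffmpeg.profile`. As written, the packaging presumably does not treat the real profile as a conffile. The new `arch-audit.profile` and `conky.profile` get no entry in this section either, so confirm whether they should be listed too.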
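--- /dev/null
+++ b/src/fbuilder/build_bin.c
@@ -0,0 +1,121 @@
+/*
+* Copyright (C) 2014-2017 Firejail Authors
+*
+* This file is part of firejail project
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fbuilder.h"
+
+static FileDB *bin_out = NULL;
+
+static void process_bin(const char *fname) {
+assert(fname);
+
+// process trace file
+FILE *fp = fopen(fname, "r");
+if (!fp) {
+fprintf(stderr, "Error: cannot open %s\n", fname);
+exit(1);
+}
+
+char buf[MAX_BUF];
+while (fgets(buf, MAX_BUF, fp)) {
+// remove \n
+char *ptr = strchr(buf, '\n');
+if (ptr)
+*ptr = '\0';
+
+// parse line: 4:galculator:access /etc/fonts/conf.d:0
+// number followed by :
+ptr = buf;
+if (!isdigit(*ptr))
+continue;
+while (isdigit(*ptr))
+ptr++;
+if (*ptr != ':')
+continue;
+ptr++;
+
+// next :
+ptr = strchr(ptr, ':');
+if (!ptr)
+continue;
+ptr++;
+if (strncmp(ptr, "exec ", 5) == 0)
+ptr += 5;
+else
+continue;
+if (strncmp(ptr, "/bin/", 5) == 0)
+ptr += 5;
+else if (strncmp(ptr, "/sbin/", 6) == 0)
+ptr += 6;
+else if (strncmp(ptr, "/usr/bin/", 9) == 0)
+ptr += 9;
+else if (strncmp(ptr, "/usr/sbin/", 10) == 0)
+ptr += 10;
+else if (strncmp(ptr, "/usr/local/bin/", 15) == 0)
+ptr += 15;
+else if (strncmp(ptr, "/usr/local/sbin/", 16) == 0)
+ptr += 16;
+else if (strncmp(ptr, "/usr/games/", 11) == 0)
+ptr += 12;
+else if (strncmp(ptr, "/usr/local/games/", 17) == 0)
+ptr += 17;
+else
+continue;
+
+// end of filename
+char *ptr2 = strchr(ptr, ':');
+if (!ptr2)
+continue;
+*ptr2 = '\0';
+
+bin_out = filedb_add(bin_out, ptr);
+}
+
+fclose(fp);
+}
+
+
+// process fname, fname.1, fname.2, fname.3, fname.4, fname.5
+void build_bin(const char *fname) {
+assert(fname);
+
+// run fname
+process_bin(fname);
+
+// run all the rest
+struct stat s;
+int i;
+for (i = 1; i <= 5; i++) {
+char *newname;
+if (asprintf(&newname, "%s.%d", fname, i) == -1)
+errExit("asprintf");
+if (stat(newname, &s) == 0)
+process_bin(newname);
+free(newname);
+}
+
+if (bin_out) {
+printf("# private-bin ");
+FileDB *ptr = bin_out;
+while (ptr) {
+printf("%s,", ptr->fname);
+ptr = ptr->next;
+}
+printf("\n");
+}
+}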
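Review bot: In process_bin() the `/usr/games/` branch (new lines 73-74) compares 11 bytes but then does `ptr += 12`, so the first character of the program name is lost, and on a line that ends right after the prefix the pointer steps past the terminating NUL before `strchr` runs. Taking the lengths from a prefix table, as sketched below, removes the hand-counted constants. The `isdigit(*ptr)` calls on new lines 44 and 46 pass a plain `char` and should cast to `unsigned char`. The extracted name comes from the traced program's own exec paths and is printed into the `# private-bin` line unchecked, so skip names that still contain `/` or `,` rather than emit a malformed list entry.

```c
static const char *const bin_prefix[] = {
	"/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
	"/usr/local/bin/", "/usr/local/sbin/",
	"/usr/games/", "/usr/local/games/",
};

// … unchanged: open trace file, strip newline, skip "N:name:" and "exec " …
		size_t nprefix = sizeof(bin_prefix) / sizeof(bin_prefix[0]);
		size_t i;
		for (i = 0; i < nprefix; i++) {
			size_t len = strlen(bin_prefix[i]);
			if (strncmp(ptr, bin_prefix[i], len) == 0) {
				ptr += len;
				break;
			}
		}
		if (i == nprefix)
			continue;
// … unchanged: cut the name at the next ':' and add it to bin_out …
```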
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c index 5fca22648..3f5fe48ca 100644 --- a/src/fbuilder/build_profile.c +++ b/src/fbuilder/build_profile.c | |||
@@ -33,6 +33,7 @@ static char *cmdlist[] = { | |||
33 | "--caps.drop=all", | 33 | "--caps.drop=all", |
34 | "--nonewprivs", | 34 | "--nonewprivs", |
35 | "--trace", | 35 | "--trace", |
36 | "--shell=none", | ||
36 | "/usr/bin/strace", // also used as a marker in build_profile() | 37 | "/usr/bin/strace", // also used as a marker in build_profile() |
37 | "-c", | 38 | "-c", |
38 | "-f", | 39 | "-f", |
@@ -56,8 +57,6 @@ static void clear_tmp_files(void) { | |||
56 | } | 57 | } |
57 | 58 | ||
58 | void build_profile(int argc, char **argv, int index) { | 59 | void build_profile(int argc, char **argv, int index) { |
59 | unlink("/tmp/strace-output"); | ||
60 | |||
61 | // next index is the application name | 60 | // next index is the application name |
62 | if (index >= argc) { | 61 | if (index >= argc) { |
63 | fprintf(stderr, "Error: application name missing\n"); | 62 | fprintf(stderr, "Error: application name missing\n"); |
@@ -136,6 +135,7 @@ void build_profile(int argc, char **argv, int index) { | |||
136 | build_dev(TRACE_OUTPUT); | 135 | build_dev(TRACE_OUTPUT); |
137 | build_etc(TRACE_OUTPUT); | 136 | build_etc(TRACE_OUTPUT); |
138 | build_var(TRACE_OUTPUT); | 137 | build_var(TRACE_OUTPUT); |
138 | build_bin(TRACE_OUTPUT); | ||
139 | printf("\n"); | 139 | printf("\n"); |
140 | 140 | ||
141 | printf("### security filters\n"); | 141 | printf("### security filters\n"); |
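Review bot: With `unlink("/tmp/strace-output")` removed from the top of build_profile(), nothing in the visible lines clears a trace file left by an earlier run before the build_*() parsers, now including `build_bin(TRACE_OUTPUT)`, read it. Presumably clear_tmp_files() (named in the hunk header, body not shown) now does this; if so, it should run before the sandbox starts and not only on exit, so a stale or pre-existing file at that path cannot feed into the generated profile. A one-line comment where the unlink used to be would record that, e.g. `// stale trace files are removed by clear_tmp_files()`. build_profile() starts and ends outside these hunks.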
diff --git a/src/fbuilder/fbuilder.h b/src/fbuilder/fbuilder.h index a9049ea2d..c448f3e06 100644 --- a/src/fbuilder/fbuilder.h +++ b/src/fbuilder/fbuilder.h | |||
@@ -44,6 +44,9 @@ void build_var(const char *fname); | |||
44 | void build_tmp(const char *fname); | 44 | void build_tmp(const char *fname); |
45 | void build_dev(const char *fname); | 45 | void build_dev(const char *fname); |
46 | 46 | ||
47 | // build_bin.c | ||
48 | void build_bin(const char *fname); | ||
49 | |||
47 | // build_home.c | 50 | // build_home.c |
48 | void build_home(const char *fname); | 51 | void build_home(const char *fname); |
49 | 52 | ||
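diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 5d6afe68b..5a36f5e3e 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -20,6 +20,7 @@ amarok
 amule
 android-studio
 apktool
+arch-audit
 ardour4
 ardour5
 arduino
@@ -65,6 +66,7 @@ clementine
 clipit
 cmus
 conkeror
+conky
 corebird
 cvlc
 cyberfox
@@ -97,6 +99,7 @@ evolution
 exiftool
 fbreader
 feh
+ffmpeg
 file-roller
 filezilla
 firefox
@@ -290,7 +293,7 @@ soundconverter
 spotify
 sqlitebrowser
 ssh
-ssh-agent
+# ssh-agent - problems on Arch with Fish shell (#1568)
 start-tor-browser
 steam
 stellarium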
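diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index 1ecfbf524..5928b9ae5 100644
--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -31,6 +31,7 @@
 #include <errno.h>
 #include <sys/mman.h>
 #include <pwd.h>
+#include <dirent.h>
 
 #include "../include/common.h"
 static int arg_debug = 0;
@@ -277,7 +278,8 @@ static void set_file(const char *name, const char *firejail_exec) {
 free(fname);
 }
 
-static void set_links(void) {
+// parse /usr/lib/firejail/firecfg.cfg file
+static void set_links_firecfg(void) {
 char *cfgfile;
 if (asprintf(&cfgfile, "%s/firejail/firecfg.config", LIBDIR) == -1)
 errExit("asprintf");
@@ -286,12 +288,13 @@ static void set_links(void) {
 if (asprintf(&firejail_exec, "%s/bin/firejail", PREFIX) == -1)
 errExit("asprintf");
 
+// parse /usr/lib/firejail/firecfg.cfg file
 FILE *fp = fopen(cfgfile, "r");
 if (!fp) {
 fprintf(stderr, "Error: cannot open %s\n", cfgfile);
 exit(1);
 }
-printf("Configuring symlinks in /usr/local/bin\n");
+printf("Configuring symlinks in /usr/local/bin based on firecfg.config\n");
 
 char buf[MAX_BUF];
 int lineno = 0;
@@ -330,7 +333,69 @@ static void set_links(void) {
 free(firejail_exec);
 }
 
-int have_profile(const char *filename) {
+// parse ~/.config/firejail/ directory
+static void set_links_homedir(const char *homedir) {
+assert(homedir);
+
+// check firejail config directory
+char *dirname;
+if (asprintf(&dirname, "%s/.config/firejail", homedir) == -1)
+errExit("asprintf");
+struct stat s;
+if (stat(dirname, &s) != 0) {
+free(dirname);
+return;
+}
+
+char *firejail_exec;
+if (asprintf(&firejail_exec, "%s/bin/firejail", PREFIX) == -1)
+errExit("asprintf");
+
+// parse ~/.config/firejail/ directory
+printf("\nConfiguring symlinks in /usr/local/bin based on local firejail config directory\n");
+
+DIR *dir = opendir(dirname);
+if (!dir) {
+fprintf(stderr, "Error: cannot open ~/.config/firejail directory\n");
+free(dirname);
+return;
+}
+
+struct dirent *entry;
+while ((entry = readdir(dir))) {
+if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
+continue;
+
+char *exec = strdup(entry->d_name);
+if (!exec)
+errExit("strdup");
+char *ptr = strrchr(exec, '.');
+if (!ptr) {
+free(exec);
+continue;
+}
+if (strcmp(ptr, ".profile") != 0) {
+free(exec);
+continue;
+}
+
+*ptr = '\0';
+set_file(exec, firejail_exec);
+free(exec);
+}
+closedir(dir);
+
+free(firejail_exec);
+}
+
+// look for a profile file in /etc/firejail diectory and in homedir/.config/firejail directory
+static int have_profile(const char *filename, const char *homedir) {
+assert(filename);
+assert(homedir);
+
+if (arg_debug)
+printf("checking profile for %s\n", filename);
+
 // remove .desktop extension
 char *f1 = strdup(filename);
 if (!f1)
@@ -338,15 +403,29 @@ int have_profile(const char *filename) {
 f1[strlen(filename) - 8] = '\0';
 
 // build profile name
-char *profname;
+char *profname1;
-if (asprintf(&profname, "%s/%s.profile", SYSCONFDIR, f1) == -1)
+char *profname2;
+if (asprintf(&profname1, "%s/%s.profile", SYSCONFDIR, f1) == -1)
+errExit("asprintf");
+if (asprintf(&profname2, "%s/.config/firejail/%s.profile", homedir, f1) == -1)
 errExit("asprintf");
 
-struct stat s;
+int rv = 0;
-int rv = stat(profname, &s);
+if (access(profname1, R_OK) == 0) {
+if (arg_debug)
+printf("found %s\n", profname1);
+rv = 1;
+}
+else if (access(profname2, R_OK) == 0) {
+if (arg_debug)
+printf("found %s\n", profname2);
+rv = 1;
+}
+
 free(f1);
-free(profname);
+free(profname1);
-return (rv == 0)? 1: 0;
+free(profname2);
+return rv;
 }
 
 static void fix_desktop_files(char *homedir) {
@@ -411,7 +490,7 @@ static void fix_desktop_files(char *homedir) {
 errExit("stat");
 
 // no profile in /etc/firejail, no desktop file fixing
-if (!have_profile(filename))
+if (!have_profile(filename, homedir))
 continue;
 
 /* coverity[toctou] */
@@ -599,7 +678,7 @@ int main(int argc, char **argv) {
 }
 }
 }
-set_links();
+set_links_firecfg();
 
 
 
@@ -623,6 +702,9 @@ int main(int argc, char **argv) {
 goto errexit;
 }
 
+// running as root
+set_links_homedir(home);
+
 // drop permissions
 if (setgroups(0, NULL) < 0)
 errExit("setgroups");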
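Review bot: In `set_links_homedir`, which `main` calls under the `// running as root` comment before the permission drop, every `*.profile` name read from the user-writable `~/.config/firejail` is handed to `set_file` with no validation, so file names chosen by the unprivileged user decide which symlinks get created in `/usr/local/bin`. An entry named exactly `.profile` leaves `exec` empty after `*ptr = '\0'`; a guard such as `if (ptr == exec) { free(exec); continue; }` would skip it. `set_file` is defined outside the visible hunks, so whether it checks the name any further cannot be confirmed from here. The function also leaks `firejail_exec` on the `opendir` failure return and never frees `dirname` on the success path: add `free(firejail_exec);` before that `return` and `free(dirname);` after `closedir(dir);`.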
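diff --git a/src/firejail/util.c b/src/firejail/util.c
index 3e0729620..4d1c94c25 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -196,7 +196,7 @@ static int copy_file_by_fd(int src, int dst) {
 done += rv;
 }
 }
-fflush(0);
+// fflush(0);
 return 0;
 }
 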
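Review bot: The flush at the end of `copy_file_by_fd` is disabled by leaving `// fflush(0);` in place with no reason given, so the next reader cannot tell whether it is safe to delete or is meant to come back. Either remove the line or replace it with a comment that states why the flush is not wanted after the copy loop. The function starts outside this hunk, so whether any buffered stdio stream is involved in the copy cannot be checked here.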
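diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c
index 5cdb254a3..04cf64997 100644
--- a/src/libtrace/libtrace.c
+++ b/src/libtrace/libtrace.c
@@ -673,3 +673,15 @@ int setresgid(gid_t rgid, gid_t egid, gid_t sgid) {
 
 return rv;
 }
+
+// every time a new process is started, this gets called
+// it can be used to build things like private-bin
+__attribute__((constructor))
+static void log_exec(int argc, char** argv) {
+static char buf[PATH_MAX + 1];
+int rv = readlink("/proc/self/exe", buf, PATH_MAX);
+if (rv != -1) {
+buf[rv] = '\0'; // readlink does not add a '\0' at the end
+printf("%u:%s:exec %s:0\n", pid(), name(), buf);
+}
+}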
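Review bot: `log_exec` emits its trace line with `printf`, so this constructor writes `pid:name:exec path:0` to the standard output of every process that loads the library, where it mixes with the program's own output and reaches anything reading it through a pipe. If the other wrappers in this file log through a dedicated stream (they are outside this hunk), this line should go through the same path. `readlink` returns `ssize_t`, so `ssize_t rv = readlink("/proc/self/exe", buf, PATH_MAX);` avoids the narrowing to `int`, and the unused `argc`/`argv` parameters can be dropped. A return value equal to `PATH_MAX` may mean the path was truncated, which deserves a one-line comment saying such paths are logged as-is.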
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index f205bfa30..9bbb224e1 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1338,13 +1338,13 @@ $ ps | |||
1338 | .br | 1338 | .br |
1339 | 48 pts/0 00:00:00 ps | 1339 | 48 pts/0 00:00:00 ps |
1340 | .br | 1340 | .br |
1341 | $ | 1341 | $ |
1342 | .br | 1342 | .br |
1343 | 1343 | ||
1344 | 1344 | ||
1345 | .TP | 1345 | .TP |
1346 | \fB\-\-private-dev | 1346 | \fB\-\-private-dev |
1347 | Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available. | 1347 | Create a new /dev directory. Only disc, dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available. |
1348 | .br | 1348 | .br |
1349 | 1349 | ||
1350 | .br | 1350 | .br |
@@ -1358,7 +1358,7 @@ Child process initialized | |||
1358 | .br | 1358 | .br |
1359 | $ ls /dev | 1359 | $ ls /dev |
1360 | .br | 1360 | .br |
1361 | dri full log null ptmx pts random shm snd tty urandom zero | 1361 | cdrom cdrw dri dvd dvdrw full log null ptmx pts random shm snd sr0 tty urandom zero |
1362 | .br | 1362 | .br |
1363 | $ | 1363 | $ |
1364 | .TP | 1364 | .TP |
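diff --git a/test/sysutils/less.exp b/test/sysutils/less.exp
index 5ff11174d..29781c21a 100755
--- a/test/sysutils/less.exp
+++ b/test/sysutils/less.exp
@@ -7,14 +7,14 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail less ../../Makefile.in\r"
+send -- "firejail less sysutils.sh\r"
 expect {
 timeout {puts "TESTING ERROR 1\n";exit}
-"MYLIBS"
+"MALLOC_CHECK"
 }
 expect {
 timeout {puts "TESTING ERROR 2\n";exit}
-"APPS"
+"./cpio.exp"
 }
 
 puts "\nall done\n"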