-rw-r--r-- | README.md | 49 | ||||
-rw-r--r-- | RELNOTES | 4 | ||||
-rw-r--r-- | etc/akonadi_control.profile | 45 | ||||
-rw-r--r-- | etc/disable-programs.inc | 9 | ||||
-rw-r--r-- | etc/gnome-recipes.profile | 45 | ||||
-rw-r--r-- | etc/kmail.profile | 22 | ||||
-rw-r--r-- | etc/knotes.profile | 10 | ||||
-rw-r--r-- | etc/openbox.profile | 3 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 2 | ||||
-rw-r--r-- | src/firejail/run_files.c | 30 | ||||
-rw-r--r-- | src/lib/pid.c | 10 |
11 files changed, 219 insertions, 10 deletions
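--- a/README.md
+++ b/README.md
@@ -98,6 +98,52 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
 `````
 # Current development version: 0.9.53
 
+## Spectre mitigation
+
+If your gcc compiler version supports it, -mindirect-branch=thunk is inserted into EXTRA_CFLAGS during software configuration.
+The patch was introduced in gcc version 8, and it was backported to gcc 7. You'll also find it
+on older versions, for example on Debian stable running on gcc 6.3.0. This is how you check it:
+`````
+$ ./configure --prefix=/usr
+checking for gcc... gcc
+checking whether the C compiler works... yes
+checking for C compiler default output file name... a.out
+checking for suffix of executables...
+checking whether we are cross compiling... no
+checking for suffix of object files... o
+checking whether we are using the GNU C compiler... yes
+checking whether gcc accepts -g... yes
+checking for gcc option to accept ISO C89... none needed
+checking for a BSD-compatible install... /usr/bin/install -c
+checking for ranlib... ranlib
+checking for Spectre mitigation support in gcc compiler... yes
+[...]
+Configuration options:
+prefix: /usr
+sysconfdir: /etc
+seccomp: -DHAVE_SECCOMP
+<linux/seccomp.h>: -DHAVE_SECCOMP_H
+apparmor:
+global config: -DHAVE_GLOBALCFG
+chroot: -DHAVE_CHROOT
+bind: -DHAVE_BIND
+network: -DHAVE_NETWORK
+user namespace: -DHAVE_USERNS
+X11 sandboxing support: -DHAVE_X11
+whitelisting: -DHAVE_WHITELIST
+private home support: -DHAVE_PRIVATE_HOME
+file transfer support: -DHAVE_FILE_TRANSFER
+overlayfs support: -DHAVE_OVERLAYFS
+git install support:
+busybox workaround: no
+Spectre compiler patch: yes
+EXTRA_LDFLAGS:
+EXTRA_CFLAGS: -mindirect-branch=thunk
+fatal warnings:
+Gcov instrumentation:
+Install contrib scripts: yes
+`````
+
 ## AppImage development
 
 Support for private-bin, private-lib and shell none has been disabled while running AppImage archives.
@@ -246,4 +292,5 @@ firefox-common-addons.inc in firefox-common.profile.
 
 Basilisk browser, Tor Browser language packs, PlayOnLinux, sylpheed, discord-canary,
 pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain,
-tilp, vivaldi-snapshot, bitcoin-qt, VS Code, falkon, gnome-builder, lobase, asunder
+tilp, vivaldi-snapshot, bitcoin-qt, VS Code, falkon, gnome-builder, lobase, asunder,
+gnome-recipes, akonadi_control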
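--- a/RELNOTES
+++ b/RELNOTES
@@ -9,6 +9,7 @@ firejail (0.9.53) baseline; urgency=low
 All users of Firefox-based browsers who use addons and plugins
 that read/write from ${HOME} will need to uncomment the includes for
 firefox-common-addons.inc in firefox-common.profile.
+* Spectre mitigation patch for gcc compiler
 * AppArmor support for overlayfs and chroot sandboxes
 * AppArmor support for AppImages
 * Enable AppArmor by default for Firefox, Chromium, Transmission
@@ -27,7 +28,8 @@ firejail (0.9.53) baseline; urgency=low
 * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed,
 * new profiles: discord-canary, pycharm-community, pycharm-professional,
 * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine,
-* new profiles: falkon, gnome-builder, asunder, VS Code,
+* new profiles: falkon, gnome-builder, asunder, VS Code, gnome-recipes
+* new profiles: akonadi_control
 -- netblue30 <netblue30@yahoo.com> Thu, 1 Mar 2018 08:00:00 -0500
 
 firejail (0.9.52) baseline; urgency=low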
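--- /dev/null
+++ b/etc/akonadi_control.profile
@@ -0,0 +1,45 @@
+# Firejail profile for akonadi_control
+# Persistent local customizations
+include /etc/firejail/akonadi_control.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.cache/akonadi*
+noblacklist ${HOME}/.config/akonadi*
+noblacklist ${HOME}/.config/baloorc
+noblacklist ${HOME}/.local/share/akonadi/*
+noblacklist ${HOME}/.local/share/contacts
+noblacklist ${HOME}/.local/share/local-mail
+noblacklist /usr/sbin
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+# depending on your setup it might be possible to
+# enable some of the commented options below
+
+# apparmor
+caps.drop all
+ipc-namespace
+no3d
+netfilter
+nodvd
+nogroups
+# nonewprivs
+# noroot
+nosound
+notv
+novideo
+# protocol unix,inet,inet6
+# seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+tracelog
+
+private-dev
+# private-tmp - breaks programs that depend on akonadi
+
+noexec ${HOME}
+noexec /tmp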
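Review bot: `nonewprivs`, `noroot`, `protocol` and the whole `seccomp.drop` list are committed commented out under one generic remark ("depending on your setup it might be possible to enable some of the commented options below"), so the profile as shipped relies on `caps.drop all`, the namespace options and the blacklists only. Each disabled option should carry its own reason, in the style already used for `# private-tmp - breaks programs that depend on akonadi`, so a user can tell which ones are safe to turn back on. `noblacklist /usr/sbin` also needs a comment naming the binary it is there for (presumably the database server akonadi starts; please confirm). The header is missing the `# This file is overwritten after every install/update` line that etc/gnome-recipes.profile carries in this same commit.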
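--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -73,6 +73,7 @@ blacklist ${HOME}/.config/Slack
 blacklist ${HOME}/.config/Thunar
 blacklist ${HOME}/.config/VirtualBox
 blacklist ${HOME}/.config/Wire
+blacklist ${HOME}/.config/akonadi*
 blacklist ${HOME}/.config/akregatorrc
 blacklist ${HOME}/.config/ardour4
 blacklist ${HOME}/.config/ardour5
@@ -106,6 +107,7 @@ blacklist ${HOME}/.config/digikam
 blacklist ${HOME}/.config/digikamrc
 blacklist ${HOME}/.config/dolphinrc
 blacklist ${HOME}/.config/dragonplayerrc
+blacklist ${HOME}/.config/emailidentities
 blacklist ${HOME}/.config/enchant
 blacklist ${HOME}/.config/eog
 blacklist ${HOME}/.config/epiphany
@@ -144,6 +146,7 @@ blacklist ${HOME}/.config/katevirc
 blacklist ${HOME}/.config/kdenliverc
 blacklist ${HOME}/.config/kgetrc
 blacklist ${HOME}/.config/klipperrc
+blacklist ${HOME}/.config/kmail2rc
 blacklist ${HOME}/.config/kritarc
 blacklist ${HOME}/.config/kwriterc
 blacklist ${HOME}/.config/kdeconnect
@@ -346,12 +349,14 @@ blacklist ${HOME}/.local/share/SuperHexagon
 blacklist ${HOME}/.local/share/TelegramDesktop
 blacklist ${HOME}/.local/share/Terraria
 blacklist ${HOME}/.local/share/TpLogger
+blacklist ${HOME}/.local/share/akonadi/*
 blacklist ${HOME}/.local/share/akregator
 blacklist ${HOME}/.local/share/aspyr-media
 blacklist ${HOME}/.local/share/baloo
 blacklist ${HOME}/.local/share/caja-python
 blacklist ${HOME}/.local/share/cdprojektred
 blacklist ${HOME}/.local/share/clipit
+blacklist ${HOME}/.local/share/contacts
 blacklist ${HOME}/.local/share/data/Mumble
 blacklist ${HOME}/.local/share/data/MusE
 blacklist ${HOME}/.local/share/data/MuseScore
@@ -369,6 +374,7 @@ blacklist ${HOME}/.local/share/gnome-2048
 blacklist ${HOME}/.local/share/gnome-chess
 blacklist ${HOME}/.local/share/gnome-music
 blacklist ${HOME}/.local/share/gnome-photos
+blacklist ${HOME}/.local/share/gnome-recipes
 blacklist ${HOME}/.local/share/gnome-ring
 blacklist ${HOME}/.local/share/gnome-twitch
 blacklist ${HOME}/.local/share/gwenview
@@ -376,11 +382,13 @@ blacklist ${HOME}/.local/share/kaffeine
 blacklist ${HOME}/.local/share/kate
 blacklist ${HOME}/.local/share/kdenlive
 blacklist ${HOME}/.local/share/kget
+blacklist ${HOME}/.local/share/kmail2
 blacklist ${HOME}/.local/share/krita
 blacklist ${HOME}/.local/share/ktorrentrc
 blacklist ${HOME}/.local/share/ktorrent
 blacklist ${HOME}/.local/share/kwrite
 blacklist ${HOME}/.local/share/liferea
+blacklist ${HOME}/.local/share/local-mail
 blacklist ${HOME}/.local/share/lollypop
 blacklist ${HOME}/.local/share/maps-places.json
 blacklist ${HOME}/.local/share/meld
@@ -495,6 +503,7 @@ blacklist ${HOME}/.cache/Franz
 blacklist ${HOME}/.cache/INRIA
 blacklist ${HOME}/.cache/MusicBrainz
 blacklist ${HOME}/.cache/QuiteRss
+blacklist ${HOME}/.cache/akonadi*
 blacklist ${HOME}/.cache/attic
 blacklist ${HOME}/.cache/borg
 blacklist ${HOME}/.cache/calibre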
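Review bot: `blacklist ${HOME}/.local/share/akonadi/*` in the `.local/share` hunk blacklists the directory's entries rather than the directory itself, unlike every neighbouring rule. If the pattern is expanded once when the sandbox starts, as I would expect, files created there afterwards are not covered, the directory stays listable, and dotfiles may not match `*` at all. Unless something needs the directory to remain reachable, `blacklist ${HOME}/.local/share/akonadi` is simpler and complete, with the matching `noblacklist` lines in akonadi_control.profile, kmail.profile and knotes.profile changed to the same path.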
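--- /dev/null
+++ b/etc/gnome-recipes.profile
@@ -0,0 +1,45 @@
+# Firejail profile for gnome-recipes
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/gnome-recipes.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.local/share/gnome-recipes
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.cache/gnome-recipes
+whitelist ${HOME}/.cache/gnome-recipes
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin gnome-recipes,tar
+private-dev
+private-etc ca-certificates,fonts,ssl
+# private-lib works for me with Gnome Shell 3.26.2, Mutter WM (Arch Linux)
+# not widely tested though, leaving it to devs discretion to enable it later
+#private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.4,libgnutls.so.30,libjpeg.so.8,libp11-kit.so.0,libproxy.so.1,librsvg-2.so.2
+private-tmp
+
+noexec ${HOME}
+noexec /tmp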
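Review bot: The profile un-blacklists `${HOME}/.local/share/gnome-recipes` but whitelists only `${HOME}/.cache/gnome-recipes`. Once a `whitelist` rule applies to the home directory, paths that are not whitelisted are no longer the real ones, so unless whitelist-common.inc (not shown here) covers the data directory, it would appear empty inside the sandbox and anything saved there would be gone on exit. Adding `mkdir ${HOME}/.local/share/gnome-recipes` and `whitelist ${HOME}/.local/share/gnome-recipes` next to the existing cache pair would make the `noblacklist` line effective. The hardening options themselves (`seccomp`, `nonewprivs`, `noroot`, `private-bin`, `private-etc`) need no change.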
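--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -5,6 +5,18 @@ include /etc/firejail/kmail.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# if akonadi has a mysql backend, starting it inside this sandbox will fail
+# one solution is to have akonadi already running when kmail is launched
+
+noblacklist ${HOME}/.cache/akonadi*
+noblacklist ${HOME}/.config/akonadi*
+noblacklist ${HOME}/.config/baloorc
+noblacklist ${HOME}/.config/emailidentities
+noblacklist ${HOME}/.config/kmail2rc
+noblacklist ${HOME}/.local/share/akonadi/*
+noblacklist ${HOME}/.local/share/contacts
+noblacklist ${HOME}/.local/share/kmail2
+noblacklist ${HOME}/.local/share/local-mail
 noblacklist ${HOME}/.gnupg
 
 include /etc/firejail/disable-common.inc
@@ -12,6 +24,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+# apparmor
 caps.drop all
 netfilter
 nodvd
@@ -22,11 +35,14 @@ nosound
 notv
 novideo
 protocol unix,inet,inet6,netlink
-# blacklisting of chroot system calls breaks kmail
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+# we need to allow chroot and ioprio_set system calls
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 # tracelog
 # writable-run-user is needed for signing and encrypting emails
 writable-run-user
 
 private-dev
-# private-tmp - breaks akonadi and opening of email attachments
+# private-tmp - interrupts connection to akonadi, breaks opening of email attachments
+
+noexec ${HOME}
+noexec /tmp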
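Review bot: The new comment `# we need to allow chroot and ioprio_set system calls` in the last hunk says what is exempted from `seccomp.drop` but not which component needs it, and the only other trace of the change is `ioprio_set` disappearing from the middle of a very long hand-maintained list. Something like `# chroot and ioprio_set are left out of the list below: <process that calls them, and what fails otherwise>` would let a later reviewer re-test the exemption instead of carrying it forever. The same goes for `# apparmor` in the second hunk, which is added commented out with no reason given.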
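--- a/etc/knotes.profile
+++ b/etc/knotes.profile
@@ -5,10 +5,12 @@ include /etc/firejail/knotes.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+noblacklist ${HOME}/.config/akonadi*
 noblacklist ${HOME}/.config/knotesrc
+noblacklist ${HOME}/.local/share/akonadi/*
 
 include /etc/firejail/disable-common.inc
-# include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
@@ -22,10 +24,14 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
 tracelog
 
 private-dev
-#private-tmp - problems on kubuntu 17.04
+# private-tmp - interrupts connection to akonadi
+
+noexec ${HOME}
+noexec /tmp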
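Review bot: The first hunk un-blacklists `${HOME}/.config/akonadi*` and `${HOME}/.local/share/akonadi/*` but not `${HOME}/.cache/akonadi*`, which this commit adds to disable-programs.inc and which both kmail.profile and akonadi_control.profile exempt. If the akonadi client code in knotes touches that cache, it will find it blocked inside this sandbox. Either add `noblacklist ${HOME}/.cache/akonadi*` here or add a one-line comment saying the cache is deliberately left blacklisted for knotes.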
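--- a/etc/openbox.profile
+++ b/etc/openbox.profile
@@ -14,3 +14,6 @@ netfilter
 noroot
 protocol unix,inet,inet6
 seccomp
+
+read-only ${HOME}/.config/openbox/autostart
+read-only ${HOME}/.config/openbox/environment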
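Review bot: `read-only` is applied to two files only, so the rest of `${HOME}/.config/openbox` stays writable from inside the sandbox, including `rc.xml` and `menu.xml`, which also hold commands that openbox runs. A per-file rule presumably has nothing to protect if `autostart` or `environment` does not exist when the sandbox starts, which would leave a sandboxed process free to create it. `read-only ${HOME}/.config/openbox` would cover all of these cases; if the two-file form is deliberate, a comment saying why the directory has to stay writable would help.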
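--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -16,6 +16,7 @@ VirtualBox
 Wire
 Xephyr
 abrowser
+akonadi_control
 akregator
 amarok
 amule
@@ -154,6 +155,7 @@ gnome-maps
 gnome-mplayer
 gnome-music
 gnome-photos
+gnome-recipes
 gnome-twitch
 gnome-weather
 goobox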
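--- a/src/firejail/run_files.c
+++ b/src/firejail/run_files.c
@@ -20,6 +20,7 @@
 
 #include "firejail.h"
 #include "../include/pid.h"
+#define BUFLEN 4096
 
 static void delete_x11_run_file(pid_t pid) {
 char *fname;
@@ -74,7 +75,36 @@ void delete_run_files(pid_t pid) {
 delete_profile_run_file(pid);
 }
 
+static char *newname(char *name) {
+char *rv;
+pid_t pid;
+
+// try the name
+if (name2pid(name, &pid))
+return name;
+
+// try name-1 to 9
+int i;
+for (i = 1; i < 10; i++) {
+if (asprintf(&rv, "%s-%d", name, i) == -1)
+errExit("asprintf");
+if (name2pid(rv, &pid)) {
+fwarning("Sandbox name changed to %s\n", rv);
+return rv;
+}
+free(rv);
+}
+
+// return name-pid
+if (asprintf(&rv, "%s-%d", name, getpid()) == -1)
+errExit("asprintf");
+return rv;
+}
+
+
 void set_name_run_file(pid_t pid) {
+cfg.name = newname(cfg.name);
+
 char *fname;
 if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, pid) == -1)
 errExit("asprintf");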
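Review bot: `newname()` decides a name is free from `name2pid()` (presumably non-zero means no running sandbox has it), but the name is only claimed when `set_name_run_file()` writes its file afterwards, so two sandboxes started together with the same name can both pass the check and end up sharing it. The uniqueness is therefore best-effort, and a comment on `newname()` should say so unless the claim can be made atomic. The fallback builds the suffix from `getpid()` although the caller already holds the sandbox `pid`; if the two can differ, `newname(cfg.name, pid)` would keep the suffix in line with the run-file name. The function returns either its argument or a fresh allocation, so the previous `cfg.name` is dropped without `free` whenever a new name is chosen and the caller cannot tell which case it got; a header comment such as `// returns name itself if unused, else a malloc'd alternative` would document that. `BUFLEN` is defined in the first hunk but not used in the lines shown, and `set_name_run_file()` continues past the end of the hunk.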
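--- a/src/lib/pid.c
+++ b/src/lib/pid.c
@@ -188,10 +188,11 @@ static void print_elem(unsigned index, int nowrap) {
 uid_t uid = pids[index].uid;
 char *cmd = pid_proc_cmdline(index);
 char *user = pid_get_user_name(uid);
-char *allocated = user;
+char *user_allocated = user;
 
 // extract sandbox name - pid == index
 char *sandbox_name = "";
+char *sandbox_name_allocated = NULL;
 char *fname;
 if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, index) == -1)
 errExit("asprintf");
@@ -202,6 +203,7 @@ static void print_elem(unsigned index, int nowrap) {
 sandbox_name = malloc(s.st_size + 1);
 if (!sandbox_name)
 errExit("malloc");
+sandbox_name_allocated = sandbox_name;
 char *rv = fgets(sandbox_name, s.st_size + 1, fp);
 if (!rv)
 *sandbox_name = '\0';
@@ -241,8 +243,10 @@ static void print_elem(unsigned index, int nowrap) {
 else
 printf("%s%u:\n", indent, index);
 }
-if (allocated)
-free(allocated);
+if (user_allocated)
+free(user_allocated);
+if (sandbox_name_allocated)
+free(sandbox_name_allocated);
 }
 
 // recursivity!!!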
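Review bot: The `if (user_allocated)` and `if (sandbox_name_allocated)` guards in the last hunk are redundant, because `free(NULL)` is a no-op; `free(user_allocated);` and `free(sandbox_name_allocated);` alone behave the same. The separate `sandbox_name_allocated` pointer is needed because `sandbox_name` starts out as the literal `""` and must not be freed in that case. A short comment at the declaration, e.g. `// set only when sandbox_name is malloc'd; the default "" must not be freed`, would stop someone from collapsing the two variables later. `print_elem()` begins before the first hunk and the code between the hunks is not shown, so whether `fp` and `fname` are released on every path cannot be checked from here.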