141 files changed, 2538 insertions, 1800 deletions
diff --git a/.gitignore b/.gitignore index 60d06099f..408290b85 100644 --- a/.gitignore +++ b/.gitignore | |||
@@ -2,6 +2,7 @@ | |||
2 | *.so | 2 | *.so |
3 | *~ | 3 | *~ |
4 | *.swp | 4 | *.swp |
5 | *.rpm | ||
5 | Makefile | 6 | Makefile |
6 | config.log | 7 | config.log |
7 | config.status | 8 | config.status |
diff --git a/Makefile.in b/Makefile.in index 1de44c578..cf7ec6379 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -41,7 +41,7 @@ clean: | |||
41 | for dir in $(MYLIBS); do \ | 41 | for dir in $(MYLIBS); do \ |
42 | $(MAKE) -C $$dir clean; \ | 42 | $(MAKE) -C $$dir clean; \ |
43 | done | 43 | done |
44 | rm -f firejail.1 firejail.1.gz firemon.1 firemon.1.gz firejail-profile.5 firejail-profile.5.gz firejail-login.5 firejail-login.5.gz | 44 | rm -f firejail.1 firejail.1.gz firemon.1 firemon.1.gz firejail-profile.5 firejail-profile.5.gz firejail-login.5 firejail-login.5.gz firejail*.rpm |
45 | 45 | ||
46 | distclean: clean | 46 | distclean: clean |
47 | for dir in $(APPS); do \ | 47 | for dir in $(APPS); do \ |
@@ -75,6 +75,7 @@ realinstall: | |||
75 | install -m 0755 -d $(DESTDIR)/$(sysconfdir)/firejail | 75 | install -m 0755 -d $(DESTDIR)/$(sysconfdir)/firejail |
76 | install -c -m 0644 .etc/audacious.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 76 | install -c -m 0644 .etc/audacious.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
77 | install -c -m 0644 .etc/clementine.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 77 | install -c -m 0644 .etc/clementine.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
78 | install -c -m 0644 .etc/epiphany.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
78 | install -c -m 0644 .etc/gnome-mplayer.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 79 | install -c -m 0644 .etc/gnome-mplayer.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
79 | install -c -m 0644 .etc/rhythmbox.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 80 | install -c -m 0644 .etc/rhythmbox.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
80 | install -c -m 0644 .etc/totem.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 81 | install -c -m 0644 .etc/totem.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
@@ -129,7 +130,16 @@ realinstall: | |||
129 | install -c -m 0644 .etc/rtorrent.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 130 | install -c -m 0644 .etc/rtorrent.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
130 | install -c -m 0644 .etc/parole.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 131 | install -c -m 0644 .etc/parole.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
131 | install -c -m 0644 .etc/kmail.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 132 | install -c -m 0644 .etc/kmail.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
132 | bash -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" | 133 | install -c -m 0644 .etc/seamonkey.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
134 | install -c -m 0644 .etc/seamonkey-bin.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
135 | install -c -m 0644 .etc/telegram.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
136 | install -c -m 0644 .etc/mathematica.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
137 | install -c -m 0644 .etc/Mathematica.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
138 | install -c -m 0644 .etc/uget-gtk.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
139 | install -c -m 0644 .etc/mupen64plus.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
140 | install -c -m 0644 .etc/disable-terminals.inc $(DESTDIR)/$(sysconfdir)/firejail/. | ||
141 | install -c -m 0644 .etc/lxterminal.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
142 | sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" | ||
133 | rm -fr .etc | 143 | rm -fr .etc |
134 | # man pages | 144 | # man pages |
135 | rm -f firejail.1.gz | 145 | rm -f firejail.1.gz |
@@ -190,6 +200,10 @@ dist: | |||
190 | deb: dist | 200 | deb: dist |
191 | ./mkdeb.sh $(NAME) $(VERSION) | 201 | ./mkdeb.sh $(NAME) $(VERSION) |
192 | 202 | ||
203 | .PHONY: rpms | ||
204 | rpms: | ||
205 | ./platform/rpm/mkrpm.sh $(NAME) $(VERSION) | ||
206 | |||
193 | extras: all | 207 | extras: all |
194 | $(MAKE) -C extras/firetools | 208 | $(MAKE) -C extras/firetools |
195 | 209 | ||
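Review bot: The login.users guard at new line 142 spawns a second shell (`sh -c "if [ ! -f … ]; then …; fi;"`) inside the recipe's own shell and leaves `$(DESTDIR)/$(sysconfdir)` unquoted; the same check reads as one plain recipe line, `test -f $(DESTDIR)/$(sysconfdir)/firejail/login.users || install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.`. The new `rpms:` target at line 204 is declared `.PHONY` but, unlike `deb: dist` just above it, has no `dist` prerequisite; if mkrpm.sh packages the release tarball, `rpms: dist` should be stated so `make rpms` cannot pick up a stale one. The clean and realinstall recipes extend beyond the hunks shown.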
@@ -18,6 +18,38 @@ License: GPL v2 | |||
18 | Firejail Authors: | 18 | Firejail Authors: |
19 | 19 | ||
20 | netblue30 (netblue30@yahoo.com) | 20 | netblue30 (netblue30@yahoo.com) |
21 | jrabe (https://github.com/jrabe) | ||
22 | - Epiphany profile | ||
23 | jgriffiths (https://github.com/jgriffiths) | ||
24 | - make rpm packages support | ||
25 | Tom Mellor (https://github.com/kalegrill) | ||
26 | - mupen64plus profile | ||
27 | Martin Carpenter (https://github.com/mcarpenter) | ||
28 | - security audit and bug fixes | ||
29 | - Centos 6.x support | ||
30 | Aleksey Manevich (https://github.com/manevich) | ||
31 | - several profile fixes | ||
32 | - fix problem with relative path in storage_find function | ||
33 | - fix build for systems without bash | ||
34 | pszxzsd (https://github.com/pszxzsd) | ||
35 | -uGet profile | ||
36 | Rahiel Kasim (https://github.com/rahiel) | ||
37 | - Mathematica profile | ||
38 | creideiki (https://github.com/creideiki) | ||
39 | - make the sandbox process reap all children | ||
40 | curiosity-seeker (https://github.com/curiosity-seeker) | ||
41 | - tightening unbound and dnscrypt-proxy profiles | ||
42 | sinkuu (https://github.com/sinkuu) | ||
43 | - blacklisting kwalletd | ||
44 | - fix symlink invocation for programs placing symlinks in $PATH | ||
45 | Bader Zaidan (https://github.com/BaderSZ) | ||
46 | - Telegram profile | ||
47 | Holger Heinz (https://github.com/hheinz) | ||
48 | - manpage work | ||
49 | Andrey Alekseenko (https://github.com/al42and) | ||
50 | - fixing lintian warnings | ||
51 | mahdi1234 (https://github.com/mahdi1234) | ||
52 | - Seamonkey profiles | ||
21 | Ivan Kozik (https://github.com/ivan) | 53 | Ivan Kozik (https://github.com/ivan) |
22 | - speed up sandbox exit | 54 | - speed up sandbox exit |
23 | Christian Stadelmann (https://github.com/genodeftest) | 55 | Christian Stadelmann (https://github.com/genodeftest) |
@@ -31,97 +31,51 @@ Features: https://firejail.wordpress.com/features-3/ | |||
31 | Documentation: https://firejail.wordpress.com/documentation-2/ | 31 | Documentation: https://firejail.wordpress.com/documentation-2/ |
32 | 32 | ||
33 | FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ | 33 | FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ |
34 | |||
35 | # Current development version: 0.9.37 | ||
36 | |||
37 | ## Symlink invocation | ||
38 | |||
39 | This is a small thing, but very convenient. Make a symbolic link (ln -s) to /usr/bin/firejail under | ||
40 | the name of the program you want to run, and put the link in the first $PATH position (for | ||
41 | example in /usr/local/bin). Example: | ||
42 | ````` | 34 | ````` |
43 | $ which -a transmission-gtk | ||
44 | /usr/bin/transmission-gtk | ||
45 | |||
46 | $ sudo ln -s /usr/bin/firejail /usr/local/bin/transmission-gtk | ||
47 | 35 | ||
48 | $ which -a transmission-gtk | ||
49 | /usr/local/bin/transmission-gtk | ||
50 | /usr/bin/transmission-gtk | ||
51 | ````` | 36 | ````` |
52 | We have in this moment two entries in $PATH for transmission. The first one is a symlink to firejail. | 37 | # Current development version: 0.9.39 |
53 | The second one is the real program. Starting transmission in this moment, invokes "firejail transmission-gtk" | ||
54 | ````` | 38 | ````` |
55 | $ transmission-gtk | ||
56 | Redirecting symlink to /usr/bin/transmission-gtk | ||
57 | Reading profile /etc/firejail/transmission-gtk.profile | ||
58 | Reading profile /etc/firejail/disable-mgmt.inc | ||
59 | Reading profile /etc/firejail/disable-secret.inc | ||
60 | Reading profile /etc/firejail/disable-common.inc | ||
61 | Reading profile /etc/firejail/disable-devel.inc | ||
62 | Parent pid 19343, child pid 19344 | ||
63 | Blacklist violations are logged to syslog | ||
64 | Child process initialized | ||
65 | ````` | ||
66 | |||
67 | 39 | ||
68 | ## IPv6 support: | ||
69 | ````` | 40 | ````` |
70 | --ip6=address | ||
71 | Assign IPv6 addresses to the last network interface defined by a | ||
72 | --net option. | ||
73 | |||
74 | Example: | ||
75 | $ firejail --net=eth0 --ip6=2001:0db8:0:f101::1/64 firefox | ||
76 | 41 | ||
77 | --netfilter6=filename | 42 | ## Default seccomp filter update |
78 | Enable the IPv6 network filter specified by filename in the new | ||
79 | network namespace. The filter file format is the format of | ||
80 | ip6tables-save and ip6table-restore commands. New network | ||
81 | namespaces are created using --net option. If a new network | ||
82 | namespaces is not created, --netfilter6 option does nothing. | ||
83 | 43 | ||
84 | ````` | 44 | Currently 50 syscalls are blacklisted by default, out of a total of 318 calls (AMD64, Debian Jessie). |
85 | 45 | ||
86 | ## join command enhancements | 46 | ## STUN/WebRTC disabled in default netfilter configuration |
87 | 47 | ||
48 | The current netfilter configuration (--netfilter option) looks like this: | ||
88 | ````` | 49 | ````` |
89 | --join-filesystem=name | 50 | *filter |
90 | Join the mount namespace of the sandbox identified by name. By | 51 | :INPUT DROP [0:0] |
91 | default a /bin/bash shell is started after joining the sandbox. | 52 | :FORWARD DROP [0:0] |
92 | If a program is specified, the program is run in the sandbox. | 53 | :OUTPUT ACCEPT [0:0] |
93 | This command is available only to root user. Security filters, | 54 | -A INPUT -i lo -j ACCEPT |
94 | cgroups and cpus configurations are not applied to the process | 55 | -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT |
95 | joining the sandbox. | 56 | # allow ping |
96 | 57 | -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT | |
97 | --join-filesystem=pid | 58 | -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT |
98 | Join the mount namespace of the sandbox identified by process | 59 | -A INPUT -p icmp --icmp-type echo-request -j ACCEPT |
99 | ID. By default a /bin/bash shell is started after joining the | 60 | # drop STUN (WebRTC) requests |
100 | sandbox. If a program is specified, the program is run in the | 61 | -A OUTPUT -p udp --dport 3478 -j DROP |
101 | sandbox. This command is available only to root user. Security | 62 | -A OUTPUT -p udp --dport 3479 -j DROP |
102 | filters, cgroups and cpus configurations are not applied to the | 63 | -A OUTPUT -p tcp --dport 3478 -j DROP |
103 | process joining the sandbox. | 64 | -A OUTPUT -p tcp --dport 3479 -j DROP |
104 | 65 | COMMIT | |
105 | --join-network=name | ||
106 | Join the network namespace of the sandbox identified by name. By | ||
107 | default a /bin/bash shell is started after joining the sandbox. | ||
108 | If a program is specified, the program is run in the sandbox. | ||
109 | This command is available only to root user. Security filters, | ||
110 | cgroups and cpus configurations are not applied to the process | ||
111 | joining the sandbox. | ||
112 | |||
113 | --join-network=pid | ||
114 | Join the network namespace of the sandbox identified by process | ||
115 | ID. By default a /bin/bash shell is started after joining the | ||
116 | sandbox. If a program is specified, the program is run in the | ||
117 | sandbox. This command is available only to root user. Security | ||
118 | filters, cgroups and cpus configurations are not applied to the | ||
119 | process joining the sandbox. | ||
120 | |||
121 | ````` | 66 | ````` |
122 | 67 | ||
68 | The filter is loaded by default for Firefox if a network namespace is configured: | ||
69 | ````` | ||
70 | $ firejail --net=eth0 firefox | ||
71 | ````` | ||
123 | 72 | ||
124 | ## New profiles: KMail | 73 | ## Set sandbox nice value |
125 | 74 | ````` | |
75 | --nice=value | ||
76 | Set nice value for all processes running inside the sandbox. | ||
126 | 77 | ||
78 | Example: | ||
79 | $ firejail --nice=-5 firefox | ||
80 | ````` | ||
127 | 81 | ||
@@ -1,12 +1,31 @@ | |||
1 | firejail (0.9.37) baseline; urgency=low | 1 | firejail (0.9.39) baseline; urgency=low |
2 | * development version | 2 | * work in progress! |
3 | * security profiles fixes | 3 | * default seccomp filter update |
4 | * dynamic allocation of noblacklist buffer | 4 | * disable STUN/WebRTC in default netfilter configuration |
5 | * --ip6 option - IPv6 support | 5 | * added --nice option |
6 | * added KMail profile | 6 | * --version also prints compile options |
7 | * build rpm packages using "make rpms" | ||
8 | * new profiles: lxterminal, Epiphany | ||
9 | * bugfixes | ||
10 | -- netblue30 <netblue30@yahoo.com> Tue, 8 Feb 2016 10:00:00 -0500 | ||
11 | |||
12 | firejail (0.9.38) baseline; urgency=low | ||
13 | * IPv6 support (--ip6 and --netfilter6) | ||
7 | * --join command enhancement (--join-network, --join-filesystem) | 14 | * --join command enhancement (--join-network, --join-filesystem) |
15 | * added --user command | ||
16 | * added --disable-network and --disable-userns compile time flags | ||
17 | * Centos 6 support | ||
8 | * symlink invocation | 18 | * symlink invocation |
9 | -- netblue30 <netblue30@yahoo.com> | 19 | * added KMail, Seamonkey, Telegram, Mathematica, uGet, |
20 | * and mupen64plus profiles | ||
21 | * --chroot in user mode allowed only if seccomp support is available | ||
22 | * in current Linux kernel | ||
23 | * deprecated --private-home feature | ||
24 | * the first protocol list installed takes precedence | ||
25 | * --tmpfs option allowed only running as root | ||
26 | * added --private-tmp option | ||
27 | * bugfixes | ||
28 | -- netblue30 <netblue30@yahoo.com> Tue, 2 Feb 2016 10:00:00 -0500 | ||
10 | 29 | ||
11 | firejail (0.9.36) baseline; urgency=low | 30 | firejail (0.9.36) baseline; urgency=low |
12 | * added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat, | 31 | * added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat, |
@@ -1,6 +1,6 @@ | |||
1 | #! /bin/sh | 1 | #! /bin/sh |
2 | # Guess values for system-dependent variables and create Makefiles. | 2 | # Guess values for system-dependent variables and create Makefiles. |
3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.37. | 3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.39. |
4 | # | 4 | # |
5 | # Report bugs to <netblue30@yahoo.com>. | 5 | # Report bugs to <netblue30@yahoo.com>. |
6 | # | 6 | # |
@@ -580,8 +580,8 @@ MAKEFLAGS= | |||
580 | # Identity of this package. | 580 | # Identity of this package. |
581 | PACKAGE_NAME='firejail' | 581 | PACKAGE_NAME='firejail' |
582 | PACKAGE_TARNAME='firejail' | 582 | PACKAGE_TARNAME='firejail' |
583 | PACKAGE_VERSION='0.9.37' | 583 | PACKAGE_VERSION='0.9.39' |
584 | PACKAGE_STRING='firejail 0.9.37' | 584 | PACKAGE_STRING='firejail 0.9.39' |
585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' | 585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' |
586 | PACKAGE_URL='http://firejail.wordpress.com' | 586 | PACKAGE_URL='http://firejail.wordpress.com' |
587 | 587 | ||
@@ -629,6 +629,8 @@ EGREP | |||
629 | GREP | 629 | GREP |
630 | CPP | 630 | CPP |
631 | HAVE_FATAL_WARNINGS | 631 | HAVE_FATAL_WARNINGS |
632 | HAVE_USERNS | ||
633 | HAVE_NETWORK | ||
632 | HAVE_BIND | 634 | HAVE_BIND |
633 | HAVE_CHROOT | 635 | HAVE_CHROOT |
634 | HAVE_SECCOMP | 636 | HAVE_SECCOMP |
@@ -687,6 +689,8 @@ enable_option_checking | |||
687 | enable_seccomp | 689 | enable_seccomp |
688 | enable_chroot | 690 | enable_chroot |
689 | enable_bind | 691 | enable_bind |
692 | enable_network | ||
693 | enable_userns | ||
690 | enable_fatal_warnings | 694 | enable_fatal_warnings |
691 | ' | 695 | ' |
692 | ac_precious_vars='build_alias | 696 | ac_precious_vars='build_alias |
@@ -1238,7 +1242,7 @@ if test "$ac_init_help" = "long"; then | |||
1238 | # Omit some internal or obsolete options to make the list less imposing. | 1242 | # Omit some internal or obsolete options to make the list less imposing. |
1239 | # This message is too long to be a string in the A/UX 3.1 sh. | 1243 | # This message is too long to be a string in the A/UX 3.1 sh. |
1240 | cat <<_ACEOF | 1244 | cat <<_ACEOF |
1241 | \`configure' configures firejail 0.9.37 to adapt to many kinds of systems. | 1245 | \`configure' configures firejail 0.9.39 to adapt to many kinds of systems. |
1242 | 1246 | ||
1243 | Usage: $0 [OPTION]... [VAR=VALUE]... | 1247 | Usage: $0 [OPTION]... [VAR=VALUE]... |
1244 | 1248 | ||
@@ -1299,7 +1303,7 @@ fi | |||
1299 | 1303 | ||
1300 | if test -n "$ac_init_help"; then | 1304 | if test -n "$ac_init_help"; then |
1301 | case $ac_init_help in | 1305 | case $ac_init_help in |
1302 | short | recursive ) echo "Configuration of firejail 0.9.37:";; | 1306 | short | recursive ) echo "Configuration of firejail 0.9.39:";; |
1303 | esac | 1307 | esac |
1304 | cat <<\_ACEOF | 1308 | cat <<\_ACEOF |
1305 | 1309 | ||
@@ -1310,6 +1314,8 @@ Optional Features: | |||
1310 | --disable-seccomp disable seccomp | 1314 | --disable-seccomp disable seccomp |
1311 | --disable-chroot disable chroot | 1315 | --disable-chroot disable chroot |
1312 | --disable-bind disable bind | 1316 | --disable-bind disable bind |
1317 | --disable-network disable network | ||
1318 | --disable-userns disable user namespace | ||
1313 | --enable-fatal-warnings -W -Wall -Werror | 1319 | --enable-fatal-warnings -W -Wall -Werror |
1314 | 1320 | ||
1315 | Some influential environment variables: | 1321 | Some influential environment variables: |
@@ -1389,7 +1395,7 @@ fi | |||
1389 | test -n "$ac_init_help" && exit $ac_status | 1395 | test -n "$ac_init_help" && exit $ac_status |
1390 | if $ac_init_version; then | 1396 | if $ac_init_version; then |
1391 | cat <<\_ACEOF | 1397 | cat <<\_ACEOF |
1392 | firejail configure 0.9.37 | 1398 | firejail configure 0.9.39 |
1393 | generated by GNU Autoconf 2.69 | 1399 | generated by GNU Autoconf 2.69 |
1394 | 1400 | ||
1395 | Copyright (C) 2012 Free Software Foundation, Inc. | 1401 | Copyright (C) 2012 Free Software Foundation, Inc. |
@@ -1691,7 +1697,7 @@ cat >config.log <<_ACEOF | |||
1691 | This file contains any messages produced by compilers while | 1697 | This file contains any messages produced by compilers while |
1692 | running configure, to aid debugging if configure makes a mistake. | 1698 | running configure, to aid debugging if configure makes a mistake. |
1693 | 1699 | ||
1694 | It was created by firejail $as_me 0.9.37, which was | 1700 | It was created by firejail $as_me 0.9.39, which was |
1695 | generated by GNU Autoconf 2.69. Invocation command line was | 1701 | generated by GNU Autoconf 2.69. Invocation command line was |
1696 | 1702 | ||
1697 | $ $0 $@ | 1703 | $ $0 $@ |
@@ -3087,6 +3093,32 @@ if test "x$enable_bind" != "xno"; then : | |||
3087 | 3093 | ||
3088 | fi | 3094 | fi |
3089 | 3095 | ||
3096 | HAVE_NETWORK="" | ||
3097 | # Check whether --enable-network was given. | ||
3098 | if test "${enable_network+set}" = set; then : | ||
3099 | enableval=$enable_network; | ||
3100 | fi | ||
3101 | |||
3102 | if test "x$enable_network" != "xno"; then : | ||
3103 | |||
3104 | HAVE_NETWORK="-DHAVE_NETWORK" | ||
3105 | |||
3106 | |||
3107 | fi | ||
3108 | |||
3109 | HAVE_USERNS="" | ||
3110 | # Check whether --enable-userns was given. | ||
3111 | if test "${enable_userns+set}" = set; then : | ||
3112 | enableval=$enable_userns; | ||
3113 | fi | ||
3114 | |||
3115 | if test "x$enable_userns" != "xno"; then : | ||
3116 | |||
3117 | HAVE_USERNS="-DHAVE_USERNS" | ||
3118 | |||
3119 | |||
3120 | fi | ||
3121 | |||
3090 | HAVE_FATAL_WARNINGS="" | 3122 | HAVE_FATAL_WARNINGS="" |
3091 | # Check whether --enable-fatal_warnings was given. | 3123 | # Check whether --enable-fatal_warnings was given. |
3092 | if test "${enable_fatal_warnings+set}" = set; then : | 3124 | if test "${enable_fatal_warnings+set}" = set; then : |
@@ -3100,6 +3132,7 @@ if test "x$enable_fatal_warnings" = "xyes"; then : | |||
3100 | 3132 | ||
3101 | fi | 3133 | fi |
3102 | 3134 | ||
3135 | |||
3103 | # checking pthread library | 3136 | # checking pthread library |
3104 | 3137 | ||
3105 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5 | 3138 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5 |
@@ -4107,7 +4140,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |||
4107 | # report actual input values of CONFIG_FILES etc. instead of their | 4140 | # report actual input values of CONFIG_FILES etc. instead of their |
4108 | # values after options handling. | 4141 | # values after options handling. |
4109 | ac_log=" | 4142 | ac_log=" |
4110 | This file was extended by firejail $as_me 0.9.37, which was | 4143 | This file was extended by firejail $as_me 0.9.39, which was |
4111 | generated by GNU Autoconf 2.69. Invocation command line was | 4144 | generated by GNU Autoconf 2.69. Invocation command line was |
4112 | 4145 | ||
4113 | CONFIG_FILES = $CONFIG_FILES | 4146 | CONFIG_FILES = $CONFIG_FILES |
@@ -4161,7 +4194,7 @@ _ACEOF | |||
4161 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | 4194 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
4162 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" | 4195 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" |
4163 | ac_cs_version="\\ | 4196 | ac_cs_version="\\ |
4164 | firejail config.status 0.9.37 | 4197 | firejail config.status 0.9.39 |
4165 | configured by $0, generated by GNU Autoconf 2.69, | 4198 | configured by $0, generated by GNU Autoconf 2.69, |
4166 | with options \\"\$ac_cs_config\\" | 4199 | with options \\"\$ac_cs_config\\" |
4167 | 4200 | ||
@@ -4742,6 +4775,8 @@ echo " seccomp: $HAVE_SECCOMP" | |||
4742 | echo " <linux/seccomp.h>: $HAVE_SECCOMP_H" | 4775 | echo " <linux/seccomp.h>: $HAVE_SECCOMP_H" |
4743 | echo " chroot: $HAVE_CHROOT" | 4776 | echo " chroot: $HAVE_CHROOT" |
4744 | echo " bind: $HAVE_BIND" | 4777 | echo " bind: $HAVE_BIND" |
4778 | echo " network: $HAVE_NETWORK" | ||
4779 | echo " user namespace: $HAVE_USERNS" | ||
4745 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" | 4780 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" |
4746 | echo | 4781 | echo |
4747 | 4782 | ||
diff --git a/configure.ac b/configure.ac index 6d7a09bdf..f9d0a3f65 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -1,5 +1,5 @@ | |||
1 | AC_PREREQ([2.68]) | 1 | AC_PREREQ([2.68]) |
2 | AC_INIT(firejail, 0.9.37, netblue30@yahoo.com, , http://firejail.wordpress.com) | 2 | AC_INIT(firejail, 0.9.39, netblue30@yahoo.com, , http://firejail.wordpress.com) |
3 | AC_CONFIG_SRCDIR([src/firejail/main.c]) | 3 | AC_CONFIG_SRCDIR([src/firejail/main.c]) |
4 | #AC_CONFIG_HEADERS([config.h]) | 4 | #AC_CONFIG_HEADERS([config.h]) |
5 | 5 | ||
@@ -33,6 +33,22 @@ AS_IF([test "x$enable_bind" != "xno"], [ | |||
33 | AC_SUBST(HAVE_BIND) | 33 | AC_SUBST(HAVE_BIND) |
34 | ]) | 34 | ]) |
35 | 35 | ||
36 | HAVE_NETWORK="" | ||
37 | AC_ARG_ENABLE([network], | ||
38 | AS_HELP_STRING([--disable-network], [disable network])) | ||
39 | AS_IF([test "x$enable_network" != "xno"], [ | ||
40 | HAVE_NETWORK="-DHAVE_NETWORK" | ||
41 | AC_SUBST(HAVE_NETWORK) | ||
42 | ]) | ||
43 | |||
44 | HAVE_USERNS="" | ||
45 | AC_ARG_ENABLE([userns], | ||
46 | AS_HELP_STRING([--disable-userns], [disable user namespace])) | ||
47 | AS_IF([test "x$enable_userns" != "xno"], [ | ||
48 | HAVE_USERNS="-DHAVE_USERNS" | ||
49 | AC_SUBST(HAVE_USERNS) | ||
50 | ]) | ||
51 | |||
36 | HAVE_FATAL_WARNINGS="" | 52 | HAVE_FATAL_WARNINGS="" |
37 | AC_ARG_ENABLE([fatal_warnings], | 53 | AC_ARG_ENABLE([fatal_warnings], |
38 | AS_HELP_STRING([--enable-fatal-warnings], [-W -Wall -Werror])) | 54 | AS_HELP_STRING([--enable-fatal-warnings], [-W -Wall -Werror])) |
@@ -41,6 +57,7 @@ AS_IF([test "x$enable_fatal_warnings" = "xyes"], [ | |||
41 | AC_SUBST(HAVE_FATAL_WARNINGS) | 57 | AC_SUBST(HAVE_FATAL_WARNINGS) |
42 | ]) | 58 | ]) |
43 | 59 | ||
60 | |||
44 | # checking pthread library | 61 | # checking pthread library |
45 | AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***])) | 62 | AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***])) |
46 | AC_CHECK_HEADER(pthread.h,,AC_MSG_ERROR([*** POSIX thread support not installed ***])) | 63 | AC_CHECK_HEADER(pthread.h,,AC_MSG_ERROR([*** POSIX thread support not installed ***])) |
@@ -62,6 +79,8 @@ echo " seccomp: $HAVE_SECCOMP" | |||
62 | echo " <linux/seccomp.h>: $HAVE_SECCOMP_H" | 79 | echo " <linux/seccomp.h>: $HAVE_SECCOMP_H" |
63 | echo " chroot: $HAVE_CHROOT" | 80 | echo " chroot: $HAVE_CHROOT" |
64 | echo " bind: $HAVE_BIND" | 81 | echo " bind: $HAVE_BIND" |
82 | echo " network: $HAVE_NETWORK" | ||
83 | echo " user namespace: $HAVE_USERNS" | ||
65 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" | 84 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" |
66 | echo | 85 | echo |
67 | 86 | ||
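Review bot: The help text of the two new options, `[disable network]` and `[disable user namespace]`, does not say what the build loses; since both remove sandbox isolation features, something like `[disable network namespace support (--net and related options)]` and `[disable user namespace support (presumably the noroot option)]` helps packagers decide — the code each macro gates is outside this page, so adjust the wording to match. `AC_SUBST(HAVE_NETWORK)` and `AC_SUBST(HAVE_USERNS)` sit inside the AS_IF branches, following the existing HAVE_BIND pattern; AC_SUBST registers the substitution at autoconf time regardless of the shell branch (the generated configure lists both in ac_subst_vars unconditionally), so this works, but placing them after the AS_IF would read less like a conditional substitution. The blank line added at new line 60 has no counterpart in the surrounding file.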
diff --git a/etc/Mathematica.profile b/etc/Mathematica.profile new file mode 100644 index 000000000..d1f4b1de1 --- /dev/null +++ b/etc/Mathematica.profile | |||
@@ -0,0 +1,13 @@ | |||
1 | # Mathematica profile | ||
2 | whitelist ~/.Mathematica | ||
3 | whitelist ~/.Wolfram Research | ||
4 | whitelist ~/Documents/Wolfram Mathematica | ||
5 | include /etc/firejail/whitelist-common.inc | ||
6 | include /etc/firejail/disable-mgmt.inc | ||
7 | include /etc/firejail/disable-secret.inc | ||
8 | include /etc/firejail/disable-common.inc | ||
9 | include /etc/firejail/disable-devel.inc | ||
10 | include /etc/firejail/disable-terminals.inc | ||
11 | caps.drop all | ||
12 | seccomp | ||
13 | noroot | ||
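Review bot: Lines 3 and 4 whitelist paths containing a space (`~/.Wolfram Research`, `~/Documents/Wolfram Mathematica`), which no other profile on this page does; confirm that the profile parser takes the remainder of the line as the path rather than splitting on whitespace, and add a comment such as `# the two paths below contain a space on purpose` once confirmed. The include order also differs from the other profiles in this change, which put `whitelist-common.inc` after the `disable-*.inc` lines (chromium.profile, conkeror.profile); if order matters to the parser, this file should match. Makefile.in installs both `mathematica.profile` and `Mathematica.profile`, two names differing only in case — a short comment in one of them saying why both exist would help.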
diff --git a/etc/audacious.profile b/etc/audacious.profile index fa9cbbc52..f9a48f33c 100644 --- a/etc/audacious.profile +++ b/etc/audacious.profile | |||
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc | |||
3 | include /etc/firejail/disable-secret.inc | 3 | include /etc/firejail/disable-secret.inc |
4 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
6 | include /etc/firejail/disable-terminals.inc | ||
6 | blacklist ${HOME}/.pki/nssdb | 7 | blacklist ${HOME}/.pki/nssdb |
7 | blacklist ${HOME}/.lastpass | 8 | blacklist ${HOME}/.lastpass |
8 | blacklist ${HOME}/.keepassx | 9 | blacklist ${HOME}/.keepassx |
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile index 4cd24fd0a..5eeddb815 100644 --- a/etc/bitlbee.profile +++ b/etc/bitlbee.profile | |||
@@ -3,6 +3,7 @@ noblacklist /sbin | |||
3 | noblacklist /usr/sbin | 3 | noblacklist /usr/sbin |
4 | include /etc/firejail/disable-mgmt.inc | 4 | include /etc/firejail/disable-mgmt.inc |
5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
6 | include /etc/firejail/disable-terminals.inc | ||
6 | protocol unix,inet,inet6 | 7 | protocol unix,inet,inet6 |
7 | private | 8 | private |
8 | private-dev | 9 | private-dev |
diff --git a/etc/chromium.profile b/etc/chromium.profile index 76dc6b234..af2c740a8 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile | |||
@@ -3,6 +3,7 @@ noblacklist ${HOME}/.config/chromium | |||
3 | include /etc/firejail/disable-mgmt.inc | 3 | include /etc/firejail/disable-mgmt.inc |
4 | include /etc/firejail/disable-secret.inc | 4 | include /etc/firejail/disable-secret.inc |
5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
6 | include /etc/firejail/disable-terminals.inc | ||
6 | 7 | ||
7 | # chromium is distributed with a perl script on Arch | 8 | # chromium is distributed with a perl script on Arch |
8 | # include /etc/firejail/disable-devel.inc | 9 | # include /etc/firejail/disable-devel.inc |
@@ -12,4 +13,5 @@ netfilter | |||
12 | whitelist ${DOWNLOADS} | 13 | whitelist ${DOWNLOADS} |
13 | whitelist ~/.config/chromium | 14 | whitelist ~/.config/chromium |
14 | whitelist ~/.cache/chromium | 15 | whitelist ~/.cache/chromium |
16 | whitelist ~/.pki | ||
15 | include /etc/firejail/whitelist-common.inc | 17 | include /etc/firejail/whitelist-common.inc |
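Review bot: `whitelist ~/.pki` at new line 16 exposes the user's NSS shared database (`~/.pki/nssdb`) to the sandbox, a directory the media-player profiles in this same change explicitly blacklist; presumably Chromium needs it for its certificate store, but that trade-off deserves a comment, e.g. `# ~/.pki holds the NSS shared DB (certificates, client keys) backing Chromium's certificate store`. If only read access is needed, a `read-only ~/.pki/nssdb` after the whitelist would narrow the exposure — confirm against how Chromium writes to that database before adding it.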
diff --git a/etc/clementine.profile b/etc/clementine.profile index e84d8f19a..c9c0ca724 100644 --- a/etc/clementine.profile +++ b/etc/clementine.profile | |||
@@ -2,7 +2,9 @@ | |||
2 | include /etc/firejail/disable-mgmt.inc | 2 | include /etc/firejail/disable-mgmt.inc |
3 | include /etc/firejail/disable-secret.inc | 3 | include /etc/firejail/disable-secret.inc |
4 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-terminals.inc | ||
5 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
7 | include /etc/firejail/disable-terminals.inc | ||
6 | blacklist ${HOME}/.pki/nssdb | 8 | blacklist ${HOME}/.pki/nssdb |
7 | blacklist ${HOME}/.lastpass | 9 | blacklist ${HOME}/.lastpass |
8 | blacklist ${HOME}/.keepassx | 10 | blacklist ${HOME}/.keepassx |
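Review bot: `include /etc/firejail/disable-terminals.inc` is added twice in this hunk (new lines 5 and 7), once before and once after `disable-devel.inc`; the second include is redundant and should be dropped so the file matches the other profiles in this change, which include it exactly once after `disable-devel.inc`.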
diff --git a/etc/conkeror.profile b/etc/conkeror.profile index 7c1384523..09f491c61 100644 --- a/etc/conkeror.profile +++ b/etc/conkeror.profile | |||
@@ -3,6 +3,7 @@ noblacklist ${HOME}/.conkeror.mozdev.org | |||
3 | include /etc/firejail/disable-mgmt.inc | 3 | include /etc/firejail/disable-mgmt.inc |
4 | include /etc/firejail/disable-secret.inc | 4 | include /etc/firejail/disable-secret.inc |
5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
6 | include /etc/firejail/disable-terminals.inc | ||
6 | caps.drop all | 7 | caps.drop all |
7 | seccomp | 8 | seccomp |
8 | protocol unix,inet,inet6 | 9 | protocol unix,inet,inet6 |
@@ -21,8 +22,4 @@ whitelist ~/.pentadactyl | |||
21 | whitelist ~/.conkerorrc | 22 | whitelist ~/.conkerorrc |
22 | 23 | ||
23 | # common | 24 | # common |
24 | whitelist ~/.fonts | 25 | include /etc/firejail/whitelist-common.inc |
25 | whitelist ~/.fonts.d | ||
26 | whitelist ~/.fontconfig | ||
27 | whitelist ~/.fonts.conf | ||
28 | whitelist ~/.fonts.conf.d | ||
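Review bot: The five font whitelist lines (`~/.fonts`, `~/.fonts.d`, `~/.fontconfig`, `~/.fonts.conf`, `~/.fonts.conf.d`) are replaced by `include /etc/firejail/whitelist-common.inc`, whose contents are not on this page; confirm the include carries all five entries, otherwise the browser silently loses access to user fonts or font configuration. The retained `# common` comment still describes the include adequately.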
diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile index 0d6e70a4a..35760bf13 100644 --- a/etc/deadbeef.profile +++ b/etc/deadbeef.profile | |||
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc | |||
3 | include /etc/firejail/disable-secret.inc | 3 | include /etc/firejail/disable-secret.inc |
4 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
6 | include /etc/firejail/disable-terminals.inc | ||
6 | blacklist ${HOME}/.pki/nssdb | 7 | blacklist ${HOME}/.pki/nssdb |
7 | blacklist ${HOME}/.lastpass | 8 | blacklist ${HOME}/.lastpass |
8 | blacklist ${HOME}/.keepassx | 9 | blacklist ${HOME}/.keepassx |
diff --git a/etc/deluge.profile b/etc/deluge.profile index 4f76f3666..30e9f91ad 100644 --- a/etc/deluge.profile +++ b/etc/deluge.profile | |||
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc | |||
3 | include /etc/firejail/disable-secret.inc | 3 | include /etc/firejail/disable-secret.inc |
4 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
6 | include /etc/firejail/disable-terminals.inc | ||
6 | blacklist ${HOME}/.pki/nssdb | 7 | blacklist ${HOME}/.pki/nssdb |
7 | blacklist ${HOME}/.lastpass | 8 | blacklist ${HOME}/.lastpass |
8 | blacklist ${HOME}/.keepassx | 9 | blacklist ${HOME}/.keepassx |
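--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -108,13 +108,19 @@ read-only ${HOME}/.csh_files
 # Initialization files that allow arbitrary command execution
 read-only ${HOME}/.mailcap
 read-only ${HOME}/.exrc
+read-only ${HOME}/_exrc
 read-only ${HOME}/.vimrc
+read-only ${HOME}/_vimrc
+read-only ${HOME}/.gvimrc
+read-only ${HOME}/_gvimrc
 read-only ${HOME}/.vim
 read-only ${HOME}/.emacs
 read-only ${HOME}/.tmux.conf
 read-only ${HOME}/.iscreenrc
 read-only ${HOME}/.muttrc
+read-only ${HOME}/.mutt/muttrc
 read-only ${HOME}/.xmonad
+read-only ${HOME}/.xscreensaver
 
 # The user ~/bin directory can override commands such as ls
 read-only ${HOME}/bin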
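Review bot: The new `read-only ${HOME}/.mutt/muttrc` protects only that one file, yet a muttrc routinely pulls in other files from the same directory with `source`, and those stay writable, so a sandboxed process can still plant commands that mutt will execute. Consistent with how `.vim` is handled as a whole directory a few lines up, I would change it to `read-only ${HOME}/.mutt` (the `muttrc` entry then becomes redundant). The `_exrc`/`_vimrc`/`_gvimrc` additions are harmless; a short comment such as `# underscore variants: alternate names some vim builds look for` would save the next reader a lookup, since the Unix defaults are the dotted names.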
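--- a/etc/disable-secret.inc
+++ b/etc/disable-secret.inc
@@ -1,9 +1,9 @@
 # HOME directory
 blacklist ${HOME}/.ssh
-tmpfs ${HOME}/.gnome2_private
 blacklist ${HOME}/.gnome2/keyrings
 blacklist ${HOME}/kde4/share/apps/kwallet
 blacklist ${HOME}/kde/share/apps/kwallet
+blacklist ${HOME}/.local/share/kwalletd
 blacklist ${HOME}/.netrc
 blacklist ${HOME}/.gnupg
 blacklist ${HOME}/*.kdbx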
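Review bot: Dropping `tmpfs ${HOME}/.gnome2_private` removes the only rule that covered that directory, so it is now exposed inside every sandbox that includes this file, and the hunk gives no reason for the removal. If the tmpfs mount itself was the problem, `blacklist ${HOME}/.gnome2_private` keeps the directory hidden the same way the neighbouring keyring and kwallet paths are handled; either way a one-line comment on why tmpfs was dropped would stop someone re-adding it. The new `${HOME}/.local/share/kwalletd` entry is the right companion to the two KDE4 kwallet paths.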
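--- /dev/null
+++ b/etc/disable-terminals.inc
@@ -0,0 +1,6 @@
+# disable terminals running as server
+blacklist ${PATH}/lxterminal
+blacklist ${PATH}/gnome-terminal
+blacklist ${PATH}/gnome-terminal.wrapper
+blacklist ${PATH}/xfce4-terminal
+blacklist ${PATH}/xfce4-terminal.wrapper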
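Review bot: The header comment says what is blocked but not why, and since this file is pulled into most profiles the rationale should live here; I would write `# Terminal emulators that hand new windows to an already-running server process. Launched from inside the sandbox, the window would belong to the unsandboxed server, so the launcher binaries are hidden.` Note that hiding the launcher in `${PATH}` is a convenience guard, not a boundary: whatever channel the server listens on (a socket, D-Bus) stays reachable unless the profile restricts it separately, which none of the profiles in this commit do. Other client/server terminals such as `urxvtc` and `mate-terminal` presumably need entries here too.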
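--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -2,6 +2,10 @@
 noblacklist /sbin
 noblacklist /usr/sbin
 include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-terminals.inc
 private
 private-dev
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open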
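Review bot: The four new includes are ordered common, devel, secret, terminals, whereas every other profile touched by this commit uses secret, common, devel, terminals; aligning the order keeps the profiles diffable against each other (the same applies to unbound.profile). Because `private` on the following line replaces the home directory with an empty one, the `${HOME}` rules from `disable-secret.inc` add nothing here — harmless, but a comment such as `# includes are for the system paths; home is already private` would stop a reader wondering. Pre-existing but in the same rule: `perf_event_open` appears twice in the `seccomp.drop` list.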
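--- a/etc/dropbox.profile
+++ b/etc/dropbox.profile
@@ -2,6 +2,7 @@
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx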
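--- a/etc/empathy.profile
+++ b/etc/empathy.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.wine
 caps.drop all
 seccomp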
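--- /dev/null
+++ b/etc/epiphany.profile
@@ -0,0 +1,16 @@
+# Epiphany browser profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.local/share/epiphany
+whitelist ${HOME}/.config/epiphany
+whitelist ${HOME}/.cache/epiphany
+include /etc/firejail/whitelist-common.inc
+caps.drop all
+seccomp
+protocol unix,inet,inet6
+netfilter
+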
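Review bot: The profile sets no `noroot`, unlike the other new profiles in this commit (mupen64plus, telegram, uget-gtk), and a browser is the profile most exposed to hostile input; I would add `noroot` after `caps.drop all` unless epiphany is known to break under a user namespace, in which case a comment saying so belongs where the line would go. The whitelist set (`${DOWNLOADS}` plus the three epiphany directories and `whitelist-common.inc`) reads correctly. The trailing empty line 16 can be dropped.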
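--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx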
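--- a/etc/fbreader.profile
+++ b/etc/fbreader.profile
@@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx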
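--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -5,6 +5,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.wine
 caps.drop all
 seccomp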
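--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6,netlink
@@ -23,6 +24,7 @@ whitelist ~/.pentadactyl
 whitelist ~/.keysnail.js
 whitelist ~/.config/gnome-mplayer
 whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
 
 # experimental features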
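Review bot: `whitelist ~/.pki` exposes the whole directory, including `~/.pki/nssdb`, the shared NSS database that holds the user's client certificates and private keys — the very path the non-browser profiles in this commit blacklist. As far as I know Firefox keeps its certificate database inside its own profile directory and does not read the shared one, so unless a specific NSS/p11-kit setup needs it this line gives up a secret store for no benefit; if it is needed, narrow it to `whitelist ~/.pki/nssdb` and add `# shared NSS db: client certificates` so the intent is visible. The same line was added to seamonkey.profile and seamonkey-bin.profile, which are byte-identical to each other.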
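--- a/etc/generic.profile
+++ b/etc/generic.profile
@@ -4,6 +4,7 @@
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx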
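--- a/etc/gnome-mplayer.profile
+++ b/etc/gnome-mplayer.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx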
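--- a/etc/google-chrome-beta.profile
+++ b/etc/google-chrome-beta.profile
@@ -3,6 +3,7 @@ noblacklist ${HOME}/.config/google-chrome-beta
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-terminals.inc
 
 # chromium is distributed with a perl script on Arch
 # include /etc/firejail/disable-devel.inc
@@ -12,5 +13,6 @@ netfilter
 whitelist ${DOWNLOADS}
 whitelist ~/.config/google-chrome-beta
 whitelist ~/.cache/google-chrome-beta
+whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
 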
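--- a/etc/google-chrome-unstable.profile
+++ b/etc/google-chrome-unstable.profile
@@ -3,6 +3,7 @@ noblacklist ${HOME}/.config/google-chrome-unstable
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-terminals.inc
 
 # chromium is distributed with a perl script on Arch
 # include /etc/firejail/disable-devel.inc
@@ -12,5 +13,6 @@ netfilter
 whitelist ${DOWNLOADS}
 whitelist ~/.config/google-chrome-unstable
 whitelist ~/.cache/google-chrome-unstable
+whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
 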
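--- a/etc/google-chrome.profile
+++ b/etc/google-chrome.profile
@@ -3,6 +3,7 @@ noblacklist ${HOME}/.config/google-chrome
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-terminals.inc
 
 # chromium is distributed with a perl script on Arch
 # include /etc/firejail/disable-devel.inc
@@ -12,4 +13,5 @@ netfilter
 whitelist ${DOWNLOADS}
 whitelist ~/.config/google-chrome
 whitelist ~/.cache/google-chrome
+whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc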
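Review bot: `whitelist ~/.pki` grants the entire directory when, as far as I know, what Chrome needs is its NSS database at `~/.pki/nssdb` (certificates and client keys); `whitelist ~/.pki/nssdb` keeps the grant to the one path the browser uses. Since the non-browser profiles in this commit carry `blacklist ${HOME}/.pki/nssdb`, a comment such as `# NSS db with client certificates; Chrome needs it` would make the deliberate exposure obvious. The same applies to the beta and unstable variants and to both opera profiles.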
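--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6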
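--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx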
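--- /dev/null
+++ b/etc/lxterminal.profile
@@ -0,0 +1,19 @@
+# lxterminal (LXDE) profile
+
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+blacklist ${HOME}/.pki/nssdb
+blacklist ${HOME}/.lastpass
+blacklist ${HOME}/.keepassx
+blacklist ${HOME}/.password-store
+caps.drop all
+seccomp
+protocol unix,inet,inet6
+netfilter
+
+#noroot - somehow this breaks on Debian Jessie!
+
+# lxterminal is a single-instence program
+# blacklist any existing lxterminal socket in order to force a second process instance
+blacklist /tmp/.lxterminal-socket*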
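Review bot: The `#noroot - somehow this breaks on Debian Jessie!` comment records that something broke but not what, so nobody can tell when it is safe to re-enable; capture the symptom, e.g. `# noroot disabled: lxterminal fails to start under a user namespace on Debian Jessie (<error seen>); retest on newer releases`. The socket blacklist comment should state what it prevents — the sandboxed lxterminal handing its window to an already-running, unsandboxed instance — and "single-instence" is a typo for "single-instance". This profile does not include `disable-terminals.inc`, presumably on purpose since the target is itself a terminal; a one-line comment saying so would pre-empt someone adding it.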
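--- /dev/null
+++ b/etc/mathematica.profile
@@ -0,0 +1,2 @@
+# Mathematica profile
+include /etc/firejail/Mathematica.profile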
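--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6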
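--- /dev/null
+++ b/etc/mupen64plus.profile
@@ -0,0 +1,13 @@
+# mupen64plus profile
+# manually whitelist ROM files
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
+whitelist ${HOME}/.local/share/mupen64plus/
+whitelist ${HOME}/.config/mupen64plus/
+noroot
+caps.drop all
+seccomp
+net none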
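Review bot: The two `whitelist` lines carry trailing slashes while every other whitelist in this commit omits them; harmless if the parser normalises paths, but worth matching the convention. Unlike the other whitelisting profiles here (epiphany, uget-gtk) this one does not include `whitelist-common.inc`, so whatever that file provides (the font directories, judging by the conkeror hunk at the top of this page) is hidden — if the emulator's UI comes up without fonts, that include is the fix, and if the omission is intentional a comment should say so. The header comment would be clearer as `# ROM directories are not whitelisted; add a whitelist line for yours in a local profile`.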
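--- a/etc/opera-beta.profile
+++ b/etc/opera-beta.profile
@@ -4,10 +4,12 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 netfilter
 whitelist ~/.config/opera-beta
 whitelist ${DOWNLOADS}
 whitelist ~/.cache/opera-beta
+whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
 
 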
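--- a/etc/opera.profile
+++ b/etc/opera.profile
@@ -4,10 +4,12 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 netfilter
 whitelist ~/.config/opera
 whitelist ${DOWNLOADS}
 whitelist ~/.cache/opera
+whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
 
 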
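--- a/etc/parole.profile
+++ b/etc/parole.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 private-etc passwd,group,fonts
 private-bin parole,dbus-launch
 blacklist ${HOME}/.pki/nssdb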
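--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.wine
 caps.drop all
 seccomp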
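--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx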
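--- a/etc/quassel.profile
+++ b/etc/quassel.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.wine
 caps.drop all
 seccomp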
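--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx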
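--- a/etc/rtorrent.profile
+++ b/etc/rtorrent.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6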
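--- a/etc/seamonkey-bin.profile
+++ b/etc/seamonkey-bin.profile
@@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6,netlink
@@ -23,6 +24,7 @@ whitelist ~/.pentadactyl
 whitelist ~/.keysnail.js
 whitelist ~/.config/gnome-mplayer
 whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
 
 # experimental features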
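--- a/etc/seamonkey.profile
+++ b/etc/seamonkey.profile
@@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6,netlink
@@ -23,6 +24,7 @@ whitelist ~/.pentadactyl
 whitelist ~/.keysnail.js
 whitelist ~/.config/gnome-mplayer
 whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
 
 # experimental features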
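--- a/etc/server.profile
+++ b/etc/server.profile
@@ -5,5 +5,6 @@ noblacklist /usr/sbin
 include /etc/firejail/disable-mgmt.inc
 private
 private-dev
+private-tmp
 seccomp
 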
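--- a/etc/skype.profile
+++ b/etc/skype.profile
@@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 caps.drop all
 netfilter
 noroot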
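--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -5,6 +5,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 caps.drop all
 netfilter
 noroot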
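--- /dev/null
+++ b/etc/telegram.profile
@@ -0,0 +1,15 @@
+# Telegram profile
+noblacklist ${HOME}/.TelegramDesktop
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
+
+caps.drop all
+seccomp
+protocol unix,inet,inet6
+noroot
+
+whitelist ~/Downloads/Telegram Desktop
+whitelist ~/.TelegramDesktop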
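Review bot: `whitelist ~/Downloads/Telegram Desktop` hard-codes the download directory while the other profiles in this commit use `${DOWNLOADS}` (e.g. `whitelist ${DOWNLOADS}` in epiphany.profile and uget-gtk.profile), so on a system whose XDG download directory is elsewhere the client silently loses its save location; `whitelist ${DOWNLOADS}/Telegram Desktop` keeps the intent. The path also contains a space, so it is worth confirming the profile parser keeps the rest of the line as one argument rather than stopping at `Telegram`. The profile lacks `netfilter`, which the other new networked profiles here (epiphany, uget-gtk) set; if that is deliberate a comment would help.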
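--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx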
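--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx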
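--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx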
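--- /dev/null
+++ b/etc/uget-gtk.profile
@@ -0,0 +1,14 @@
+# uGet profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
+caps.drop all
+seccomp
+protocol unix,inet,inet6
+netfilter
+noroot
+whitelist ${DOWNLOADS}
+whitelist ~/.config/uGet
+include /etc/firejail/whitelist-common.inc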
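--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -2,6 +2,10 @@
 noblacklist /sbin
 noblacklist /usr/sbin
 include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-terminals.inc
 private
 private-dev
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open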
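Review bot: The `seccomp.drop` list on line 11 names `perf_event_open` twice, once after `lookup_dcookie` and again as the last entry. The duplicate is pre-existing and presumably harmless to the resulting filter, but it should be removed while the profile is being edited so the list stays easy to audit against the kernel's syscall table.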
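--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx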
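--- a/etc/weechat.profile
+++ b/etc/weechat.profile
@@ -3,6 +3,7 @@ noblacklist ${HOME}/.weechat
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-terminals.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6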
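--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -4,6 +4,7 @@ whitelist ~/.config/mimeapps.list
 whitelist ~/.icons
 whitelist ~/.config/user-dirs.dirs
 read-only ~/.config/user-dirs.dirs
+whitelist ~/.asoundrc
 
 # fonts
 whitelist ~/.fonts
@@ -12,6 +13,7 @@ whitelist ~/.fontconfig
 whitelist ~/.fonts.conf
 whitelist ~/.fonts.conf.d
 whitelist ~/.config/fontconfig
+whitelist ~/.cache/fontconfig
 
 # gtk
 whitelist ~/.gtkrc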
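Review bot: The new `whitelist ~/.asoundrc` (line 7) exposes the user's ALSA configuration writable to every sandbox that includes this file, whereas the neighbouring `~/.config/user-dirs.dirs` is deliberately followed by `read-only`; unless a sandboxed application is expected to rewrite it, follow that pattern with `read-only ~/.asoundrc` on the next line. The added `whitelist ~/.cache/fontconfig` (line 16) presumably has to stay writable so the font cache can be regenerated, so no such change applies there.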
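--- a/etc/wine.profile
+++ b/etc/wine.profile
@@ -6,6 +6,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 caps.drop all
 netfilter
 noroot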
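--- a/etc/xchat.profile
+++ b/etc/xchat.profile
@@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.wine
 caps.drop all
 seccomp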
diff --git a/install.sh b/install.sh index b3ddf0423..a8a506096 100755 --- a/install.sh +++ b/install.sh | |||
@@ -1,2 +1,2 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/sh |
2 | echo "installing..." | 2 | echo "installing..." |
@@ -1,4 +1,4 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/sh |
2 | 2 | ||
3 | echo "Calculationg SHA256 for all files in /transfer - firejail version $1" | 3 | echo "Calculationg SHA256 for all files in /transfer - firejail version $1" |
4 | 4 | ||
@@ -1,12 +1,12 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/sh |
2 | # based on http://tldp.org/HOWTO/html_single/Debian-Binary-Package-Building-HOWTO/ | 2 | # based on http://tldp.org/HOWTO/html_single/Debian-Binary-Package-Building-HOWTO/ |
3 | # a code archive should already be available | 3 | # a code archive should already be available |
4 | 4 | ||
5 | TOP=`pwd` | 5 | TOP=`pwd` |
6 | CODE_ARCHIVE="$1-$2.tar.bz2" | 6 | CODE_ARCHIVE="$1-$2.tar.bz2" |
7 | CODE_DIR="$1-$2" | 7 | CODE_DIR="$1-$2" |
8 | INSTALL_DIR+="$CODE_DIR/debian" | 8 | INSTALL_DIR="${INSTALL_DIR}${CODE_DIR}/debian" |
9 | DEBIAN_CTRL_DIR+="$CODE_DIR/debian/DEBIAN" | 9 | DEBIAN_CTRL_DIR="${DEBIAN_CTRL_DIR}${CODE_DIR}/debian/DEBIAN" |
10 | 10 | ||
11 | echo "*****************************************" | 11 | echo "*****************************************" |
12 | echo "code archive: $CODE_ARCHIVE" | 12 | echo "code archive: $CODE_ARCHIVE" |
@@ -36,6 +36,8 @@ cp platform/debian/copyright $INSTALL_DIR/usr/share/doc/firejail/. | |||
36 | mkdir -p $DEBIAN_CTRL_DIR | 36 | mkdir -p $DEBIAN_CTRL_DIR |
37 | sed "s/FIREJAILVER/$2/g" platform/debian/control > $DEBIAN_CTRL_DIR/control | 37 | sed "s/FIREJAILVER/$2/g" platform/debian/control > $DEBIAN_CTRL_DIR/control |
38 | 38 | ||
39 | mkdir -p $INSTALL_DIR/usr/share/lintian/overrides/ | ||
40 | cp platform/debian/firejail.lintian-overrides $INSTALL_DIR/usr/share/lintian/overrides/firejail | ||
39 | 41 | ||
40 | cp platform/debian/conffiles $DEBIAN_CTRL_DIR/. | 42 | cp platform/debian/conffiles $DEBIAN_CTRL_DIR/. |
41 | find $INSTALL_DIR -type d | xargs chmod 755 | 43 | find $INSTALL_DIR -type d | xargs chmod 755 |
@@ -1,4 +1,4 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/sh |
2 | rm -fr .etc | 2 | rm -fr .etc |
3 | mkdir .etc | 3 | mkdir .etc |
4 | 4 | ||
@@ -1,4 +1,4 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/sh |
2 | 2 | ||
3 | sed "s/VERSION/$1/g" $2 > $3 | 3 | sed "s/VERSION/$1/g" $2 > $3 |
4 | MONTH=`LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%b` | 4 | MONTH=`LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%b` |
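Review bot: Lines 8–9 of the third hunk translate the bash-only `+=` into POSIX form but keep its append semantics, so an `INSTALL_DIR` or `DEBIAN_CTRL_DIR` already present in the caller's environment is silently prefixed onto the paths that `mkdir -p`, `sed`, `cp` and the later `find … | xargs chmod 755` operate on. That looks like an accident of the original `+=` rather than intent; `INSTALL_DIR="$CODE_DIR/debian"` and `DEBIAN_CTRL_DIR="$CODE_DIR/debian/DEBIAN"` would make the build tree depend only on the script's own arguments. The page shows no file header for this hunk, so it appears to belong to a different script than install.sh (the Debian packaging script). The shebang changes to `#!/bin/sh` across these hunks mean any remaining bashisms outside the shown lines need checking too; the visible `${SOURCE_DATE_EPOCH:-$(date +%s)}` is POSIX and fine.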
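--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -21,6 +21,7 @@
 /etc/firejail/vlc.profile
 /etc/firejail/audacious.profile
 /etc/firejail/clementine.profile
+/etc/firejail/epiphany.profile
 /etc/firejail/gnome-mplayer.profile
 /etc/firejail/rhythmbox.profile
 /etc/firejail/totem.profile
@@ -55,3 +56,12 @@
 /etc/firejail/rtorrent.profile
 /etc/firejail/parole.profile
 /etc/firejail/kmail.profile
+/etc/firejail/seamonkey.profile
+/etc/firejail/seamonkey-bin.profile
+/etc/firejail/telegram.profile
+/etc/firejail/mathematica.profile
+/etc/firejail/Mathematica.profile
+/etc/firejail/uget-gtk.profile
+/etc/firejail/mupen64plus.profile
+/etc/disable-terminals.inc
+/etc/lxterminal.profile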
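Review bot: The last two added entries, `/etc/disable-terminals.inc` (line 66) and `/etc/lxterminal.profile` (line 67), omit the `firejail/` directory that every other entry in this file uses; dpkg-deb should reject a conffiles entry naming a path the package does not ship, so the .deb build would fail rather than protect the intended files on upgrade. They should read `/etc/firejail/disable-terminals.inc` and `/etc/firejail/lxterminal.profile`. Both `mathematica.profile` and `Mathematica.profile` (lines 62–63) are listed; if both files really are installed this is fine, but it is worth confirming, since on a case-insensitive checkout they would collide.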
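--- /dev/null
+++ b/platform/debian/firejail.lintian-overrides
@@ -0,0 +1,2 @@
+# Firejail binary should be setuid
+firejail binary: setuid-binary usr/bin/firejail 4755 root/root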
diff --git a/platform/rpm/firejail.spec b/platform/rpm/firejail.spec index f1bf7ad7b..e365af2d6 100644 --- a/platform/rpm/firejail.spec +++ b/platform/rpm/firejail.spec | |||
@@ -1,5 +1,5 @@ | |||
1 | Name: firejail | 1 | Name: __NAME__ |
2 | Version: 0.9.30 | 2 | Version: __VERSION__ |
3 | Release: 1 | 3 | Release: 1 |
4 | Summary: Linux namepaces sandbox program | 4 | Summary: Linux namepaces sandbox program |
5 | 5 | ||
@@ -19,7 +19,7 @@ using Linux namespaces. It includes a sandbox profile for Mozilla Firefox. | |||
19 | %setup -q | 19 | %setup -q |
20 | 20 | ||
21 | %build | 21 | %build |
22 | %configure | 22 | %configure --disable-userns |
23 | make %{?_smp_mflags} | 23 | make %{?_smp_mflags} |
24 | 24 | ||
25 | %install | 25 | %install |
@@ -29,156 +29,21 @@ rm -rf %{buildroot} | |||
29 | %clean | 29 | %clean |
30 | rm -rf %{buildroot} | 30 | rm -rf %{buildroot} |
31 | 31 | ||
32 | |||
33 | %files | 32 | %files |
34 | %doc | 33 | %doc |
35 | %defattr(-, root, root, -) | 34 | %defattr(-, root, root, -) |
36 | %attr(4755, -, -) %{_bindir}/firejail | 35 | %attr(4755, -, -) %{_bindir}/__NAME__ |
37 | %{_bindir}/firemon | 36 | %{_bindir}/firemon |
38 | %{_libdir}/firejail/ftee | 37 | %{_libdir}/__NAME__/ftee |
39 | %{_libdir}/firejail/fshaper.sh | 38 | %{_libdir}/__NAME__/fshaper.sh |
40 | %{_libdir}/firejail/libtrace.so | 39 | %{_libdir}/__NAME__/libtrace.so |
41 | %{_datarootdir}/bash-completion/completions/firejail | 40 | %{_libdir}/__NAME__/libtracelog.so |
41 | %{_datarootdir}/bash-completion/completions/__NAME__ | ||
42 | %{_datarootdir}/bash-completion/completions/firemon | 42 | %{_datarootdir}/bash-completion/completions/firemon |
43 | %{_docdir}/firejail | 43 | %{_docdir}/__NAME__ |
44 | %{_mandir}/man1/firejail.1.gz | 44 | %{_mandir}/man1/__NAME__.1.gz |
45 | %{_mandir}/man1/firemon.1.gz | 45 | %{_mandir}/man1/firemon.1.gz |
46 | %{_mandir}/man5/firejail-login.5.gz | 46 | %{_mandir}/man5/__NAME__-login.5.gz |
47 | %{_mandir}/man5/firejail-profile.5.gz | 47 | %{_mandir}/man5/__NAME__-profile.5.gz |
48 | %config %{_sysconfdir}/firejail | 48 | %config %{_sysconfdir}/__NAME__ |
49 | |||
50 | %changelog | ||
51 | * Mon Sep 14 2015 netblue30 <netblue30@yahoo.com> 0.9.30-1 | ||
52 | - added a disable-history.inc profile as a result of Firefox PDF.js exploit; | ||
53 | disable-history.inc included in all default profiles | ||
54 | - Firefox PDF.js exploit (CVE-2015-4495) fixes | ||
55 | - added --private-etc option | ||
56 | - added --env option | ||
57 | - added --whitelist option | ||
58 | - support ${HOME} token in include directive in profile files | ||
59 | - --private.keep is transitioned to --private-home | ||
60 | - support ~ and blanks in blacklist option | ||
61 | - support "net none" command in profile files | ||
62 | - using /etc/firejail/generic.profile by default for user sessions | ||
63 | - using /etc/firejail/server.profile by default for root sessions | ||
64 | - added build --enable-fatal-warnings configure option | ||
65 | - added persistence to --overlay option | ||
66 | - added --overlay-tmpfs option | ||
67 | - make install-strip implemented, make install renamed | ||
68 | - bugfixes | ||
69 | |||
70 | * Sat Aug 1 2015 netblue30 <netblue30@yahoo.com> 0.9.28-1 | ||
71 | - network scanning, --scan option | ||
72 | - interface MAC address support, --mac option | ||
73 | - IP address range, --iprange option | ||
74 | - traffic shaping, --bandwidth option | ||
75 | - reworked printing of network status at startup | ||
76 | - man pages rework | ||
77 | - added firejail-login man page | ||
78 | - added GNU Icecat, FileZilla, Pidgin, XChat, Empathy, DeaDBeeF default | ||
79 | profiles | ||
80 | - added an /etc/firejail/disable-common.inc file to hold common directory | ||
81 | blacklists | ||
82 | - blacklist Opera and Chrome/Chromium config directories in profile files | ||
83 | - support noroot option for profile files | ||
84 | - enabled noroot in default profile files | ||
85 | - bugfixes | ||
86 | |||
87 | * Thu Apr 30 2015 netblue30 <netblue30@yahoo.com> 0.9.26-1 | ||
88 | - private dev directory | ||
89 | - private.keep option for whitelisting home files in a new private directory | ||
90 | - user namespaces support, noroot option | ||
91 | - added Deluge and qBittorent profiles | ||
92 | - bugfixes | ||
93 | |||
94 | * Sun Apr 5 2015 netblue30 <netblue30@yahoo.com> 0.9.24-1 | ||
95 | - whitelist and blacklist seccomp filters | ||
96 | - doubledash option | ||
97 | - --shell=none support | ||
98 | - netfilter file support in profile files | ||
99 | - dns server support in profile files | ||
100 | - added --dns.print option | ||
101 | - added default profiles for Audoacious, Clementine, Rhythmbox and Totem. | ||
102 | - added --caps.drop=all in default profiles | ||
103 | - new syscalls in default seccomp filter: sysfs, sysctl, adjtimex, kcmp | ||
104 | - clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init | ||
105 | - Bugfix: using /proc/sys/kernel/pid_max for the max number of pids | ||
106 | - two build patches from Reiner Herman (tickets 11, 12) | ||
107 | - man page patch from Reiner Herman (ticket 13) | ||
108 | - output patch (ticket 15) from sshirokov | ||
109 | |||
110 | * Mon Mar 9 2015 netblue30 <netblue30@yahoo.com> 0.9.22-1 | ||
111 | - Replaced --noip option with --ip=none | ||
112 | - Container stdout logging and log rotation | ||
113 | - Added process_vm_readv, process_vm_writev and mknod to | ||
114 | default seccomp blacklist | ||
115 | - Added CAP_MKNOD to default caps blacklist | ||
116 | - Blacklist and whitelist custom Linux capabilities filters | ||
117 | - macvlan device driver support for --net option | ||
118 | - DNS server support, --dns option | ||
119 | - Netfilter support | ||
120 | - Monitor network statistics, --netstats option | ||
121 | - Added profile for Mozilla Thunderbird/Icedove | ||
122 | - --overlay support for Linux kernels 3.18+ | ||
123 | - Bugfix: preserve .Xauthority file in private mode (test with ssh -X) | ||
124 | - Bugfix: check uid/gid for cgroup | ||
125 | |||
126 | * Fri Feb 6 2015 netblue30 <netblue30@yahoo.com> 0.9.20-1 | ||
127 | - utmp, btmp and wtmp enhancements | ||
128 | - create empty /var/log/wtmp and /var/log/btmp files in sandbox | ||
129 | - generate a new /var/run/utmp file in sandbox | ||
130 | - CPU affinity, --cpu option | ||
131 | - Linux control groups support, --cgroup option | ||
132 | - Opera web browser support | ||
133 | - VLC support | ||
134 | - Added "empty" attribute to seccomp command to remove the default | ||
135 | - syscall list form seccomp blacklist | ||
136 | - Added --nogroups option to disable supplementary groups for regular | ||
137 | - users. root user always runs without supplementary groups. | ||
138 | - firemon enhancements | ||
139 | - display the command that started the sandbox | ||
140 | - added --caps option to display capabilities for all sandboxes | ||
141 | - added --cgroup option to display the control groups for all sandboxes | ||
142 | - added --cpu option to display CPU affinity for all sandboxes | ||
143 | - added --seccomp option to display seccomp setting for all sandboxes | ||
144 | - New compile time options: --disable-chroot, --disable-bind | ||
145 | - bugfixes | ||
146 | |||
147 | * Sat Dec 27 2014 netblue30 <netblue30@yahoo.com> 0.9.18-1 | ||
148 | - Support for tracing system, setuid, setgid, setfsuid, setfsgid syscalls | ||
149 | - Support for tracing setreuid, setregid, setresuid, setresguid syscalls | ||
150 | - Added profiles for transmission-gtk and transmission-qt | ||
151 | - bugfixes | ||
152 | |||
153 | * Tue Nov 4 2014 netblue30 <netblue30@yahoo.com> 0.9.16-1 | ||
154 | - Configurable private home directory | ||
155 | - Configurable default user shell | ||
156 | - Software configuration support for --docdir and DESTDIR | ||
157 | - Profile file support for include, caps, seccomp and private keywords | ||
158 | - Dropbox profile file | ||
159 | - Linux capabilities and seccomp filters enabled by default for Firefox, | ||
160 | Midori, Evince and Dropbox | ||
161 | - bugfixes | ||
162 | |||
163 | * Wed Oct 8 2014 netblue30 <netblue30@yahoo.com> 0.9.14-1 | ||
164 | - Linux capabilities and seccomp filters are automatically enabled in | ||
165 | chroot mode (--chroot option) if the sandbox is started as regular | ||
166 | user | ||
167 | - Added support for user defined seccomp blacklists | ||
168 | - Added syscall trace support | ||
169 | - Added --tmpfs option | ||
170 | - Added --balcklist option | ||
171 | - Added --read-only option | ||
172 | - Added --bind option | ||
173 | - Logging enhancements | ||
174 | - --overlay option was reactivated | ||
175 | - Added firemon support to print the ARP table for each sandbox | ||
176 | - Added firemon support to print the route table for each sandbox | ||
177 | - Added firemon support to print interface information for each sandbox | ||
178 | - bugfixes | ||
179 | |||
180 | * Tue Sep 16 2014 netblue30 <netblue30@yahoo.com> 0.9.12-1 | ||
181 | - Added capabilities support | ||
182 | - Added support for CentOS 7 | ||
183 | - bugfixes | ||
184 | 49 | ||
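Review bot: With `Name: __NAME__` and `Version: __VERSION__` (lines 1–2) and the `__NAME__` paths in `%files`, this spec is no longer something `rpmbuild` or `rpmlint` can consume directly, yet nothing in the file says so; add a leading comment such as `# Template: __NAME__ and __VERSION__ are substituted by platform/rpm/mkrpm.sh` so the placeholders are not mistaken for an error. `%configure --disable-userns` (line 22) is likewise undocumented; a one-line comment on why the RPM build turns off user namespaces would help, since profiles elsewhere in this commit use `noroot`, which presumably relies on that feature, and packagers should know the flag changes runtime behaviour. The `%changelog` section is removed wholesale with only a FIXME in mkrpm.sh; rpmbuild tolerates its absence, but the release history is now gone from the package metadata. Pre-existing but worth fixing while here: the `Summary` on line 4 misspells "namespaces", and `%doc` on line 33 lists no files.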
diff --git a/platform/rpm/mkrpm.sh b/platform/rpm/mkrpm.sh index 3daede84c..e600c6bdd 100755 --- a/platform/rpm/mkrpm.sh +++ b/platform/rpm/mkrpm.sh | |||
@@ -1,296 +1,41 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | # | 2 | # |
3 | # Usage: ./mkrpm.sh | 3 | # Usage: ./platform/rpm/mkrpm.sh firejail <version> |
4 | # ./mkrpm.sh /path/to/firejail-0.9.30.tar.gz | ||
5 | # | 4 | # |
6 | # Script builds rpm in a temporary directory and places the built rpm in the | 5 | # Builds rpms in a temporary directory then places the result in the |
7 | # current working directory. | 6 | # current working directory. |
8 | 7 | ||
8 | name=$1 | ||
9 | version=$2 | ||
9 | 10 | ||
10 | source=$1 | 11 | if [[ ! -f platform/rpm/${name}.spec ]]; then |
11 | 12 | echo error: spec file not found for name \"${name}\" | |
12 | create_tmp_dir() { | ||
13 | tmpdir=$(mktemp -d) | ||
14 | mkdir -p ${tmpdir}/{BUILD,RPMS,SOURCES,SPECS,SRPMS} | ||
15 | } | ||
16 | |||
17 | |||
18 | # copy or download source | ||
19 | if [[ $source ]]; then | ||
20 | |||
21 | # check file exists | ||
22 | if [[ ! -f $source ]]; then | ||
23 | echo "$source does not exist!" | ||
24 | exit 1 | ||
25 | fi | ||
26 | |||
27 | name=$(awk '/Name:/ {print $2}' firejail.spec) | ||
28 | version=$(awk '/Version:/ {print $2}' firejail.spec) | ||
29 | expected_filename="${name}-${version}.tar.gz" | ||
30 | |||
31 | # ensure file name matches spec file expets | ||
32 | if [[ $(basename $source) != $expected_filename ]]; then | ||
33 | echo "source ($source) does not match expected filename ($(basename $expected_filename))" | ||
34 | exit 1 | ||
35 | fi | ||
36 | |||
37 | create_tmp_dir | ||
38 | cp ${source} ${tmpdir}/SOURCES | ||
39 | else | ||
40 | create_tmp_dir | ||
41 | if ! spectool -C ${tmpdir}/SOURCES -g firejail.spec; then | ||
42 | echo "Failed to fetch firejail source code" | ||
43 | exit 1 | 13 | exit 1 |
44 | fi | ||
45 | fi | 14 | fi |
46 | 15 | ||
47 | cp ./firejail.spec "${tmpdir}/SPECS/firejail.spec" | 16 | if [[ -z "${version}" ]]; then |
48 | 17 | echo error: version must be given | |
49 | <<<<<<< HEAD | 18 | exit 1 |
50 | echo "building tar.gz archive" | 19 | fi |
51 | tar -czvf firejail-$VERSION.tar.gz firejail-$VERSION | ||
52 | |||
53 | cp firejail-$VERSION.tar.gz SOURCES/. | ||
54 | |||
55 | echo "building config spec" | ||
56 | cat <<EOF > SPECS/firejail.spec | ||
57 | %define __spec_install_post %{nil} | ||
58 | %define debug_package %{nil} | ||
59 | %define __os_install_post %{_dbpath}/brp-compress | ||
60 | |||
61 | Summary: Linux namepaces sandbox program | ||
62 | Name: firejail | ||
63 | Version: $VERSION | ||
64 | Release: 1 | ||
65 | License: GPL+ | ||
66 | Group: Development/Tools | ||
67 | SOURCE0 : %{name}-%{version}.tar.gz | ||
68 | URL: http://github.com/netblue30/firejail | ||
69 | |||
70 | BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root | ||
71 | |||
72 | %description | ||
73 | Firejail is a SUID sandbox program that reduces the risk of security | ||
74 | breaches by restricting the running environment of untrusted applications | ||
75 | using Linux namespaces. It includes a sandbox profile for Mozilla Firefox. | ||
76 | |||
77 | %prep | ||
78 | %setup -q | ||
79 | |||
80 | %build | ||
81 | |||
82 | %install | ||
83 | rm -rf %{buildroot} | ||
84 | mkdir -p %{buildroot} | ||
85 | |||
86 | cp -a * %{buildroot} | ||
87 | |||
88 | |||
89 | %clean | ||
90 | rm -rf %{buildroot} | ||
91 | |||
92 | |||
93 | %files | ||
94 | %defattr(-,root,root,-) | ||
95 | %config(noreplace) %{_sysconfdir}/%{name}/chromium-browser.profile | ||
96 | %config(noreplace) %{_sysconfdir}/%{name}/chromium.profile | ||
97 | %config(noreplace) %{_sysconfdir}/%{name}/disable-mgmt.inc | ||
98 | %config(noreplace) %{_sysconfdir}/%{name}/disable-secret.inc | ||
99 | %config(noreplace) %{_sysconfdir}/%{name}/dropbox.profile | ||
100 | %config(noreplace) %{_sysconfdir}/%{name}/evince.profile | ||
101 | %config(noreplace) %{_sysconfdir}/%{name}/firefox.profile | ||
102 | %config(noreplace) %{_sysconfdir}/%{name}/icedove.profile | ||
103 | %config(noreplace) %{_sysconfdir}/%{name}/iceweasel.profile | ||
104 | %config(noreplace) %{_sysconfdir}/%{name}/login.users | ||
105 | %config(noreplace) %{_sysconfdir}/%{name}/midori.profile | ||
106 | %config(noreplace) %{_sysconfdir}/%{name}/opera.profile | ||
107 | %config(noreplace) %{_sysconfdir}/%{name}/thunderbird.profile | ||
108 | %config(noreplace) %{_sysconfdir}/%{name}/transmission-gtk.profile | ||
109 | %config(noreplace) %{_sysconfdir}/%{name}/transmission-qt.profile | ||
110 | %config(noreplace) %{_sysconfdir}/%{name}/vlc.profile | ||
111 | %config(noreplace) %{_sysconfdir}/%{name}/audacious.profile | ||
112 | %config(noreplace) %{_sysconfdir}/%{name}/clementine.profile | ||
113 | %config(noreplace) %{_sysconfdir}/%{name}/gnome-mplayer.profile | ||
114 | %config(noreplace) %{_sysconfdir}/%{name}/rhythmbox.profile | ||
115 | %config(noreplace) %{_sysconfdir}/%{name}/totem.profile | ||
116 | %config(noreplace) %{_sysconfdir}/%{name}/deluge.profile | ||
117 | %config(noreplace) %{_sysconfdir}/%{name}/qbittorrent.profile | ||
118 | %config(noreplace) %{_sysconfdir}/%{name}/generic.profile | ||
119 | %config(noreplace) %{_sysconfdir}/%{name}/deadbeef.profile | ||
120 | %config(noreplace) %{_sysconfdir}/%{name}/disable-common.inc | ||
121 | %config(noreplace) %{_sysconfdir}/%{name}/disable-history.inc | ||
122 | %config(noreplace) %{_sysconfdir}/%{name}/empathy.profile | ||
123 | %config(noreplace) %{_sysconfdir}/%{name}/filezilla.profile | ||
124 | %config(noreplace) %{_sysconfdir}/%{name}/icecat.profile | ||
125 | %config(noreplace) %{_sysconfdir}/%{name}/pidgin.profile | ||
126 | %config(noreplace) %{_sysconfdir}/%{name}/quassel.profile | ||
127 | %config(noreplace) %{_sysconfdir}/%{name}/server.profile | ||
128 | %config(noreplace) %{_sysconfdir}/%{name}/xchat.profile | ||
129 | |||
130 | /usr/bin/firejail | ||
131 | /usr/bin/firemon | ||
132 | /usr/lib/firejail/libtrace.so | ||
133 | /usr/lib/firejail/ftee | ||
134 | /usr/lib/firejail/fshaper.sh | ||
135 | /usr/share/doc/packages/firejail/COPYING | ||
136 | /usr/share/doc/packages/firejail/README | ||
137 | /usr/share/doc/packages/firejail/RELNOTES | ||
138 | /usr/share/man/man1/firejail.1.gz | ||
139 | /usr/share/man/man1/firemon.1.gz | ||
140 | /usr/share/man/man5/firejail-profile.5.gz | ||
141 | /usr/share/man/man5/firejail-login.5.gz | ||
142 | /usr/share/bash-completion/completions/firejail | ||
143 | /usr/share/bash-completion/completions/firemon | ||
144 | |||
145 | %post | ||
146 | chmod u+s /usr/bin/firejail | ||
147 | |||
148 | %changelog | ||
149 | * Mon Sep 14 2015 netblue30 <netblue30@yahoo.com> 0.9.30-1 | ||
150 | - added a disable-history.inc profile as a result of Firefox PDF.js exploit; | ||
151 | disable-history.inc included in all default profiles | ||
152 | - Firefox PDF.js exploit (CVE-2015-4495) fixes | ||
153 | - added --private-etc option | ||
154 | - added --env option | ||
155 | - added --whitelist option | ||
156 | - support ${HOME} token in include directive in profile files | ||
157 | - --private.keep is transitioned to --private-home | ||
158 | - support ~ and blanks in blacklist option | ||
159 | - support "net none" command in profile files | ||
160 | - using /etc/firejail/generic.profile by default for user sessions | ||
161 | - using /etc/firejail/server.profile by default for root sessions | ||
162 | - added build --enable-fatal-warnings configure option | ||
163 | - added persistence to --overlay option | ||
164 | - added --overlay-tmpfs option | ||
165 | - make install-strip implemented, make install renamed | ||
166 | - bugfixes | ||
167 | |||
168 | * Sat Aug 1 2015 netblue30 <netblue30@yahoo.com> 0.9.28-1 | ||
169 | - network scanning, --scan option | ||
170 | - interface MAC address support, --mac option | ||
171 | - IP address range, --iprange option | ||
172 | - traffic shaping, --bandwidth option | ||
173 | - reworked printing of network status at startup | ||
174 | - man pages rework | ||
175 | - added firejail-login man page | ||
176 | - added GNU Icecat, FileZilla, Pidgin, XChat, Empathy, DeaDBeeF default | ||
177 | profiles | ||
178 | - added an /etc/firejail/disable-common.inc file to hold common directory | ||
179 | blacklists | ||
180 | - blacklist Opera and Chrome/Chromium config directories in profile files | ||
181 | - support noroot option for profile files | ||
182 | - enabled noroot in default profile files | ||
183 | - bugfixes | ||
184 | |||
185 | * Thu Apr 30 2015 netblue30 <netblue30@yahoo.com> 0.9.26-1 | ||
186 | - private dev directory | ||
187 | - private.keep option for whitelisting home files in a new private directory | ||
188 | - user namespaces support, noroot option | ||
189 | - added Deluge and qBittorent profiles | ||
190 | - bugfixes | ||
191 | |||
192 | * Sun Apr 5 2015 netblue30 <netblue30@yahoo.com> 0.9.24-1 | ||
193 | - whitelist and blacklist seccomp filters | ||
194 | - doubledash option | ||
195 | - --shell=none support | ||
196 | - netfilter file support in profile files | ||
197 | - dns server support in profile files | ||
198 | - added --dns.print option | ||
199 | - added default profiles for Audoacious, Clementine, Rhythmbox and Totem. | ||
200 | - added --caps.drop=all in default profiles | ||
201 | - new syscalls in default seccomp filter: sysfs, sysctl, adjtimex, kcmp | ||
202 | - clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init | ||
203 | - Bugfix: using /proc/sys/kernel/pid_max for the max number of pids | ||
204 | - two build patches from Reiner Herman (tickets 11, 12) | ||
205 | - man page patch from Reiner Herman (ticket 13) | ||
206 | - output patch (ticket 15) from sshirokov | ||
207 | |||
208 | * Mon Mar 9 2015 netblue30 <netblue30@yahoo.com> 0.9.22-1 | ||
209 | - Replaced --noip option with --ip=none | ||
210 | - Container stdout logging and log rotation | ||
211 | - Added process_vm_readv, process_vm_writev and mknod to | ||
212 | default seccomp blacklist | ||
213 | - Added CAP_MKNOD to default caps blacklist | ||
214 | - Blacklist and whitelist custom Linux capabilities filters | ||
215 | - macvlan device driver support for --net option | ||
216 | - DNS server support, --dns option | ||
217 | - Netfilter support | ||
218 | - Monitor network statistics, --netstats option | ||
219 | - Added profile for Mozilla Thunderbird/Icedove | ||
220 | - --overlay support for Linux kernels 3.18+ | ||
221 | - Bugfix: preserve .Xauthority file in private mode (test with ssh -X) | ||
222 | - Bugfix: check uid/gid for cgroup | ||
223 | |||
224 | * Fri Feb 6 2015 netblue30 <netblue30@yahoo.com> 0.9.20-1 | ||
225 | - utmp, btmp and wtmp enhancements | ||
226 | - create empty /var/log/wtmp and /var/log/btmp files in sandbox | ||
227 | - generate a new /var/run/utmp file in sandbox | ||
228 | - CPU affinity, --cpu option | ||
229 | - Linux control groups support, --cgroup option | ||
230 | - Opera web browser support | ||
231 | - VLC support | ||
232 | - Added "empty" attribute to seccomp command to remove the default | ||
233 | - syscall list form seccomp blacklist | ||
234 | - Added --nogroups option to disable supplementary groups for regular | ||
235 | - users. root user always runs without supplementary groups. | ||
236 | - firemon enhancements | ||
237 | - display the command that started the sandbox | ||
238 | - added --caps option to display capabilities for all sandboxes | ||
239 | - added --cgroup option to display the control groups for all sandboxes | ||
240 | - added --cpu option to display CPU affinity for all sandboxes | ||
241 | - added --seccomp option to display seccomp setting for all sandboxes | ||
242 | - New compile time options: --disable-chroot, --disable-bind | ||
243 | - bugfixes | ||
244 | |||
245 | * Sat Dec 27 2014 netblue30 <netblue30@yahoo.com> 0.9.18-1 | ||
246 | - Support for tracing system, setuid, setgid, setfsuid, setfsgid syscalls | ||
247 | - Support for tracing setreuid, setregid, setresuid, setresguid syscalls | ||
248 | - Added profiles for transmission-gtk and transmission-qt | ||
249 | - bugfixes | ||
250 | |||
251 | * Tue Nov 4 2014 netblue30 <netblue30@yahoo.com> 0.9.16-1 | ||
252 | - Configurable private home directory | ||
253 | - Configurable default user shell | ||
254 | - Software configuration support for --docdir and DESTDIR | ||
255 | - Profile file support for include, caps, seccomp and private keywords | ||
256 | - Dropbox profile file | ||
257 | - Linux capabilities and seccomp filters enabled by default for Firefox, | ||
258 | Midori, Evince and Dropbox | ||
259 | - bugfixes | ||
260 | 20 | ||
261 | * Wed Oct 8 2014 netblue30 <netblue30@yahoo.com> 0.9.14-1 | 21 | # Make a temporary directory and arrange to clean up on exit |
262 | - Linux capabilities and seccomp filters are automatically enabled in | 22 | tmpdir=$(mktemp -d) |
263 | chroot mode (--chroot option) if the sandbox is started as regular | 23 | mkdir -p ${tmpdir}/{BUILD,RPMS,SOURCES,SPECS,SRPMS} |
264 | user | 24 | function cleanup { |
265 | - Added support for user defined seccomp blacklists | 25 | rm -rf ${tmpdir} |
266 | - Added syscall trace support | 26 | } |
267 | - Added --tmpfs option | 27 | trap cleanup EXIT |
268 | - Added --balcklist option | ||
269 | - Added --read-only option | ||
270 | - Added --bind option | ||
271 | - Logging enhancements | ||
272 | - --overlay option was reactivated | ||
273 | - Added firemon support to print the ARP table for each sandbox | ||
274 | - Added firemon support to print the route table for each sandbox | ||
275 | - Added firemon support to print interface information for each sandbox | ||
276 | - bugfixes | ||
277 | 28 | ||
278 | * Tue Sep 16 2014 netblue30 <netblue30@yahoo.com> 0.9.12-1 | 29 | # Create the spec file |
279 | - Added capabilities support | 30 | tmp_spec_file=${tmpdir}/SPECS/${name}.spec |
280 | - Added support for CentOS 7 | 31 | sed -e "s/__NAME__/${name}/g" -e "s/__VERSION__/${version}/g" platform/rpm/${name}.spec >${tmp_spec_file} |
281 | - bugfixes | 32 | # FIXME: We could parse RELNOTES and create a %changelog section here |
282 | 33 | ||
283 | EOF | 34 | # Copy the source to build into a tarball |
35 | tar czf ${tmpdir}/SOURCES/${name}-${version}.tar.gz . --transform "s/^./${name}-${version}/" --exclude='.git/*' | ||
284 | 36 | ||
285 | echo "building rpm" | 37 | # Build the files (rpm, debug rpm and source rpm) |
286 | rpmbuild -ba SPECS/firejail.spec | 38 | rpmbuild --quiet --define "_topdir ${tmpdir}" -ba ${tmp_spec_file} |
287 | rpm -qpl RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm | ||
288 | cd .. | ||
289 | rm -f firejail-$VERSION-1.x86_64.rpm | ||
290 | cp rpmbuild/RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm . | ||
291 | ======= | ||
292 | rpmbuild --define "_topdir ${tmpdir}" -ba "${tmpdir}/SPECS/firejail.spec" | ||
293 | >>>>>>> d69c2f8a62fca967460265dedd5afa62592264dd | ||
294 | 39 | ||
295 | cp ${tmpdir}/RPMS/x86_64/firejail-*-1.x86_64.rpm . | 40 | # Copy the results to cwd |
296 | rm -rf "${tmpdir}" | 41 | mv ${tmpdir}/SRPMS/*.rpm ${tmpdir}/RPMS/*/*rpm . |
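Review bot: Nothing stops the script after a failed `rpmbuild` (line 38): the `mv` at line 41 still runs and the script's exit status is whatever `mv` returns, so a broken build can look successful to a calling Makefile. Add `set -e` directly after the shebang (`set -euo pipefail` is fine since the script is bash), which also makes the `sed`, `tar` and `mv` failures fatal. `version` is only checked for being non-empty (line 16) before it is spliced into the `sed` expression at line 31 and the `tar --transform` expression at line 35, where a `/` or `&` would corrupt the substitution; a guard such as `case ${version} in *[!0-9.]*|"") echo error: bad version; exit 1;; esac` keeps both well-formed. The tarball at line 35 is taken from the whole working tree rather than from the repository, so untracked files and previous build products in the checkout end up in the source archive, and `--exclude='.git/*'` presumably still leaves the empty `.git` directory entry; `git archive --prefix=${name}-${version}/ -o ${tmpdir}/SOURCES/${name}-${version}.tar.gz HEAD` would produce a clean archive.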
diff --git a/platform/rpm/old-mkrpm.sh b/platform/rpm/old-mkrpm.sh deleted file mode 100755 index 5775783af..000000000 --- a/platform/rpm/old-mkrpm.sh +++ /dev/null | |||
@@ -1,417 +0,0 @@ | |||
1 | #!/bin/bash | ||
2 | VERSION="0.9.36" | ||
3 | rm -fr ~/rpmbuild | ||
4 | rm -f firejail-$VERSION-1.x86_64.rpm | ||
5 | |||
6 | mkdir -p ~/rpmbuild/{RPMS,SRPMS,BUILD,SOURCES,SPECS,tmp} | ||
7 | cat <<EOF >~/.rpmmacros | ||
8 | %_topdir %(echo $HOME)/rpmbuild | ||
9 | %_tmppath %{_topdir}/tmp | ||
10 | EOF | ||
11 | |||
12 | cd ~/rpmbuild | ||
13 | echo "building directory tree" | ||
14 | |||
15 | mkdir -p firejail-$VERSION/usr/bin | ||
16 | install -m 755 /usr/bin/firejail firejail-$VERSION/usr/bin/. | ||
17 | install -m 755 /usr/bin/firemon firejail-$VERSION/usr/bin/. | ||
18 | |||
19 | mkdir -p firejail-$VERSION/usr/lib/firejail | ||
20 | install -m 644 /usr/lib/firejail/libtrace.so firejail-$VERSION/usr/lib/firejail/. | ||
21 | install -m 644 /usr/lib/firejail/libtracelog.so firejail-$VERSION/usr/lib/firejail/. | ||
22 | install -m 755 /usr/lib/firejail/ftee firejail-$VERSION/usr/lib/firejail/. | ||
23 | install -m 755 /usr/lib/firejail/fshaper.sh firejail-$VERSION/usr/lib/firejail/. | ||
24 | |||
25 | mkdir -p firejail-$VERSION/usr/share/man/man1 | ||
26 | install -m 644 /usr/share/man/man1/firejail.1.gz firejail-$VERSION/usr/share/man/man1/. | ||
27 | install -m 644 /usr/share/man/man1/firemon.1.gz firejail-$VERSION/usr/share/man/man1/. | ||
28 | |||
29 | mkdir -p firejail-$VERSION/usr/share/man/man5 | ||
30 | install -m 644 /usr/share/man/man5/firejail-profile.5.gz firejail-$VERSION/usr/share/man/man5/. | ||
31 | install -m 644 /usr/share/man/man5/firejail-login.5.gz firejail-$VERSION/usr/share/man/man5/. | ||
32 | |||
33 | mkdir -p firejail-$VERSION/usr/share/doc/packages/firejail | ||
34 | install -m 644 /usr/share/doc/firejail/COPYING firejail-$VERSION/usr/share/doc/packages/firejail/. | ||
35 | install -m 644 /usr/share/doc/firejail/README firejail-$VERSION/usr/share/doc/packages/firejail/. | ||
36 | install -m 644 /usr/share/doc/firejail/RELNOTES firejail-$VERSION/usr/share/doc/packages/firejail/. | ||
37 | |||
38 | mkdir -p firejail-$VERSION/etc/firejail | ||
39 | install -m 644 /etc/firejail/xchat.profile firejail-$VERSION/etc/firejail/xchat.profile | ||
40 | install -m 644 /etc/firejail/server.profile firejail-$VERSION/etc/firejail/server.profile | ||
41 | install -m 644 /etc/firejail/quassel.profile firejail-$VERSION/etc/firejail/quassel.profile | ||
42 | install -m 644 /etc/firejail/pidgin.profile firejail-$VERSION/etc/firejail/pidgin.profile | ||
43 | install -m 644 /etc/firejail/icecat.profile firejail-$VERSION/etc/firejail/icecat.profile | ||
44 | install -m 644 /etc/firejail/filezilla.profile firejail-$VERSION/etc/firejail/filezilla.profile | ||
45 | install -m 644 /etc/firejail/chromium-browser.profile firejail-$VERSION/etc/firejail/chromium-browser.profile | ||
46 | install -m 644 /etc/firejail/chromium.profile firejail-$VERSION/etc/firejail/chromium.profile | ||
47 | install -m 644 /etc/firejail/dropbox.profile firejail-$VERSION/etc/firejail/dropbox.profile | ||
48 | install -m 644 /etc/firejail/disable-common.inc firejail-$VERSION/etc/firejail/disable-common.inc | ||
49 | install -m 644 /etc/firejail/disable-secret.inc firejail-$VERSION/etc/firejail/disable-secret.inc | ||
50 | install -m 644 /etc/firejail/disable-mgmt.inc firejail-$VERSION/etc/firejail/disable-mgmt.inc | ||
51 | install -m 644 /etc/firejail/evince.profile firejail-$VERSION/etc/firejail/evince.profile | ||
52 | install -m 644 /etc/firejail/firefox.profile firejail-$VERSION/etc/firejail/firefox.profile | ||
53 | install -m 644 /etc/firejail/icedove.profile firejail-$VERSION/etc/firejail/icedove.profile | ||
54 | install -m 644 /etc/firejail/iceweasel.profile firejail-$VERSION/etc/firejail/iceweasel.profile | ||
55 | install -m 644 /etc/firejail/midori.profile firejail-$VERSION/etc/firejail/midori.profile | ||
56 | install -m 644 /etc/firejail/thunderbird.profile firejail-$VERSION/etc/firejail/thunderbird.profile | ||
57 | install -m 644 /etc/firejail/opera.profile firejail-$VERSION/etc/firejail/opera.profile | ||
58 | install -m 644 /etc/firejail/transmission-gtk.profile firejail-$VERSION/etc/firejail/transmission-gtk.profile | ||
59 | install -m 644 /etc/firejail/transmission-qt.profile firejail-$VERSION/etc/firejail/transmission-qt.profile | ||
60 | install -m 644 /etc/firejail/vlc.profile firejail-$VERSION/etc/firejail/vlc.profile | ||
61 | install -m 644 /etc/firejail/audacious.profile firejail-$VERSION/etc/firejail/audacious.profile | ||
62 | install -m 644 /etc/firejail/clementine.profile firejail-$VERSION/etc/firejail/clementine.profile | ||
63 | install -m 644 /etc/firejail/gnome-mplayer.profile firejail-$VERSION/etc/firejail/gnome-mplayer.profile | ||
64 | install -m 644 /etc/firejail/rhythmbox.profile firejail-$VERSION/etc/firejail/rhythmbox.profile | ||
65 | install -m 644 /etc/firejail/totem.profile firejail-$VERSION/etc/firejail/totem.profile | ||
66 | install -m 644 /etc/firejail/deluge.profile firejail-$VERSION/etc/firejail/deluge.profile | ||
67 | install -m 644 /etc/firejail/qbittorrent.profile firejail-$VERSION/etc/firejail/qbittorrent.profile | ||
68 | install -m 644 /etc/firejail/generic.profile firejail-$VERSION/etc/firejail/generic.profile | ||
69 | install -m 644 /etc/firejail/login.users firejail-$VERSION/etc/firejail/login.users | ||
70 | install -m 644 /etc/firejail/deadbeef.profile firejail-$VERSION/etc/firejail/deadbeef.profile | ||
71 | install -m 644 /etc/firejail/empathy.profile firejail-$VERSION/etc/firejail/empathy.profile | ||
72 | install -m 644 /etc/firejail/fbreader.profile firejail-$VERSION/etc/firejail/fbreader.profile | ||
73 | install -m 644 /etc/firejail/spotify.profile firejail-$VERSION/etc/firejail/spotify.profile | ||
74 | install -m 644 /etc/firejail/google-chrome.profile firejail-$VERSION/etc/firejail/google-chrome.profile | ||
75 | install -m 644 /etc/firejail/skype.profile firejail-$VERSION/etc/firejail/skype.profile | ||
76 | install -m 644 /etc/firejail/steam.profile firejail-$VERSION/etc/firejail/steam.profile | ||
77 | install -m 644 /etc/firejail/wine.profile firejail-$VERSION/etc/firejail/wine.profile | ||
78 | install -m 644 /etc/firejail/disable-devel.inc firejail-$VERSION/etc/firejail/disable-devel.inc | ||
79 | |||
80 | install -m 644 /etc/firejail/bitlbee.profile firejail-$VERSION/etc/firejail/bitlbee.profile | ||
81 | install -m 644 /etc/firejail/conkeror.profile firejail-$VERSION/etc/firejail/conkeror.profile | ||
82 | install -m 644 /etc/firejail/google-chrome-beta.profile firejail-$VERSION/etc/firejail/google-chrome-beta.profile | ||
83 | install -m 644 /etc/firejail/google-chrome-stable.profile firejail-$VERSION/etc/firejail/google-chrome-stable.profile | ||
84 | install -m 644 /etc/firejail/google-chrome-unstable.profile firejail-$VERSION/etc/firejail/google-chrome-unstable.profile | ||
85 | install -m 644 /etc/firejail/hexchat.profile firejail-$VERSION/etc/firejail/hexchat.profile | ||
86 | install -m 644 /etc/firejail/konqueror.profile firejail-$VERSION/etc/firejail/konqueror.profile | ||
87 | install -m 644 /etc/firejail/nolocal.net firejail-$VERSION/etc/firejail/nolocal.net | ||
88 | install -m 644 /etc/firejail/opera-beta.profile firejail-$VERSION/etc/firejail/opera-beta.profile | ||
89 | install -m 644 /etc/firejail/parole.profile firejail-$VERSION/etc/firejail/parole.profile | ||
90 | install -m 644 /etc/firejail/rtorrent.profile firejail-$VERSION/etc/firejail/rtorrent.profile | ||
91 | install -m 644 /etc/firejail/unbound.profile firejail-$VERSION/etc/firejail/unbound.profile | ||
92 | install -m 644 /etc/firejail/webserver.net firejail-$VERSION/etc/firejail/webserver.net | ||
93 | install -m 644 /etc/firejail/weechat-curses.profile firejail-$VERSION/etc/firejail/weechat-curses.profile | ||
94 | install -m 644 /etc/firejail/weechat.profile firejail-$VERSION/etc/firejail/weechat.profile | ||
95 | install -m 644 /etc/firejail/whitelist-common.inc firejail-$VERSION/etc/firejail/whitelist-common.inc | ||
96 | |||
97 | mkdir -p firejail-$VERSION/usr/share/bash-completion/completions | ||
98 | install -m 644 /usr/share/bash-completion/completions/firejail firejail-$VERSION/usr/share/bash-completion/completions/. | ||
99 | install -m 644 /usr/share/bash-completion/completions/firemon firejail-$VERSION/usr/share/bash-completion/completions/. | ||
100 | |||
101 | echo "building tar.gz archive" | ||
102 | tar -czvf firejail-$VERSION.tar.gz firejail-$VERSION | ||
103 | |||
104 | cp firejail-$VERSION.tar.gz SOURCES/. | ||
105 | |||
106 | echo "building config spec" | ||
107 | cat <<EOF > SPECS/firejail.spec | ||
108 | %define __spec_install_post %{nil} | ||
109 | %define debug_package %{nil} | ||
110 | %define __os_install_post %{_dbpath}/brp-compress | ||
111 | |||
112 | Summary: Linux namepaces sandbox program | ||
113 | Name: firejail | ||
114 | Version: $VERSION | ||
115 | Release: 1 | ||
116 | License: GPL+ | ||
117 | Group: Development/Tools | ||
118 | SOURCE0 : %{name}-%{version}.tar.gz | ||
119 | URL: http://firejail.wordpress.com | ||
120 | |||
121 | BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root | ||
122 | |||
123 | %description | ||
124 | Firejail is a SUID sandbox program that reduces the risk of security | ||
125 | breaches by restricting the running environment of untrusted applications | ||
126 | using Linux namespaces. It includes a sandbox profile for Mozilla Firefox. | ||
127 | |||
128 | %prep | ||
129 | %setup -q | ||
130 | |||
131 | %build | ||
132 | |||
133 | %install | ||
134 | rm -rf %{buildroot} | ||
135 | mkdir -p %{buildroot} | ||
136 | |||
137 | cp -a * %{buildroot} | ||
138 | |||
139 | |||
140 | %clean | ||
141 | rm -rf %{buildroot} | ||
142 | |||
143 | |||
144 | %files | ||
145 | %defattr(-,root,root,-) | ||
146 | %config(noreplace) %{_sysconfdir}/%{name}/chromium-browser.profile | ||
147 | %config(noreplace) %{_sysconfdir}/%{name}/chromium.profile | ||
148 | %config(noreplace) %{_sysconfdir}/%{name}/disable-mgmt.inc | ||
149 | %config(noreplace) %{_sysconfdir}/%{name}/disable-secret.inc | ||
150 | %config(noreplace) %{_sysconfdir}/%{name}/dropbox.profile | ||
151 | %config(noreplace) %{_sysconfdir}/%{name}/evince.profile | ||
152 | %config(noreplace) %{_sysconfdir}/%{name}/firefox.profile | ||
153 | %config(noreplace) %{_sysconfdir}/%{name}/icedove.profile | ||
154 | %config(noreplace) %{_sysconfdir}/%{name}/iceweasel.profile | ||
155 | %config(noreplace) %{_sysconfdir}/%{name}/login.users | ||
156 | %config(noreplace) %{_sysconfdir}/%{name}/midori.profile | ||
157 | %config(noreplace) %{_sysconfdir}/%{name}/opera.profile | ||
158 | %config(noreplace) %{_sysconfdir}/%{name}/thunderbird.profile | ||
159 | %config(noreplace) %{_sysconfdir}/%{name}/transmission-gtk.profile | ||
160 | %config(noreplace) %{_sysconfdir}/%{name}/transmission-qt.profile | ||
161 | %config(noreplace) %{_sysconfdir}/%{name}/vlc.profile | ||
162 | %config(noreplace) %{_sysconfdir}/%{name}/audacious.profile | ||
163 | %config(noreplace) %{_sysconfdir}/%{name}/clementine.profile | ||
164 | %config(noreplace) %{_sysconfdir}/%{name}/gnome-mplayer.profile | ||
165 | %config(noreplace) %{_sysconfdir}/%{name}/rhythmbox.profile | ||
166 | %config(noreplace) %{_sysconfdir}/%{name}/totem.profile | ||
167 | %config(noreplace) %{_sysconfdir}/%{name}/deluge.profile | ||
168 | %config(noreplace) %{_sysconfdir}/%{name}/qbittorrent.profile | ||
169 | %config(noreplace) %{_sysconfdir}/%{name}/generic.profile | ||
170 | %config(noreplace) %{_sysconfdir}/%{name}/deadbeef.profile | ||
171 | %config(noreplace) %{_sysconfdir}/%{name}/disable-common.inc | ||
172 | %config(noreplace) %{_sysconfdir}/%{name}/empathy.profile | ||
173 | %config(noreplace) %{_sysconfdir}/%{name}/filezilla.profile | ||
174 | %config(noreplace) %{_sysconfdir}/%{name}/icecat.profile | ||
175 | %config(noreplace) %{_sysconfdir}/%{name}/pidgin.profile | ||
176 | %config(noreplace) %{_sysconfdir}/%{name}/quassel.profile | ||
177 | %config(noreplace) %{_sysconfdir}/%{name}/server.profile | ||
178 | %config(noreplace) %{_sysconfdir}/%{name}/xchat.profile | ||
179 | %config(noreplace) %{_sysconfdir}/%{name}/fbreader.profile | ||
180 | %config(noreplace) %{_sysconfdir}/%{name}/spotify.profile | ||
181 | %config(noreplace) %{_sysconfdir}/%{name}/google-chrome.profile | ||
182 | %config(noreplace) %{_sysconfdir}/%{name}/skype.profile | ||
183 | %config(noreplace) %{_sysconfdir}/%{name}/steam.profile | ||
184 | %config(noreplace) %{_sysconfdir}/%{name}/wine.profile | ||
185 | %config(noreplace) %{_sysconfdir}/%{name}/disable-devel.inc | ||
186 | %config(noreplace) %{_sysconfdir}/%{name}/bitlbee.profile | ||
187 | %config(noreplace) %{_sysconfdir}/%{name}/conkeror.profile | ||
188 | %config(noreplace) %{_sysconfdir}/%{name}/google-chrome-beta.profile | ||
189 | %config(noreplace) %{_sysconfdir}/%{name}/google-chrome-stable.profile | ||
190 | %config(noreplace) %{_sysconfdir}/%{name}/google-chrome-unstable.profile | ||
191 | %config(noreplace) %{_sysconfdir}/%{name}/hexchat.profile | ||
192 | %config(noreplace) %{_sysconfdir}/%{name}/konqueror.profile | ||
193 | %config(noreplace) %{_sysconfdir}/%{name}/nolocal.net | ||
194 | %config(noreplace) %{_sysconfdir}/%{name}/opera-beta.profile | ||
195 | %config(noreplace) %{_sysconfdir}/%{name}/parole.profile | ||
196 | %config(noreplace) %{_sysconfdir}/%{name}/rtorrent.profile | ||
197 | %config(noreplace) %{_sysconfdir}/%{name}/unbound.profile | ||
198 | %config(noreplace) %{_sysconfdir}/%{name}/webserver.net | ||
199 | %config(noreplace) %{_sysconfdir}/%{name}/weechat-curses.profile | ||
200 | %config(noreplace) %{_sysconfdir}/%{name}/weechat.profile | ||
201 | %config(noreplace) %{_sysconfdir}/%{name}/whitelist-common.inc | ||
202 | |||
203 | /usr/bin/firejail | ||
204 | /usr/bin/firemon | ||
205 | /usr/lib/firejail/libtrace.so | ||
206 | /usr/lib/firejail/libtracelog.so | ||
207 | /usr/lib/firejail/ftee | ||
208 | /usr/lib/firejail/fshaper.sh | ||
209 | /usr/share/doc/packages/firejail/COPYING | ||
210 | /usr/share/doc/packages/firejail/README | ||
211 | /usr/share/doc/packages/firejail/RELNOTES | ||
212 | /usr/share/man/man1/firejail.1.gz | ||
213 | /usr/share/man/man1/firemon.1.gz | ||
214 | /usr/share/man/man5/firejail-profile.5.gz | ||
215 | /usr/share/man/man5/firejail-login.5.gz | ||
216 | /usr/share/bash-completion/completions/firejail | ||
217 | /usr/share/bash-completion/completions/firemon | ||
218 | |||
219 | %post | ||
220 | chmod u+s /usr/bin/firejail | ||
221 | |||
222 | %changelog | ||
223 | * Thu Dec 24 2015 netblue30 <netblue30@yahoo.com> 0.9.36-1 | ||
224 | - added unbound, dnscrypt-proxy, BitlBee, HexChat profiles | ||
225 | - added WeeChat, parole and rtorrent profiles | ||
226 | - Google Chrome profile rework | ||
227 | - added google-chrome-stable profile | ||
228 | - added google-chrome-beta profile | ||
229 | - added google-chrome-unstable profile | ||
230 | - Opera profile rework | ||
231 | - added opera-beta profile | ||
232 | - added --noblacklist option | ||
233 | - added --profile-path option | ||
234 | - added --force option | ||
235 | - whitelist command enhancements | ||
236 | - prevent user name enumeration | ||
237 | - added /etc/firejail/nolocal.net network filter | ||
238 | - added /etc/firejail/webserver.net network filter | ||
239 | - blacklisting firejail configuration by default | ||
240 | - allow default gateway configuration for --interface option | ||
241 | - --debug enhancements: --debug-check-filenames | ||
242 | - --debug enhancements:--debug-blacklists | ||
243 | - --debug enhancements: --debug-whitelists | ||
244 | - filesystem log | ||
245 | - libtrace enhancements, tracing opendir call | ||
246 | - added --tracelog option | ||
247 | - added "name" command to profile files | ||
248 | - added "hostname" command to profile files | ||
249 | - added automated feature testing framework | ||
250 | - Debian reproducible build | ||
251 | - bugfixes | ||
252 | |||
253 | * Sat Nov 7 2015 netblue30 <netblue30@yahoo.com> 0.9.34-1 | ||
254 | - added --ignore option | ||
255 | - added --protocol option | ||
256 | - support dual i386/amd64 seccomp filters | ||
257 | - added Google Chrome profile | ||
258 | - added Steam, Skype, Wine and Conkeror profiles | ||
259 | - bugfixes | ||
260 | |||
261 | * Wed Oct 21 2015 netblue30 <netblue30@yahoo.com> 0.9.32-1 | ||
262 | - added --interface option | ||
263 | - added --mtu option | ||
264 | - added --private-bin option | ||
265 | - added --nosound option | ||
266 | - added --hostname option | ||
267 | - added --quiet option | ||
268 | - added seccomp errno support | ||
269 | - added FBReader default profile | ||
270 | - added Spotify default profile | ||
271 | - lots of default security profile changes | ||
272 | - fixed a security problem on multi-user systems | ||
273 | - bugfixes | ||
274 | |||
275 | * Mon Sep 14 2015 netblue30 <netblue30@yahoo.com> 0.9.30-1 | ||
276 | - added a disable-history.inc profile as a result of Firefox PDF.js exploit; | ||
277 | disable-history.inc included in all default profiles | ||
278 | - Firefox PDF.js exploit (CVE-2015-4495) fixes | ||
279 | - added --private-etc option | ||
280 | - added --env option | ||
281 | - added --whitelist option | ||
282 | - support ${HOME} token in include directive in profile files | ||
283 | - --private.keep is transitioned to --private-home | ||
284 | - support ~ and blanks in blacklist option | ||
285 | - support "net none" command in profile files | ||
286 | - using /etc/firejail/generic.profile by default for user sessions | ||
287 | - using /etc/firejail/server.profile by default for root sessions | ||
288 | - added build --enable-fatal-warnings configure option | ||
289 | - added persistence to --overlay option | ||
290 | - added --overlay-tmpfs option | ||
291 | - make install-strip implemented, make install renamed | ||
292 | - bugfixes | ||
293 | |||
294 | * Sat Aug 1 2015 netblue30 <netblue30@yahoo.com> 0.9.28-1 | ||
295 | - network scanning, --scan option | ||
296 | - interface MAC address support, --mac option | ||
297 | - IP address range, --iprange option | ||
298 | - traffic shaping, --bandwidth option | ||
299 | - reworked printing of network status at startup | ||
300 | - man pages rework | ||
301 | - added firejail-login man page | ||
302 | - added GNU Icecat, FileZilla, Pidgin, XChat, Empathy, DeaDBeeF default | ||
303 | profiles | ||
304 | - added an /etc/firejail/disable-common.inc file to hold common directory | ||
305 | blacklists | ||
306 | - blacklist Opera and Chrome/Chromium config directories in profile files | ||
307 | - support noroot option for profile files | ||
308 | - enabled noroot in default profile files | ||
309 | - bugfixes | ||
310 | |||
311 | * Thu Apr 30 2015 netblue30 <netblue30@yahoo.com> 0.9.26-1 | ||
312 | - private dev directory | ||
313 | - private.keep option for whitelisting home files in a new private directory | ||
314 | - user namespaces support, noroot option | ||
315 | - added Deluge and qBittorent profiles | ||
316 | - bugfixes | ||
317 | |||
318 | * Sun Apr 5 2015 netblue30 <netblue30@yahoo.com> 0.9.24-1 | ||
319 | - whitelist and blacklist seccomp filters | ||
320 | - doubledash option | ||
321 | - --shell=none support | ||
322 | - netfilter file support in profile files | ||
323 | - dns server support in profile files | ||
324 | - added --dns.print option | ||
325 | - added default profiles for Audoacious, Clementine, Rhythmbox and Totem. | ||
326 | - added --caps.drop=all in default profiles | ||
327 | - new syscalls in default seccomp filter: sysfs, sysctl, adjtimex, kcmp | ||
328 | - clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init | ||
329 | - Bugfix: using /proc/sys/kernel/pid_max for the max number of pids | ||
330 | - two build patches from Reiner Herman (tickets 11, 12) | ||
331 | - man page patch from Reiner Herman (ticket 13) | ||
332 | - output patch (ticket 15) from sshirokov | ||
333 | |||
334 | * Mon Mar 9 2015 netblue30 <netblue30@yahoo.com> 0.9.22-1 | ||
335 | - Replaced --noip option with --ip=none | ||
336 | - Container stdout logging and log rotation | ||
337 | - Added process_vm_readv, process_vm_writev and mknod to | ||
338 | default seccomp blacklist | ||
339 | - Added CAP_MKNOD to default caps blacklist | ||
340 | - Blacklist and whitelist custom Linux capabilities filters | ||
341 | - macvlan device driver support for --net option | ||
342 | - DNS server support, --dns option | ||
343 | - Netfilter support | ||
344 | - Monitor network statistics, --netstats option | ||
345 | - Added profile for Mozilla Thunderbird/Icedove | ||
346 | - --overlay support for Linux kernels 3.18+ | ||
347 | - Bugfix: preserve .Xauthority file in private mode (test with ssh -X) | ||
348 | - Bugfix: check uid/gid for cgroup | ||
349 | |||
350 | * Fri Feb 6 2015 netblue30 <netblue30@yahoo.com> 0.9.20-1 | ||
351 | - utmp, btmp and wtmp enhancements | ||
352 | - create empty /var/log/wtmp and /var/log/btmp files in sandbox | ||
353 | - generate a new /var/run/utmp file in sandbox | ||
354 | - CPU affinity, --cpu option | ||
355 | - Linux control groups support, --cgroup option | ||
356 | - Opera web browser support | ||
357 | - VLC support | ||
358 | - Added "empty" attribute to seccomp command to remove the default | ||
359 | - syscall list form seccomp blacklist | ||
360 | - Added --nogroups option to disable supplementary groups for regular | ||
361 | - users. root user always runs without supplementary groups. | ||
362 | - firemon enhancements | ||
363 | - display the command that started the sandbox | ||
364 | - added --caps option to display capabilities for all sandboxes | ||
365 | - added --cgroup option to display the control groups for all sandboxes | ||
366 | - added --cpu option to display CPU affinity for all sandboxes | ||
367 | - added --seccomp option to display seccomp setting for all sandboxes | ||
368 | - New compile time options: --disable-chroot, --disable-bind | ||
369 | - bugfixes | ||
370 | |||
371 | * Sat Dec 27 2014 netblue30 <netblue30@yahoo.com> 0.9.18-1 | ||
372 | - Support for tracing system, setuid, setgid, setfsuid, setfsgid syscalls | ||
373 | - Support for tracing setreuid, setregid, setresuid, setresguid syscalls | ||
374 | - Added profiles for transmission-gtk and transmission-qt | ||
375 | - bugfixes | ||
376 | |||
377 | * Tue Nov 4 2014 netblue30 <netblue30@yahoo.com> 0.9.16-1 | ||
378 | - Configurable private home directory | ||
379 | - Configurable default user shell | ||
380 | - Software configuration support for --docdir and DESTDIR | ||
381 | - Profile file support for include, caps, seccomp and private keywords | ||
382 | - Dropbox profile file | ||
383 | - Linux capabilities and seccomp filters enabled by default for Firefox, | ||
384 | Midori, Evince and Dropbox | ||
385 | - bugfixes | ||
386 | |||
387 | * Wed Oct 8 2014 netblue30 <netblue30@yahoo.com> 0.9.14-1 | ||
388 | - Linux capabilities and seccomp filters are automatically enabled in | ||
389 | chroot mode (--chroot option) if the sandbox is started as regular | ||
390 | user | ||
391 | - Added support for user defined seccomp blacklists | ||
392 | - Added syscall trace support | ||
393 | - Added --tmpfs option | ||
394 | - Added --balcklist option | ||
395 | - Added --read-only option | ||
396 | - Added --bind option | ||
397 | - Logging enhancements | ||
398 | - --overlay option was reactivated | ||
399 | - Added firemon support to print the ARP table for each sandbox | ||
400 | - Added firemon support to print the route table for each sandbox | ||
401 | - Added firemon support to print interface information for each sandbox | ||
402 | - bugfixes | ||
403 | |||
404 | * Tue Sep 16 2014 netblue30 <netblue30@yahoo.com> 0.9.12-1 | ||
405 | - Added capabilities support | ||
406 | - Added support for CentOS 7 | ||
407 | - bugfixes | ||
408 | |||
409 | EOF | ||
410 | |||
411 | echo "building rpm" | ||
412 | rpmbuild -ba SPECS/firejail.spec | ||
413 | rpm -qpl RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm | ||
414 | cd .. | ||
415 | rm -f firejail-$VERSION-1.x86_64.rpm | ||
416 | cp rpmbuild/RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm . | ||
417 | |||
diff --git a/seamonkey.profile b/seamonkey.profile deleted file mode 100644 index d21efc7f5..000000000 --- a/seamonkey.profile +++ /dev/null | |||
@@ -1,30 +0,0 @@ | |||
1 | # Firejail profile for Mozilla Firefox (Iceweasel in Debian) | ||
2 | noblacklist ${HOME}/.mozilla | ||
3 | include /etc/firejail/disable-mgmt.inc | ||
4 | include /etc/firejail/disable-secret.inc | ||
5 | include /etc/firejail/disable-common.inc | ||
6 | include /etc/firejail/disable-devel.inc | ||
7 | caps.drop all | ||
8 | seccomp | ||
9 | protocol unix,inet,inet6,netlink | ||
10 | netfilter | ||
11 | tracelog | ||
12 | noroot | ||
13 | whitelist ${DOWNLOADS} | ||
14 | whitelist ~/.mozilla/seamonkey | ||
15 | whitelist ~/.cache/mozilla/seamonkey | ||
16 | whitelist ~/dwhelper | ||
17 | whitelist ~/.zotero | ||
18 | whitelist ~/.lastpass | ||
19 | whitelist ~/.vimperatorrc | ||
20 | whitelist ~/.vimperator | ||
21 | whitelist ~/.pentadactylrc | ||
22 | whitelist ~/.pentadactyl | ||
23 | whitelist ~/.keysnail.js | ||
24 | whitelist ~/.config/gnome-mplayer | ||
25 | whitelist ~/.cache/gnome-mplayer/plugin | ||
26 | include /etc/firejail/whitelist-common.inc | ||
27 | |||
28 | # experimental features | ||
29 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | ||
30 | |||
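--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -12,13 +12,15 @@ HAVE_SECCOMP=@HAVE_SECCOMP@
 HAVE_CHROOT=@HAVE_CHROOT@
 HAVE_BIND=@HAVE_BIND@
 HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+HAVE_NETWORK=@HAVE_NETWORK@
+HAVE_USERNS=@HAVE_USERNS@
 
 
 H_FILE_LIST = $(sort $(wildcard *.[h]))
 C_FILE_LIST = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS = $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_BIND) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 
 %.o : %.c $(H_FILE_LIST)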
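Review bot: The configure-substituted switches `$(HAVE_NETWORK)` and `$(HAVE_USERNS)` added to the `CFLAGS +=` line on new line 23 (presumably `-D` definitions, like the neighbouring `$(HAVE_SECCOMP)`, `$(HAVE_CHROOT)` and `$(HAVE_BIND)`) ride in a variable a user can clobber from the command line, so `make CFLAGS=-O2` silently drops them together with `-fstack-protector-all`, `-D_FORTIFY_SOURCE=2` and `-fPIE`, compiling out the network and user-namespace code paths without any error. Feature selection and hardening flags chosen by configure are not optimisation knobs and should not be overridable this way; putting the `-D` switches in `CPPFLAGS` and the mandatory flags in a non-overridable variable, e.g. `ALL_CFLAGS := -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security $(CFLAGS)`, keeps the build's security properties independent of the user's `CFLAGS`. The `%.o` rule that consumes these flags continues outside the hunk.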
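--- a/src/firejail/arp.c
+++ b/src/firejail/arp.c
@@ -87,7 +87,7 @@ int arp_check(const char *dev, uint32_t destaddr, uint32_t srcaddr) {
 memcpy(hdr.sender_ip, (uint8_t *)&srcaddr, 4);
 memcpy(hdr.target_ip, (uint8_t *)&destaddr, 4);
 
-// buiild ethernet frame
+// build ethernet frame
 uint8_t frame[ETH_FRAME_LEN]; // includes eht header, vlan, and crc
 memset(frame, 0, sizeof(frame));
 frame[0] = frame[1] = frame[2] = frame[3] = frame[4] = frame[5] = 0xff;
@@ -130,7 +130,7 @@ int arp_check(const char *dev, uint32_t destaddr, uint32_t srcaddr) {
 return -1;
 }
 
-// parse the incomming packet
+// parse the incoming packet
 if ((unsigned int) len < 14 + sizeof(ArpHdr))
 continue;
 if (frame[12] != (ETH_P_ARP / 256) || frame[13] != (ETH_P_ARP % 256))
@@ -384,7 +384,7 @@ void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask) {
 uint32_t dst = htonl(dest);
 memcpy(hdr.target_ip, (uint8_t *)&dst, 4);
 
-// buiild ethernet frame
+// build ethernet frame
 uint8_t frame[ETH_FRAME_LEN]; // includes eht header, vlan, and crc
 memset(frame, 0, sizeof(frame));
 frame[0] = frame[1] = frame[2] = frame[3] = frame[4] = frame[5] = 0xff;
@@ -409,7 +409,7 @@ void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask) {
 perror("recvfrom");
 }
 
-// parse the incomming packet
+// parse the incoming packet
 if ((unsigned int) len < 14 + sizeof(ArpHdr))
 continue;
 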
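Review bot: In the `arp_scan` hunk at line 409, `perror("recvfrom")` is followed directly by the closing `}` and then the minimum-length test `if ((unsigned int) len < 14 + sizeof(ArpHdr)) continue;`; if that error branch does not itself `continue`, a failed `recvfrom` leaves `len == -1`, which the cast to `unsigned int` turns into a value large enough to pass the test, so the loop goes on to parse the stale contents of `frame` as if they were a received packet. The corresponding check in `arp_check` (line 134) sits after a `return -1;` path, so the two functions appear to handle the error differently; if that is deliberate a comment at line 409 should say so, otherwise the branch should read `perror("recvfrom"); continue;` or the test should be written as `if (len < 0 || (size_t) len < 14 + sizeof(ArpHdr)) continue;` so a negative length can never be reinterpreted. Both `arp_check` and `arp_scan` begin and end outside these hunks, so the lines between `perror` and the check are not visible here.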
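--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -118,7 +118,7 @@ void shm_create_firejail_dir(void) {
 struct stat s;
 if (stat("/dev/shm/firejail", &s) == -1) {
 /* coverity[toctou] */
-if (mkdir("/dev/shm/firejail", 0777) == -1)
+if (mkdir("/dev/shm/firejail", 0644) == -1)
 errExit("mkdir");
 if (chown("/dev/shm/firejail", 0, 0) == -1)
 errExit("chown");
@@ -271,7 +271,7 @@ void shm_write_bandwidth_file(pid_t pid) {
 return;
 
 errout:
-fprintf(stderr, "Error: cannot write bandwidht file %s\n", fname);
+fprintf(stderr, "Error: cannot write bandwidth file %s\n", fname);
 exit(1);
 }
 
@@ -413,7 +413,7 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
 errExit("asprintf");
 FILE *fp = fopen(fname, "r");
 if (!fp) {
-fprintf(stderr, "Error: cannot read netowk map filel %s\n", fname);
+fprintf(stderr, "Error: cannot read network map file %s\n", fname);
 exit(1);
 }
 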
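Review bot: The new mode `0644` passed to `mkdir` on line 121 has no search (execute) bit, so once the directory is `chown`ed to root on line 123 no unprivileged process can open or stat anything beneath `/dev/shm/firejail` even when it knows the exact file name; only root, which bypasses DAC checks, can still reach the bandwidth files written there. If the intent is to stop other users creating or removing entries while still letting them read the per-sandbox files, the conventional directory mode is `0755`, i.e. `if (mkdir("/dev/shm/firejail", 0755) == -1)`. The mode argument to `mkdir` is also masked by the process umask, so if an exact mode matters it should be applied with an explicit `chmod` after the `mkdir`, next to the existing `chown`. Separately, the `stat` guard on line 119 accepts any pre-existing `/dev/shm/firejail` without confirming it is a directory owned by root, which the coverity TOCTOU annotation on line 120 acknowledges but does not address; `shm_create_firejail_dir` continues outside the hunk.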
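--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -289,10 +289,12 @@ int caps_default_filter(void) {
 else if (arg_debug)
 printf("Drop CAP_SYS_TTY_CONFIG\n");
 
+#ifdef CAP_SYSLOG
 if (prctl(PR_CAPBSET_DROP, CAP_SYSLOG, 0, 0, 0) && arg_debug)
 fprintf(stderr, "Warning: cannot drop CAP_SYSLOG");
 else if (arg_debug)
 printf("Drop CAP_SYSLOG\n");
+#endif
 
 if (prctl(PR_CAPBSET_DROP, CAP_MKNOD, 0, 0, 0) && arg_debug)
 fprintf(stderr, "Warning: cannot drop CAP_MKNOD");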
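Review bot: Wrapping the CAP_SYSLOG drop in `#ifdef CAP_SYSLOG` ties the bounding-set filter to the build host's headers instead of the running kernel: a binary compiled against headers that predate CAP_SYSLOG silently keeps that capability inside the sandbox even on a kernel that enforces it, and nothing warns. The capability number is fixed by the kernel ABI, so supplying the value when the header lacks it keeps the filter complete, `#ifndef CAP_SYSLOG` / `#define CAP_SYSLOG 34` / `#endif` placed before the prctl call, with the drop itself left unconditional. The two warning strings for CAP_SYSLOG also lack the trailing newline that the matching printf has. caps_default_filter continues outside the hunk.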
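--- a/src/firejail/cgroup.c
+++ b/src/firejail/cgroup.c
@@ -64,7 +64,7 @@ void load_cgroup(const char *fname) {
 return;
 }
 errout:
-fprintf(stderr, "Warrning: cannot load control group\n");
+fprintf(stderr, "Warning: cannot load control group\n");
 if (fp)
 fclose(fp);
 }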
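--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -114,6 +114,13 @@ void env_defaults(void) {
 //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] '
 if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0)
 errExit("setenv");
+
+// build the window title and set it
+char *title;
+if (asprintf(&title, "\033]0;firejail %s\007\n", cfg.window_title) == -1)
+errExit("asprintf");
+printf("%s", title);
+free(title);
 }
 
 // parse and store the environment setting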
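Review bot: cfg.window_title is interpolated unfiltered into an OSC title sequence at the asprintf in env_defaults, and the result is written to stdout even when stdout is a pipe or a log rather than a terminal. Where window_title is set is not visible in this diff, but if it derives from the command line or a profile, any control byte in it (ESC, BEL, a string terminator) ends the title early and hands the remainder to the terminal as further escape sequences. The write should be limited to `isatty(STDOUT_FILENO)` and the title reduced to printable characters before it is emitted, which needs <unistd.h> and <ctype.h>; a comment stating where window_title comes from and whether it is trusted would let the next reader judge the filter. env_defaults begins outside the hunk.
```c
	// … unchanged: PROMPT_COMMAND setenv …

	// build the window title and set it; only when stdout is a terminal,
	// and with control bytes dropped so the title cannot smuggle further
	// escape sequences past the OSC terminator
	if (cfg.window_title && isatty(STDOUT_FILENO)) {
		const char *p;
		printf("\033]0;firejail ");
		for (p = cfg.window_title; *p; p++) {
			if (isprint((unsigned char) *p))
				putchar(*p);
		}
		printf("\007\n");
		fflush(stdout);
	}
```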
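--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -22,6 +22,7 @@
 #include "../include/common.h"
 
 // filesystem
+#define RUN_FIREJAIL_BASEDIR "/run"
 #define RUN_FIREJAIL_DIR "/run/firejail"
 #define RUN_NETWORK_LOCK_FILE "/run/firejail/firejail.lock"
 #define RUN_RO_DIR "/run/firejail/firejail.ro.dir"
@@ -49,6 +50,7 @@
 #define RUN_WHITELIST_OPT_DIR "/run/firejail/mnt/orig-opt"
 
 #define RUN_XAUTHORITY_FILE "/run/firejail/mnt/.Xauthority"
+#define RUN_ASOUNDRC_FILE "/run/firejail/mnt/.asoundrc"
 #define RUN_HOSTNAME_FILE "/run/firejail/mnt/hostname"
 #define RUN_HOSTS_FILE "/run/firejail/mnt/hosts"
 #define RUN_RESOLVCONF_FILE "/run/firejail/mnt/resolv.conf"
@@ -122,7 +124,6 @@ typedef struct config_t {
 char *profile_ignore[MAX_PROFILE_IGNORE];
 char *chrootdir; // chroot directory
 char *home_private; // private home directory
-char *home_private_keep; // keep list for private home directory
 char *etc_private_keep; // keep list for private etc directory
 char *bin_private_keep; // keep list for private bin directory
 char *cwd; // current working directory
@@ -157,13 +158,15 @@ typedef struct config_t {
 unsigned rlimit_fsize;
 unsigned rlimit_sigpending;
 
-// cpu affinity and control groups
+// cpu affinity, nice and control groups
 uint32_t cpus;
+int nice;
 char *cgroup;
 
 
 // command line
 char *command_line;
+char *window_title;
 char *command_name;
 char *shell;
 char **original_argv;
@@ -223,12 +226,14 @@ extern int arg_shell_none; // run the program directly without a shell
 extern int arg_private_dev; // private dev directory
 extern int arg_private_etc; // private etc directory
 extern int arg_private_bin; // private bin directory
+extern int arg_private_tmp; // private tmp directory
 extern int arg_scan; // arp-scan all interfaces
 extern int arg_whitelist; // whitelist commad
 extern int arg_nosound; // disable sound
 extern int arg_quiet; // no output for scripting
 extern int arg_join_network; // join only the network namespace
 extern int arg_join_filesystem; // join only the mount namespace
+extern int arg_nice; // nice value configured
 
 extern int parent_to_child_fds[2];
 extern int child_to_parent_fds[2];
@@ -287,6 +292,7 @@ void fs_overlayfs(void);
 // chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf
 void fs_chroot(const char *rootdir);
 int fs_check_chroot_dir(const char *rootdir);
+void fs_private_tmp(void);
 
 // profile.c
 // find and read the profile specified by name from dir directory
@@ -375,16 +381,12 @@ void fs_private_dev(void);
 void fs_private(void);
 // private mode (--private=homedir)
 void fs_private_homedir(void);
-// private mode (--private-home=list)
-void fs_private_home_list(void);
-// check directory list specified by user (--private-home option) - exit if it fails
-void fs_check_home_list(void);
 // check new private home directory (--private= option) - exit if it fails
 void fs_check_private_dir(void);
 
 
 // seccomp.c
-int seccomp_filter_drop(void);
+int seccomp_filter_drop(int enforce_seccomp);
 int seccomp_filter_keep(void);
 void seccomp_set(void);
 void seccomp_print_filter_name(const char *name);
@@ -437,6 +439,7 @@ void check_output(int argc, char **argv);
 // netfilter.c
 void check_netfilter_file(const char *fname);
 void netfilter(const char *fname);
+void netfilter6(const char *fname);
 
 // bandwidth.c
 void shm_create_firejail_dir(void);
@@ -503,5 +506,11 @@ void fs_logger_print_log(pid_t pid);
 // run_symlink.c
 void run_symlink(int argc, char **argv);
 
+// user.c
+void check_user(int argc, char **argv);
+
+// paths.c
+char **build_paths(void);
+
 #endif
 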
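Review bot: The new `int enforce_seccomp` parameter on seccomp_filter_drop is undocumented, and its name implies a mode in which failing to install the syscall filter is tolerated rather than fatal; since this header is where callers learn the contract, the declaration should state what a zero argument means and whether the return value must then be checked, e.g. `// install the drop filter; with enforce_seccomp == 0 an install failure is only reported and the sandbox still starts` adjusted to what seccomp.c actually does (its body is not in this diff). check_user and build_paths are added with only a file name above them, unlike the surrounding declarations; one line each on what is checked or returned would match the rest of the header. If build_paths reads the caller's $PATH, that belongs in its comment, because fs_blacklist now resolves ${PATH} blacklist entries through it and a user-controlled list would decide which directories the profile's blacklist reaches.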
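--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -60,16 +60,30 @@ static void create_empty_file(void) {
 void fs_build_firejail_dir(void) {
 struct stat s;
 
+// CentOS 6 doesn't have /run directory
+if (stat(RUN_FIREJAIL_BASEDIR, &s)) {
+if (arg_debug)
+printf("Creating %s directory\n", RUN_FIREJAIL_BASEDIR);
+/* coverity[toctou] */
+int rv = mkdir(RUN_FIREJAIL_BASEDIR, 0755);
+if (rv == -1)
+errExit("mkdir");
+if (chown(RUN_FIREJAIL_BASEDIR, 0, 0) < 0)
+errExit("chown");
+if (chmod(RUN_FIREJAIL_BASEDIR, 0755) < 0)
+errExit("chmod");
+}
+
 if (stat(RUN_FIREJAIL_DIR, &s)) {
 if (arg_debug)
 printf("Creating %s directory\n", RUN_FIREJAIL_DIR);
 /* coverity[toctou] */
-int rv = mkdir(RUN_FIREJAIL_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+int rv = mkdir(RUN_FIREJAIL_DIR, 0755);
 if (rv == -1)
 errExit("mkdir");
 if (chown(RUN_FIREJAIL_DIR, 0, 0) < 0)
 errExit("chown");
-if (chmod(RUN_FIREJAIL_DIR, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
+if (chmod(RUN_FIREJAIL_DIR, 0755) < 0)
 errExit("chmod");
 }
 else { // check /tmp/firejail directory belongs to root end exit if doesn't!
@@ -102,12 +116,12 @@ void fs_build_mnt_dir(void) {
 if (arg_debug)
 printf("Creating %s directory\n", RUN_MNT_DIR);
 /* coverity[toctou] */
-int rv = mkdir(RUN_MNT_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+int rv = mkdir(RUN_MNT_DIR, 0755);
 if (rv == -1)
 errExit("mkdir");
 if (chown(RUN_MNT_DIR, 0, 0) < 0)
 errExit("chown");
-if (chmod(RUN_MNT_DIR, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
+if (chmod(RUN_MNT_DIR, 0755) < 0)
 errExit("chmod");
 }
 
@@ -136,12 +150,18 @@ void fs_build_cp_command(void) {
 fprintf(stderr, "Error: /bin/cp not found\n");
 exit(1);
 }
+if (is_link(fname)) {
+fprintf(stderr, "Error: invalid /bin/cp file\n");
+exit(1);
+}
 int rv = copy_file(fname, RUN_CP_COMMAND);
 if (rv) {
 fprintf(stderr, "Error: cannot access /bin/cp\n");
 exit(1);
 }
 /* coverity[toctou] */
+if (chown(RUN_CP_COMMAND, 0, 0))
+errExit("chown");
 if (chmod(RUN_CP_COMMAND, 0755))
 errExit("chmod");
 
@@ -181,11 +201,40 @@ static void disable_file(OPERATION op, const char *filename) {
 
 // Resolve all symlinks
 char* fname = realpath(filename, NULL);
-if (fname == NULL) {
+if (fname == NULL && errno != EACCES) {
 if (arg_debug)
 printf("Warning: %s is an invalid file, skipping...\n", filename);
 return;
 }
+if (fname == NULL && errno == EACCES) {
+if (arg_debug)
+printf("Debug: no access to file %s, forcing mount\n", filename);
+// realpath and stat funtions will fail on FUSE filesystems
+// they don't seem to like a uid of 0
+// force mounting
+int rv = mount(RUN_RO_DIR, filename, "none", MS_BIND, "mode=400,gid=0");
+if (rv == 0)
+last_disable = SUCCESSFUL;
+else {
+rv = mount(RUN_RO_FILE, filename, "none", MS_BIND, "mode=400,gid=0");
+if (rv == 0)
+last_disable = SUCCESSFUL;
+}
+if (last_disable == SUCCESSFUL) {
+if (arg_debug)
+printf("Disable %s\n", filename);
+if (op == BLACKLIST_FILE)
+fs_logger2("blacklist", filename);
+else
+fs_logger2("blacklist-nolog", filename);
+}
+else {
+if (arg_debug)
+printf("Warning: %s is an invalid file, skipping...\n", filename);
+}
+
+return;
+}
 
 // if the file is not present, do nothing
 struct stat s;
@@ -411,13 +460,14 @@ void fs_blacklist(void) {
 if (strncmp(ptr, "${PATH}", 7) == 0) {
 char *fname = ptr + 7;
 size_t fname_len = strlen(fname);
-char **path, *paths[] = {"/bin", "/sbin", "/usr/bin", "/usr/sbin", NULL};
-for (path = &paths[0]; *path; path++) {
-char newname[strlen(*path) + fname_len + 1];
-sprintf(newname, "%s%s", *path, fname);
+char **paths = build_paths(); //{"/bin", "/sbin", "/usr/bin", "/usr/sbin", NULL};
+int i = 0;
+while (paths[i] != NULL) {
+char *path = paths[i];
+i++;
+char newname[strlen(path) + fname_len + 1];
+sprintf(newname, "%s%s", path, fname);
 globbing(op, newname, (const char**)noblacklist, noblacklist_c);
-if (last_disable == SUCCESSFUL)
-break;
 }
 }
 else
@@ -575,6 +625,18 @@ void fs_proc_sys_dev_boot(void) {
 if (stat("/dev/port", &s) == 0) {
 disable_file(BLACKLIST_FILE, "/dev/port");
 }
+
+if (getuid() != 0) {
+// disable /dev/kmsg
+if (stat("/dev/kmsg", &s) == 0) {
+disable_file(BLACKLIST_FILE, "/dev/kmsg");
+}
+
+// disable /proc/kmsg
+if (stat("/proc/kmsg", &s) == 0) {
+disable_file(BLACKLIST_FILE, "/proc/kmsg");
+}
+}
 }
 
 // disable firejail configuration in /etc/firejail and in ~/.config/firejail
@@ -693,18 +755,18 @@ void fs_overlayfs(void) {
 char *oroot;
 if(asprintf(&oroot, "%s/oroot", RUN_MNT_DIR) == -1)
 errExit("asprintf");
-if (mkdir(oroot, S_IRWXU | S_IRWXG | S_IRWXO))
+if (mkdir(oroot, 0755))
 errExit("mkdir");
 if (chown(oroot, 0, 0) < 0)
 errExit("chown");
-if (chmod(oroot, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
+if (chmod(oroot, 0755) < 0)
 errExit("chmod");
 
 char *basedir = RUN_MNT_DIR;
 if (arg_overlay_keep) {
 // set base for working and diff directories
 basedir = cfg.overlay_dir;
-if (mkdir(basedir, S_IRWXU | S_IRWXG | S_IRWXO) != 0) {
+if (mkdir(basedir, 0755) != 0) {
 fprintf(stderr, "Error: cannot create overlay directory\n");
 exit(1);
 }
@@ -713,21 +775,21 @@ void fs_overlayfs(void) {
 char *odiff;
 if(asprintf(&odiff, "%s/odiff", basedir) == -1)
 errExit("asprintf");
-if (mkdir(odiff, S_IRWXU | S_IRWXG | S_IRWXO))
+if (mkdir(odiff, 0755))
 errExit("mkdir");
 if (chown(odiff, 0, 0) < 0)
 errExit("chown");
-if (chmod(odiff, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
+if (chmod(odiff, 0755) < 0)
 errExit("chmod");
 
 char *owork;
 if(asprintf(&owork, "%s/owork", basedir) == -1)
 errExit("asprintf");
-if (mkdir(owork, S_IRWXU | S_IRWXG | S_IRWXO))
+if (mkdir(owork, 0755))
 errExit("mkdir");
 if (chown(owork, 0, 0) < 0)
 errExit("chown");
-if (chmod(owork, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
+if (chmod(owork, 0755) < 0)
 errExit("chmod");
 
 // mount overlayfs
@@ -866,7 +928,7 @@ void fs_chroot(const char *rootdir) {
 if (asprintf(&rundir, "%s/run", rootdir) == -1)
 errExit("asprintf");
 if (!is_dir(rundir)) {
-int rv = mkdir(rundir, S_IRWXU | S_IRWXG | S_IRWXO);
+int rv = mkdir(rundir, 0755);
 (void) rv;
 rv = chown(rundir, 0, 0);
 (void) rv;
@@ -880,6 +942,10 @@ void fs_chroot(const char *rootdir) {
 errExit("asprintf");
 if (arg_debug)
 printf("Updating /etc/resolv.conf in %s\n", fname);
+if (is_link(fname)) {
+fprintf(stderr, "Error: invalid %s file\n", fname);
+exit(1);
+}
 if (copy_file("/etc/resolv.conf", fname) == -1)
 fprintf(stderr, "Warning: /etc/resolv.conf not initialized\n");
 
@@ -908,4 +974,11 @@ void fs_chroot(const char *rootdir) {
 }
 #endif
 
+void fs_private_tmp(void) {
+// mount tmpfs on top of /run/firejail/mnt
+if (arg_debug)
+printf("Mounting tmpfs on /tmp directory\n");
+if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0)
+errExit("mounting /tmp/firejail/mnt");
+}
 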
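Review bot: The new is_link check before copy_file in fs_chroot is a path-based check followed by a path-based write inside a directory the invoking user controls (rootdir comes from --chroot), so it is a TOCTOU: between the lstat in is_link and the open inside copy_file the user can replace `rootdir/etc/resolv.conf` with a symlink, or where fs.protected_hardlinks is off a hard link, to a root-owned file, and copy_file then overwrites that file with root privileges, unless fs_check_chroot_dir already rejects user-owned trees, which is not visible here. The robust form opens the destination once with O_NOFOLLOW, validates the descriptor with fstat (S_ISREG and st_nlink == 1) before anything is truncated, and copies into that descriptor, which means a descriptor-taking variant of copy_file; the same is_link-then-copy_file sequence is added in fs_build_cp_command here and in fs_home.c, and the cp case is only safe because /bin is root-owned. Separately, the comment and errExit string in fs_private_tmp still say /run/firejail/mnt and /tmp/firejail/mnt although the mount target is /tmp; `errExit("mounting /tmp")` and `// mount tmpfs on top of /tmp` would describe the code. fs_chroot begins outside the hunk.
```c
	if (arg_debug)
		printf("Updating /etc/resolv.conf in %s\n", fname);
	// open the target by descriptor: O_NOFOLLOW rejects a symlink swapped in
	// after any path check, and the fstat catches a hard link to a file
	// outside the chroot before the file is truncated
	int fd = open(fname, O_WRONLY | O_CREAT | O_NOFOLLOW, 0644);
	struct stat st;
	if (fd == -1 || fstat(fd, &st) == -1 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
		fprintf(stderr, "Error: invalid %s file\n", fname);
		exit(1);
	}
	/* … copy /etc/resolv.conf into fd with a descriptor-based copy, then close(fd) … */
```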
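--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -169,7 +169,7 @@ void fs_private_bin_list(void) {
 
 // create /tmp/firejail/mnt/bin directory
 fs_build_mnt_dir();
-int rv = mkdir(RUN_BIN_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+int rv = mkdir(RUN_BIN_DIR, 0755);
 if (rv == -1)
 errExit("mkdir");
 if (chown(RUN_BIN_DIR, 0, 0) < 0)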
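--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -105,7 +105,7 @@ void fs_private_dev(void){
 }
 
 // mount tmpfs on top of /dev
-if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0)
+if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
 errExit("mounting /dev");
 fs_logger("mount tmpfs on /dev");
 
@@ -139,12 +139,12 @@ void fs_private_dev(void){
 // create /dev/shm
 if (arg_debug)
 printf("Create /dev/shm directory\n");
-rv = mkdir("/dev/shm", 0777);
+rv = mkdir("/dev/shm", 01777);
 if (rv == -1)
 errExit("mkdir");
 if (chown("/dev/shm", 0, 0) < 0)
 errExit("chown");
-if (chmod("/dev/shm", 0777) < 0)
+if (chmod("/dev/shm", 01777) < 0)
 errExit("chmod");
 fs_logger("mkdir /dev/shm");
 
@@ -201,7 +201,7 @@ void fs_dev_shm(void) {
 if (is_dir("/dev/shm")) {
 if (arg_debug)
 printf("Mounting tmpfs on /dev/shm\n");
-if (mount("tmpfs", "/dev/shm", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0)
+if (mount("tmpfs", "/dev/shm", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0)
 errExit("mounting /dev/shm");
 fs_logger("mount tmpfs on /dev/shm");
 }
@@ -210,16 +210,16 @@ void fs_dev_shm(void) {
 if (lnk) {
 if (!is_dir(lnk)) {
 // create directory
-if (mkdir(lnk, 0777))
+if (mkdir(lnk, 01777))
 errExit("mkdir");
 if (chown(lnk, 0, 0))
 errExit("chown");
-if (chmod(lnk, 0777))
+if (chmod(lnk, 01777))
 errExit("chmod");
 }
 if (arg_debug)
 printf("Mounting tmpfs on %s on behalf of /dev/shm\n", lnk);
-if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0)
+if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0)
 errExit("mounting /var/tmp");
 fs_logger3("mount tmpfs on", lnk, "on behalf of /dev/shm");
 free(lnk);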
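Review bot: Both tmpfs mounts in fs_dev_shm become sticky world-writable (mode=1777) but still lack MS_NODEV, so device nodes are honoured on a filesystem every sandboxed process can write to; CAP_MKNOD is dropped in caps.c, but the mount flag is free and holds even when the capability filter is not applied, `MS_NOSUID | MS_NODEV | MS_STRICTATIME` on the two /dev/shm mounts (the tmpfs on /dev itself must keep device nodes, so it stays as is). MS_NOEXEC is worth considering there too, with the caveat that some programs map shared memory executable. MS_REC has no effect on a fresh tmpfs mount and only obscures intent. The errExit on the link branch reports `mounting /var/tmp` although the target is lnk; `errExit("mounting /dev/shm")` would name the right path. fs_dev_shm continues past the hunk.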
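--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -113,7 +113,7 @@ void fs_private_etc_list(void) {
 
 // create /tmp/firejail/mnt/etc directory
 fs_build_mnt_dir();
-int rv = mkdir(RUN_ETC_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+int rv = mkdir(RUN_ETC_DIR, 0755);
 if (rv == -1)
 errExit("mkdir");
 if (chown(RUN_ETC_DIR, 0, 0) < 0)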
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index ba62b788a..2bfabbe89 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -41,6 +41,10 @@ static void skel(const char *homedir, uid_t u, gid_t g) { | |||
41 | if (stat(fname, &s) == 0) | 41 | if (stat(fname, &s) == 0) |
42 | return; | 42 | return; |
43 | if (stat("/etc/skel/.zshrc", &s) == 0) { | 43 | if (stat("/etc/skel/.zshrc", &s) == 0) { |
44 | if (is_link("/etc/skel/.zshrc")) { | ||
45 | fprintf(stderr, "Error: invalid /etc/skel/.zshrc file\n"); | ||
46 | exit(1); | ||
47 | } | ||
44 | if (copy_file("/etc/skel/.zshrc", fname) == 0) { | 48 | if (copy_file("/etc/skel/.zshrc", fname) == 0) { |
45 | if (chown(fname, u, g) == -1) | 49 | if (chown(fname, u, g) == -1) |
46 | errExit("chown"); | 50 | errExit("chown"); |
@@ -71,6 +75,10 @@ static void skel(const char *homedir, uid_t u, gid_t g) { | |||
71 | if (stat(fname, &s) == 0) | 75 | if (stat(fname, &s) == 0) |
72 | return; | 76 | return; |
73 | if (stat("/etc/skel/.cshrc", &s) == 0) { | 77 | if (stat("/etc/skel/.cshrc", &s) == 0) { |
78 | if (is_link("/etc/skel/.cshrc")) { | ||
79 | fprintf(stderr, "Error: invalid /etc/skel/.cshrc file\n"); | ||
80 | exit(1); | ||
81 | } | ||
74 | if (copy_file("/etc/skel/.cshrc", fname) == 0) { | 82 | if (copy_file("/etc/skel/.cshrc", fname) == 0) { |
75 | if (chown(fname, u, g) == -1) | 83 | if (chown(fname, u, g) == -1) |
76 | errExit("chown"); | 84 | errExit("chown"); |
@@ -102,6 +110,10 @@ static void skel(const char *homedir, uid_t u, gid_t g) { | |||
102 | if (stat(fname, &s) == 0) | 110 | if (stat(fname, &s) == 0) |
103 | return; | 111 | return; |
104 | if (stat("/etc/skel/.bashrc", &s) == 0) { | 112 | if (stat("/etc/skel/.bashrc", &s) == 0) { |
113 | if (is_link("/etc/skel/.bashrc")) { | ||
114 | fprintf(stderr, "Error: invalid /etc/skel/.bashrc file\n"); | ||
115 | exit(1); | ||
116 | } | ||
105 | if (copy_file("/etc/skel/.bashrc", fname) == 0) { | 117 | if (copy_file("/etc/skel/.bashrc", fname) == 0) { |
106 | /* coverity[toctou] */ | 118 | /* coverity[toctou] */ |
107 | if (chown(fname, u, g) == -1) | 119 | if (chown(fname, u, g) == -1) |
@@ -123,7 +135,12 @@ static int store_xauthority(void) { | |||
123 | errExit("asprintf"); | 135 | errExit("asprintf"); |
124 | 136 | ||
125 | struct stat s; | 137 | struct stat s; |
126 | if (stat(src, &s) == 0) { | 138 | if (stat(src, &s) == 0) { |
139 | if (is_link(src)) { | ||
140 | fprintf(stderr, "Error: invalid .Xauthority file\n"); | ||
141 | exit(1); | ||
142 | } | ||
143 | |||
127 | int rv = copy_file(src, dest); | 144 | int rv = copy_file(src, dest); |
128 | if (rv) { | 145 | if (rv) { |
129 | fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n"); | 146 | fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n"); |
@@ -135,6 +152,33 @@ static int store_xauthority(void) { | |||
135 | return 0; | 152 | return 0; |
136 | } | 153 | } |
137 | 154 | ||
155 | static int store_asoundrc(void) { | ||
156 | // put a copy of .Xauthority in XAUTHORITY_FILE | ||
157 | fs_build_mnt_dir(); | ||
158 | |||
159 | char *src; | ||
160 | char *dest = RUN_ASOUNDRC_FILE; | ||
161 | if (asprintf(&src, "%s/.asoundrc", cfg.homedir) == -1) | ||
162 | errExit("asprintf"); | ||
163 | |||
164 | struct stat s; | ||
165 | if (stat(src, &s) == 0) { | ||
166 | if (is_link(src)) { | ||
167 | fprintf(stderr, "Error: invalid .asoundrc file\n"); | ||
168 | exit(1); | ||
169 | } | ||
170 | |||
171 | int rv = copy_file(src, dest); | ||
172 | if (rv) { | ||
173 | fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n"); | ||
174 | return 0; | ||
175 | } | ||
176 | return 1; // file copied | ||
177 | } | ||
178 | |||
179 | return 0; | ||
180 | } | ||
181 | |||
138 | static void copy_xauthority(void) { | 182 | static void copy_xauthority(void) { |
139 | // copy XAUTHORITY_FILE in the new home directory | 183 | // copy XAUTHORITY_FILE in the new home directory |
140 | char *src = RUN_XAUTHORITY_FILE ; | 184 | char *src = RUN_XAUTHORITY_FILE ; |
@@ -144,13 +188,38 @@ static void copy_xauthority(void) { | |||
144 | int rv = copy_file(src, dest); | 188 | int rv = copy_file(src, dest); |
145 | if (rv) | 189 | if (rv) |
146 | fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n"); | 190 | fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n"); |
147 | fs_logger2("clone", dest); | 191 | else { |
192 | fs_logger2("clone", dest); | ||
193 | |||
194 | // set permissions and ownership | ||
195 | if (chown(dest, getuid(), getgid()) < 0) | ||
196 | errExit("chown"); | ||
197 | if (chmod(dest, S_IRUSR | S_IWUSR) < 0) | ||
198 | errExit("chmod"); | ||
199 | } | ||
200 | |||
201 | // delete the temporary file | ||
202 | unlink(src); | ||
203 | } | ||
148 | 204 | ||
149 | // set permissions and ownership | 205 | static void copy_asoundrc(void) { |
150 | if (chown(dest, getuid(), getgid()) < 0) | 206 | // copy XAUTHORITY_FILE in the new home directory |
151 | errExit("chown"); | 207 | char *src = RUN_ASOUNDRC_FILE ; |
152 | if (chmod(dest, S_IRUSR | S_IWUSR) < 0) | 208 | char *dest; |
153 | errExit("chmod"); | 209 | if (asprintf(&dest, "%s/.asoundrc", cfg.homedir) == -1) |
210 | errExit("asprintf"); | ||
211 | int rv = copy_file(src, dest); | ||
212 | if (rv) | ||
213 | fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n"); | ||
214 | else { | ||
215 | fs_logger2("clone", dest); | ||
216 | |||
217 | // set permissions and ownership | ||
218 | if (chown(dest, getuid(), getgid()) < 0) | ||
219 | errExit("chown"); | ||
220 | if (chmod(dest, S_IRUSR | S_IWUSR) < 0) | ||
221 | errExit("chmod"); | ||
222 | } | ||
154 | 223 | ||
155 | // delete the temporary file | 224 | // delete the temporary file |
156 | unlink(src); | 225 | unlink(src); |
@@ -168,6 +237,7 @@ void fs_private_homedir(void) { | |||
168 | assert(private_homedir); | 237 | assert(private_homedir); |
169 | 238 | ||
170 | int xflag = store_xauthority(); | 239 | int xflag = store_xauthority(); |
240 | int aflag = store_asoundrc(); | ||
171 | 241 | ||
172 | uid_t u = getuid(); | 242 | uid_t u = getuid(); |
173 | gid_t g = getgid(); | 243 | gid_t g = getgid(); |
@@ -211,6 +281,8 @@ void fs_private_homedir(void) { | |||
211 | skel(homedir, u, g); | 281 | skel(homedir, u, g); |
212 | if (xflag) | 282 | if (xflag) |
213 | copy_xauthority(); | 283 | copy_xauthority(); |
284 | if (aflag) | ||
285 | copy_asoundrc(); | ||
214 | } | 286 | } |
215 | 287 | ||
216 | // private mode (--private): | 288 | // private mode (--private): |
@@ -225,6 +297,7 @@ void fs_private(void) { | |||
225 | gid_t g = getgid(); | 297 | gid_t g = getgid(); |
226 | 298 | ||
227 | int xflag = store_xauthority(); | 299 | int xflag = store_xauthority(); |
300 | int aflag = store_asoundrc(); | ||
228 | 301 | ||
229 | // mask /home | 302 | // mask /home |
230 | if (arg_debug) | 303 | if (arg_debug) |
@@ -258,76 +331,10 @@ void fs_private(void) { | |||
258 | skel(homedir, u, g); | 331 | skel(homedir, u, g); |
259 | if (xflag) | 332 | if (xflag) |
260 | copy_xauthority(); | 333 | copy_xauthority(); |
334 | if (aflag) | ||
335 | copy_asoundrc(); | ||
261 | } | 336 | } |
262 | 337 | ||
263 | static void check_dir_or_file(const char *name) { | ||
264 | assert(name); | ||
265 | struct stat s; | ||
266 | |||
267 | invalid_filename(name); | ||
268 | |||
269 | |||
270 | char *fname = expand_home(name, cfg.homedir); | ||
271 | if (!fname) { | ||
272 | fprintf(stderr, "Error: file %s not found.\n", name); | ||
273 | exit(1); | ||
274 | } | ||
275 | if (fname[0] != '/') { | ||
276 | // If it doesn't start with '/', it must be relative to homedir | ||
277 | char* tmp; | ||
278 | if (asprintf(&tmp, "%s/%s", cfg.homedir, fname) == -1) | ||
279 | errExit("asprintf"); | ||
280 | free(fname); | ||
281 | fname = tmp; | ||
282 | } | ||
283 | if (arg_debug) | ||
284 | printf("Checking %s\n", fname); | ||
285 | if (stat(fname, &s) == -1) { | ||
286 | fprintf(stderr, "Error: file %s not found.\n", fname); | ||
287 | exit(1); | ||
288 | } | ||
289 | |||
290 | // check uid | ||
291 | uid_t uid = getuid(); | ||
292 | gid_t gid = getgid(); | ||
293 | if (s.st_uid != uid || s.st_gid != gid) { | ||
294 | fprintf(stderr, "Error: only files or directories created by the current user are allowed.\n"); | ||
295 | exit(1); | ||
296 | } | ||
297 | |||
298 | // dir or regular file | ||
299 | if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode)) { | ||
300 | free(fname); | ||
301 | return; | ||
302 | } | ||
303 | |||
304 | if (!is_link(fname)) { | ||
305 | free(fname); | ||
306 | return; | ||
307 | } | ||
308 | |||
309 | fprintf(stderr, "Error: invalid file type, %s.\n", fname); | ||
310 | exit(1); | ||
311 | } | ||
312 | |||
313 | // check directory list specified by user (--private-home option) - exit if it fails | ||
314 | void fs_check_home_list(void) { | ||
315 | if (strstr(cfg.home_private_keep, "..")) { | ||
316 | fprintf(stderr, "Error: invalid private-home list\n"); | ||
317 | exit(1); | ||
318 | } | ||
319 | |||
320 | char *dlist = strdup(cfg.home_private_keep); | ||
321 | if (!dlist) | ||
322 | errExit("strdup"); | ||
323 | |||
324 | char *ptr = strtok(dlist, ","); | ||
325 | check_dir_or_file(ptr); | ||
326 | while ((ptr = strtok(NULL, ",")) != NULL) | ||
327 | check_dir_or_file(ptr); | ||
328 | |||
329 | free(dlist); | ||
330 | } | ||
331 | 338 | ||
332 | // check new private home directory (--private= option) - exit if it fails | 339 | // check new private home directory (--private= option) - exit if it fails |
333 | void fs_check_private_dir(void) { | 340 | void fs_check_private_dir(void) { |
@@ -366,141 +373,3 @@ void fs_check_private_dir(void) { | |||
366 | } | 373 | } |
367 | } | 374 | } |
368 | 375 | ||
369 | |||
370 | static void duplicate(char *name) { | ||
371 | char *cmd; | ||
372 | |||
373 | char *fname = expand_home(name, cfg.homedir); | ||
374 | if (!fname) { | ||
375 | fprintf(stderr, "Error: file %s not found.\n", name); | ||
376 | exit(1); | ||
377 | } | ||
378 | if (fname[0] != '/') { | ||
379 | // If it doesn't start with '/', it must be relative to homedir | ||
380 | char* tmp; | ||
381 | if (asprintf(&tmp, "%s/%s", cfg.homedir, fname) == -1) | ||
382 | errExit("asprintf"); | ||
383 | free(fname); | ||
384 | fname = tmp; | ||
385 | } | ||
386 | |||
387 | // copy the file | ||
388 | if (asprintf(&cmd, "%s -a --parents \"%s\" %s", RUN_CP_COMMAND, fname, RUN_HOME_DIR) == -1) | ||
389 | errExit("asprintf"); | ||
390 | if (arg_debug) | ||
391 | printf("%s\n", cmd); | ||
392 | if (system(cmd)) | ||
393 | errExit("system cp -a --parents"); | ||
394 | fs_logger2("clone", fname); | ||
395 | free(cmd); | ||
396 | free(fname); | ||
397 | } | ||
398 | |||
399 | |||
400 | // private mode (--private-home=list): | ||
401 | // mount homedir on top of /home/user, | ||
402 | // tmpfs on top of /root in nonroot mode, | ||
403 | // tmpfs on top of /tmp in root mode, | ||
404 | // set skel files, | ||
405 | // restore .Xauthority | ||
406 | void fs_private_home_list(void) { | ||
407 | char *homedir = cfg.homedir; | ||
408 | char *private_list = cfg.home_private_keep; | ||
409 | assert(homedir); | ||
410 | assert(private_list); | ||
411 | |||
412 | int xflag = store_xauthority(); | ||
413 | |||
414 | uid_t u = getuid(); | ||
415 | gid_t g = getgid(); | ||
416 | struct stat s; | ||
417 | if (stat(homedir, &s) == -1) { | ||
418 | fprintf(stderr, "Error: cannot find user home directory\n"); | ||
419 | exit(1); | ||
420 | } | ||
421 | |||
422 | // create /tmp/firejail/mnt/home directory | ||
423 | fs_build_mnt_dir(); | ||
424 | int rv = mkdir(RUN_HOME_DIR, S_IRWXU | S_IRWXG | S_IRWXO); | ||
425 | if (rv == -1) | ||
426 | errExit("mkdir"); | ||
427 | if (chown(RUN_HOME_DIR, u, g) < 0) | ||
428 | errExit("chown"); | ||
429 | if (chmod(RUN_HOME_DIR, 0755) < 0) | ||
430 | errExit("chmod"); | ||
431 | |||
432 | |||
433 | // copy the list of files in the new home directory | ||
434 | // using a new child process without root privileges | ||
435 | fs_logger_print(); // save the current log | ||
436 | pid_t child = fork(); | ||
437 | if (child < 0) | ||
438 | errExit("fork"); | ||
439 | if (child == 0) { | ||
440 | if (arg_debug) | ||
441 | printf("Copying files in the new home:\n"); | ||
442 | |||
443 | // drop privileges | ||
444 | if (setgroups(0, NULL) < 0) | ||
445 | errExit("setgroups"); | ||
446 | if (setgid(getgid()) < 0) | ||
447 | errExit("setgid/getgid"); | ||
448 | if (setuid(getuid()) < 0) | ||
449 | errExit("setuid/getuid"); | ||
450 | |||
451 | // copy the list of files in the new home directory | ||
452 | char *dlist = strdup(cfg.home_private_keep); | ||
453 | if (!dlist) | ||
454 | errExit("strdup"); | ||
455 | |||
456 | char *ptr = strtok(dlist, ","); | ||
457 | duplicate(ptr); | ||
458 | |||
459 | while ((ptr = strtok(NULL, ",")) != NULL) | ||
460 | duplicate(ptr); | ||
461 | free(dlist); | ||
462 | fs_logger_print(); | ||
463 | exit(0); | ||
464 | } | ||
465 | // wait for the child to finish | ||
466 | waitpid(child, NULL, 0); | ||
467 | |||
468 | // mount bind private_homedir on top of homedir | ||
469 | char *newhome; | ||
470 | if (asprintf(&newhome, "%s%s", RUN_HOME_DIR, cfg.homedir) == -1) | ||
471 | errExit("asprintf"); | ||
472 | |||
473 | if (arg_debug) | ||
474 | printf("Mount-bind %s on top of %s\n", newhome, homedir); | ||
475 | if (mount(newhome, homedir, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
476 | errExit("mount bind"); | ||
477 | fs_logger2("mount", homedir); | ||
478 | // preserve mode and ownership | ||
479 | // if (chown(homedir, s.st_uid, s.st_gid) == -1) | ||
480 | // errExit("mount-bind chown"); | ||
481 | // if (chmod(homedir, s.st_mode) == -1) | ||
482 | // errExit("mount-bind chmod"); | ||
483 | |||
484 | if (u != 0) { | ||
485 | // mask /root | ||
486 | if (arg_debug) | ||
487 | printf("Mounting a new /root directory\n"); | ||
488 | if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=700,gid=0") < 0) | ||
489 | errExit("mounting home directory"); | ||
490 | fs_logger("mount tmpfs on /root"); | ||
491 | } | ||
492 | else { | ||
493 | // mask /home | ||
494 | if (arg_debug) | ||
495 | printf("Mounting a new /home directory\n"); | ||
496 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | ||
497 | errExit("mounting home directory"); | ||
498 | fs_logger("mount tmpfs on /home"); | ||
499 | } | ||
500 | |||
501 | skel(homedir, u, g); | ||
502 | if (xflag) | ||
503 | copy_xauthority(); | ||
504 | |||
505 | } | ||
506 | |||
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c index def718720..82d453308 100644 --- a/src/firejail/fs_var.c +++ b/src/firejail/fs_var.c | |||
@@ -110,7 +110,7 @@ static void build_dirs(void) { | |||
110 | void fs_var_log(void) { | 110 | void fs_var_log(void) { |
111 | build_list("/var/log"); | 111 | build_list("/var/log"); |
112 | 112 | ||
113 | // create /var/log if it does't exit | 113 | // create /var/log if it doesn't exit |
114 | if (is_dir("/var/log")) { | 114 | if (is_dir("/var/log")) { |
115 | // extract group id for /var/log/wtmp | 115 | // extract group id for /var/log/wtmp |
116 | struct stat s; | 116 | struct stat s; |
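Review bot: The reworded comment at new line 113 still carries a typo: "exit" should be "exist", i.e. `// create /var/log if it doesn't exist`. fs_var_log continues outside the hunk.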
@@ -184,7 +184,7 @@ void fs_var_lib(void) { | |||
184 | printf("Mounting tmpfs on /var/lib/nginx\n"); | 184 | printf("Mounting tmpfs on /var/lib/nginx\n"); |
185 | if (mount("tmpfs", "/var/lib/nginx", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 185 | if (mount("tmpfs", "/var/lib/nginx", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
186 | errExit("mounting /var/lib/nginx"); | 186 | errExit("mounting /var/lib/nginx"); |
187 | fs_logger("mount tmpfs on /var/lib/nignx"); | 187 | fs_logger("mount tmpfs on /var/lib/nginx"); |
188 | } | 188 | } |
189 | 189 | ||
190 | // net-snmp multiserver | 190 | // net-snmp multiserver |
@@ -232,14 +232,14 @@ void fs_var_cache(void) { | |||
232 | gid = p->pw_gid; | 232 | gid = p->pw_gid; |
233 | } | 233 | } |
234 | 234 | ||
235 | int rv = mkdir("/var/cache/lighttpd/compress", S_IRWXU | S_IRWXG | S_IRWXO); | 235 | int rv = mkdir("/var/cache/lighttpd/compress", 0755); |
236 | if (rv == -1) | 236 | if (rv == -1) |
237 | errExit("mkdir"); | 237 | errExit("mkdir"); |
238 | if (chown("/var/cache/lighttpd/compress", uid, gid) < 0) | 238 | if (chown("/var/cache/lighttpd/compress", uid, gid) < 0) |
239 | errExit("chown"); | 239 | errExit("chown"); |
240 | fs_logger("mkdir /var/cache/lighttpd/compress"); | 240 | fs_logger("mkdir /var/cache/lighttpd/compress"); |
241 | 241 | ||
242 | rv = mkdir("/var/cache/lighttpd/uploads", S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH); | 242 | rv = mkdir("/var/cache/lighttpd/uploads", 0755); |
243 | if (rv == -1) | 243 | if (rv == -1) |
244 | errExit("mkdir"); | 244 | errExit("mkdir"); |
245 | if (chown("/var/cache/lighttpd/uploads", uid, gid) < 0) | 245 | if (chown("/var/cache/lighttpd/uploads", uid, gid) < 0) |
@@ -268,7 +268,7 @@ void fs_var_lock(void) { | |||
268 | if (is_dir("/var/lock")) { | 268 | if (is_dir("/var/lock")) { |
269 | if (arg_debug) | 269 | if (arg_debug) |
270 | printf("Mounting tmpfs on /var/lock\n"); | 270 | printf("Mounting tmpfs on /var/lock\n"); |
271 | if (mount("tmpfs", "/var/lock", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0) | 271 | if (mount("tmpfs", "/var/lock", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) |
272 | errExit("mounting /lock"); | 272 | errExit("mounting /lock"); |
273 | fs_logger("mount tmpfs on /var/lock"); | 273 | fs_logger("mount tmpfs on /var/lock"); |
274 | } | 274 | } |
@@ -286,7 +286,7 @@ void fs_var_lock(void) { | |||
286 | } | 286 | } |
287 | if (arg_debug) | 287 | if (arg_debug) |
288 | printf("Mounting tmpfs on %s on behalf of /var/lock\n", lnk); | 288 | printf("Mounting tmpfs on %s on behalf of /var/lock\n", lnk); |
289 | if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0) | 289 | if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) |
290 | errExit("mounting /var/lock"); | 290 | errExit("mounting /var/lock"); |
291 | free(lnk); | 291 | free(lnk); |
292 | fs_logger("mount tmpfs on /var/lock"); | 292 | fs_logger("mount tmpfs on /var/lock"); |
@@ -304,7 +304,7 @@ void fs_var_tmp(void) { | |||
304 | if (!is_link("/var/tmp")) { | 304 | if (!is_link("/var/tmp")) { |
305 | if (arg_debug) | 305 | if (arg_debug) |
306 | printf("Mounting tmpfs on /var/tmp\n"); | 306 | printf("Mounting tmpfs on /var/tmp\n"); |
307 | if (mount("tmpfs", "/var/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0) | 307 | if (mount("tmpfs", "/var/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) |
308 | errExit("mounting /var/tmp"); | 308 | errExit("mounting /var/tmp"); |
309 | fs_logger("mount tmpfs on /var/tmp"); | 309 | fs_logger("mount tmpfs on /var/tmp"); |
310 | } | 310 | } |
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 22fbe2111..99c2e855c 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -262,9 +262,7 @@ static void whitelist_path(ProfileEntry *entry) { | |||
262 | if (S_ISDIR(s.st_mode)) { | 262 | if (S_ISDIR(s.st_mode)) { |
263 | // create directory | 263 | // create directory |
264 | int rv = mkdir(path, 0755); | 264 | int rv = mkdir(path, 0755); |
265 | if (rv == -1) | 265 | (void) rv; |
266 | errExit("mkdir"); | ||
267 | |||
268 | } | 266 | } |
269 | 267 | ||
270 | // process regular file | 268 | // process regular file |
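Review bot: Replacing the error check with `(void) rv;` makes every mkdir failure silent, not only the EEXIST case that presumably motivated the change; a permission or ENOSPC failure now falls through with no indication of why the whitelist path is missing. Keeping the errno distinction preserves the intended behaviour while still surfacing real failures: `if (rv == -1 && errno != EEXIST) errExit("mkdir");` (errno.h if not already included). whitelist_path begins and ends outside the hunk.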
@@ -338,6 +336,14 @@ void fs_whitelist(void) { | |||
338 | if (arg_debug) | 336 | if (arg_debug) |
339 | fprintf(stderr, "Debug %d: new_name #%s#\n", __LINE__, new_name); | 337 | fprintf(stderr, "Debug %d: new_name #%s#\n", __LINE__, new_name); |
340 | 338 | ||
339 | // valid path referenced to filesystem root | ||
340 | if (*new_name != '/') { | ||
341 | if (arg_debug) | ||
342 | fprintf(stderr, "Debug %d: \n", __LINE__); | ||
343 | goto errexit; | ||
344 | } | ||
345 | |||
346 | |||
341 | // extract the absolute path of the file | 347 | // extract the absolute path of the file |
342 | // realpath function will fail with ENOENT if the file is not found | 348 | // realpath function will fail with ENOENT if the file is not found |
343 | char *fname = realpath(new_name, NULL); | 349 | char *fname = realpath(new_name, NULL); |
@@ -351,19 +357,29 @@ void fs_whitelist(void) { | |||
351 | perror("realpath"); | 357 | perror("realpath"); |
352 | } | 358 | } |
353 | *entry->data = '\0'; | 359 | *entry->data = '\0'; |
360 | |||
361 | // if 1 the file was not found; mount an empty directory | ||
362 | if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) { | ||
363 | if(!arg_private) | ||
364 | home_dir = 1; | ||
365 | } | ||
366 | else if (strncmp(new_name, "/tmp/", 5) == 0) | ||
367 | tmp_dir = 1; | ||
368 | else if (strncmp(new_name, "/media/", 7) == 0) | ||
369 | media_dir = 1; | ||
370 | else if (strncmp(new_name, "/var/", 5) == 0) | ||
371 | var_dir = 1; | ||
372 | else if (strncmp(new_name, "/dev/", 5) == 0) | ||
373 | dev_dir = 1; | ||
374 | else if (strncmp(new_name, "/opt/", 5) == 0) | ||
375 | opt_dir = 1; | ||
376 | |||
354 | continue; | 377 | continue; |
355 | } | 378 | } |
356 | 379 | ||
357 | // valid path referenced to filesystem root | ||
358 | if (*new_name != '/') { | ||
359 | if (arg_debug) | ||
360 | fprintf(stderr, "Debug %d: \n", __LINE__); | ||
361 | goto errexit; | ||
362 | } | ||
363 | |||
364 | // check for supported directories | 380 | // check for supported directories |
365 | if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) { | 381 | if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) { |
366 | // whitelisting home directory is disabled if --private or --private-home option is present | 382 | // whitelisting home directory is disabled if --private option is present |
367 | if (arg_private) { | 383 | if (arg_private) { |
368 | if (arg_debug || arg_debug_whitelists) | 384 | if (arg_debug || arg_debug_whitelists) |
369 | printf("Removed whitelist path %s, --private option is present\n", entry->data); | 385 | printf("Removed whitelist path %s, --private option is present\n", entry->data); |
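Review bot: The comment at new line 361, `// if 1 the file was not found; mount an empty directory`, does not explain what the new block does; suggest `// file not found: still flag its top-level directory so the mount point setup below runs for it`. The home check copies the existing prefix comparison `strncmp(new_name, cfg.homedir, strlen(cfg.homedir))`, which also matches paths that merely start with the home path (for `/home/user` it accepts `/home/user2/...`); testing that the following character is `'/'` or `'\0'` would make both the new block and the original test at new line 381 exact. fs_whitelist begins and ends outside the hunk.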
@@ -466,7 +482,7 @@ void fs_whitelist(void) { | |||
466 | // /home/user | 482 | // /home/user |
467 | if (home_dir) { | 483 | if (home_dir) { |
468 | // keep a copy of real home dir in RUN_WHITELIST_HOME_USER_DIR | 484 | // keep a copy of real home dir in RUN_WHITELIST_HOME_USER_DIR |
469 | int rv = mkdir(RUN_WHITELIST_HOME_USER_DIR, S_IRWXU | S_IRWXG | S_IRWXO); | 485 | int rv = mkdir(RUN_WHITELIST_HOME_USER_DIR, 0755); |
470 | if (rv == -1) | 486 | if (rv == -1) |
471 | errExit("mkdir"); | 487 | errExit("mkdir"); |
472 | if (chown(RUN_WHITELIST_HOME_USER_DIR, getuid(), getgid()) < 0) | 488 | if (chown(RUN_WHITELIST_HOME_USER_DIR, getuid(), getgid()) < 0) |
@@ -484,12 +500,12 @@ void fs_whitelist(void) { | |||
484 | // /tmp mountpoint | 500 | // /tmp mountpoint |
485 | if (tmp_dir) { | 501 | if (tmp_dir) { |
486 | // keep a copy of real /tmp directory in WHITELIST_TMP_DIR | 502 | // keep a copy of real /tmp directory in WHITELIST_TMP_DIR |
487 | int rv = mkdir(RUN_WHITELIST_TMP_DIR, S_IRWXU | S_IRWXG | S_IRWXO); | 503 | int rv = mkdir(RUN_WHITELIST_TMP_DIR, 1777); |
488 | if (rv == -1) | 504 | if (rv == -1) |
489 | errExit("mkdir"); | 505 | errExit("mkdir"); |
490 | if (chown(RUN_WHITELIST_TMP_DIR, 0, 0) < 0) | 506 | if (chown(RUN_WHITELIST_TMP_DIR, 0, 0) < 0) |
491 | errExit("chown"); | 507 | errExit("chown"); |
492 | if (chmod(RUN_WHITELIST_TMP_DIR, 0777) < 0) | 508 | if (chmod(RUN_WHITELIST_TMP_DIR, 1777) < 0) |
493 | errExit("chmod"); | 509 | errExit("chmod"); |
494 | 510 | ||
495 | if (mount("/tmp", RUN_WHITELIST_TMP_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | 511 | if (mount("/tmp", RUN_WHITELIST_TMP_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) |
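Review bot: `mkdir(RUN_WHITELIST_TMP_DIR, 1777)` and `chmod(RUN_WHITELIST_TMP_DIR, 1777)` at new lines 503 and 508 pass the decimal constant 1777, which is octal 03361: setgid plus sticky, owner `-wx`, group `rw-`, other `--x` — not the intended world-writable sticky directory. C mode constants need the leading zero: `int rv = mkdir(RUN_WHITELIST_TMP_DIR, 01777);` and `if (chmod(RUN_WHITELIST_TMP_DIR, 01777) < 0)`. The `mode=1777` string in the tmpfs mount options at new line 517 is fine, since the kernel parses that option as octal. fs_whitelist begins and ends outside the hunk.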
@@ -498,7 +514,7 @@ void fs_whitelist(void) { | |||
498 | // mount tmpfs on /tmp | 514 | // mount tmpfs on /tmp |
499 | if (arg_debug || arg_debug_whitelists) | 515 | if (arg_debug || arg_debug_whitelists) |
500 | printf("Mounting tmpfs on /tmp directory\n"); | 516 | printf("Mounting tmpfs on /tmp directory\n"); |
501 | if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0) | 517 | if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) |
502 | errExit("mounting tmpfs on /tmp"); | 518 | errExit("mounting tmpfs on /tmp"); |
503 | fs_logger("mount tmpfs on /tmp"); | 519 | fs_logger("mount tmpfs on /tmp"); |
504 | } | 520 | } |
@@ -506,7 +522,7 @@ void fs_whitelist(void) { | |||
506 | // /media mountpoint | 522 | // /media mountpoint |
507 | if (media_dir) { | 523 | if (media_dir) { |
508 | // keep a copy of real /media directory in RUN_WHITELIST_MEDIA_DIR | 524 | // keep a copy of real /media directory in RUN_WHITELIST_MEDIA_DIR |
509 | int rv = mkdir(RUN_WHITELIST_MEDIA_DIR, S_IRWXU | S_IRWXG | S_IRWXO); | 525 | int rv = mkdir(RUN_WHITELIST_MEDIA_DIR, 0755); |
510 | if (rv == -1) | 526 | if (rv == -1) |
511 | errExit("mkdir"); | 527 | errExit("mkdir"); |
512 | if (chown(RUN_WHITELIST_MEDIA_DIR, 0, 0) < 0) | 528 | if (chown(RUN_WHITELIST_MEDIA_DIR, 0, 0) < 0) |
@@ -528,7 +544,7 @@ void fs_whitelist(void) { | |||
528 | // /var mountpoint | 544 | // /var mountpoint |
529 | if (var_dir) { | 545 | if (var_dir) { |
530 | // keep a copy of real /var directory in RUN_WHITELIST_VAR_DIR | 546 | // keep a copy of real /var directory in RUN_WHITELIST_VAR_DIR |
531 | int rv = mkdir(RUN_WHITELIST_VAR_DIR, S_IRWXU | S_IRWXG | S_IRWXO); | 547 | int rv = mkdir(RUN_WHITELIST_VAR_DIR, 0755); |
532 | if (rv == -1) | 548 | if (rv == -1) |
533 | errExit("mkdir"); | 549 | errExit("mkdir"); |
534 | if (chown(RUN_WHITELIST_VAR_DIR, 0, 0) < 0) | 550 | if (chown(RUN_WHITELIST_VAR_DIR, 0, 0) < 0) |
@@ -550,7 +566,7 @@ void fs_whitelist(void) { | |||
550 | // /dev mountpoint | 566 | // /dev mountpoint |
551 | if (dev_dir) { | 567 | if (dev_dir) { |
552 | // keep a copy of real /dev directory in RUN_WHITELIST_DEV_DIR | 568 | // keep a copy of real /dev directory in RUN_WHITELIST_DEV_DIR |
553 | int rv = mkdir(RUN_WHITELIST_DEV_DIR, S_IRWXU | S_IRWXG | S_IRWXO); | 569 | int rv = mkdir(RUN_WHITELIST_DEV_DIR, 0755); |
554 | if (rv == -1) | 570 | if (rv == -1) |
555 | errExit("mkdir"); | 571 | errExit("mkdir"); |
556 | if (chown(RUN_WHITELIST_DEV_DIR, 0, 0) < 0) | 572 | if (chown(RUN_WHITELIST_DEV_DIR, 0, 0) < 0) |
@@ -558,7 +574,7 @@ void fs_whitelist(void) { | |||
558 | if (chmod(RUN_WHITELIST_DEV_DIR, 0755) < 0) | 574 | if (chmod(RUN_WHITELIST_DEV_DIR, 0755) < 0) |
559 | errExit("chmod"); | 575 | errExit("chmod"); |
560 | 576 | ||
561 | if (mount("/dev", RUN_WHITELIST_DEV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | 577 | if (mount("/dev", RUN_WHITELIST_DEV_DIR, NULL, MS_BIND|MS_REC, "mode=755,gid=0") < 0) |
562 | errExit("mount bind"); | 578 | errExit("mount bind"); |
563 | 579 | ||
564 | // mount tmpfs on /dev | 580 | // mount tmpfs on /dev |
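Review bot: The `"mode=755,gid=0"` data string added to the MS_BIND mount at new line 577 has no effect: for a bind mount the kernel ignores the filesystem type and data arguments, so the mode of RUN_WHITELIST_DEV_DIR remains whatever the mkdir and chmod above set. Either revert the argument to `NULL`, as the other bind mounts in this file pass (for example the /tmp one at new line 511), or rely on the chmod at new line 574, which already applies 0755. fs_whitelist begins and ends outside the hunk.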
@@ -571,8 +587,8 @@ void fs_whitelist(void) { | |||
571 | 587 | ||
572 | // /opt mountpoint | 588 | // /opt mountpoint |
573 | if (opt_dir) { | 589 | if (opt_dir) { |
574 | // keep a copy of real /opt directory in RUN_WHITELIST_DEV_DIR | 590 | // keep a copy of real /opt directory in RUN_WHITELIST_OPT_DIR |
575 | int rv = mkdir(RUN_WHITELIST_OPT_DIR, S_IRWXU | S_IRWXG | S_IRWXO); | 591 | int rv = mkdir(RUN_WHITELIST_OPT_DIR, 0755); |
576 | if (rv == -1) | 592 | if (rv == -1) |
577 | errExit("mkdir"); | 593 | errExit("mkdir"); |
578 | if (chown(RUN_WHITELIST_OPT_DIR, 0, 0) < 0) | 594 | if (chown(RUN_WHITELIST_OPT_DIR, 0, 0) < 0) |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 2ae3213ee..6fd011868 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -85,13 +85,14 @@ int arg_shell_none = 0; // run the program directly without a shell | |||
85 | int arg_private_dev = 0; // private dev directory | 85 | int arg_private_dev = 0; // private dev directory |
86 | int arg_private_etc = 0; // private etc directory | 86 | int arg_private_etc = 0; // private etc directory |
87 | int arg_private_bin = 0; // private bin directory | 87 | int arg_private_bin = 0; // private bin directory |
88 | int arg_private_tmp = 0; // private tmp directory | ||
88 | int arg_scan = 0; // arp-scan all interfaces | 89 | int arg_scan = 0; // arp-scan all interfaces |
89 | int arg_whitelist = 0; // whitelist commad | 90 | int arg_whitelist = 0; // whitelist commad |
90 | int arg_nosound = 0; // disable sound | 91 | int arg_nosound = 0; // disable sound |
91 | int arg_quiet = 0; // no output for scripting | 92 | int arg_quiet = 0; // no output for scripting |
92 | int arg_join_network = 0; // join only the network namespace | 93 | int arg_join_network = 0; // join only the network namespace |
93 | int arg_join_filesystem = 0; // join only the mount namespace | 94 | int arg_join_filesystem = 0; // join only the mount namespace |
94 | 95 | int arg_nice = 0; // nice value configured | |
95 | 96 | ||
96 | int parent_to_child_fds[2]; | 97 | int parent_to_child_fds[2]; |
97 | int child_to_parent_fds[2]; | 98 | int child_to_parent_fds[2]; |
@@ -107,7 +108,7 @@ static void myexit(int rv) { | |||
107 | printf("\nparent is shutting down, bye...\n"); | 108 | printf("\nparent is shutting down, bye...\n"); |
108 | 109 | ||
109 | // delete sandbox files in shared memory | 110 | // delete sandbox files in shared memory |
110 | bandwidth_shm_del_file(sandbox_pid); // bandwidht file | 111 | bandwidth_shm_del_file(sandbox_pid); // bandwidth file |
111 | network_shm_del_file(sandbox_pid); // network map file | 112 | network_shm_del_file(sandbox_pid); // network map file |
112 | 113 | ||
113 | exit(rv); | 114 | exit(rv); |
@@ -208,7 +209,7 @@ static void check_network(Bridge *br) { | |||
208 | } | 209 | } |
209 | } | 210 | } |
210 | 211 | ||
211 | 212 | #ifdef HAVE_USERNS | |
212 | void check_user_namespace(void) { | 213 | void check_user_namespace(void) { |
213 | if (getuid() == 0) { | 214 | if (getuid() == 0) { |
214 | fprintf(stderr, "Error: --noroot option cannot be used when starting the sandbox as root.\n"); | 215 | fprintf(stderr, "Error: --noroot option cannot be used when starting the sandbox as root.\n"); |
@@ -228,6 +229,7 @@ void check_user_namespace(void) { | |||
228 | arg_noroot = 0; | 229 | arg_noroot = 0; |
229 | } | 230 | } |
230 | } | 231 | } |
232 | #endif | ||
231 | 233 | ||
232 | // exit commands | 234 | // exit commands |
233 | static void run_cmd_and_exit(int i, int argc, char **argv) { | 235 | static void run_cmd_and_exit(int i, int argc, char **argv) { |
@@ -241,8 +243,24 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
241 | } | 243 | } |
242 | else if (strcmp(argv[i], "--version") == 0) { | 244 | else if (strcmp(argv[i], "--version") == 0) { |
243 | printf("firejail version %s\n", VERSION); | 245 | printf("firejail version %s\n", VERSION); |
246 | #ifndef HAVE_NETWORK | ||
247 | printf("Networking support is disabled.\n"); | ||
248 | #endif | ||
249 | #ifndef HAVE_USERNS | ||
250 | printf("User namespace support is disabled.\n"); | ||
251 | #endif | ||
252 | #ifndef HAVE_SECCOMP | ||
253 | printf("Seccomp-bpf support is disabled.\n"); | ||
254 | #endif | ||
255 | #ifndef HAVE_BIND | ||
256 | printf("Bind support is disabled.\n"); | ||
257 | #endif | ||
258 | #ifndef HAVE_CHROOT | ||
259 | printf("Chroot support is disabled.\n"); | ||
260 | #endif | ||
244 | exit(0); | 261 | exit(0); |
245 | } | 262 | } |
263 | #ifdef HAVE_NETWORK | ||
246 | else if (strncmp(argv[i], "--bandwidth=", 12) == 0) { | 264 | else if (strncmp(argv[i], "--bandwidth=", 12) == 0) { |
247 | logargs(argc, argv); | 265 | logargs(argc, argv); |
248 | 266 | ||
@@ -300,10 +318,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
300 | if (read_pid(argv[i] + 12, &pid) == 0) | 318 | if (read_pid(argv[i] + 12, &pid) == 0) |
301 | bandwidth_pid(pid, cmd, dev, down, up); | 319 | bandwidth_pid(pid, cmd, dev, down, up); |
302 | else | 320 | else |
303 | bandwidth_name(argv[i] + 12, cmd, dev, down, up); | 321 | bandwidth_name(argv[i] + 12, cmd, dev, down, up); |
304 | exit(0); | 322 | exit(0); |
305 | } | 323 | } |
306 | 324 | #endif | |
307 | //************************************* | 325 | //************************************* |
308 | // independent commands - the program will exit! | 326 | // independent commands - the program will exit! |
309 | //************************************* | 327 | //************************************* |
@@ -382,10 +400,12 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
382 | top(); | 400 | top(); |
383 | exit(0); | 401 | exit(0); |
384 | } | 402 | } |
403 | #ifdef HAVE_NETWORK | ||
385 | else if (strcmp(argv[i], "--netstats") == 0) { | 404 | else if (strcmp(argv[i], "--netstats") == 0) { |
386 | netstats(); | 405 | netstats(); |
387 | exit(0); | 406 | exit(0); |
388 | } | 407 | } |
408 | #endif | ||
389 | else if (strncmp(argv[i], "--join=", 7) == 0) { | 409 | else if (strncmp(argv[i], "--join=", 7) == 0) { |
390 | logargs(argc, argv); | 410 | logargs(argc, argv); |
391 | 411 | ||
@@ -397,6 +417,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
397 | join_name(argv[i] + 7, cfg.homedir, argc, argv, i + 1); | 417 | join_name(argv[i] + 7, cfg.homedir, argc, argv, i + 1); |
398 | exit(0); | 418 | exit(0); |
399 | } | 419 | } |
420 | #ifdef HAVE_NETWORK | ||
400 | else if (strncmp(argv[i], "--join-network=", 15) == 0) { | 421 | else if (strncmp(argv[i], "--join-network=", 15) == 0) { |
401 | logargs(argc, argv); | 422 | logargs(argc, argv); |
402 | arg_join_network = 1; | 423 | arg_join_network = 1; |
@@ -413,6 +434,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
413 | join_name(argv[i] + 15, cfg.homedir, argc, argv, i + 1); | 434 | join_name(argv[i] + 15, cfg.homedir, argc, argv, i + 1); |
414 | exit(0); | 435 | exit(0); |
415 | } | 436 | } |
437 | #endif | ||
416 | else if (strncmp(argv[i], "--join-filesystem=", 18) == 0) { | 438 | else if (strncmp(argv[i], "--join-filesystem=", 18) == 0) { |
417 | logargs(argc, argv); | 439 | logargs(argc, argv); |
418 | arg_join_filesystem = 1; | 440 | arg_join_filesystem = 1; |
@@ -459,8 +481,9 @@ int main(int argc, char **argv) { | |||
459 | int highest_errno = errno_highest_nr(); | 481 | int highest_errno = errno_highest_nr(); |
460 | #endif | 482 | #endif |
461 | 483 | ||
462 | // check argv[0] symlink wrapper | 484 | // check argv[0] symlink wrapper if this is not a login shell |
463 | run_symlink(argc, argv); | 485 | if (*argv[0] != '-') |
486 | run_symlink(argc, argv); | ||
464 | 487 | ||
465 | 488 | ||
466 | // check if we already have a sandbox running | 489 | // check if we already have a sandbox running |
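Review bot: `*argv[0]` at new line 485 dereferences argv[0] unconditionally; a process can be started with an empty argument vector, in which case argv[0] is NULL and main crashes before any argument handling. Guard the new test: `if (argc > 0 && argv[0] && *argv[0] != '-')`. If run_symlink already validates argv[0], that check now comes too late, since the dereference happens in the caller. main continues outside the hunk.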
@@ -514,6 +537,7 @@ int main(int argc, char **argv) { | |||
514 | else { | 537 | else { |
515 | // check --output option and execute it; | 538 | // check --output option and execute it; |
516 | check_output(argc, argv); // the function will not return if --output option was found | 539 | check_output(argc, argv); // the function will not return if --output option was found |
540 | check_user(argc, argv); // the function will not return if --user option was found | ||
517 | } | 541 | } |
518 | 542 | ||
519 | // parse arguments | 543 | // parse arguments |
@@ -669,6 +693,10 @@ int main(int argc, char **argv) { | |||
669 | arg_ipc = 1; | 693 | arg_ipc = 1; |
670 | else if (strncmp(argv[i], "--cpu=", 6) == 0) | 694 | else if (strncmp(argv[i], "--cpu=", 6) == 0) |
671 | read_cpu_list(argv[i] + 6); | 695 | read_cpu_list(argv[i] + 6); |
696 | else if (strncmp(argv[i], "--nice=", 7) == 0) { | ||
697 | cfg.nice = atoi(argv[i] + 7); | ||
698 | arg_nice = 1; | ||
699 | } | ||
672 | else if (strncmp(argv[i], "--cgroup=", 9) == 0) { | 700 | else if (strncmp(argv[i], "--cgroup=", 9) == 0) { |
673 | if (arg_cgroup) { | 701 | if (arg_cgroup) { |
674 | fprintf(stderr, "Error: only a cgroup can be defined\n"); | 702 | fprintf(stderr, "Error: only a cgroup can be defined\n"); |
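Review bot: `cfg.nice = atoi(argv[i] + 7)` at new line 697 accepts any string: `--nice=abc` silently becomes 0 and out-of-range values are not rejected, unlike the neighbouring options in this parser that validate their argument and exit. Parse with strtol, check that the whole argument was consumed, and reject values outside the usual -20..19 nice range: `char *end; long n = strtol(argv[i] + 7, &end, 10);` then `if (*end != '\0' || end == argv[i] + 7 || n < -20 || n > 19) { fprintf(stderr, "Error: invalid --nice value\n"); exit(1); }` before `cfg.nice = (int) n;`. main continues outside the hunk.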
@@ -750,13 +778,18 @@ int main(int argc, char **argv) { | |||
750 | struct stat s; | 778 | struct stat s; |
751 | if (stat(dirname, &s) == -1) { | 779 | if (stat(dirname, &s) == -1) { |
752 | /* coverity[toctou] */ | 780 | /* coverity[toctou] */ |
753 | if (mkdir(dirname, S_IRWXU | S_IRWXG | S_IRWXO)) | 781 | if (mkdir(dirname, 0700)) |
754 | errExit("mkdir"); | 782 | errExit("mkdir"); |
755 | if (chown(dirname, getuid(), getgid()) < 0) | 783 | if (chown(dirname, getuid(), getgid()) < 0) |
756 | errExit("chown"); | 784 | errExit("chown"); |
757 | if (chmod(dirname, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0) | 785 | if (chmod(dirname, 0700) < 0) |
758 | errExit("chmod"); | 786 | errExit("chmod"); |
759 | } | 787 | } |
788 | else if (is_link(dirname)) { | ||
789 | fprintf(stderr, "Error: invalid ~/.firejail directory\n"); | ||
790 | exit(1); | ||
791 | } | ||
792 | |||
760 | free(dirname); | 793 | free(dirname); |
761 | 794 | ||
762 | // check overlay directory | 795 | // check overlay directory |
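Review bot: The new `is_link(dirname)` branch at new line 788 only runs when `stat` succeeded, so a dangling symlink at ~/.firejail is not caught: stat fails, the code takes the mkdir path, and mkdir fails with EEXIST, which errExit reports as a bare "mkdir" error. Switching the existing call to `lstat(dirname, &s)` and testing `S_ISLNK(s.st_mode)` in the else branch covers both the dangling and the resolving symlink case with the clearer "invalid ~/.firejail directory" message, and removes the need for is_link here. The coverity toctou annotation still applies, since chown and chmod operate on the path rather than on a descriptor obtained after the mkdir. main continues outside the hunk.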
@@ -882,11 +915,6 @@ int main(int argc, char **argv) { | |||
882 | else if (strcmp(argv[i], "--private") == 0) | 915 | else if (strcmp(argv[i], "--private") == 0) |
883 | arg_private = 1; | 916 | arg_private = 1; |
884 | else if (strncmp(argv[i], "--private=", 10) == 0) { | 917 | else if (strncmp(argv[i], "--private=", 10) == 0) { |
885 | if (cfg.home_private_keep) { | ||
886 | fprintf(stderr, "Error: a private list of files was already defined with --private-home option.\n"); | ||
887 | exit(1); | ||
888 | } | ||
889 | |||
890 | // extract private home dirname | 918 | // extract private home dirname |
891 | cfg.home_private = argv[i] + 10; | 919 | cfg.home_private = argv[i] + 10; |
892 | if (*cfg.home_private == '\0') { | 920 | if (*cfg.home_private == '\0') { |
@@ -896,26 +924,11 @@ int main(int argc, char **argv) { | |||
896 | fs_check_private_dir(); | 924 | fs_check_private_dir(); |
897 | arg_private = 1; | 925 | arg_private = 1; |
898 | } | 926 | } |
899 | else if (strncmp(argv[i], "--private-home=", 15) == 0) { | ||
900 | if (cfg.home_private) { | ||
901 | fprintf(stderr, "Error: a private home directory was already defined with --private option.\n"); | ||
902 | exit(1); | ||
903 | } | ||
904 | |||
905 | // extract private home dirname | ||
906 | cfg.home_private_keep = argv[i] + 15; | ||
907 | if (*cfg.home_private_keep == '\0') { | ||
908 | fprintf(stderr, "Error: invalid private-home option\n"); | ||
909 | exit(1); | ||
910 | } | ||
911 | fs_check_home_list(); | ||
912 | arg_private = 1; | ||
913 | } | ||
914 | else if (strcmp(argv[i], "--private-dev") == 0) { | 927 | else if (strcmp(argv[i], "--private-dev") == 0) { |
915 | arg_private_dev = 1; | 928 | arg_private_dev = 1; |
916 | } | 929 | } |
917 | else if (strncmp(argv[i], "--private-etc=", 14) == 0) { | 930 | else if (strncmp(argv[i], "--private-etc=", 14) == 0) { |
918 | // extract private etc dirname | 931 | // extract private etc list |
919 | cfg.etc_private_keep = argv[i] + 14; | 932 | cfg.etc_private_keep = argv[i] + 14; |
920 | if (*cfg.etc_private_keep == '\0') { | 933 | if (*cfg.etc_private_keep == '\0') { |
921 | fprintf(stderr, "Error: invalid private-etc option\n"); | 934 | fprintf(stderr, "Error: invalid private-etc option\n"); |
@@ -930,7 +943,7 @@ int main(int argc, char **argv) { | |||
930 | } | 943 | } |
931 | } | 944 | } |
932 | else if (strncmp(argv[i], "--private-bin=", 14) == 0) { | 945 | else if (strncmp(argv[i], "--private-bin=", 14) == 0) { |
933 | // extract private etc dirname | 946 | // extract private bin list |
934 | cfg.bin_private_keep = argv[i] + 14; | 947 | cfg.bin_private_keep = argv[i] + 14; |
935 | if (*cfg.bin_private_keep == '\0') { | 948 | if (*cfg.bin_private_keep == '\0') { |
936 | fprintf(stderr, "Error: invalid private-bin option\n"); | 949 | fprintf(stderr, "Error: invalid private-bin option\n"); |
@@ -939,8 +952,9 @@ int main(int argc, char **argv) { | |||
939 | fs_check_bin_list(); | 952 | fs_check_bin_list(); |
940 | arg_private_bin = 1; | 953 | arg_private_bin = 1; |
941 | } | 954 | } |
942 | 955 | else if (strcmp(argv[i], "--private-tmp") == 0) { | |
943 | 956 | arg_private_tmp = 1; | |
957 | } | ||
944 | 958 | ||
945 | //************************************* | 959 | //************************************* |
946 | // hostname, etc | 960 | // hostname, etc |
@@ -961,9 +975,11 @@ int main(int argc, char **argv) { | |||
961 | } | 975 | } |
962 | else if (strcmp(argv[i], "--nogroups") == 0) | 976 | else if (strcmp(argv[i], "--nogroups") == 0) |
963 | arg_nogroups = 1; | 977 | arg_nogroups = 1; |
978 | #ifdef HAVE_USERNS | ||
964 | else if (strcmp(argv[i], "--noroot") == 0) { | 979 | else if (strcmp(argv[i], "--noroot") == 0) { |
965 | check_user_namespace(); | 980 | check_user_namespace(); |
966 | } | 981 | } |
982 | #endif | ||
967 | else if (strncmp(argv[i], "--env=", 6) == 0) | 983 | else if (strncmp(argv[i], "--env=", 6) == 0) |
968 | env_store(argv[i] + 6); | 984 | env_store(argv[i] + 6); |
969 | else if (strncmp(argv[i], "--nosound", 9) == 0) { | 985 | else if (strncmp(argv[i], "--nosound", 9) == 0) { |
@@ -974,6 +990,7 @@ int main(int argc, char **argv) { | |||
974 | //************************************* | 990 | //************************************* |
975 | // network | 991 | // network |
976 | //************************************* | 992 | //************************************* |
993 | #ifdef HAVE_NETWORK | ||
977 | else if (strncmp(argv[i], "--interface=", 12) == 0) { | 994 | else if (strncmp(argv[i], "--interface=", 12) == 0) { |
978 | // checks | 995 | // checks |
979 | if (arg_nonetwork) { | 996 | if (arg_nonetwork) { |
@@ -1163,6 +1180,7 @@ int main(int argc, char **argv) { | |||
1163 | return 1; | 1180 | return 1; |
1164 | } | 1181 | } |
1165 | } | 1182 | } |
1183 | #endif | ||
1166 | else if (strncmp(argv[i], "--dns=", 6) == 0) { | 1184 | else if (strncmp(argv[i], "--dns=", 6) == 0) { |
1167 | uint32_t dns; | 1185 | uint32_t dns; |
1168 | if (atoip(argv[i] + 6, &dns)) { | 1186 | if (atoip(argv[i] + 6, &dns)) { |
@@ -1181,6 +1199,7 @@ int main(int argc, char **argv) { | |||
1181 | return 1; | 1199 | return 1; |
1182 | } | 1200 | } |
1183 | } | 1201 | } |
1202 | #ifdef HAVE_NETWORK | ||
1184 | else if (strcmp(argv[i], "--netfilter") == 0) | 1203 | else if (strcmp(argv[i], "--netfilter") == 0) |
1185 | arg_netfilter = 1; | 1204 | arg_netfilter = 1; |
1186 | else if (strncmp(argv[i], "--netfilter=", 12) == 0) { | 1205 | else if (strncmp(argv[i], "--netfilter=", 12) == 0) { |
@@ -1193,7 +1212,7 @@ int main(int argc, char **argv) { | |||
1193 | arg_netfilter6_file = argv[i] + 13; | 1212 | arg_netfilter6_file = argv[i] + 13; |
1194 | check_netfilter_file(arg_netfilter6_file); | 1213 | check_netfilter_file(arg_netfilter6_file); |
1195 | } | 1214 | } |
1196 | 1215 | #endif | |
1197 | //************************************* | 1216 | //************************************* |
1198 | // command | 1217 | // command |
1199 | //************************************* | 1218 | //************************************* |
@@ -1315,18 +1334,22 @@ int main(int argc, char **argv) { | |||
1315 | // build the sandbox command | 1334 | // build the sandbox command |
1316 | if (prog_index == -1 && arg_zsh) { | 1335 | if (prog_index == -1 && arg_zsh) { |
1317 | cfg.command_line = "/usr/bin/zsh"; | 1336 | cfg.command_line = "/usr/bin/zsh"; |
1337 | cfg.window_title = "/usr/bin/zsh"; | ||
1318 | cfg.command_name = "zsh"; | 1338 | cfg.command_name = "zsh"; |
1319 | } | 1339 | } |
1320 | else if (prog_index == -1 && arg_csh) { | 1340 | else if (prog_index == -1 && arg_csh) { |
1321 | cfg.command_line = "/bin/csh"; | 1341 | cfg.command_line = "/bin/csh"; |
1342 | cfg.window_title = "/bin/csh"; | ||
1322 | cfg.command_name = "csh"; | 1343 | cfg.command_name = "csh"; |
1323 | } | 1344 | } |
1324 | else if (prog_index == -1 && cfg.shell) { | 1345 | else if (prog_index == -1 && cfg.shell) { |
1325 | cfg.command_line = cfg.shell; | 1346 | cfg.command_line = cfg.shell; |
1347 | cfg.window_title = cfg.shell; | ||
1326 | cfg.command_name = cfg.shell; | 1348 | cfg.command_name = cfg.shell; |
1327 | } | 1349 | } |
1328 | else if (prog_index == -1) { | 1350 | else if (prog_index == -1) { |
1329 | cfg.command_line = "/bin/bash"; | 1351 | cfg.command_line = "/bin/bash"; |
1352 | cfg.window_title = "/bin/bash"; | ||
1330 | cfg.command_name = "bash"; | 1353 | cfg.command_name = "bash"; |
1331 | } | 1354 | } |
1332 | else { | 1355 | else { |
@@ -1341,16 +1364,24 @@ int main(int argc, char **argv) { | |||
1341 | cfg.command_line = malloc(len + 1); // + '\0' | 1364 | cfg.command_line = malloc(len + 1); // + '\0' |
1342 | if (!cfg.command_line) | 1365 | if (!cfg.command_line) |
1343 | errExit("malloc"); | 1366 | errExit("malloc"); |
1344 | char *ptr = cfg.command_line; | 1367 | cfg.window_title = malloc(len + 1); // + '\0' |
1368 | if (!cfg.window_title) | ||
1369 | errExit("malloc"); | ||
1370 | |||
1371 | char *ptr1 = cfg.command_line; | ||
1372 | char *ptr2 = cfg.window_title; | ||
1345 | for (i = 0; i < argcnt; i++) { | 1373 | for (i = 0; i < argcnt; i++) { |
1346 | // detect bash commands | 1374 | // detect bash commands |
1347 | if (strstr(argv[i + prog_index], "&&") || strstr(argv[i + prog_index], "||")) { | 1375 | if (strstr(argv[i + prog_index], "&&") || strstr(argv[i + prog_index], "||")) { |
1348 | sprintf(ptr, "%s ", argv[i + prog_index]); | 1376 | sprintf(ptr1, "%s ", argv[i + prog_index]); |
1349 | } | 1377 | } |
1350 | else { | 1378 | else { |
1351 | sprintf(ptr, "\"%s\" ", argv[i + prog_index]); | 1379 | sprintf(ptr1, "\"%s\" ", argv[i + prog_index]); |
1352 | } | 1380 | } |
1353 | ptr += strlen(ptr); | 1381 | sprintf(ptr2, "%s ", argv[i + prog_index]); |
1382 | |||
1383 | ptr1 += strlen(ptr1); | ||
1384 | ptr2 += strlen(ptr2); | ||
1354 | } | 1385 | } |
1355 | } | 1386 | } |
1356 | 1387 | ||
@@ -1582,6 +1613,16 @@ int main(int argc, char **argv) { | |||
1582 | free(cfg.seccomp_list_errno); | 1613 | free(cfg.seccomp_list_errno); |
1583 | } | 1614 | } |
1584 | #endif | 1615 | #endif |
1616 | if (cfg.profile) { | ||
1617 | ProfileEntry *prf = cfg.profile; | ||
1618 | while (prf != NULL) { | ||
1619 | ProfileEntry *next = prf->next; | ||
1620 | free(prf->data); | ||
1621 | free(prf->link); | ||
1622 | free(prf); | ||
1623 | prf = next; | ||
1624 | } | ||
1625 | } | ||
1585 | 1626 | ||
1586 | myexit(0); | 1627 | myexit(0); |
1587 | 1628 | ||
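--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -30,12 +30,17 @@ static char *client_filter =
 ":FORWARD DROP [0:0]\n"
 ":OUTPUT ACCEPT [0:0]\n"
 "-A INPUT -i lo -j ACCEPT\n"
-"# echo replay is handled by -m state RELEATED/ESTABLISHED below\n"
-"#-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT\n"
 "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
+"# echo replay is handled by -m state RELATED/ESTABLISHED below\n"
+"#-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT\n"
 "-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT\n"
 "-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT\n"
 "-A INPUT -p icmp --icmp-type echo-request -j ACCEPT \n"
+"# disable STUN\n"
+"-A OUTPUT -p udp --dport 3478 -j DROP\n"
+"-A OUTPUT -p udp --dport 3479 -j DROP\n"
+"-A OUTPUT -p tcp --dport 3478 -j DROP\n"
+"-A OUTPUT -p tcp --dport 3479 -j DROP\n"
 "COMMIT\n";
 
 void check_netfilter_file(const char *fname) {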
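Review bot: The moved comment at new line 34 is now stale: the RELATED,ESTABLISHED rule it refers to sits on line 33, above it, not "below", and "replay" should read "reply". Suggested text: `"# echo reply is handled by the -m state RELATED,ESTABLISHED rule above\n"`. The "# disable STUN" block only covers the two registered STUN ports, which is fine as a default but worth stating so readers do not assume all STUN traffic is blocked, e.g. `"# disable STUN (standard ports 3478/3479 only)\n"`. The client_filter definition starts before this hunk.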
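--- a/src/firejail/network.c
+++ b/src/firejail/network.c
@@ -292,7 +292,7 @@ void net_if_ip6(const char *ifname, const char *addr6) {
 char *ptr;
 if ((ptr = strchr(addr6, '/'))) {
 prefix = atol(ptr + 1);
-if ((prefix < 0) || (prefix > 128)) {
+if (prefix > 128) {
 fprintf(stderr, "Error: invalid prefix for IPv6 address %s\n", addr6);
 exit(1);
 }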
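Review bot: Dropping the `prefix < 0` half of the check at new line 295 only is safe if `prefix` is an unsigned type; its declaration is outside the hunk, so this cannot be confirmed here. If it is `int` or `long`, a user-supplied `/-1` now passes validation and reaches the interface configuration, so the lower bound should stay: `if (prefix < 0 || prefix > 128) {`. If it is unsigned (which would explain a compiler warning about an always-false comparison that motivated the change), a negative atol() result converts to a large value and the `> 128` test already rejects it. Separately, atol() returns 0 for non-numeric text after the slash, so `/abc` is silently accepted as prefix 0; a strtol() with an end-pointer check would catch that. net_if_ip6 continues outside the hunk.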
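--- /dev/null
+++ b/src/firejail/paths.c
@@ -0,0 +1,98 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#include "firejail.h"
+
+static char **paths = NULL;
+static int path_cnt = 0;
+static char initialized = 0;
+
+static void add_path(const char *path) {
+assert(paths);
+assert(path_cnt);
+
+// filter out duplicates
+int i;
+int empty = 0;
+for (i = 0; i < path_cnt; i++) {
+if (paths[i] && strcmp(path, paths[i]) == 0) {
+return;
+}
+if (!paths[i]) {
+empty = i;
+break;
+}
+}
+
+paths[empty] = strdup(path);
+if (!paths[empty])
+errExit("strdup");
+}
+
+char **build_paths(void) {
+if (initialized) {
+assert(paths);
+return paths;
+}
+initialized = 1;
+
+int cnt = 5; // 4 default paths + 1 NULL to end the array
+char *path1 = getenv("PATH");
+if (path1) {
+char *path2 = strdup(path1);
+if (!path2)
+errExit("strdup");
+
+// use path2 to count the entries
+char *ptr = strtok(path2, ":");
+while (ptr) {
+cnt++;
+ptr = strtok(NULL, ":");
+}
+free(path2);
+path_cnt = cnt;
+
+// allocate paths array
+paths = malloc(sizeof(char *) * cnt);
+if (!paths)
+errExit("malloc");
+memset(paths, 0, sizeof(char *) * cnt);
+
+// add default paths
+add_path("/bin");
+add_path("/sbin");
+add_path("/usr/bin");
+add_path("/usr/sbin");
+
+path2 = strdup(path1);
+if (!path2)
+errExit("strdup");
+
+// use path2 to count the entries
+ptr = strtok(path2, ":");
+while (ptr) {
+cnt++;
+add_path(ptr);
+ptr = strtok(NULL, ":");
+}
+free(path2);
+}
+
+return paths;
+}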
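--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -110,7 +110,9 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 }
 // seccomp, caps, private, user namespace
 else if (strcmp(ptr, "noroot") == 0) {
+#if HAVE_USERNS
 check_user_namespace();
+#endif
 return 0;
 }
 else if (strcmp(ptr, "seccomp") == 0) {
@@ -141,36 +143,48 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 arg_private_dev = 1;
 return 0;
 }
+else if (strcmp(ptr, "private-tmp") == 0) {
+arg_private_tmp = 1;
+return 0;
+}
 else if (strcmp(ptr, "nogroups") == 0) {
 arg_nogroups = 1;
 return 0;
 }
 else if (strcmp(ptr, "netfilter") == 0) {
+#ifdef HAVE_NETWORK
 arg_netfilter = 1;
+#endif
 return 0;
 }
 else if (strncmp(ptr, "netfilter ", 10) == 0) {
+#ifdef HAVE_NETWORK
 arg_netfilter = 1;
 arg_netfilter_file = strdup(ptr + 10);
 if (!arg_netfilter_file)
 errExit("strdup");
 check_netfilter_file(arg_netfilter_file);
+#endif
 return 0;
 }
 else if (strncmp(ptr, "netfilter6 ", 11) == 0) {
+#ifdef HAVE_NETWORK
 arg_netfilter6 = 1;
 arg_netfilter6_file = strdup(ptr + 11);
 if (!arg_netfilter6_file)
 errExit("strdup");
 check_netfilter_file(arg_netfilter6_file);
+#endif
 return 0;
 }
 else if (strcmp(ptr, "net none") == 0) {
+#ifdef HAVE_NETWORK
 arg_nonetwork = 1;
 cfg.bridge0.configured = 0;
 cfg.bridge1.configured = 0;
 cfg.bridge2.configured = 0;
 cfg.bridge3.configured = 0;
+#endif
 return 0;
 }
 
@@ -276,6 +290,13 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 
+// nice value
+if (strncmp(ptr, "nice ", 4) == 0) {
+cfg.nice = atoi(ptr + 5);
+arg_nice = 1;
+return 0;
+}
+
 // cgroup
 if (strncmp(ptr, "cgroup ", 7) == 0) {
 set_cgroup(ptr + 7);
@@ -290,14 +311,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 
-// private home list of files and directories
-if (strncmp(ptr, "private-home ", 13) == 0) {
-cfg.home_private_keep = ptr + 13;
-fs_check_home_list();
-arg_private = 1;
-return 0;
-}
-
 // private /etc list of files and directories
 if (strncmp(ptr, "private-etc ", 12) == 0) {
 cfg.etc_private_keep = ptr + 12;
@@ -331,7 +344,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 char *dname1 = ptr + 5;
 char *dname2 = split_comma(dname1); // this inserts a '0 to separate the two dierctories
 if (dname2 == NULL) {
-fprintf(stderr, "Error: mising second directory for bind\n");
+fprintf(stderr, "Error: missing second directory for bind\n");
 exit(1);
 }
 
@@ -407,8 +420,13 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 }
 else if (strncmp(ptr, "read-only ", 10) == 0)
 ptr += 10;
-else if (strncmp(ptr, "tmpfs ", 6) == 0)
+else if (strncmp(ptr, "tmpfs ", 6) == 0) {
+if (getuid() != 0) {
+fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n");
+exit(1);
+}
 ptr += 6;
+}
 else {
 if (lineno == 0)
 fprintf(stderr, "Error: \"%s\" as a command line option is invalid\n", ptr);
@@ -515,6 +533,10 @@ void profile_read(const char *fname) {
 // verify syntax, exit in case of error
 if (profile_check_line(ptr, lineno, fname))
 profile_add(ptr);
+// we cannot free ptr here, data is extracted from ptr and linked as a pointer in cfg structure
+// else {
+// free(ptr);
+// }
 }
 fclose(fp);
 }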
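Review bot: The new "nice" handler at new line 294 compares only 4 characters, so it matches any line starting with "nice" (including a bare `nice` with no argument), and `atoi(ptr + 5)` then reads one byte past the terminator of a 4-character line; the length should match the literal, as every other prefix check in this function does: `if (strncmp(ptr, "nice ", 5) == 0) {`. Line 113 uses `#if HAVE_USERNS` while the same function and main.c use `#ifdef HAVE_NETWORK`/`#ifdef HAVE_USERNS`; if the build ever defines HAVE_USERNS without a value, `#if` is a preprocessor error, so `#ifdef HAVE_USERNS` keeps the checks consistent. The commented-out `else { free(ptr); }` at lines 537-539 should be dropped and the explanatory comment on line 536 kept on its own. profile_check_line starts before the first hunk and its body continues between the hunks.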
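--- a/src/firejail/protocol.c
+++ b/src/firejail/protocol.c
@@ -119,6 +119,11 @@ void protocol_list(void) {
 void protocol_store(const char *prlist) {
 assert(prlist);
 
+if (cfg.protocol) {
+fprintf(stderr, "Warning: a protocol list is present, the new list \"%s\" will not be installed\n", prlist);
+return;
+}
+
 // temporary list
 char *tmplist = strdup(prlist);
 if (!tmplist)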
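Review bot: The early return at new lines 122-125 makes the first protocol list win silently from the caller's point of view (the function returns void), so a later, possibly more restrictive list from a profile or the command line is dropped with only a stderr warning. Which source ends up winning depends on the order the option and profile parsers call protocol_store(), which is not visible here; a comment stating the intended precedence would help, e.g. `// first-wins: a protocol list already stored (profile or command line) is not replaced`. If the intent is that an explicit command-line list should override a profile one, that needs a flag rather than this check. protocol_store's body continues outside the hunk.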
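--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -93,8 +93,8 @@ void pulseaudio_init(void) {
 
 // create the new user pulseaudio directory
 fs_build_mnt_dir();
-int rv = mkdir(RUN_PULSE_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+int rv = mkdir(RUN_PULSE_DIR, 0700);
-(void) rv; // in --chroot mode the directory canalready be there
+(void) rv; // in --chroot mode the directory can already be there
 if (chown(RUN_PULSE_DIR, getuid(), getgid()) < 0)
 errExit("chown");
 if (chmod(RUN_PULSE_DIR, 0700) < 0)
@@ -104,6 +104,10 @@ void pulseaudio_init(void) {
 char *pulsecfg = NULL;
 if (asprintf(&pulsecfg, "%s/client.conf", RUN_PULSE_DIR) == -1)
 errExit("asprintf");
+if (is_link("/etc/pulse/client.conf")) {
+fprintf(stderr, "Error: invalid /etc/pulse/client.conf file\n");
+exit(1);
+}
 if (copy_file("/etc/pulse/client.conf", pulsecfg))
 errExit("copy_file");
 FILE *fp = fopen(pulsecfg, "a+");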
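Review bot: The `is_link()` check at new lines 107-110 and the `copy_file()` at line 111 are separate path lookups, so the property that was checked is not the property that is used: the file can be replaced between the two calls, which is the classic check-then-use window. Since copy_file() is a project helper (not visible here), the robust fix is to have it open the source with `O_NOFOLLOW`, or open it and then `fstat()` the descriptor and require `S_ISREG`, and to drop the separate is_link() calls; the same pattern is added in restrict_users.c for /etc/passwd and /etc/group and in main.c for ~/.firejail. For the /etc files the window matters only to someone who can already write /etc, so the residual risk is small; for the user-owned ~/.firejail directory the same race is more relevant when firejail runs setuid. pulseaudio_init continues outside the hunks.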
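--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -115,6 +115,10 @@ static void sanitize_passwd(void) {
 return;
 if (arg_debug)
 printf("Sanitizing /etc/passwd\n");
+if (is_link("/etc/passwd")) {
+fprintf(stderr, "Error: invalid /etc/passwd\n");
+exit(1);
+}
 
 FILE *fpin = NULL;
 FILE *fpout = NULL;
@@ -248,6 +252,10 @@ static void sanitize_group(void) {
 return;
 if (arg_debug)
 printf("Sanitizing /etc/group\n");
+if (is_link("/etc/group")) {
+fprintf(stderr, "Error: invalid /etc/group\n");
+exit(1);
+}
 
 FILE *fpin = NULL;
 FILE *fpout = NULL;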
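--- a/src/firejail/run_symlink.c
+++ b/src/firejail/run_symlink.c
@@ -42,7 +42,11 @@ void run_symlink(int argc, char **argv) {
 char *path = strdup(p);
 if (!path)
 errExit("strdup");
 
+char *selfpath = realpath("/proc/self/exe", NULL);
+if (!selfpath)
+errExit("realpath");
+
 // look in path for our program
 char *tok = strtok(path, ":");
 int found = 0;
@@ -53,28 +57,37 @@ void run_symlink(int argc, char **argv) {
 
 struct stat s;
 if (stat(name, &s) == 0) {
-if (!is_link(name)) {
+char* rp = realpath(name, NULL);
+if (!rp)
+errExit("realpath");
+
+if (strcmp(selfpath, rp) != 0) {
 program = strdup(name);
 found = 1;
+free(rp);
 break;
 }
+
+free(rp);
 }
 
 free(name);
 tok = strtok(NULL, ":");
 }
 if (!found) {
 fprintf(stderr, "Error: cannot find the program in the path\n");
 exit(1);
 }
 
+free(selfpath);
+
 
 // start the argv[0] program in a new sandbox
 char *firejail;
 if (asprintf(&firejail, "%s/bin/firejail", PREFIX) == -1)
 errExit("asprintf");
 
-printf("Redirecting symlink to %s\n", firejail, program);
+printf("Redirecting symlink to %s\n", program);
 
 // run command
 char *a[3 + argc];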
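Review bot: `program = strdup(name);` at new line 65 is still unchecked, while the strdup at line 42 and both new realpath() calls exit on NULL; for consistency add `if (!program) errExit("strdup");` right after it. The comparison against `/proc/self/exe` is a sounder way to skip the firejail symlink itself than the old is_link() test, since it also handles hard links and copies; a short comment saying so would help the next reader, e.g. `// skip any PATH entry that resolves to this very binary, so we do not re-exec ourselves`. One behavioural change to be aware of: a PATH entry that stat()s fine but fails realpath() now aborts the whole lookup via errExit instead of being skipped, which `continue`-ing after freeing `name` would avoid. run_symlink continues outside the hunks.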
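--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -27,6 +27,7 @@
 #include <sys/resource.h>
 #include <sys/types.h>
 #include <dirent.h>
+#include <errno.h>
 
 #include <sched.h>
 #ifndef CLONE_NEWUSER
@@ -134,7 +135,13 @@ static void monitor_application(pid_t app_pid) {
 usleep(20000);
 
 int status;
-unsigned rv = waitpid(app_pid, &status, 0);
+pid_t rv;
+do {
+rv = waitpid(-1, &status, 0);
+if (rv == -1)
+break;
+}
+while(rv != app_pid);
 if (arg_debug)
 printf("Sandbox monitor: waitpid %u retval %d status %d\n", app_pid, rv, status);
 
@@ -167,7 +174,7 @@ static void monitor_application(pid_t app_pid) {
 
 #if 0
 // todo: find a way to shut down interfaces before closing the namespace
-// the problem is we don't have enough privileges to shutdown interfaces in this momen
+// the problem is we don't have enough privileges to shutdown interfaces in this moment
 // shut down bridge/macvlan interfaces
 if (any_bridge_configured()) {
 
@@ -343,6 +350,9 @@ int sandbox(void* sandbox_arg) {
 //****************************
 // configure filesystem
 //****************************
+#ifdef HAVE_SECCOMP
+int enforce_seccomp = 0;
+#endif
 #ifdef HAVE_CHROOT
 if (cfg.chrootdir) {
 fs_chroot(cfg.chrootdir);
@@ -354,6 +364,9 @@ int sandbox(void* sandbox_arg) {
 // force default seccomp inside the chroot, no keep or drop list
 // the list build on top of the default drop list is kept intact
 arg_seccomp = 1;
+#ifdef HAVE_SECCOMP
+enforce_seccomp = 1;
+#endif
 if (cfg.seccomp_list_drop) {
 free(cfg.seccomp_list_drop);
 cfg.seccomp_list_drop = NULL;
@@ -404,8 +417,6 @@ int sandbox(void* sandbox_arg) {
 if (arg_private) {
 if (cfg.home_private) // --private=
 fs_private_homedir();
-else if (cfg.home_private_keep) // --private-home=
-fs_private_home_list();
 else // --private
 fs_private();
 }
@@ -420,6 +431,8 @@ int sandbox(void* sandbox_arg) {
 }
 if (arg_private_bin)
 fs_private_bin_list();
+if (arg_private_tmp)
+fs_private_tmp();
 
 //****************************
 // apply the profile file
@@ -570,6 +583,18 @@ int sandbox(void* sandbox_arg) {
 // set user-supplied environment variables
 env_apply();
 
+// set nice
+if (arg_nice) {
+errno = 0;
+int rv = nice(cfg.nice);
+(void) rv;
+printf("nice rv %d\n", rv);
+if (errno) {
+fprintf(stderr, "Warning: cannot set nice value\n");
+errno = 0;
+}
+}
+
 //****************************
 // set security filters
 //****************************
@@ -595,7 +620,7 @@ int sandbox(void* sandbox_arg) {
 else if (cfg.seccomp_list_errno)
 seccomp_filter_errno();
 else
-seccomp_filter_drop(enforce_seccomp);
+seccomp_filter_drop(enforce_seccomp);
 }
 #endif
 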
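Review bot: `printf("nice rv %d\n", rv);` at new line 591 looks like a leftover debug print: it runs on every sandbox start whenever a nice value is set, and it makes the `(void) rv;` on the line before pointless; gate it as the rest of the file does, `if (arg_debug) printf("nice rv %d\n", rv);`, or drop it. In the monitor loop at lines 138-144, the `break` on `rv == -1` leaves `status` (declared uninitialized at line 137) unset, and the debug printf at line 146 then prints it; `int status = 0;` avoids the uninitialized read. The switch from `waitpid(app_pid, …)` to `waitpid(-1, …)` also reaps every other child of the monitor while it waits, which is fine only if nothing else in monitor_application relies on collecting those children; its body continues outside the hunk. Since the errno-based check at line 592 is the correct way to detect a failed nice() (a return of -1 is a legal value), a one-line comment saying so would stop someone "fixing" it later.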
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 396ab99db..57f483b1c 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
@@ -324,7 +324,7 @@ static void read_seccomp_file(const char *fname) { | |||
324 | filter_debug(); | 324 | filter_debug(); |
325 | } | 325 | } |
326 | 326 | ||
327 | // i386t filter installed on amd64 architectures | 327 | // i386 filter installed on amd64 architectures |
328 | void seccomp_filter_32(void) { | 328 | void seccomp_filter_32(void) { |
329 | // hardcoded syscall values | 329 | // hardcoded syscall values |
330 | struct sock_filter filter[] = { | 330 | struct sock_filter filter[] = { |
@@ -373,6 +373,9 @@ void seccomp_filter_32(void) { | |||
373 | BLACKLIST(317), // move_pages | 373 | BLACKLIST(317), // move_pages |
374 | BLACKLIST(316), // vmsplice | 374 | BLACKLIST(316), // vmsplice |
375 | BLACKLIST(61), // chroot | 375 | BLACKLIST(61), // chroot |
376 | BLACKLIST(88), // reboot | ||
377 | BLACKLIST(169), // nfsservctl | ||
378 | BLACKLIST(130), // get_kernel_syms | ||
376 | RETURN_ALLOW | 379 | RETURN_ALLOW |
377 | }; | 380 | }; |
378 | 381 | ||
@@ -389,8 +392,78 @@ void seccomp_filter_32(void) { | |||
389 | } | 392 | } |
390 | } | 393 | } |
391 | 394 | ||
395 | // amd64 filter installed on i386 architectures | ||
396 | void seccomp_filter_64(void) { | ||
397 | // hardcoded syscall values | ||
398 | struct sock_filter filter[] = { | ||
399 | VALIDATE_ARCHITECTURE_64, | ||
400 | EXAMINE_SYSCALL, | ||
401 | BLACKLIST(165), // mount | ||
402 | BLACKLIST(166), // umount2 | ||
403 | BLACKLIST(101), // ptrace | ||
404 | BLACKLIST(246), // kexec_load | ||
405 | BLACKLIST(304), // open_by_handle_at | ||
406 | BLACKLIST(175), // init_module | ||
407 | BLACKLIST(313), // finit_module | ||
408 | BLACKLIST(176), // delete_module | ||
409 | BLACKLIST(172), // iopl | ||
410 | BLACKLIST(173), // ioperm | ||
411 | BLACKLIST(167), // swapon | ||
412 | BLACKLIST(168), // swapoff | ||
413 | BLACKLIST(103), // syslog | ||
414 | BLACKLIST(310), // process_vm_readv | ||
415 | BLACKLIST(311), // process_vm_writev | ||
416 | BLACKLIST(139), // sysfs | ||
417 | BLACKLIST(156), // _sysctl | ||
418 | BLACKLIST(159), // adjtimex | ||
419 | BLACKLIST(305), // clock_adjtime | ||
420 | BLACKLIST(212), // lookup_dcookie | ||
421 | BLACKLIST(298), // perf_event_open | ||
422 | BLACKLIST(300), // fanotify_init | ||
423 | BLACKLIST(312), // kcmp | ||
424 | BLACKLIST(248), // add_key | ||
425 | BLACKLIST(249), // request_key | ||
426 | BLACKLIST(250), // keyctl | ||
427 | BLACKLIST(134), // uselib | ||
428 | BLACKLIST(163), // acct | ||
429 | BLACKLIST(154), // modify_ldt | ||
430 | BLACKLIST(155), // pivot_root | ||
431 | BLACKLIST(206), // io_setup | ||
432 | BLACKLIST(207), // io_destroy | ||
433 | BLACKLIST(208), // io_getevents | ||
434 | BLACKLIST(209), // io_submit | ||
435 | BLACKLIST(210), // io_cancel | ||
436 | BLACKLIST(216), // remap_file_pages | ||
437 | BLACKLIST(237), // mbind | ||
438 | BLACKLIST(239), // get_mempolicy | ||
439 | BLACKLIST(238), // set_mempolicy | ||
440 | BLACKLIST(256), // migrate_pages | ||
441 | BLACKLIST(279), // move_pages | ||
442 | BLACKLIST(278), // vmsplice | ||
443 | BLACKLIST(161), // chroot | ||
444 | BLACKLIST(184), // tuxcall | ||
445 | BLACKLIST(169), // reboot | ||
446 | BLACKLIST(180), // nfsservctl | ||
447 | BLACKLIST(177), // get_kernel_syms | ||
448 | RETURN_ALLOW | ||
449 | }; | ||
450 | |||
451 | struct sock_fprog prog = { | ||
452 | .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])), | ||
453 | .filter = filter, | ||
454 | }; | ||
455 | |||
456 | if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { | ||
457 | ; | ||
458 | } | ||
459 | else if (arg_debug) { | ||
460 | printf("Dual i386/amd64 seccomp filter configured\n"); | ||
461 | } | ||
462 | } | ||
463 | |||
464 | |||
392 | // drop filter for seccomp option | 465 | // drop filter for seccomp option |
393 | int seccomp_filter_drop(void) { | 466 | int seccomp_filter_drop(int enforce_seccomp) { |
394 | filter_init(); | 467 | filter_init(); |
395 | 468 | ||
396 | // default seccomp | 469 | // default seccomp |
@@ -398,6 +471,9 @@ int seccomp_filter_drop(void) { | |||
398 | #if defined(__x86_64__) | 471 | #if defined(__x86_64__) |
399 | seccomp_filter_32(); | 472 | seccomp_filter_32(); |
400 | #endif | 473 | #endif |
474 | #if defined(__i386__) | ||
475 | seccomp_filter_64(); | ||
476 | #endif | ||
401 | 477 | ||
402 | #ifdef SYS_mount | 478 | #ifdef SYS_mount |
403 | filter_add_blacklist(SYS_mount, 0); | 479 | filter_add_blacklist(SYS_mount, 0); |
@@ -432,7 +508,7 @@ int seccomp_filter_drop(void) { | |||
432 | #ifdef SYS_ioperm | 508 | #ifdef SYS_ioperm |
433 | filter_add_blacklist(SYS_ioperm, 0); | 509 | filter_add_blacklist(SYS_ioperm, 0); |
434 | #endif | 510 | #endif |
435 | #ifdef SYS_ni_syscall // new io permisions call on arm devices | 511 | #ifdef SYS_ni_syscall // new io permissions call on arm devices |
436 | filter_add_blacklist(SYS_ni_syscall, 0); | 512 | filter_add_blacklist(SYS_ni_syscall, 0); |
437 | #endif | 513 | #endif |
438 | #ifdef SYS_swapon | 514 | #ifdef SYS_swapon |
@@ -559,9 +635,19 @@ int seccomp_filter_drop(void) { | |||
559 | // CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(clone), 1, | 635 | // CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(clone), 1, |
560 | // SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER))); | 636 | // SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER))); |
561 | 637 | ||
562 | // 32bit | 638 | // 0.9.39 |
563 | // filter_add_blacklist(SYS_personality, 0); // test wine | 639 | #ifdef SYS_tuxcall |
564 | // filter_add_blacklist(SYS_set_thread_area, 0); // test wine | 640 | filter_add_blacklist(SYS_tuxcall, 0); |
641 | #endif | ||
642 | #ifdef SYS_reboot | ||
643 | filter_add_blacklist(SYS_reboot, 0); | ||
644 | #endif | ||
645 | #ifdef SYS_nfsservctl | ||
646 | filter_add_blacklist(SYS_nfsservctl, 0); | ||
647 | #endif | ||
648 | #ifdef SYS_get_kernel_syms | ||
649 | filter_add_blacklist(SYS_get_kernel_syms, 0); | ||
650 | #endif | ||
565 | } | 651 | } |
566 | 652 | ||
567 | // default seccomp filter with additional drop list | 653 | // default seccomp filter with additional drop list |
@@ -595,7 +681,13 @@ int seccomp_filter_drop(void) { | |||
595 | }; | 681 | }; |
596 | 682 | ||
597 | if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { | 683 | if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { |
598 | fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n"); | 684 | if (enforce_seccomp) { |
685 | fprintf(stderr, "Error: a seccomp-enabled Linux kernel is required, exiting...\n"); | ||
686 | exit(1); | ||
687 | } | ||
688 | else | ||
689 | fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n"); | ||
690 | |||
599 | return 1; | 691 | return 1; |
600 | } | 692 | } |
601 | 693 | ||
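Review bot: In the new seccomp_filter_64 the prctl() failure branch is an empty statement (`{ ; }`), so a cross-architecture filter that fails to install is never reported, not even when the new enforce_seccomp flag is set for the native filter a few lines later; the same silent-swallow shape is presumably present in seccomp_filter_32, which is outside the hunk. At minimum make the branch visible, e.g. `if (prctl(...) || prctl(...)) { if (arg_debug) fprintf(stderr, "Warning: cannot install amd64 seccomp filter\n"); return; }`, or let the function return the failure so seccomp_filter_drop can apply its enforce_seccomp policy to it. The hardcoded numbers in the new list match the amd64 syscall table as far as I can check (reboot 169, nfsservctl 180, get_kernel_syms 177, tuxcall 184), but this list and the symbolic SYS_* list in seccomp_filter_drop must now be kept in step by hand — a header comment such as `// keep in sync with the SYS_* blacklist in seccomp_filter_drop()` above seccomp_filter_32 and seccomp_filter_64 would help the next person who adds an entry to only one of them.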
diff --git a/src/firejail/seccomp.h b/src/firejail/seccomp.h index 3c4f14469..7d646dd9e 100644 --- a/src/firejail/seccomp.h +++ b/src/firejail/seccomp.h | |||
@@ -31,9 +31,9 @@ | |||
31 | BLACKLIST(SYS_init_module), // kernel module handling | 31 | BLACKLIST(SYS_init_module), // kernel module handling |
32 | BLACKLIST(SYS_finit_module), | 32 | BLACKLIST(SYS_finit_module), |
33 | BLACKLIST(SYS_delete_module), | 33 | BLACKLIST(SYS_delete_module), |
34 | BLACKLIST(SYS_iopl), // io permisions | 34 | BLACKLIST(SYS_iopl), // io permissions |
35 | BLACKLIST(SYS_ioperm), | 35 | BLACKLIST(SYS_ioperm), |
36 | BLACKLIST(SYS_iopl), // io permisions | 36 | BLACKLIST(SYS_iopl), // io permissions |
37 | BLACKLIST(SYS_ni_syscall), | 37 | BLACKLIST(SYS_ni_syscall), |
38 | BLACKLIST(SYS_swapon), // swap on/off | 38 | BLACKLIST(SYS_swapon), // swap on/off |
39 | BLACKLIST(SYS_swapoff), | 39 | BLACKLIST(SYS_swapoff), |
@@ -105,6 +105,11 @@ struct seccomp_data { | |||
105 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \ | 105 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \ |
106 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) | 106 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) |
107 | 107 | ||
108 | #define VALIDATE_ARCHITECTURE_64 \ | ||
109 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ | ||
110 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_X86_64, 1, 0), \ | ||
111 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) | ||
112 | |||
108 | #define VALIDATE_ARCHITECTURE_32 \ | 113 | #define VALIDATE_ARCHITECTURE_32 \ |
109 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ | 114 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ |
110 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_I386, 1, 0), \ | 115 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_I386, 1, 0), \ |
@@ -141,4 +146,4 @@ struct seccomp_data { | |||
141 | #define KILL_PROCESS \ | 146 | #define KILL_PROCESS \ |
142 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL) | 147 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL) |
143 | 148 | ||
144 | #endif \ No newline at end of file | 149 | #endif |
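Review bot: Lines 34 and 36 of the header both read `BLACKLIST(SYS_iopl)`, and the commit fixes the spelling of the comment on each without noticing the duplicate; the second entry presumably stands in for another syscall or is simply redundant, either way it is worth resolving while the lines are being touched. The new VALIDATE_ARCHITECTURE_64 macro returns SECCOMP_RET_ALLOW for any arch other than AUDIT_ARCH_X86_64, which is what a filter installed alongside the native one needs, but the intent is not obvious from the BPF; a one-line comment such as `// pass non-amd64 calls through to the next filter; only amd64 calls are examined here` above the macro (and its mirror above VALIDATE_ARCHITECTURE_32) would document that.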
diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c index 131f663d4..edaac7eb9 100644 --- a/src/firejail/shutdown.c +++ b/src/firejail/shutdown.c | |||
@@ -54,8 +54,14 @@ void shut(pid_t pid) { | |||
54 | printf("Switching to pid %u, the first child process inside the sandbox\n", (unsigned) pid); | 54 | printf("Switching to pid %u, the first child process inside the sandbox\n", (unsigned) pid); |
55 | } | 55 | } |
56 | } | 56 | } |
57 | else { | ||
58 | fprintf(stderr, "Error: this is not a firejail sandbox\n"); | ||
59 | exit(1); | ||
60 | } | ||
57 | free(comm); | 61 | free(comm); |
58 | } | 62 | } |
63 | else | ||
64 | errExit("/proc/PID/comm"); | ||
59 | 65 | ||
60 | // check privileges for non-root users | 66 | // check privileges for non-root users |
61 | uid_t uid = getuid(); | 67 | uid_t uid = getuid(); |
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 9197baae2..33724c80f 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -34,10 +34,12 @@ void usage(void) { | |||
34 | printf("\n"); | 34 | printf("\n"); |
35 | printf("Options:\n\n"); | 35 | printf("Options:\n\n"); |
36 | printf("\t-- - signal the end of options and disables further option processing.\n\n"); | 36 | printf("\t-- - signal the end of options and disables further option processing.\n\n"); |
37 | #ifdef HAVE_NETWORK | ||
37 | printf("\t--bandwidth=name - set bandwidth limits for the sandbox identified\n"); | 38 | printf("\t--bandwidth=name - set bandwidth limits for the sandbox identified\n"); |
38 | printf("\t\tby name, see Traffic Shaping section for more details.\n\n"); | 39 | printf("\t\tby name, see Traffic Shaping section for more details.\n\n"); |
39 | printf("\t--bandwidth=pid - set bandwidth limits for the sandbox identified\n"); | 40 | printf("\t--bandwidth=pid - set bandwidth limits for the sandbox identified\n"); |
40 | printf("\t\tby PID, see Traffic Shaping section for more details.\n\n"); | 41 | printf("\t\tby PID, see Traffic Shaping section for more details.\n\n"); |
42 | #endif | ||
41 | #ifdef HAVE_BIND | 43 | #ifdef HAVE_BIND |
42 | printf("\t--bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n\n"); | 44 | printf("\t--bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n\n"); |
43 | printf("\t--bind=filename1,dirname2 - mount-bind filename1 on top of filename2.\n\n"); | 45 | printf("\t--bind=filename1,dirname2 - mount-bind filename1 on top of filename2.\n\n"); |
@@ -46,7 +48,11 @@ void usage(void) { | |||
46 | printf("\t-c - execute command and exit.\n\n"); | 48 | printf("\t-c - execute command and exit.\n\n"); |
47 | printf("\t--caps - enable default Linux capabilities filter. The filter disables\n"); | 49 | printf("\t--caps - enable default Linux capabilities filter. The filter disables\n"); |
48 | printf("\t\tCAP_SYS_MODULE, CAP_SYS_RAWIO, CAP_SYS_BOOT, CAP_SYS_NICE,\n"); | 50 | printf("\t\tCAP_SYS_MODULE, CAP_SYS_RAWIO, CAP_SYS_BOOT, CAP_SYS_NICE,\n"); |
51 | #ifdef CAP_SYSLOG | ||
49 | printf("\t\tCAP_SYS_TTY_CONFIG, CAP_SYSLOG, CAP_MKNOD, CAP_SYS_ADMIN.\n\n"); | 52 | printf("\t\tCAP_SYS_TTY_CONFIG, CAP_SYSLOG, CAP_MKNOD, CAP_SYS_ADMIN.\n\n"); |
53 | #else | ||
54 | printf("\t\tCAP_SYS_TTY_CONFIG, CAP_MKNOD, CAP_SYS_ADMIN.\n\n"); | ||
55 | #endif | ||
50 | printf("\t--caps.drop=all - drop all capabilities.\n\n"); | 56 | printf("\t--caps.drop=all - drop all capabilities.\n\n"); |
51 | printf("\t--caps.drop=capability,capability,capability - blacklist Linux\n"); | 57 | printf("\t--caps.drop=capability,capability,capability - blacklist Linux\n"); |
52 | printf("\t\tcapabilities filter.\n\n"); | 58 | printf("\t\tcapabilities filter.\n\n"); |
@@ -71,7 +77,7 @@ void usage(void) { | |||
71 | printf("\t--debug-caps - print all recognized capabilities in the current\n"); | 77 | printf("\t--debug-caps - print all recognized capabilities in the current\n"); |
72 | printf("\t\tFirejail software build and exit.\n\n"); | 78 | printf("\t\tFirejail software build and exit.\n\n"); |
73 | printf("\t--debug-check-filename - debug filename checking.\n\n"); | 79 | printf("\t--debug-check-filename - debug filename checking.\n\n"); |
74 | printf("\t--debug-errnos - print all recognized error numbres in the current\n"); | 80 | printf("\t--debug-errnos - print all recognized error numbers in the current\n"); |
75 | printf("\t\tFirejail software build and exit.\n\n"); | 81 | printf("\t\tFirejail software build and exit.\n\n"); |
76 | printf("\t--debug-protocols - print all recognized protocols in the current\n"); | 82 | printf("\t--debug-protocols - print all recognized protocols in the current\n"); |
77 | printf("\t\tFirejail software build and exit.\n\n"); | 83 | printf("\t\tFirejail software build and exit.\n\n"); |
@@ -81,8 +87,10 @@ void usage(void) { | |||
81 | 87 | ||
82 | 88 | ||
83 | 89 | ||
90 | #ifdef HAVE_NETWORK | ||
84 | printf("\t--defaultgw=address - use this address as default gateway in the new\n"); | 91 | printf("\t--defaultgw=address - use this address as default gateway in the new\n"); |
85 | printf("\t\tnetwork namespace.\n\n"); | 92 | printf("\t\tnetwork namespace.\n\n"); |
93 | #endif | ||
86 | printf("\t--dns=address - set a DNS server for the sandbox. Up to three DNS\n"); | 94 | printf("\t--dns=address - set a DNS server for the sandbox. Up to three DNS\n"); |
87 | printf("\t\tservers can be defined.\n\n"); | 95 | printf("\t\tservers can be defined.\n\n"); |
88 | printf("\t--dns.print=name - print DNS configuration for the sandbox identified\n"); | 96 | printf("\t--dns.print=name - print DNS configuration for the sandbox identified\n"); |
@@ -99,15 +107,16 @@ void usage(void) { | |||
99 | printf("\t--help, -? - this help screen.\n\n"); | 107 | printf("\t--help, -? - this help screen.\n\n"); |
100 | printf("\t--hostname=name - set sandbox hostname.\n\n"); | 108 | printf("\t--hostname=name - set sandbox hostname.\n\n"); |
101 | printf("\t--ignore=command - ignore command in profile files.\n\n"); | 109 | printf("\t--ignore=command - ignore command in profile files.\n\n"); |
110 | #ifdef HAVE_NETWORK | ||
102 | printf("\t--interface=name - move interface in a new network namespace. Up to\n"); | 111 | printf("\t--interface=name - move interface in a new network namespace. Up to\n"); |
103 | printf("\t\tfour --interface options can be sepcified.\n\n"); | 112 | printf("\t\tfour --interface options can be specified.\n\n"); |
104 | |||
105 | printf("\t--ip=address - set interface IP address.\n\n"); | 113 | printf("\t--ip=address - set interface IP address.\n\n"); |
106 | printf("\t--ip=none - no IP address and no default gateway address are configured\n"); | 114 | printf("\t--ip=none - no IP address and no default gateway address are configured\n"); |
107 | printf("\t\tin the new network namespace. Use this option in case you intend\n"); | 115 | printf("\t\tin the new network namespace. Use this option in case you intend\n"); |
108 | printf("\t\tto start an external DHCP client in the sandbox.\n\n"); | 116 | printf("\t\tto start an external DHCP client in the sandbox.\n\n"); |
109 | printf("\t--ip6=address - set interface IPv6 address.\n\n"); | 117 | printf("\t--ip6=address - set interface IPv6 address.\n\n"); |
110 | printf("\t--iprange=address,address - configure an IP address in this range\n\n"); | 118 | printf("\t--iprange=address,address - configure an IP address in this range\n\n"); |
119 | #endif | ||
111 | printf("\t--ipc-namespace - enable a new IPC namespace if the sandbox was started\n"); | 120 | printf("\t--ipc-namespace - enable a new IPC namespace if the sandbox was started\n"); |
112 | printf("\t\tas a regular user. IPC namespace is enabled by default only if\n"); | 121 | printf("\t\tas a regular user. IPC namespace is enabled by default only if\n"); |
113 | printf("\t\tthe sandbox is started as root.\n\n"); | 122 | printf("\t\tthe sandbox is started as root.\n\n"); |
@@ -117,14 +126,19 @@ void usage(void) { | |||
117 | printf("\t\tidentified by name.\n\n"); | 126 | printf("\t\tidentified by name.\n\n"); |
118 | printf("\t--join-filesystem=pid - join the mount namespace of the sandbox\n"); | 127 | printf("\t--join-filesystem=pid - join the mount namespace of the sandbox\n"); |
119 | printf("\t\tidentified by PID.\n\n"); | 128 | printf("\t\tidentified by PID.\n\n"); |
129 | #ifdef HAVE_NETWORK | ||
120 | printf("\t--join-network=name - join the network namespace of the sandbox\n"); | 130 | printf("\t--join-network=name - join the network namespace of the sandbox\n"); |
121 | printf("\t\tidentified by name.\n\n"); | 131 | printf("\t\tidentified by name.\n\n"); |
122 | printf("\t--join-network=pid - join the network namespace of the sandbox\n"); | 132 | printf("\t--join-network=pid - join the network namespace of the sandbox\n"); |
123 | printf("\t\tidentified by PID.\n\n"); | 133 | printf("\t\tidentified by PID.\n\n"); |
134 | #endif | ||
124 | printf("\t--list - list all sandboxes.\n\n"); | 135 | printf("\t--list - list all sandboxes.\n\n"); |
136 | #ifdef HAVE_NETWORK | ||
125 | printf("\t--mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n\n"); | 137 | printf("\t--mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n\n"); |
126 | printf("\t--mtu=number - set interface MTU.\n\n"); | 138 | printf("\t--mtu=number - set interface MTU.\n\n"); |
139 | #endif | ||
127 | printf("\t--name=name - set sandbox name.\n\n"); | 140 | printf("\t--name=name - set sandbox name.\n\n"); |
141 | #ifdef HAVE_NETWORK | ||
128 | printf("\t--net=bridgename - enable network namespaces and connect to this bridge\n"); | 142 | printf("\t--net=bridgename - enable network namespaces and connect to this bridge\n"); |
129 | printf("\t\tdevice. Unless specified with option --ip and --defaultgw, an\n"); | 143 | printf("\t\tdevice. Unless specified with option --ip and --defaultgw, an\n"); |
130 | printf("\t\tIP address and a default gateway will be assigned automatically\n"); | 144 | printf("\t\tIP address and a default gateway will be assigned automatically\n"); |
@@ -163,6 +177,8 @@ void usage(void) { | |||
163 | 177 | ||
164 | printf("\t--netstats - monitor network statistics for sandboxes creating a new\n"); | 178 | printf("\t--netstats - monitor network statistics for sandboxes creating a new\n"); |
165 | printf("\t\tnetwork namespace.\n\n"); | 179 | printf("\t\tnetwork namespace.\n\n"); |
180 | #endif | ||
181 | printf("\t--nice=value - set nice value\n\n"); | ||
166 | printf("\t--noblacklist=dirname_or_filename - disable blacklist for directory\n"); | 182 | printf("\t--noblacklist=dirname_or_filename - disable blacklist for directory\n"); |
167 | printf("\t\tor file.\n\n"); | 183 | printf("\t\tor file.\n\n"); |
168 | printf("\t--nogroups - disable supplementary groups. Without this option,\n"); | 184 | printf("\t--nogroups - disable supplementary groups. Without this option,\n"); |
@@ -175,11 +191,11 @@ void usage(void) { | |||
175 | printf("\t\tmatches the command name, and lastly use %s.profile\n", DEFAULT_USER_PROFILE); | 191 | printf("\t\tmatches the command name, and lastly use %s.profile\n", DEFAULT_USER_PROFILE); |
176 | printf("\t\tif running as regular user or %s.profile if running as\n", DEFAULT_ROOT_PROFILE); | 192 | printf("\t\tif running as regular user or %s.profile if running as\n", DEFAULT_ROOT_PROFILE); |
177 | printf("\t\troot.\n\n"); | 193 | printf("\t\troot.\n\n"); |
178 | 194 | #ifdef HAVE_USERNS | |
179 | printf("\t--noroot - install a user namespace with a single user - the current\n"); | 195 | printf("\t--noroot - install a user namespace with a single user - the current\n"); |
180 | printf("\t\tuser. root user does not exist in the new namespace. This option\n"); | 196 | printf("\t\tuser. root user does not exist in the new namespace. This option\n"); |
181 | printf("\t\tis not supported for --chroot and --overlay configurations.\n\n"); | 197 | printf("\t\tis not supported for --chroot and --overlay configurations.\n\n"); |
182 | 198 | #endif | |
183 | printf("\t--nosound - disable sound system\n\n"); | 199 | printf("\t--nosound - disable sound system\n\n"); |
184 | 200 | ||
185 | printf("\t--output=logfile - stdout logging and log rotation. Copy stdout to\n"); | 201 | printf("\t--output=logfile - stdout logging and log rotation. Copy stdout to\n"); |
@@ -206,19 +222,16 @@ void usage(void) { | |||
206 | printf("\t\tand copy the programs in the list. The same directory is\n"); | 222 | printf("\t\tand copy the programs in the list. The same directory is\n"); |
207 | printf("\t\talso bind-mounted over /sbin, /usr/bin and /usr/sbin.\n\n"); | 223 | printf("\t\talso bind-mounted over /sbin, /usr/bin and /usr/sbin.\n\n"); |
208 | 224 | ||
209 | printf("\t--private-home=file,directory - build a new user home in a temporary\n"); | ||
210 | printf("\t\tfilesystem, and copy the files and directories in the list in\n"); | ||
211 | printf("\t\tthe new home. All modifications are discarded when the sandbox\n"); | ||
212 | printf("\t\tis closed.\n\n"); | ||
213 | |||
214 | printf("\t--private-dev - create a new /dev directory. Only dri, null, full, zero,\n"); | 225 | printf("\t--private-dev - create a new /dev directory. Only dri, null, full, zero,\n"); |
215 | printf("\t\ttty, pst, ptms, random, urandom, log and shm devices are\n"); | 226 | printf("\t\tty, pst, ptms, random, urandom, log and shm devices are\n"); |
216 | printf("\t\tavailable.\n\n"); | 227 | printf("\t\tavailable.\n\n"); |
217 | 228 | ||
218 | printf("\t--private-etc=file,directory - build a new /etc in a temporary\n"); | 229 | printf("\t--private-etc=file,directory - build a new /etc in a temporary\n"); |
219 | printf("\t\tfilesystem, and copy the files and directories in the list.\n"); | 230 | printf("\t\tfilesystem, and copy the files and directories in the list.\n"); |
220 | printf("\t\tAll modifications are discarded when the sandbox is closed.\n\n"); | 231 | printf("\t\tAll modifications are discarded when the sandbox is closed.\n\n"); |
221 | 232 | ||
233 | printf("\t--private-tmp - mount a tmpfs on top of /tmp directory\n\n"); | ||
234 | |||
222 | printf("\t--profile=filename - use a custom profile.\n\n"); | 235 | printf("\t--profile=filename - use a custom profile.\n\n"); |
223 | printf("\t--profile-path=directory - use this directory to look for profile files.\n\n"); | 236 | printf("\t--profile-path=directory - use this directory to look for profile files.\n\n"); |
224 | 237 | ||
@@ -239,24 +252,13 @@ void usage(void) { | |||
239 | printf("\t\tcreated for the real user ID of the calling process.\n\n"); | 252 | printf("\t\tcreated for the real user ID of the calling process.\n\n"); |
240 | printf("\t--rlimit-sigpending=number - set the maximum number of pending signals\n"); | 253 | printf("\t--rlimit-sigpending=number - set the maximum number of pending signals\n"); |
241 | printf("\t\tfor a process.\n\n"); | 254 | printf("\t\tfor a process.\n\n"); |
242 | 255 | #ifdef HAVE_NETWORK | |
243 | printf("\t--scan - ARP-scan all the networks from inside a network namespace.\n"); | 256 | printf("\t--scan - ARP-scan all the networks from inside a network namespace.\n"); |
244 | printf("\t\tThis makes it possible to detect macvlan kernel device drivers\n"); | 257 | printf("\t\tThis makes it possible to detect macvlan kernel device drivers\n"); |
245 | printf("\t\trunning on the current host.\n\n"); | 258 | printf("\t\trunning on the current host.\n\n"); |
246 | 259 | #endif | |
247 | #ifdef HAVE_SECCOMP | 260 | #ifdef HAVE_SECCOMP |
248 | printf("\t--seccomp - enable seccomp filter and blacklist the syscalls in the\n"); | 261 | printf("\t--seccomp - enable seccomp filter and apply the default blacklist.\n\n"); |
249 | printf("\t\tlist. The default list is as follows: mount, umount2,\n"); | ||
250 | printf("\t\tptrace, kexec_load, open_by_handle_at, init_module,\n"); | ||
251 | printf("\t\tfinit_module, delete_module, iopl, ioperm, swapon, swapoff,\n"); | ||
252 | printf("\t\tsyslog, process_vm_readv and process_vm_writev\n"); | ||
253 | printf("\t\tsysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie,\n"); | ||
254 | printf("\t\tperf_event_open, fanotify_init, kcmp, add_key, request_key,\n"); | ||
255 | printf("\t\tkeyctl, uselib, acct, modify_ldt, pivot_root, io_setup,\n"); | ||
256 | printf("\t\tio_destroy, io_getevents, io_submit, io_cancel,\n"); | ||
257 | printf("\t\tremap_file_pages, mbind, get_mempolicy, set_mempolicy,\n"); | ||
258 | printf("\t\tmigrate_pages, move_pages, vmsplice, perf_event_open and\n"); | ||
259 | printf("\t\tkexec_file_load, chroot.\n\n"); | ||
260 | 262 | ||
261 | printf("\t--seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n"); | 263 | printf("\t--seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n"); |
262 | printf("\t\tdefault syscall list and the syscalls specified by the command.\n\n"); | 264 | printf("\t\tdefault syscall list and the syscalls specified by the command.\n\n"); |
@@ -280,12 +282,14 @@ void usage(void) { | |||
280 | printf("\t--shell=program - set default user shell.\n\n"); | 282 | printf("\t--shell=program - set default user shell.\n\n"); |
281 | printf("\t--shutdown=name - shutdown the sandbox identified by name.\n\n"); | 283 | printf("\t--shutdown=name - shutdown the sandbox identified by name.\n\n"); |
282 | printf("\t--shutdown=pid - shutdown the sandbox identified by PID.\n\n"); | 284 | printf("\t--shutdown=pid - shutdown the sandbox identified by PID.\n\n"); |
283 | printf("\t--tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n\n"); | 285 | printf("\t--tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n"); |
286 | printf("\t\tThis option is available only when running the sandbox as root.\n\n"); | ||
284 | printf("\t--top - monitor the most CPU-intensive sandboxes.\n\n"); | 287 | printf("\t--top - monitor the most CPU-intensive sandboxes.\n\n"); |
285 | printf("\t--trace - trace open, access and connect system calls.\n\n"); | 288 | printf("\t--trace - trace open, access and connect system calls.\n\n"); |
286 | printf("\t--tracelog - add a syslog message for every access to files or\n"); | 289 | printf("\t--tracelog - add a syslog message for every access to files or\n"); |
287 | printf("\t\tdirectoires blacklisted by the security profile.\n\n"); | 290 | printf("\t\tdirectoires blacklisted by the security profile.\n\n"); |
288 | printf("\t--tree - print a tree of all sandboxed processes.\n\n"); | 291 | printf("\t--tree - print a tree of all sandboxed processes.\n\n"); |
292 | printf("\t--user=new_user - switch the user before starting the sandbox.\n\n"); | ||
289 | printf("\t--version - print program version and exit.\n\n"); | 293 | printf("\t--version - print program version and exit.\n\n"); |
290 | printf("\t--whitelist=dirname_or_filename - whitelist directory or file.\n\n"); | 294 | printf("\t--whitelist=dirname_or_filename - whitelist directory or file.\n\n"); |
291 | printf("\t--zsh - use /usr/bin/zsh as default shell.\n\n"); | 295 | printf("\t--zsh - use /usr/bin/zsh as default shell.\n\n"); |
@@ -293,6 +297,7 @@ void usage(void) { | |||
293 | printf("\n"); | 297 | printf("\n"); |
294 | 298 | ||
295 | 299 | ||
300 | #ifdef HAVE_NETWORK | ||
296 | printf("Traffic Shaping\n\n"); | 301 | printf("Traffic Shaping\n\n"); |
297 | 302 | ||
298 | printf("Network bandwidth is an expensive resource shared among all sandboxes\n"); | 303 | printf("Network bandwidth is an expensive resource shared among all sandboxes\n"); |
@@ -322,7 +327,7 @@ void usage(void) { | |||
322 | printf("\t$ firejail --bandwidth=mybrowser clear eth0\n"); | 327 | printf("\t$ firejail --bandwidth=mybrowser clear eth0\n"); |
323 | printf("\n"); | 328 | printf("\n"); |
324 | printf("\n"); | 329 | printf("\n"); |
325 | 330 | #endif | |
326 | 331 | ||
327 | 332 | ||
328 | printf("Monitoring\n\n"); | 333 | printf("Monitoring\n\n"); |
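Review bot: The commit corrects several typos in the help text (numbers, permissions, specified) but leaves `directoires` in the --tracelog description at the old line 287 / new line 290; it is a one-word change in that printf. The new `--nice=value - set nice value` line is also the only option description without a terminating period, which is a small inconsistency with its neighbours.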
diff --git a/src/firejail/user.c b/src/firejail/user.c new file mode 100644 index 000000000..e5f7848e8 --- /dev/null +++ b/src/firejail/user.c | |||
@@ -0,0 +1,114 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2016 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "firejail.h" | ||
21 | #include <sys/types.h> | ||
22 | #include <sys/stat.h> | ||
23 | #include <unistd.h> | ||
24 | #include <grp.h> | ||
25 | #include <pwd.h> | ||
26 | |||
27 | |||
28 | void check_user(int argc, char **argv) { | ||
29 | int i; | ||
30 | char *user = NULL; | ||
31 | |||
32 | int found = 0; | ||
33 | for (i = 1; i < argc; i++) { | ||
34 | // check options | ||
35 | if (strcmp(argv[i], "--") == 0) | ||
36 | break; | ||
37 | if (strncmp(argv[i], "--", 2) != 0) | ||
38 | break; | ||
39 | |||
40 | // check user option | ||
41 | if (strncmp(argv[i], "--user=", 7) == 0) { | ||
42 | found = 1; | ||
43 | user = argv[i] + 7; | ||
44 | break; | ||
45 | } | ||
46 | } | ||
47 | if (!found) | ||
48 | return; | ||
49 | |||
50 | // check root | ||
51 | if (getuid() != 0) { | ||
52 | fprintf(stderr, "Error: you need to be root to use --user command line option\n"); | ||
53 | exit(1); | ||
54 | } | ||
55 | |||
56 | // switch user | ||
57 | struct passwd *pw = getpwnam(user); | ||
58 | if (!pw) { | ||
59 | fprintf(stderr, "Error: cannot find user %s\n", user); | ||
60 | exit(1); | ||
61 | } | ||
62 | |||
63 | printf("Switching to user %s, UID %d, GID %d\n", user, pw->pw_uid, pw->pw_gid); | ||
64 | int rv = initgroups(user, pw->pw_gid); | ||
65 | if (rv == -1) { | ||
66 | perror("initgroups"); | ||
67 | fprintf(stderr, "Error: cannot switch to user %s\n", user); | ||
68 | } | ||
69 | |||
70 | rv = setgid(pw->pw_gid); | ||
71 | if (rv == -1) { | ||
72 | perror("setgid"); | ||
73 | fprintf(stderr, "Error: cannot switch to user %s\n", user); | ||
74 | } | ||
75 | |||
76 | rv = setuid(pw->pw_uid); | ||
77 | if (rv == -1) { | ||
78 | perror("setuid"); | ||
79 | fprintf(stderr, "Error: cannot switch to user %s\n", user); | ||
80 | } | ||
81 | |||
82 | // build the new command line | ||
83 | int len = 0; | ||
84 | for (i = 0; i < argc; i++) { | ||
85 | len += strlen(argv[i]) + 1; // + ' ' | ||
86 | } | ||
87 | |||
88 | char *cmd = malloc(len + 1); // + '\0' | ||
89 | if (!cmd) | ||
90 | errExit("malloc"); | ||
91 | |||
92 | char *ptr = cmd; | ||
93 | int first = 1; | ||
94 | for (i = 0; i < argc; i++) { | ||
95 | if (strncmp(argv[i], "--user=", 7) == 0 && first) { | ||
96 | first = 0; | ||
97 | continue; | ||
98 | } | ||
99 | |||
100 | ptr += sprintf(ptr, "%s ", argv[i]); | ||
101 | } | ||
102 | |||
103 | // run command | ||
104 | char *a[4]; | ||
105 | a[0] = "/bin/bash"; | ||
106 | a[1] = "-c"; | ||
107 | a[2] = cmd; | ||
108 | a[3] = NULL; | ||
109 | |||
110 | execvp(a[0], a); | ||
111 | |||
112 | perror("execvp"); | ||
113 | exit(1); | ||
114 | } | ||
diff --git a/src/firejail/util.c b/src/firejail/util.c index d7964ccb8..d969f6439 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -439,9 +439,17 @@ void extract_command_name(int index, char **argv) { | |||
439 | exit(1); | 439 | exit(1); |
440 | } | 440 | } |
441 | 441 | ||
442 | |||
442 | char *tmp = strdup(ptr); | 443 | char *tmp = strdup(ptr); |
443 | if (!tmp) | 444 | if (!tmp) |
444 | errExit("strdup"); | 445 | errExit("strdup"); |
446 | |||
447 | // limit the command to the first '.' | ||
448 | char *ptr2 = tmp; | ||
449 | while (*ptr2 != '.' && *ptr2 != '\0') | ||
450 | ptr2++; | ||
451 | *ptr2 = '\0'; | ||
452 | |||
445 | free(cfg.command_name); | 453 | free(cfg.command_name); |
446 | cfg.command_name = tmp; | 454 | cfg.command_name = tmp; |
447 | } | 455 | } |
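Review bot: The new truncation at the first '.' (new lines 447-451) changes the stored command name for any program whose basename legitimately contains a dot — a wrapper script such as `foo.sh` or a versioned interpreter name would be recorded as `foo`, which presumably affects profile lookup downstream; if stripping an extension or DNS-style suffix is the intent, say so, e.g. `// keep only the part before the first '.' so "foo.sh" is looked up as "foo"`. The hand-written scan can also be the library call, `char *dot = strchr(tmp, '.'); if (dot) *dot = '\0';`. extract_command_name starts outside the hunk, so what ptr holds on entry is not visible here.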
diff --git a/src/firemon/cpu.c b/src/firemon/cpu.c index b31d9a467..06658f58c 100644 --- a/src/firemon/cpu.c +++ b/src/firemon/cpu.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2015 6etblue30 (netblue30@yahoo.com) | 2 | * Copyright (C) 2014-2015 netblue30 (netblue30@yahoo.com) |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c index 83cce5c32..679c5a3e9 100644 --- a/src/firemon/firemon.c +++ b/src/firemon/firemon.c | |||
@@ -74,7 +74,7 @@ void firemon_drop_privs(void) { | |||
74 | // sleep and wait for a key to be pressed | 74 | // sleep and wait for a key to be pressed |
75 | void firemon_sleep(int st) { | 75 | void firemon_sleep(int st) { |
76 | if (terminal_set == 0) { | 76 | if (terminal_set == 0) { |
77 | tcgetattr(0, &twait); // get current terminal attirbutes; 0 is the file descriptor for stdin | 77 | tcgetattr(0, &twait); // get current terminal attributes; 0 is the file descriptor for stdin |
78 | memcpy(&tlocal, &twait, sizeof(tlocal)); | 78 | memcpy(&tlocal, &twait, sizeof(tlocal)); |
79 | twait.c_lflag &= ~ICANON; // disable canonical mode | 79 | twait.c_lflag &= ~ICANON; // disable canonical mode |
80 | twait.c_lflag &= ~ECHO; // no echo | 80 | twait.c_lflag &= ~ECHO; // no echo |
diff --git a/src/include/libnetlink.h b/src/include/libnetlink.h index e9cd6b186..7ff5d01b6 100644 --- a/src/include/libnetlink.h +++ b/src/include/libnetlink.h | |||
@@ -24,6 +24,7 @@ | |||
24 | #include <stdint.h> | 24 | #include <stdint.h> |
25 | #include <string.h> | 25 | #include <string.h> |
26 | #include <asm/types.h> | 26 | #include <asm/types.h> |
27 | #include <sys/socket.h> | ||
27 | #include <linux/netlink.h> | 28 | #include <linux/netlink.h> |
28 | #include <linux/rtnetlink.h> | 29 | #include <linux/rtnetlink.h> |
29 | #include <linux/if_link.h> | 30 | #include <linux/if_link.h> |
diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c index edd409af5..a3d1571f7 100644 --- a/src/libtrace/libtrace.c +++ b/src/libtrace/libtrace.c | |||
@@ -229,26 +229,26 @@ static char *translate(XTable *table, int val) { | |||
229 | return NULL; | 229 | return NULL; |
230 | } | 230 | } |
231 | 231 | ||
232 | static void print_sockaddr(const char *call, const struct sockaddr *addr, int rv) { | 232 | static void print_sockaddr(int sockfd, const char *call, const struct sockaddr *addr, int rv) { |
233 | if (addr->sa_family == AF_INET) { | 233 | if (addr->sa_family == AF_INET) { |
234 | struct sockaddr_in *a = (struct sockaddr_in *) addr; | 234 | struct sockaddr_in *a = (struct sockaddr_in *) addr; |
235 | printf("%u:%s:%s %s port %u:%d\n", pid(), name(), call, inet_ntoa(a->sin_addr), ntohs(a->sin_port), rv); | 235 | printf("%u:%s:%s %d %s port %u:%d\n", pid(), name(), call, sockfd, inet_ntoa(a->sin_addr), ntohs(a->sin_port), rv); |
236 | } | 236 | } |
237 | else if (addr->sa_family == AF_INET6) { | 237 | else if (addr->sa_family == AF_INET6) { |
238 | struct sockaddr_in6 *a = (struct sockaddr_in6 *) addr; | 238 | struct sockaddr_in6 *a = (struct sockaddr_in6 *) addr; |
239 | char str[INET6_ADDRSTRLEN]; | 239 | char str[INET6_ADDRSTRLEN]; |
240 | inet_ntop(AF_INET6, &(a->sin6_addr), str, INET6_ADDRSTRLEN); | 240 | inet_ntop(AF_INET6, &(a->sin6_addr), str, INET6_ADDRSTRLEN); |
241 | printf("%u:%s:%s %s:%d\n", pid(), name(), call, str, rv); | 241 | printf("%u:%s:%s %d %s:%d\n", pid(), name(), call, sockfd, str, rv); |
242 | } | 242 | } |
243 | else if (addr->sa_family == AF_UNIX) { | 243 | else if (addr->sa_family == AF_UNIX) { |
244 | struct sockaddr_un *a = (struct sockaddr_un *) addr; | 244 | struct sockaddr_un *a = (struct sockaddr_un *) addr; |
245 | if (a->sun_path[0]) | 245 | if (a->sun_path[0]) |
246 | printf("%u:%s:%s %s:%d\n", pid(), name(), call, a->sun_path, rv); | 246 | printf("%u:%s:%s %d %s:%d\n", pid(), name(), call, sockfd, a->sun_path, rv); |
247 | else | 247 | else |
248 | printf("%u:%s:%s @%s:%d\n", pid(), name(), call, a->sun_path + 1, rv); | 248 | printf("%u:%s:%s %d @%s:%d\n", pid(), name(), call, sockfd, a->sun_path + 1, rv); |
249 | } | 249 | } |
250 | else { | 250 | else { |
251 | printf("%u:%s:%s family %d:%d\n", pid(), name(), call, addr->sa_family, rv); | 251 | printf("%u:%s:%s %d family %d:%d\n", pid(), name(), call, sockfd, addr->sa_family, rv); |
252 | } | 252 | } |
253 | } | 253 | } |
254 | 254 | ||
@@ -465,7 +465,7 @@ int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen) { | |||
465 | orig_connect = (orig_connect_t)dlsym(RTLD_NEXT, "connect"); | 465 | orig_connect = (orig_connect_t)dlsym(RTLD_NEXT, "connect"); |
466 | 466 | ||
467 | int rv = orig_connect(sockfd, addr, addrlen); | 467 | int rv = orig_connect(sockfd, addr, addrlen); |
468 | print_sockaddr("connect", addr, rv); | 468 | print_sockaddr(sockfd, "connect", addr, rv); |
469 | 469 | ||
470 | return rv; | 470 | return rv; |
471 | } | 471 | } |
@@ -500,11 +500,15 @@ int socket(int domain, int type, int protocol) { | |||
500 | else | 500 | else |
501 | ptr += sprintf(ptr, "%s ", str); | 501 | ptr += sprintf(ptr, "%s ", str); |
502 | 502 | ||
503 | str = translate(socket_protocol, protocol); | 503 | if (domain == AF_LOCAL) |
504 | if (str == NULL) | 504 | sprintf(ptr, "0"); |
505 | sprintf(ptr, "%d", protocol); | 505 | else { |
506 | else | 506 | str = translate(socket_protocol, protocol); |
507 | sprintf(ptr, "%s", str); | 507 | if (str == NULL) |
508 | sprintf(ptr, "%d", protocol); | ||
509 | else | ||
510 | sprintf(ptr, "%s", str); | ||
511 | } | ||
508 | 512 | ||
509 | printf("%s:%d\n", buf, rv); | 513 | printf("%s:%d\n", buf, rv); |
510 | return rv; | 514 | return rv; |
@@ -518,7 +522,7 @@ int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen) { | |||
518 | orig_bind = (orig_bind_t)dlsym(RTLD_NEXT, "bind"); | 522 | orig_bind = (orig_bind_t)dlsym(RTLD_NEXT, "bind"); |
519 | 523 | ||
520 | int rv = orig_bind(sockfd, addr, addrlen); | 524 | int rv = orig_bind(sockfd, addr, addrlen); |
521 | print_sockaddr("bind", addr, rv); | 525 | print_sockaddr(sockfd, "bind", addr, rv); |
522 | 526 | ||
523 | return rv; | 527 | return rv; |
524 | } | 528 | } |
@@ -531,7 +535,7 @@ int accept(int sockfd, struct sockaddr *addr, socklen_t addrlen) { | |||
531 | orig_accept = (orig_accept_t)dlsym(RTLD_NEXT, "accept"); | 535 | orig_accept = (orig_accept_t)dlsym(RTLD_NEXT, "accept"); |
532 | 536 | ||
533 | int rv = orig_accept(sockfd, addr, addrlen); | 537 | int rv = orig_accept(sockfd, addr, addrlen); |
534 | print_sockaddr("accept", addr, rv); | 538 | print_sockaddr(sockfd, "accept", addr, rv); |
535 | 539 | ||
536 | return rv; | 540 | return rv; |
537 | } | 541 | } |
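Review bot: In the accept hook (new lines 537-538) `addr` may legitimately be NULL — accept() permits a NULL address when the caller does not want the peer address — and print_sockaddr dereferences it unconditionally at `addr->sa_family`, so a traced program calling accept(fd, NULL, NULL) would crash under the preload. A guard at the top of print_sockaddr, `if (!addr) { printf("%u:%s:%s %d:%d\n", pid(), name(), call, sockfd, rv); return; }`, keeps the new sockfd column and covers the connect and bind call sites too. The dereference is pre-existing, but the commit touches every call site and the helper's signature. The hunk header also shows accept declared with `socklen_t addrlen` rather than `socklen_t *addrlen`, which is worth checking against the libc prototype since a mismatched interposer corrupts the caller's length argument.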
diff --git a/src/libtracelog/libtracelog.c b/src/libtracelog/libtracelog.c index f8601c892..c3fd40a67 100644 --- a/src/libtracelog/libtracelog.c +++ b/src/libtracelog/libtracelog.c | |||
@@ -91,6 +91,9 @@ static void storage_add(const char *str) { | |||
91 | storage[h] = ptr; | 91 | storage[h] = ptr; |
92 | } | 92 | } |
93 | 93 | ||
94 | char* cwd = NULL; // global variable for keeping current working directory | ||
95 | typedef int (*orig_chdir_t)(const char *pathname); | ||
96 | static orig_chdir_t orig_chdir = NULL; | ||
94 | static char *storage_find(const char *str) { | 97 | static char *storage_find(const char *str) { |
95 | #ifdef DEBUG | 98 | #ifdef DEBUG |
96 | printf("storage find %s\n", str); | 99 | printf("storage find %s\n", str); |
@@ -98,18 +101,27 @@ static char *storage_find(const char *str) { | |||
98 | if (!str) { | 101 | if (!str) { |
99 | #ifdef DEBUG | 102 | #ifdef DEBUG |
100 | printf("null pointer passed to storage_find\n"); | 103 | printf("null pointer passed to storage_find\n"); |
101 | #endif | 104 | #endif |
102 | return NULL; | 105 | return NULL; |
103 | } | 106 | } |
104 | const char *tofind = str; | 107 | const char *tofind = str; |
105 | int allocated = 0; | 108 | int allocated = 0; |
106 | 109 | ||
107 | if (strstr(str, "..") || strstr(str, "/./")) { | 110 | if (strstr(str, "..") || strstr(str, "/./") || strstr(str, "//") || str[0]!='/') { |
111 | if (!orig_chdir) | ||
112 | orig_chdir = (orig_chdir_t)dlsym(RTLD_NEXT, "chdir"); | ||
113 | if (!orig_chdir(cwd)) { | ||
114 | #ifdef DEBUG | ||
115 | printf("chdir failed\n"); | ||
116 | #endif | ||
117 | return NULL; | ||
118 | } | ||
119 | |||
108 | tofind = realpath(str, NULL); | 120 | tofind = realpath(str, NULL); |
109 | if (!tofind) { | 121 | if (!tofind) { |
110 | #ifdef DEBUG | 122 | #ifdef DEBUG |
111 | printf("realpath failed\n"); | 123 | printf("realpath failed\n"); |
112 | #endif | 124 | #endif |
113 | return NULL; | 125 | return NULL; |
114 | } | 126 | } |
115 | allocated = 1; | 127 | allocated = 1; |
@@ -139,7 +151,7 @@ static char *storage_find(const char *str) { | |||
139 | 151 | ||
140 | 152 | ||
141 | // | 153 | // |
142 | // load blacklistst form /run/firejail/mnt/fslogger | 154 | // load blacklist form /run/firejail/mnt/fslogger |
143 | // | 155 | // |
144 | #define RUN_FSLOGGER_FILE "/run/firejail/mnt/fslogger" | 156 | #define RUN_FSLOGGER_FILE "/run/firejail/mnt/fslogger" |
145 | #define MAXBUF 4096 | 157 | #define MAXBUF 4096 |
@@ -296,9 +308,9 @@ int open(const char *pathname, int flags, mode_t mode) { | |||
296 | if (!blacklist_loaded) | 308 | if (!blacklist_loaded) |
297 | load_blacklist(); | 309 | load_blacklist(); |
298 | 310 | ||
299 | int rv = orig_open(pathname, flags, mode); | ||
300 | if (storage_find(pathname)) | 311 | if (storage_find(pathname)) |
301 | sendlog(name(), __FUNCTION__, pathname); | 312 | sendlog(name(), __FUNCTION__, pathname); |
313 | int rv = orig_open(pathname, flags, mode); | ||
302 | return rv; | 314 | return rv; |
303 | } | 315 | } |
304 | 316 | ||
@@ -317,9 +329,9 @@ int open64(const char *pathname, int flags, mode_t mode) { | |||
317 | if (!blacklist_loaded) | 329 | if (!blacklist_loaded) |
318 | load_blacklist(); | 330 | load_blacklist(); |
319 | 331 | ||
320 | int rv = orig_open64(pathname, flags, mode); | ||
321 | if (storage_find(pathname)) | 332 | if (storage_find(pathname)) |
322 | sendlog(name(), __FUNCTION__, pathname); | 333 | sendlog(name(), __FUNCTION__, pathname); |
334 | int rv = orig_open64(pathname, flags, mode); | ||
323 | return rv; | 335 | return rv; |
324 | } | 336 | } |
325 | //#endif | 337 | //#endif |
@@ -337,9 +349,9 @@ int openat(int dirfd, const char *pathname, int flags, mode_t mode) { | |||
337 | if (!blacklist_loaded) | 349 | if (!blacklist_loaded) |
338 | load_blacklist(); | 350 | load_blacklist(); |
339 | 351 | ||
340 | int rv = orig_openat(dirfd, pathname, flags, mode); | ||
341 | if (storage_find(pathname)) | 352 | if (storage_find(pathname)) |
342 | sendlog(name(), __FUNCTION__, pathname); | 353 | sendlog(name(), __FUNCTION__, pathname); |
354 | int rv = orig_openat(dirfd, pathname, flags, mode); | ||
343 | return rv; | 355 | return rv; |
344 | } | 356 | } |
345 | 357 | ||
@@ -354,9 +366,9 @@ int openat64(int dirfd, const char *pathname, int flags, mode_t mode) { | |||
354 | if (!blacklist_loaded) | 366 | if (!blacklist_loaded) |
355 | load_blacklist(); | 367 | load_blacklist(); |
356 | 368 | ||
357 | int rv = orig_openat64(dirfd, pathname, flags, mode); | ||
358 | if (storage_find(pathname)) | 369 | if (storage_find(pathname)) |
359 | sendlog(name(), __FUNCTION__, pathname); | 370 | sendlog(name(), __FUNCTION__, pathname); |
371 | int rv = orig_openat64(dirfd, pathname, flags, mode); | ||
360 | return rv; | 372 | return rv; |
361 | } | 373 | } |
362 | 374 | ||
@@ -371,9 +383,9 @@ FILE *fopen(const char *pathname, const char *mode) { | |||
371 | if (!blacklist_loaded) | 383 | if (!blacklist_loaded) |
372 | load_blacklist(); | 384 | load_blacklist(); |
373 | 385 | ||
374 | FILE *rv = orig_fopen(pathname, mode); | ||
375 | if (storage_find(pathname)) | 386 | if (storage_find(pathname)) |
376 | sendlog(name(), __FUNCTION__, pathname); | 387 | sendlog(name(), __FUNCTION__, pathname); |
388 | FILE *rv = orig_fopen(pathname, mode); | ||
377 | return rv; | 389 | return rv; |
378 | } | 390 | } |
379 | 391 | ||
@@ -387,9 +399,9 @@ FILE *fopen64(const char *pathname, const char *mode) { | |||
387 | if (!blacklist_loaded) | 399 | if (!blacklist_loaded) |
388 | load_blacklist(); | 400 | load_blacklist(); |
389 | 401 | ||
390 | FILE *rv = orig_fopen64(pathname, mode); | ||
391 | if (storage_find(pathname)) | 402 | if (storage_find(pathname)) |
392 | sendlog(name(), __FUNCTION__, pathname); | 403 | sendlog(name(), __FUNCTION__, pathname); |
404 | FILE *rv = orig_fopen64(pathname, mode); | ||
393 | return rv; | 405 | return rv; |
394 | } | 406 | } |
395 | #endif /* __GLIBC__ */ | 407 | #endif /* __GLIBC__ */ |
@@ -407,9 +419,9 @@ FILE *freopen(const char *pathname, const char *mode, FILE *stream) { | |||
407 | if (!blacklist_loaded) | 419 | if (!blacklist_loaded) |
408 | load_blacklist(); | 420 | load_blacklist(); |
409 | 421 | ||
410 | FILE *rv = orig_freopen(pathname, mode, stream); | ||
411 | if (storage_find(pathname)) | 422 | if (storage_find(pathname)) |
412 | sendlog(name(), __FUNCTION__, pathname); | 423 | sendlog(name(), __FUNCTION__, pathname); |
424 | FILE *rv = orig_freopen(pathname, mode, stream); | ||
413 | return rv; | 425 | return rv; |
414 | } | 426 | } |
415 | 427 | ||
@@ -425,9 +437,9 @@ FILE *freopen64(const char *pathname, const char *mode, FILE *stream) { | |||
425 | if (!blacklist_loaded) | 437 | if (!blacklist_loaded) |
426 | load_blacklist(); | 438 | load_blacklist(); |
427 | 439 | ||
428 | FILE *rv = orig_freopen64(pathname, mode, stream); | ||
429 | if (storage_find(pathname)) | 440 | if (storage_find(pathname)) |
430 | sendlog(name(), __FUNCTION__, pathname); | 441 | sendlog(name(), __FUNCTION__, pathname); |
442 | FILE *rv = orig_freopen64(pathname, mode, stream); | ||
431 | return rv; | 443 | return rv; |
432 | } | 444 | } |
433 | #endif /* __GLIBC__ */ | 445 | #endif /* __GLIBC__ */ |
@@ -444,9 +456,9 @@ int unlink(const char *pathname) { | |||
444 | if (!blacklist_loaded) | 456 | if (!blacklist_loaded) |
445 | load_blacklist(); | 457 | load_blacklist(); |
446 | 458 | ||
447 | int rv = orig_unlink(pathname); | ||
448 | if (storage_find(pathname)) | 459 | if (storage_find(pathname)) |
449 | sendlog(name(), __FUNCTION__, pathname); | 460 | sendlog(name(), __FUNCTION__, pathname); |
461 | int rv = orig_unlink(pathname); | ||
450 | return rv; | 462 | return rv; |
451 | } | 463 | } |
452 | 464 | ||
@@ -461,9 +473,9 @@ int unlinkat(int dirfd, const char *pathname, int flags) { | |||
461 | if (!blacklist_loaded) | 473 | if (!blacklist_loaded) |
462 | load_blacklist(); | 474 | load_blacklist(); |
463 | 475 | ||
464 | int rv = orig_unlinkat(dirfd, pathname, flags); | ||
465 | if (storage_find(pathname)) | 476 | if (storage_find(pathname)) |
466 | sendlog(name(), __FUNCTION__, pathname); | 477 | sendlog(name(), __FUNCTION__, pathname); |
478 | int rv = orig_unlinkat(dirfd, pathname, flags); | ||
467 | return rv; | 479 | return rv; |
468 | } | 480 | } |
469 | 481 | ||
@@ -479,9 +491,9 @@ int mkdir(const char *pathname, mode_t mode) { | |||
479 | if (!blacklist_loaded) | 491 | if (!blacklist_loaded) |
480 | load_blacklist(); | 492 | load_blacklist(); |
481 | 493 | ||
482 | int rv = orig_mkdir(pathname, mode); | ||
483 | if (storage_find(pathname)) | 494 | if (storage_find(pathname)) |
484 | sendlog(name(), __FUNCTION__, pathname); | 495 | sendlog(name(), __FUNCTION__, pathname); |
496 | int rv = orig_mkdir(pathname, mode); | ||
485 | return rv; | 497 | return rv; |
486 | } | 498 | } |
487 | 499 | ||
@@ -496,9 +508,9 @@ int mkdirat(int dirfd, const char *pathname, mode_t mode) { | |||
496 | if (!blacklist_loaded) | 508 | if (!blacklist_loaded) |
497 | load_blacklist(); | 509 | load_blacklist(); |
498 | 510 | ||
499 | int rv = orig_mkdirat(dirfd, pathname, mode); | ||
500 | if (storage_find(pathname)) | 511 | if (storage_find(pathname)) |
501 | sendlog(name(), __FUNCTION__, pathname); | 512 | sendlog(name(), __FUNCTION__, pathname); |
513 | int rv = orig_mkdirat(dirfd, pathname, mode); | ||
502 | return rv; | 514 | return rv; |
503 | } | 515 | } |
504 | 516 | ||
@@ -513,9 +525,9 @@ int rmdir(const char *pathname) { | |||
513 | if (!blacklist_loaded) | 525 | if (!blacklist_loaded) |
514 | load_blacklist(); | 526 | load_blacklist(); |
515 | 527 | ||
516 | int rv = orig_rmdir(pathname); | ||
517 | if (storage_find(pathname)) | 528 | if (storage_find(pathname)) |
518 | sendlog(name(), __FUNCTION__, pathname); | 529 | sendlog(name(), __FUNCTION__, pathname); |
530 | int rv = orig_rmdir(pathname); | ||
519 | return rv; | 531 | return rv; |
520 | } | 532 | } |
521 | 533 | ||
@@ -531,9 +543,9 @@ int stat(const char *pathname, struct stat *buf) { | |||
531 | if (!blacklist_loaded) | 543 | if (!blacklist_loaded) |
532 | load_blacklist(); | 544 | load_blacklist(); |
533 | 545 | ||
534 | int rv = orig_stat(pathname, buf); | ||
535 | if (storage_find(pathname)) | 546 | if (storage_find(pathname)) |
536 | sendlog(name(), __FUNCTION__, pathname); | 547 | sendlog(name(), __FUNCTION__, pathname); |
548 | int rv = orig_stat(pathname, buf); | ||
537 | return rv; | 549 | return rv; |
538 | } | 550 | } |
539 | 551 | ||
@@ -549,9 +561,9 @@ int stat64(const char *pathname, struct stat64 *buf) { | |||
549 | if (!blacklist_loaded) | 561 | if (!blacklist_loaded) |
550 | load_blacklist(); | 562 | load_blacklist(); |
551 | 563 | ||
552 | int rv = orig_stat64(pathname, buf); | ||
553 | if (storage_find(pathname)) | 564 | if (storage_find(pathname)) |
554 | sendlog(name(), __FUNCTION__, pathname); | 565 | sendlog(name(), __FUNCTION__, pathname); |
566 | int rv = orig_stat64(pathname, buf); | ||
555 | return rv; | 567 | return rv; |
556 | } | 568 | } |
557 | #endif /* __GLIBC__ */ | 569 | #endif /* __GLIBC__ */ |
@@ -567,9 +579,9 @@ int lstat(const char *pathname, struct stat *buf) { | |||
567 | if (!blacklist_loaded) | 579 | if (!blacklist_loaded) |
568 | load_blacklist(); | 580 | load_blacklist(); |
569 | 581 | ||
570 | int rv = orig_lstat(pathname, buf); | ||
571 | if (storage_find(pathname)) | 582 | if (storage_find(pathname)) |
572 | sendlog(name(), __FUNCTION__, pathname); | 583 | sendlog(name(), __FUNCTION__, pathname); |
584 | int rv = orig_lstat(pathname, buf); | ||
573 | return rv; | 585 | return rv; |
574 | } | 586 | } |
575 | 587 | ||
@@ -585,9 +597,9 @@ int lstat64(const char *pathname, struct stat64 *buf) { | |||
585 | if (!blacklist_loaded) | 597 | if (!blacklist_loaded) |
586 | load_blacklist(); | 598 | load_blacklist(); |
587 | 599 | ||
588 | int rv = orig_lstat64(pathname, buf); | ||
589 | if (storage_find(pathname)) | 600 | if (storage_find(pathname)) |
590 | sendlog(name(), __FUNCTION__, pathname); | 601 | sendlog(name(), __FUNCTION__, pathname); |
602 | int rv = orig_lstat64(pathname, buf); | ||
591 | return rv; | 603 | return rv; |
592 | } | 604 | } |
593 | #endif /* __GLIBC__ */ | 605 | #endif /* __GLIBC__ */ |
@@ -604,9 +616,9 @@ int access(const char *pathname, int mode) { | |||
604 | if (!blacklist_loaded) | 616 | if (!blacklist_loaded) |
605 | load_blacklist(); | 617 | load_blacklist(); |
606 | 618 | ||
607 | int rv = orig_access(pathname, mode); | ||
608 | if (storage_find(pathname)) | 619 | if (storage_find(pathname)) |
609 | sendlog(name(), __FUNCTION__, pathname); | 620 | sendlog(name(), __FUNCTION__, pathname); |
621 | int rv = orig_access(pathname, mode); | ||
610 | return rv; | 622 | return rv; |
611 | } | 623 | } |
612 | 624 | ||
@@ -622,10 +634,31 @@ DIR *opendir(const char *pathname) { | |||
622 | if (!blacklist_loaded) | 634 | if (!blacklist_loaded) |
623 | load_blacklist(); | 635 | load_blacklist(); |
624 | 636 | ||
625 | DIR *rv = orig_opendir(pathname); | ||
626 | if (storage_find(pathname)) | 637 | if (storage_find(pathname)) |
627 | sendlog(name(), __FUNCTION__, pathname); | 638 | sendlog(name(), __FUNCTION__, pathname); |
639 | DIR *rv = orig_opendir(pathname); | ||
628 | return rv; | 640 | return rv; |
629 | } | 641 | } |
630 | 642 | ||
643 | // chdir | ||
644 | // definition of orig_chdir placed before storage_find function | ||
645 | //typedef int (*orig_chdir_t)(const char *pathname); | ||
646 | //static orig_chdir_t orig_chdir = NULL; | ||
647 | int chdir(const char *pathname) { | ||
648 | #ifdef DEBUG | ||
649 | printf("%s %s\n", __FUNCTION__, pathname); | ||
650 | #endif | ||
651 | if (!orig_chdir) | ||
652 | orig_chdir = (orig_chdir_t)dlsym(RTLD_NEXT, "chdir"); | ||
653 | if (!blacklist_loaded) | ||
654 | load_blacklist(); | ||
655 | |||
656 | if (storage_find(pathname)) | ||
657 | sendlog(name(), __FUNCTION__, pathname); | ||
631 | 658 | ||
659 | free(cwd); | ||
660 | cwd = strdup(pathname); | ||
661 | |||
662 | int rv = orig_chdir(pathname); | ||
663 | return rv; | ||
664 | } | ||
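Review bot: `if (!orig_chdir(cwd))` in storage_find (new line 113) is inverted: chdir() returns 0 on success, so a successful directory change takes the "chdir failed" branch and returns NULL, while a failure — including the cwd == NULL case before the traced program's first chdir — falls through to realpath; the test should be `if (orig_chdir(cwd) != 0) {`. The chdir hook (new lines 659-660) also stores the raw argument before knowing the call succeeded, so a relative or failed chdir leaves cwd holding a path that, when replayed from storage_find, moves the traced process somewhere else — a side effect a logging preload must not have; record the resolved directory only after a successful call, or drop the replay altogether since realpath() already resolves relative to the process's real working directory. `char* cwd` (new line 94) is a non-static global exported by the preloaded library and can collide with a same-named symbol in the traced program; make it `static char *cwd = NULL;`. The unchecked `strdup` on line 660 can also leave cwd NULL silently.
```c
int chdir(const char *pathname) {
	// … unchanged: debug print, dlsym lookup, blacklist load, storage_find/sendlog …
	int rv = orig_chdir(pathname);
	if (rv == 0) {
		// record the resolved directory, not the argument, so a relative
		// pathname cannot move the process again when replayed later
		free(cwd);
		cwd = getcwd(NULL, 0);
	}
	return rv;
}
```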
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index e91c5c089..3ebb11549 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -39,7 +39,7 @@ Reading profile /home/netblue/.config/firejail/icecat.profile | |||
39 | \fB3.\fR Use a default.profile file if the sandbox | 39 | \fB3.\fR Use a default.profile file if the sandbox |
40 | is started by a regular user, or a server.profile file if the sandbox | 40 | is started by a regular user, or a server.profile file if the sandbox |
41 | is started by root. Firejail looks for these files in ~/.config/firejail directory, followed by /etc/firejail directory. | 41 | is started by root. Firejail looks for these files in ~/.config/firejail directory, followed by /etc/firejail directory. |
42 | To disable default profile loading, use --noroot command option. Example: | 42 | To disable default profile loading, use --noprofile command option. Example: |
43 | .PP | 43 | .PP |
44 | .RS | 44 | .RS |
45 | $ firejail | 45 | $ firejail |
@@ -126,7 +126,7 @@ blacklist ${HOME}/.ssh | |||
126 | Make directory or file read-only. | 126 | Make directory or file read-only. |
127 | .TP | 127 | .TP |
128 | \fBtmpfs directory | 128 | \fBtmpfs directory |
129 | Mount an empty tmpfs filesystem on top of directory. | 129 | Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root. |
130 | .TP | 130 | .TP |
131 | \fBbind directory1,directory2 | 131 | \fBbind directory1,directory2 |
132 | Mount-bind directory1 on top of directory2. This option is only available when running as root. | 132 | Mount-bind directory1 on top of directory2. This option is only available when running as root. |
@@ -139,18 +139,12 @@ Mount new /root and /home/user directories in temporary | |||
139 | filesystems. All modifications are discarded when the sandbox is | 139 | filesystems. All modifications are discarded when the sandbox is |
140 | closed. | 140 | closed. |
141 | .TP | 141 | .TP |
142 | \fBprivate-bin file,file | ||
143 | Build a new /bin in a temporary filesystem, and copy the programs in the list. | ||
144 | The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin. | ||
145 | .TP | ||
146 | \fBprivate directory | 142 | \fBprivate directory |
147 | Use directory as user home. | 143 | Use directory as user home. |
148 | .TP | 144 | .TP |
149 | \fBprivate-home file,directory | 145 | \fBprivate-bin file,file |
150 | Build a new user home in a temporary | 146 | Build a new /bin in a temporary filesystem, and copy the programs in the list. |
151 | filesystem, and copy the files and directories in the list in the | 147 | The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin. |
152 | new home. All modifications are discarded when the sandbox is | ||
153 | closed. | ||
154 | .TP | 148 | .TP |
155 | \fBprivate-dev | 149 | \fBprivate-dev |
156 | Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, urandom, log and shm devices are available. | 150 | Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, urandom, log and shm devices are available. |
@@ -160,6 +154,9 @@ Build a new /etc in a temporary | |||
160 | filesystem, and copy the files and directories in the list. | 154 | filesystem, and copy the files and directories in the list. |
161 | All modifications are discarded when the sandbox is closed. | 155 | All modifications are discarded when the sandbox is closed. |
162 | .TP | 156 | .TP |
157 | \fBprivate-tmp | ||
158 | Mount an empty temporary filesystem on top of /tmp directory. | ||
159 | .TP | ||
163 | \fBwhitelist file_or_directory | 160 | \fBwhitelist file_or_directory |
164 | Build a new user home in a temporary filesystem, and mount-bind file_or_directory. | 161 | Build a new user home in a temporary filesystem, and mount-bind file_or_directory. |
165 | The modifications to file_or_directory are persistent, everything else is discarded | 162 | The modifications to file_or_directory are persistent, everything else is discarded |
@@ -231,6 +228,10 @@ Set the CPU cores available for this sandbox using \fBcpu\fR command. Examples: | |||
231 | cpu 1,2,3 | 228 | cpu 1,2,3 |
232 | Use only CPU cores 0, 1 and 2. | 229 | Use only CPU cores 0, 1 and 2. |
233 | 230 | ||
231 | .TP | ||
232 | nice -5 | ||
233 | Set a nice value of -5 to all processes running inside the sandbox. | ||
234 | |||
234 | .SH Control Groups | 235 | .SH Control Groups |
235 | Place the sandbox in an existing control group specified by the full path of the task file using \fBcgroup\fR. Example: | 236 | Place the sandbox in an existing control group specified by the full path of the task file using \fBcgroup\fR. Example: |
236 | 237 | ||
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 66ec40ce9..c4f0dbd3e 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -243,7 +243,7 @@ Example: | |||
243 | $ firejail \-\-debug firefox | 243 | $ firejail \-\-debug firefox |
244 | 244 | ||
245 | .TP | 245 | .TP |
246 | \fB\-\-debug-blackilsts\fR | 246 | \fB\-\-debug-blacklists\fR |
247 | Debug blacklisting. | 247 | Debug blacklisting. |
248 | .br | 248 | .br |
249 | 249 | ||
@@ -430,7 +430,7 @@ $ firejail \-\-ignore=shell --ignore=seccomp firefox | |||
430 | 430 | ||
431 | .TP | 431 | .TP |
432 | \fB\-\-interface=interface | 432 | \fB\-\-interface=interface |
433 | Move interface in a new network namespace. Up to four --interface options can be sepcified. | 433 | Move interface in a new network namespace. Up to four --interface options can be specified. |
434 | .br | 434 | .br |
435 | 435 | ||
436 | .br | 436 | .br |
@@ -679,12 +679,24 @@ The default filter is as follows: | |||
679 | .br | 679 | .br |
680 | \-A INPUT \-m state \-\-state RELATED,ESTABLISHED \-j ACCEPT | 680 | \-A INPUT \-m state \-\-state RELATED,ESTABLISHED \-j ACCEPT |
681 | .br | 681 | .br |
682 | # allow ping | ||
683 | .br | ||
682 | \-A INPUT \-p icmp \-\-icmp-type destination-unreachable \-j ACCEPT | 684 | \-A INPUT \-p icmp \-\-icmp-type destination-unreachable \-j ACCEPT |
683 | .br | 685 | .br |
684 | \-A INPUT \-p icmp \-\-icmp-type time-exceeded \-j ACCEPT | 686 | \-A INPUT \-p icmp \-\-icmp-type time-exceeded \-j ACCEPT |
685 | .br | 687 | .br |
686 | \-A INPUT \-p icmp \-\-icmp-type echo-request \-j ACCEPT | 688 | \-A INPUT \-p icmp \-\-icmp-type echo-request \-j ACCEPT |
687 | .br | 689 | .br |
690 | # drop STUN (WebRTC) requests | ||
691 | .br | ||
692 | -A OUTPUT -p udp --dport 3478 -j DROP | ||
693 | .br | ||
694 | -A OUTPUT -p udp --dport 3479 -j DROP | ||
695 | .br | ||
696 | -A OUTPUT -p tcp --dport 3478 -j DROP | ||
697 | .br | ||
698 | -A OUTPUT -p tcp --dport 3479 -j DROP | ||
699 | .br | ||
688 | COMMIT | 700 | COMMIT |
689 | .br | 701 | .br |
690 | 702 | ||
@@ -749,6 +761,16 @@ PID User RX(KB/s) TX(KB/s) Command | |||
749 | .br | 761 | .br |
750 | 7383 netblue 9.045 0.112 firejail \-\-net=eth0 transmission | 762 | 7383 netblue 9.045 0.112 firejail \-\-net=eth0 transmission |
751 | 763 | ||
764 | .TP | ||
765 | \fB\-\-nice=value | ||
766 | Set nice value for all processes running inside the sandbox. | ||
767 | .br | ||
768 | |||
769 | .br | ||
770 | Example: | ||
771 | .br | ||
772 | $ firejail --nice=-5 firefox | ||
773 | |||
752 | 774 | ||
753 | .TP | 775 | .TP |
754 | \fB\-\-noblacklist=dirname_or_filename | 776 | \fB\-\-noblacklist=dirname_or_filename |
@@ -961,18 +983,6 @@ $ ls /bin | |||
961 | bash cat ls sed | 983 | bash cat ls sed |
962 | 984 | ||
963 | .TP | 985 | .TP |
964 | \fB\-\-private-home=file,directory | ||
965 | Build a new user home in a temporary | ||
966 | filesystem, and copy the files and directories in the list in the | ||
967 | new home. All modifications are discarded when the sandbox is | ||
968 | closed. | ||
969 | .br | ||
970 | |||
971 | .br | ||
972 | Example: | ||
973 | .br | ||
974 | $ firejail \-\-private-home=.mozilla firefox | ||
975 | .TP | ||
976 | \fB\-\-private-dev | 986 | \fB\-\-private-dev |
977 | Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, urandom, log and shm devices are available. | 987 | Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, urandom, log and shm devices are available. |
978 | .br | 988 | .br |
@@ -1004,6 +1014,17 @@ Example: | |||
1004 | $ firejail --private-etc=group,hostname,localtime, \\ | 1014 | $ firejail --private-etc=group,hostname,localtime, \\ |
1005 | .br | 1015 | .br |
1006 | nsswitch.conf,passwd,resolv.conf | 1016 | nsswitch.conf,passwd,resolv.conf |
1017 | |||
1018 | .TP | ||
1019 | \fB\-\-private-tmp | ||
1020 | Mount an empty temporary filesystem on top of /tmp directory. | ||
1021 | .br | ||
1022 | |||
1023 | .br | ||
1024 | Example: | ||
1025 | .br | ||
1026 | $ firejail \-\-private-tmp | ||
1027 | |||
1007 | .TP | 1028 | .TP |
1008 | \fB\-\-profile=filename | 1029 | \fB\-\-profile=filename |
1009 | Load a custom security profile from filename. For filename use an absolute path or a path relative to the current path. | 1030 | Load a custom security profile from filename. For filename use an absolute path or a path relative to the current path. |
@@ -1032,7 +1053,7 @@ $ firejail \-\-profile-path=/home/netblue/myprofiles | |||
1032 | .TP | 1053 | .TP |
1033 | \fB\-\-protocol=protocol,protocol,protocol | 1054 | \fB\-\-protocol=protocol,protocol,protocol |
1034 | Enable protocol filter. The filter is based on seccomp and checks the first argument to socket system call. | 1055 | Enable protocol filter. The filter is based on seccomp and checks the first argument to socket system call. |
1035 | Recognized values: unix, inet, inet6, netlink and packet. | 1056 | Recognized values: unix, inet, inet6, netlink and packet. This option is not supported for i386 architecture. |
1036 | .br | 1057 | .br |
1037 | 1058 | ||
1038 | .br | 1059 | .br |
@@ -1113,7 +1134,14 @@ sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotif | |||
1113 | add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup, | 1134 | add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup, |
1114 | io_destroy, io_getevents, io_submit, io_cancel, | 1135 | io_destroy, io_getevents, io_submit, io_cancel, |
1115 | remap_file_pages, mbind, get_mempolicy, set_mempolicy, | 1136 | remap_file_pages, mbind, get_mempolicy, set_mempolicy, |
1116 | migrate_pages, move_pages, vmsplice, perf_event_open and chroot. | 1137 | migrate_pages, move_pages, vmsplice, perf_event_open, chroot, |
1138 | tuxcall, reboot, mfsservctl and get_kernel_syms. | ||
1139 | .br | ||
1140 | |||
1141 | .br | ||
1142 | System architecture is not strictly imposed. The filter is applied | ||
1143 | at run time only if the correct architecture was detected. For the case of I386 and AMD64 | ||
1144 | both 32-bit and 64-bit filters are installed. | ||
1117 | .br | 1145 | .br |
1118 | 1146 | ||
1119 | .br | 1147 | .br |
@@ -1185,7 +1213,7 @@ SECCOMP Filter: | |||
1185 | .br | 1213 | .br |
1186 | VALIDATE_ARCHITECTURE | 1214 | VALIDATE_ARCHITECTURE |
1187 | .br | 1215 | .br |
1188 | EXAMINE_SYSCAL | 1216 | EXAMINE_SYSCALL |
1189 | .br | 1217 | .br |
1190 | BLACKLIST 165 mount | 1218 | BLACKLIST 165 mount |
1191 | .br | 1219 | .br |
@@ -1348,13 +1376,13 @@ $ firejail \-\-list | |||
1348 | $ firejail \-\-shutdown=3272 | 1376 | $ firejail \-\-shutdown=3272 |
1349 | .TP | 1377 | .TP |
1350 | \fB\-\-tmpfs=dirname | 1378 | \fB\-\-tmpfs=dirname |
1351 | Mount a tmpfs filesystem on directory dirname. | 1379 | Mount a tmpfs filesystem on directory dirname. This option is available only when running the sandbox as root. |
1352 | .br | 1380 | .br |
1353 | 1381 | ||
1354 | .br | 1382 | .br |
1355 | Example: | 1383 | Example: |
1356 | .br | 1384 | .br |
1357 | $ firejail \-\-tmpfs=/var | 1385 | # firejail \-\-tmpfs=/var |
1358 | .TP | 1386 | .TP |
1359 | \fB\-\-top | 1387 | \fB\-\-top |
1360 | Monitor the most CPU-intensive sandboxes, see \fBMONITORING\fR section for more details. | 1388 | Monitor the most CPU-intensive sandboxes, see \fBMONITORING\fR section for more details. |
@@ -1441,6 +1469,15 @@ $ firejail \-\-tree | |||
1441 | .br | 1469 | .br |
1442 | 11970:netblue:transmission-gtk | 1470 | 11970:netblue:transmission-gtk |
1443 | .TP | 1471 | .TP |
1472 | \fB\-\-user=new-user | ||
1473 | Switch the user before starting the sandbox. This command should be run as root. | ||
1474 | .br | ||
1475 | |||
1476 | .br | ||
1477 | Example: | ||
1478 | .br | ||
1479 | # firejail \-\-user=www-data | ||
1480 | .TP | ||
1444 | \fB\-\-version | 1481 | \fB\-\-version |
1445 | Print program version and exit. | 1482 | Print program version and exit. |
1446 | .br | 1483 | .br |
@@ -1454,6 +1491,8 @@ firejail version 0.9.27 | |||
1454 | .TP | 1491 | .TP |
1455 | \fB\-\-whitelist=dirname_or_filename | 1492 | \fB\-\-whitelist=dirname_or_filename |
1456 | Whitelist directory or file. This feature is implemented only for user home, /dev, /media, /opt, /var, and /tmp directories. | 1493 | Whitelist directory or file. This feature is implemented only for user home, /dev, /media, /opt, /var, and /tmp directories. |
1494 | When whitlisting symbolic links, both the link and the real file should be in the same top directory | ||
1495 | (home user, /media, /var etc.) | ||
1457 | .br | 1496 | .br |
1458 | 1497 | ||
1459 | .br | 1498 | .br |
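--- /dev/null
+++ b/test/chroot-resolvconf.exp
@@ -0,0 +1,14 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --chroot=/tmp/chroot /bin/bash\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"invalid /tmp/chroot/etc/resolv.conf file"
+}
+
+puts "\nall done\n"
+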
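Review bot: The timeout handler on new line 9, `timeout {puts "TESTING ERROR 0\n";exit}`, exits with status 0, so a runner that checks exit codes records this test as passed even when the expected diagnostic never appears; `exit 1` there would make the failure machine-visible, and the same handlers appear in the new test/features/3.1.exp, 3.4.exp, 3.5.exp, 3.6.exp, 3.7.exp, 3.8.exp and 3.10.exp. Nothing in the file makes /tmp/chroot/etc/resolv.conf invalid before the sandbox is started, so whether the message can appear presumably depends on state prepared elsewhere; a header comment naming that precondition would keep the test runnable on its own.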
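--- a/test/compile/compile.sh
+++ b/test/compile/compile.sh
@@ -4,6 +4,8 @@ arr[1]="TEST 1: standard compilation"
 arr[2]="TEST 2: compile seccomp disabled"
 arr[3]="TEST 3: compile chroot disabled"
 arr[4]="TEST 4: compile bind disabled"
+arr[5]="TEST 5: compile user namespace disabled"
+arr[6]="TEST 6: compile network disabled"
 
 
 # remove previous reports and output file
@@ -28,7 +30,7 @@ while [ $# -gt 0 ]; do # Until you run out of parameters . . .
 exit
 ;;
 --help)
-echo "./autotest.sh [--clean|--help]"
+echo "./compile.sh [--clean|--help]"
 exit
 ;;
 esac
@@ -96,10 +98,10 @@ rm output-configure output-make
 #*****************************************************************
 # TEST 4
 #*****************************************************************
-# - disable bindconfiguration
+# - disable bind configuration
 # - check compilation
 #*****************************************************************
-print_title "${arr[3]}"
+print_title "${arr[4]}"
 # seccomp
 cd firejail
 make distclean
@@ -110,6 +112,40 @@ grep Warning output-configure output-make > ./report-test4
 grep Error output-configure output-make >> ./report-test4
 rm output-configure output-make
 
+#*****************************************************************
+# TEST 5
+#*****************************************************************
+# - disable user namespace configuration
+# - check compilation
+#*****************************************************************
+print_title "${arr[5]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --disable-userns --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test5
+grep Error output-configure output-make >> ./report-test5
+rm output-configure output-make
+
+#*****************************************************************
+# TEST 6
+#*****************************************************************
+# - disable user namespace configuration
+# - check compilation
+#*****************************************************************
+print_title "${arr[6]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --disable-network --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test6
+grep Error output-configure output-make >> ./report-test6
+rm output-configure output-make
+
 
 #*****************************************************************
 # PRINT REPORTS
@@ -129,3 +165,5 @@ echo ${arr[1]}
 echo ${arr[2]}
 echo ${arr[3]}
 echo ${arr[4]}
+echo ${arr[5]}
+echo ${arr[6]}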
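Review bot: The TEST 6 banner on new line 135 reads `# - disable user namespace configuration`, but the configure call on line 142 passes `--disable-network`; the comment was carried over from TEST 5 and should read `# - disable network configuration`. The `# seccomp` comment on lines 122 and 139 is likewise copied from the earlier blocks and no longer describes what follows. The report is built from `grep Warning`/`grep Error` over the tee'd output, so these are documentation issues only, but a reader scanning the banners will misread which configuration TEST 6 covers.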
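--- a/test/configure
+++ b/test/configure
@@ -32,6 +32,7 @@ DEFAULT_FILES+=" /bin/cp /bin/ls /bin/cat /bin/ps /bin/netstat /bin/ping /sbin/i
 
 rm -fr $ROOTDIR
 mkdir -p $ROOTDIR/{root,bin,lib,lib64,usr,home,etc,dev/shm,tmp,var/run,var/tmp,var/lock,var/log,proc}
+chmod 777 $ROOTDIR/tmp
 mkdir -p $ROOTDIR/etc/firejail
 mkdir -p $ROOTDIR/home/netblue/.config/firejail
 chown netblue:netblue $ROOTDIR/home/netblue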
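Review bot: `chmod 777 $ROOTDIR/tmp` on new line 35 makes the chroot's /tmp world-writable without the sticky bit, unlike a real /tmp, so any user inside the chroot can rename or remove entries another user created there; `chmod 1777 $ROOTDIR/tmp` gives the directory the conventional mode that sandboxed programs expect. This matters for the new test/features/3.10.exp, which pre-creates /tmp/chroot/tmp/test1dir as the test user and then lists it from inside the sandbox. `$ROOTDIR` is unquoted here as on the surrounding lines, which is consistent with the file, though `"$ROOTDIR/tmp"` would be safer if the variable can ever contain spaces.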
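--- a/test/features/1.2.exp
+++ b/test/features/1.2.exp
@@ -69,10 +69,6 @@ if { $overlay == "overlay" } {
 timeout {puts "TESTING ERROR 3.1\n";exit}
 "proc /proc proc"
 }
-# expect {
-# timeout {puts "TESTING ERROR 3.2\n";exit}
-# "proc /proc proc"
-# }
 expect {
 timeout {puts "TESTING ERROR 3.3\n";exit}
 "proc /proc/sys proc"
@@ -115,10 +111,6 @@ if { $chroot == "chroot" } {
 "proc /proc proc"
 }
 expect {
-timeout {puts "TESTING ERROR 5.2\n";exit}
-"proc /proc proc"
-}
-expect {
 timeout {puts "TESTING ERROR 5.3\n";exit}
 "proc /proc/sys proc"
 }
@@ -126,10 +118,10 @@ if { $chroot == "chroot" } {
 timeout {puts "TESTING ERROR 5.4\n";exit}
 "proc /proc/sysrq-trigger proc"
 }
-expect {
-timeout {puts "TESTING ERROR 5.5\n";exit}
-"proc /proc/sys/kernel/hotplug"
-}
+# expect {
+# timeout {puts "TESTING ERROR 5.5\n";exit}
+# "proc /proc/sys/kernel/hotplug"
+# }
 expect {
 timeout {puts "TESTING ERROR 5.6\n";exit}
 "proc /proc/irq proc"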
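Review bot: The third hunk turns the `/proc/sys/kernel/hotplug` check (new lines 121–124) into commented-out code with no note on why, while the first two hunks of this same file delete duplicated commented-out blocks of exactly this kind; after the change the chroot branch no longer verifies that hotplug is masked and nothing records that this is intentional. Either drop the four lines or keep one comment such as `# hotplug check disabled: [reason]`, so the next reader neither re-enables nor deletes it blindly. The enclosing `if { $chroot == "chroot" }` block starts outside the hunk.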
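--- a/test/features/3.1.exp
+++ b/test/features/3.1.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 #
-# tmpfs
+# private
 #
 
 set timeout 10
@@ -12,20 +12,49 @@ set chroot [lindex $argv 1]
 #
 # N
 #
-send -- "touch ~/.config/firejail-test-file\r"
-sleep 1
-send -- "firejail --noprofile --tmpfs=/home/netblue/.config\r"
+send -- "firejail --noprofile --private\r"
 expect {
 timeout {puts "TESTING ERROR 0\n";exit}
 "Child process initialized"
 }
 sleep 1
 
-send -- "ls ~/.config | wc -l\r"
+send -- "ls -al | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 1.1\n";exit}
+"5"
+}
+
+send -- "ls -al .bashrc\r"
+expect {
+timeout {puts "TESTING ERROR 1.2\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 1.3\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 1.4\n";exit}
+".bashrc"
+}
+
+send -- "ls -al .Xauthority\r"
+expect {
+timeout {puts "TESTING ERROR 1.5\n";exit}
+"netblue"
+}
 expect {
-timeout {puts "TESTING ERROR 1\n";exit}
-"0"
+timeout {puts "TESTING ERROR 1.6\n";exit}
+"netblue"
 }
+expect {
+timeout {puts "TESTING ERROR 1.7\n";exit}
+".Xauthority"
+}
+
+
+
 after 100
 send -- "exit\r"
 sleep 1
@@ -34,18 +63,47 @@ sleep 1
 # O
 #
 if { $overlay == "overlay" } {
-send -- "firejail --noprofile --overlay --tmpfs=/home/netblue/.config\r"
+send -- "firejail --noprofile --overlay --private\r"
 expect {
 timeout {puts "TESTING ERROR 2\n";exit}
 "Child process initialized"
 }
 sleep 1
 
-send -- "ls ~/.config | wc -l\r"
+send -- "ls -al | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 3.1\n";exit}
+"5"
+}
+
+send -- "ls -al .bashrc\r"
+expect {
+timeout {puts "TESTING ERROR 3.2\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 3.3\n";exit}
+"netblue"
+}
 expect {
-timeout {puts "TESTING ERROR 3\n";exit}
-"0"
+timeout {puts "TESTING ERROR 3.4\n";exit}
+".bashrc"
 }
+
+send -- "ls -al .Xauthority\r"
+expect {
+timeout {puts "TESTING ERROR 3.5\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 3.6\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 3.7\n";exit}
+".Xauthority"
+}
+
 after 100
 send -- "exit\r"
 sleep 1
@@ -55,20 +113,47 @@ if { $overlay == "overlay" } {
 # C
 #
 if { $chroot == "chroot" } {
-send -- "touch /tmp/chroot/home/netblue/.config/firejail-test-file\r"
-sleep 1
-send -- "firejail --noprofile --chroot=/tmp/chroot --tmpfs=/home/netblue/.config\r"
+send -- "firejail --noprofile --chroot=/tmp/chroot --private\r"
 expect {
 timeout {puts "TESTING ERROR 4\n";exit}
 "Child process initialized"
 }
 sleep 1
 
-send -- "ls ~/.config | wc -l\r"
+send -- "ls -al | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 5.1\n";exit}
+"5"
+}
+
+send -- "ls -al .bashrc\r"
 expect {
-timeout {puts "TESTING ERROR 5\n";exit}
-"0"
+timeout {puts "TESTING ERROR 5.2\n";exit}
+"netblue"
 }
+expect {
+timeout {puts "TESTING ERROR 5.3\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 5.4\n";exit}
+".bashrc"
+}
+
+send -- "ls -al .Xauthority\r"
+expect {
+timeout {puts "TESTING ERROR 5.5\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 5.6\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 5.7\n";exit}
+".Xauthority"
+}
+
 after 100
 send -- "exit\r"
 sleep 1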
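Review bot: The count check on new line 25, `"5"`, is an unanchored glob, so `ls -al | wc -l` printing 15 or 25 also satisfies it, and the paired `"netblue"` expects that follow can be matched by a shell prompt containing the user name rather than by the listing, if the spawned $env(SHELL) shows one; anchoring the count, e.g. `-re {\n5\r}`, makes the check mean what it says. The same pattern is used in 3.4.exp, 3.5.exp, 3.6.exp, 3.7.exp, 3.8.exp and 3.10.exp. The header comment now reads `# private`, but nothing in the file records that the former --tmpfs coverage was replaced rather than moved; given that the man page in this commit makes --tmpfs root-only, a one-line note here would explain the swap.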
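--- /dev/null
+++ b/test/features/3.10.exp
@@ -0,0 +1,183 @@
+#!/usr/bin/expect -f
+#
+# whitelist tmp
+#
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+set overlay [lindex $argv 0]
+set chroot [lindex $argv 1]
+
+#
+# N
+#
+send -- "mkdir /tmp/test1dir\r"
+sleep 1
+send -- "touch /tmp/test1dir/test1\r"
+sleep 1
+send -- "firejail --noprofile --whitelist=/tmp/test1dir\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "ls -l /tmp | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 1.1\n";exit}
+"2"
+}
+send -- "ls -l /tmp\r"
+expect {
+timeout {puts "TESTING ERROR 1.2\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 1.3\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 1.4\n";exit}
+"test1dir"
+}
+
+send -- "ls -l /tmp/test1dir | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 1.5\n";exit}
+"2"
+}
+send -- "ls -l /tmp/test1dir\r"
+expect {
+timeout {puts "TESTING ERROR 1.6\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 1.7\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 1.8\n";exit}
+"test1"
+}
+
+
+after 100
+send -- "exit\r"
+sleep 1
+
+
+#
+# O
+#
+if { $overlay == "overlay" } {
+send -- "firejail --noprofile --overlay --whitelist=/tmp/test1dir\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "ls -l /tmp | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 3.1\n";exit}
+"2"
+}
+send -- "ls -l /tmp\r"
+expect {
+timeout {puts "TESTING ERROR 3.2\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 3.3\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 3.4\n";exit}
+"test1dir"
+}
+
+send -- "ls -l /tmp/test1dir | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 3.5\n";exit}
+"2"
+}
+send -- "ls -l /tmp/test1dir\r"
+expect {
+timeout {puts "TESTING ERROR 3.6\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 3.7\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 3.8\n";exit}
+"test1"
+}
+
+after 100
+send -- "exit\r"
+sleep 1
+}
+
+#
+# C
+#
+if { $chroot == "chroot" } {
+send -- "mkdir /tmp/chroot/tmp/test1dir\r"
+sleep 1
+send -- "touch /tmp/chroot/tmp/test1dir/test1\r"
+sleep 1
+send -- "firejail --noprofile --chroot=/tmp/chroot --whitelist=/tmp/test1dir\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "ls -l /tmp | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 5.1\n";exit}
+"2"
+}
+send -- "ls -l /tmp\r"
+expect {
+timeout {puts "TESTING ERROR 5.2\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 5.3\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 5.4\n";exit}
+"test1dir"
+}
+
+send -- "ls -l /tmp/test1dir | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 5.5\n";exit}
+"2"
+}
+send -- "ls -l /tmp/test1dir\r"
+expect {
+timeout {puts "TESTING ERROR 5.6\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 5.7\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 5.8\n";exit}
+"test1"
+}
+
+after 100
+send -- "exit\r"
+sleep 1
+}
+
+
+puts "\nall done\n"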
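Review bot: The fixture `/tmp/test1dir` created on new lines 15–17 is never removed, so on a second run the `mkdir` fails, the shell's status is not checked, and the test proceeds against whatever the leftover directory contains; the chroot branch (lines 128–131) has the same problem with /tmp/chroot/tmp/test1dir. Creating it fresh, e.g. `send -- "rm -rf /tmp/test1dir && mkdir /tmp/test1dir && touch /tmp/test1dir/test1\r"`, and removing it after the final `exit` would make runs independent of each other. A one-line comment above each `"2"` saying it counts the `total` line plus the single expected entry would also make a failure readable without re-deriving the number.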
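--- a/test/features/3.4.exp
+++ b/test/features/3.4.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 #
-# whitelist
+# whitelist home
 #
 
 set timeout 10
@@ -19,11 +19,54 @@ expect {
 }
 sleep 1
 
-send -- "ls -al ~/. | wc -l\r"
+send -- "ls -al | wc -l\r"
 expect {
-timeout {puts "TESTING ERROR 1\n";exit}
+timeout {puts "TESTING ERROR 1.1\n";exit}
 "6"
 }
+
+send -- "ls -al .bashrc\r"
+expect {
+timeout {puts "TESTING ERROR 1.2\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 1.3\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 1.4\n";exit}
+".bashrc"
+}
+
+send -- "ls -al .Xauthority\r"
+expect {
+timeout {puts "TESTING ERROR 1.5\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 1.6\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 1.7\n";exit}
+".Xauthority"
+}
+
+send -- "ls -al | grep config\r"
+expect {
+timeout {puts "TESTING ERROR 1.8\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 1.9\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 1.10\n";exit}
+".config"
+}
+
 after 100
 send -- "exit\r"
 sleep 1
@@ -40,11 +83,54 @@ if { $overlay == "overlay" } {
 }
 sleep 1
 
-send -- "ls -al ~/. | wc -l\r"
+send -- "ls -al | wc -l\r"
 expect {
-timeout {puts "TESTING ERROR 1\n";exit}
+timeout {puts "TESTING ERROR 3.1\n";exit}
 "6"
 }
+
+send -- "ls -al .bashrc\r"
+expect {
+timeout {puts "TESTING ERROR 3.2\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 3.3\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 3.4\n";exit}
+".bashrc"
+}
+
+send -- "ls -al .Xauthority\r"
+expect {
+timeout {puts "TESTING ERROR 3.5\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 3.6\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 3.7\n";exit}
+".Xauthority"
+}
+
+send -- "ls -al | grep config\r"
+expect {
+timeout {puts "TESTING ERROR 3.8\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 3.9\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 3.10\n";exit}
+".config"
+}
+
 after 100
 send -- "exit\r"
 sleep 1
@@ -61,11 +147,54 @@ if { $chroot == "chroot" } {
 }
 sleep 1
 
-send -- "ls -al ~/. | wc -l\r"
+send -- "ls -al | wc -l\r"
 expect {
-timeout {puts "TESTING ERROR 1\n";exit}
+timeout {puts "TESTING ERROR 5.1\n";exit}
 "6"
 }
+
+send -- "ls -al .bashrc\r"
+expect {
+timeout {puts "TESTING ERROR 5.2\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 5.3\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 5.4\n";exit}
+".bashrc"
+}
+
+send -- "ls -al .Xauthority\r"
+expect {
+timeout {puts "TESTING ERROR 5.5\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 5.6\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 5.7\n";exit}
+".Xauthority"
+}
+
+send -- "ls -al | grep config\r"
+expect {
+timeout {puts "TESTING ERROR 5.8\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 5.9\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 5.10\n";exit}
+".config"
+}
+
 after 100
 send -- "exit\r"
 sleep 1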
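Review bot: The three hunks of this file add the same 43-line run of `ls -al .bashrc` / `ls -al .Xauthority` / `ls -al | grep config` expectations three times, differing only in the error-number prefix, and 3.1.exp and 3.10.exp in this commit are triplicated the same way. A Tcl `proc` taking the prefix (and, for 3.10.exp, the directory) would keep one copy of the expectations so a later change lands in all three branches at once. The `if { $overlay == "overlay" }` and `if { $chroot == "chroot" }` blocks that the second and third hunks sit in start outside the hunks.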
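--- /dev/null
+++ b/test/features/3.5.exp
@@ -0,0 +1,77 @@
+#!/usr/bin/expect -f
+#
+# private-dev
+#
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+set overlay [lindex $argv 0]
+set chroot [lindex $argv 1]
+
+#
+# N
+#
+send -- "firejail --noprofile --private-dev\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "ls -al /dev | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 1.1\n";exit}
+"14"
+}
+
+after 100
+send -- "exit\r"
+sleep 1
+
+#
+# O
+#
+if { $overlay == "overlay" } {
+send -- "firejail --noprofile --overlay --private-dev\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "ls -al /dev | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 3.1\n";exit}
+"13"
+}
+
+after 100
+send -- "exit\r"
+sleep 1
+}
+
+#
+# C
+#
+if { $chroot == "chroot" } {
+send -- "firejail --noprofile --chroot=/tmp/chroot --private-dev\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "ls -al /dev | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 5.1\n";exit}
+"13"
+}
+
+after 100
+send -- "exit\r"
+sleep 1
+}
+
+
+puts "\nall done\n"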
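Review bot: The expected counts `"14"` on new line 25 and `"13"` on lines 46 and 68 are unexplained; the man page hunk in this commit lists eleven devices under --private-dev, which with the `total`, `.` and `..` lines of `ls -al` gives 14, so the 13 expected under overlay and chroot presumably means one entry is absent there, and nothing says which. A comment above each check, e.g. `# 11 devices + total/./..; [entry] is not present under overlay/chroot`, would let a failure be read without re-deriving the arithmetic, and would flag the check for update when the device list in the man page changes.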
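--- /dev/null
+++ b/test/features/3.6.exp
@@ -0,0 +1,77 @@
+#!/usr/bin/expect -f
+#
+# private-etc
+#
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+set overlay [lindex $argv 0]
+set chroot [lindex $argv 1]
+
+#
+# N
+#
+send -- "firejail --noprofile --private-etc=group,hostname,hosts,nsswitch.conf,passwd,resolv.conf,skel\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "ls -al /etc | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 1.1\n";exit}
+"10"
+}
+
+after 100
+send -- "exit\r"
+sleep 1
+
+#
+# O
+#
+if { $overlay == "overlay" } {
+send -- "firejail --noprofile --overlay --private-etc=group,hostname,hosts,nsswitch.conf,passwd,resolv.conf,skel\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "ls -al /etc | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 3.1\n";exit}
+"10"
+}
+
+after 100
+send -- "exit\r"
+sleep 1
+}
+
+#
+# C
+#
+if { $chroot == "chroot" } {
+send -- "firejail --noprofile --chroot=/tmp/chroot --private-etc=group,hostname,hosts,nsswitch.conf,passwd,resolv.conf,skel\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "ls -al /etc | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 5.1\n";exit}
+"10"
+}
+
+after 100
+send -- "exit\r"
+sleep 1
+}
+
+
+puts "\nall done\n"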
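Review bot: The check on new lines 22–26 only counts /etc entries, so it passes with any ten entries and never confirms that a file outside the list is absent, which is the property --private-etc exists to provide. A negative check after the count, sending `ls /etc/[name-not-in-list]` and expecting `No such file`, would pin that, picking a name that exists on the host and in the chroot fixture built by test/configure. The ten comes from the seven names in the option plus `total`, `.` and `..`; stating that in a comment would help whoever next edits the list.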
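--- /dev/null
+++ b/test/features/3.7.exp
@@ -0,0 +1,91 @@
+#!/usr/bin/expect -f
+#
+# private-tmp
+#
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+set overlay [lindex $argv 0]
+set chroot [lindex $argv 1]
+
+#
+# N
+#
+send -- "touch /tmp/test1\r"
+sleep 1
+send -- "touch /tmp/test2\r"
+sleep 1
+send -- "firejail --noprofile --private-tmp\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "ls -al /tmp | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 1.1\n";exit}
+"3"
+}
+
+
+after 100
+send -- "exit\r"
+sleep 1
+
+#
+# O
+#
+if { $overlay == "overlay" } {
+send -- "touch /tmp/test1\r"
+sleep 1
+send -- "touch /tmp/test2\r"
+sleep 1
+send -- "firejail --noprofile --overlay --private-tmp\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "ls -al /tmp | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 3.1\n";exit}
+"3"
+}
+
+
+after 100
+send -- "exit\r"
+sleep 1
+}
+
+#
+# C
+#
+if { $chroot == "chroot" } {
+send -- "touch /tmp/test1\r"
+sleep 1
+send -- "touch /tmp/test2\r"
+sleep 1
+send -- "firejail --noprofile --chroot=/tmp/chroot --private-tmp\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "ls -al /tmp | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 5.1\n";exit}
+"3"
+}
+
+after 100
+send -- "exit\r"
+sleep 1
+}
+
+
+puts "\nall done\n"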
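Review bot: In the chroot branch (new lines 68–71) the fixture files are created as /tmp/test1 and /tmp/test2 on the host, but the sandbox is rooted at /tmp/chroot, so its /tmp is /tmp/chroot/tmp and never held those files; the `"3"` expectation on line 82 is therefore satisfied whether or not --private-tmp did anything. 3.10.exp in the same commit creates its chroot fixture under /tmp/chroot/tmp, and this test should do the same: `send -- "touch /tmp/chroot/tmp/test1\r"` and `send -- "touch /tmp/chroot/tmp/test2\r"`. The host-side test1/test2 are also never removed after the N and O branches, so they accumulate across runs.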
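--- /dev/null
+++ b/test/features/3.8.exp
@@ -0,0 +1,79 @@
+#!/usr/bin/expect -f
+#
+# private-bin
+#
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+set overlay [lindex $argv 0]
+set chroot [lindex $argv 1]
+
+#
+# N
+#
+send -- "firejail --noprofile --private-bin=bash,cat,cp,ls,wc\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "ls -l /usr/bin | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 1.1\n";exit}
+"6"
+}
+
+
+after 100
+send -- "exit\r"
+sleep 1
+
+#
+# O
+#
+if { $overlay == "overlay" } {
+send -- "firejail --noprofile --overlay --private-bin=bash,cat,cp,ls,wc\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "ls -l /usr/bin | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 3.1\n";exit}
+"6"
+}
+
+
+after 100
+send -- "exit\r"
+sleep 1
+}
+
+#
+# C
+#
+if { $chroot == "chroot" } {
+send -- "firejail --noprofile --chroot=/tmp/chroot --private-bin=bash,cat,cp,ls,wc\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "ls -l /usr/bin | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 5.1\n";exit}
+"6"
+}
+
+after 100
+send -- "exit\r"
+sleep 1
+}
+
+
+puts "\nall done\n"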
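Review bot: The count check `"6"` after `ls -l /usr/bin | wc -l` is a bare substring match, so any "6" in the echoed output or the shell prompt (a count of 16 or 60, a digit in the hostname) satisfies it and the test cannot fail when private-bin leaves more than the five requested binaries in place; anchoring it to the wc line, e.g. `-re "\r\n6\r"`, ties the match to the actual count. The same loose single-number match is used in 3.9.exp (`"4"`) and nice.exp (`"15"`). Counting entries also does not verify which binaries survived, so a follow-up `ls /usr/bin` expecting the five names would pin the policy rather than its size.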
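--- /dev/null
+++ b/test/features/3.9.exp
@@ -0,0 +1,80 @@
+#!/usr/bin/expect -f
+#
+# whitelist dev
+#
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+set overlay [lindex $argv 0]
+set chroot [lindex $argv 1]
+
+#
+# N
+#
+send -- "firejail --noprofile --whitelist=/dev/tty --whitelist=/dev/shm --whitelist=/dev/null\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "ls -l /dev | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 1.1\n";exit}
+"4"
+}
+
+
+after 100
+send -- "exit\r"
+sleep 1
+
+
+#
+# O
+#
+if { $overlay == "overlay" } {
+send -- "firejail --noprofile --overlay --whitelist=/dev/tty --whitelist=/dev/shm --whitelist=/dev/null\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "ls -l /dev | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 3.1\n";exit}
+"4"
+}
+
+
+after 100
+send -- "exit\r"
+sleep 1
+}
+
+#
+# C
+#
+if { $chroot == "chroot" } {
+send -- "firejail --noprofile --chroot=/tmp/chroot --whitelist=/dev/tty --whitelist=/dev/shm --whitelist=/dev/null\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "ls -l /dev | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 5.1\n";exit}
+"4"
+}
+
+after 100
+send -- "exit\r"
+sleep 1
+}
+
+
+puts "\nall done\n"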
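Review bot: The whitelist check only counts surviving /dev entries (`"4"`), so a sandbox that kept the wrong three nodes, or kept tty, shm and null plus dropped one it should have had, still passes; a device whitelist is a policy about names, and the test should assert them. After the count, a plain `ls /dev` followed by `expect` clauses for `"null"`, `"shm"` and `"tty"` would verify the allowed set, and a clause that fails on any other well-known node name would verify the deny side. Note that features.txt marks the N case as not working on Debian wheezy, yet test.sh runs it unconditionally, so expect a known failure there.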
diff --git a/test/features/features.txt b/test/features/features.txt index d372d2f7a..4d8821a92 100644 --- a/test/features/features.txt +++ b/test/features/features.txt | |||
@@ -9,11 +9,7 @@ C - chroot filesystem | |||
9 | 1. Default features (tesing with --noprofile) | 9 | 1. Default features (tesing with --noprofile) |
10 | 10 | ||
11 | 1.1 disable /boot | 11 | 1.1 disable /boot |
12 | - N, O, C | ||
13 | |||
14 | 1.2 new /proc | 12 | 1.2 new /proc |
15 | - N, O, C | ||
16 | |||
17 | 1.3 new /sys | 13 | 1.3 new /sys |
18 | - N, O fails remount, C fails remount | 14 | - N, O fails remount, C fails remount |
19 | 15 | ||
@@ -23,53 +19,44 @@ C - chroot filesystem | |||
23 | - /etc/group: N, O, C to test | 19 | - /etc/group: N, O, C to test |
24 | 20 | ||
25 | 1.5 PID namespace | 21 | 1.5 PID namespace |
26 | - N, O, C | ||
27 | |||
28 | 1.6 new /var/log | 22 | 1.6 new /var/log |
29 | - N, O, C | ||
30 | |||
31 | 1.7 new /var/tmp | 23 | 1.7 new /var/tmp |
32 | -N, O, C | ||
33 | |||
34 | 1.8 disable /etc/firejail and ~/.config/firejail | 24 | 1.8 disable /etc/firejail and ~/.config/firejail |
35 | -N, O, C | ||
36 | |||
37 | 1.9 mount namespace | 25 | 1.9 mount namespace |
38 | |||
39 | 1.10 disable /selinux | 26 | 1.10 disable /selinux |
40 | - N, O, C | ||
41 | |||
42 | |||
43 | 27 | ||
44 | 2. Networking features | 28 | 2. Networking features |
45 | 29 | ||
46 | 2.1 Hostname (use --hostname=newhostname, do a ping and cat /etc/hostname) | 30 | 2.1 Hostname (use --hostname=newhostname, do a ping and cat /etc/hostname) |
47 | - N, O, C | ||
48 | - ping disabled for C by default seccomp filter, use "getent hosts bingo" | 31 | - ping disabled for C by default seccomp filter, use "getent hosts bingo" |
49 | 32 | ||
50 | 2.2 DNS (use --dns=4.2.2.1, use "dig google.com") | 33 | 2.2 DNS (use --dns=4.2.2.1, use "dig google.com") |
51 | - N, O, C | ||
52 | |||
53 | 2.3 mac-vlan (use --net=eth0 and --noprofile; run ifconfig and dig google.com) | 34 | 2.3 mac-vlan (use --net=eth0 and --noprofile; run ifconfig and dig google.com) |
54 | - N, O, C | ||
55 | - test --ip: N, O, C | ||
56 | |||
57 | 2.4 bridge (use --net=br0 and --noprofile; run ifconfig, netstat -rn, ping default gw) | 35 | 2.4 bridge (use --net=br0 and --noprofile; run ifconfig, netstat -rn, ping default gw) |
58 | - N, O, C | ||
59 | - ping disabled for C by default seccomp filter - transfer test not implemented for C | 36 | - ping disabled for C by default seccomp filter - transfer test not implemented for C |
60 | - test --ip: N, O, C | ||
61 | |||
62 | 2.5 interface | 37 | 2.5 interface |
63 | - N, O, C | ||
64 | |||
65 | 2.6 Default gw (--noprofile --net=eth0 --defaultgw=192.168.1.10, run netstat -rn) | 38 | 2.6 Default gw (--noprofile --net=eth0 --defaultgw=192.168.1.10, run netstat -rn) |
66 | - N, O, C | ||
67 | |||
68 | |||
69 | 39 | ||
70 | 3. Filesystem features (use --noprofile) | 40 | 3. Filesystem features (use --noprofile) |
71 | 41 | ||
72 | 3.1 tmpfs | 42 | 3.1 private |
73 | 3.2 read-only | 43 | 3.2 read-only |
74 | 3.3 blacklist | 44 | 3.3 blacklist |
75 | 3.4 whitelist | 45 | 3.4 whitelist home |
46 | - N braking on Fedora | ||
47 | 3.5 private-dev | ||
48 | - O, C - somehow /dev/log is missing | ||
49 | - N - problems on Debian wheezy 32-bit, Fedora | ||
50 | 3.6 private-etc | ||
51 | - O not working - todo | ||
52 | 3.7 private-tmp | ||
53 | 3.8 private-bin | ||
54 | - O, C not working - todo | ||
55 | 3.9 whitelist dev | ||
56 | - N not working on Debian wheezy (32-bit and 64-bit) - todo | ||
57 | 3.10 whitelist tmp | ||
58 | - O not working on Arch Linux - todo | ||
59 | |||
60 | |||
61 | |||
62 | |||
diff --git a/test/features/test.sh b/test/features/test.sh index d4bcead0b..495996551 100755 --- a/test/features/test.sh +++ b/test/features/test.sh | |||
@@ -83,7 +83,7 @@ fi | |||
83 | #################### | 83 | #################### |
84 | # filesystem features | 84 | # filesystem features |
85 | #################### | 85 | #################### |
86 | echo "TESTING: 3.1 tmpfs" | 86 | echo "TESTING: 3.1 private" |
87 | ./3.1.exp $OVERLAY $CHROOT | 87 | ./3.1.exp $OVERLAY $CHROOT |
88 | 88 | ||
89 | echo "TESTING: 3.2 read-only" | 89 | echo "TESTING: 3.2 read-only" |
@@ -92,6 +92,24 @@ echo "TESTING: 3.2 read-only" | |||
92 | echo "TESTING: 3.3 blacklist" | 92 | echo "TESTING: 3.3 blacklist" |
93 | ./3.3.exp $OVERLAY $CHROOT | 93 | ./3.3.exp $OVERLAY $CHROOT |
94 | 94 | ||
95 | echo "TESTING: 3.4 whitelist" | 95 | echo "TESTING: 3.4 whitelist home" |
96 | ./3.4.exp $OVERLAY $CHROOT | 96 | ./3.4.exp $OVERLAY $CHROOT |
97 | 97 | ||
98 | echo "TESTING: 3.5 private-dev" | ||
99 | ./3.5.exp $OVERLAY $CHROOT | ||
100 | |||
101 | echo "TESTING: 3.6 private-etc" | ||
102 | ./3.6.exp notworking $CHROOT | ||
103 | |||
104 | echo "TESTING: 3.7 private-tmp" | ||
105 | ./3.7.exp $OVERLAY $CHROOT | ||
106 | |||
107 | echo "TESTING: 3.8 private-bin" | ||
108 | ./3.8.exp notworking notworking | ||
109 | |||
110 | echo "TESTING: 3.9 whitelist dev" | ||
111 | ./3.9.exp $OVERLAY $CHROOT | ||
112 | |||
113 | echo "TESTING: 3.10 whitelist tmp" | ||
114 | ./3.10.exp $OVERLAY $CHROOT | ||
115 | |||
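Review bot: `./3.8.exp notworking notworking` and `./3.6.exp notworking $CHROOT` silently disable the overlay and chroot branches, so the run log shows "TESTING: 3.8 private-bin" followed by "all done" and nothing reveals that the O and C cases were never exercised; an `echo "SKIPPED: 3.8 overlay/chroot - see features.txt"` before each such call keeps the gap visible in the output. `./3.10.exp` is invoked here but no 3.10.exp appears in this part of the diff; confirm it is added elsewhere in the commit, since a missing script only produces a "No such file" message that the harness does not treat as a failure.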
diff --git a/test/fscheck-shell.exp b/test/fscheck-shell.exp index 548955e60..6a3b5829c 100755 --- a/test/fscheck-shell.exp +++ b/test/fscheck-shell.exp | |||
@@ -37,12 +37,12 @@ expect { | |||
37 | after 100 | 37 | after 100 |
38 | 38 | ||
39 | # file link | 39 | # file link |
40 | send -- "firejail --net=br0 --shell=fscheck-file-link\r" | 40 | #send -- "firejail --net=br0 --shell=fscheck-file-link\r" |
41 | expect { | 41 | #expect { |
42 | timeout {puts "TESTING ERROR 4\n";exit} | 42 | # timeout {puts "TESTING ERROR 4\n";exit} |
43 | "Error" | 43 | # "Error" |
44 | } | 44 | #} |
45 | after 100 | 45 | #after 100 |
46 | 46 | ||
47 | # .. | 47 | # .. |
48 | send -- "firejail --net=br0 --shell=../test/fscheck-file-link\r" | 48 | send -- "firejail --net=br0 --shell=../test/fscheck-file-link\r" |
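Review bot: The "file link" case (`--shell=fscheck-file-link` expecting "Error") is commented out instead of being removed or explained, which drops the check that a symlinked shell path is rejected while leaving dead code in the script. If the rejection no longer happens by design, replace the block with a one-line comment saying so (`# file link: no longer rejected since <reason> - TODO re-enable or delete`), and if it is a temporary workaround for a test-environment problem, say that instead; a silently disabled negative test is the kind that never comes back.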
diff --git a/test/invalid_filename.exp b/test/invalid_filename.exp index e496e4aaf..dd1fa4634 100755 --- a/test/invalid_filename.exp +++ b/test/invalid_filename.exp | |||
@@ -124,22 +124,6 @@ expect { | |||
124 | } | 124 | } |
125 | after 100 | 125 | after 100 |
126 | 126 | ||
127 | send -- "firejail --debug-check-filename --noprofile --private-home=\"bla&&bla\"\r" | ||
128 | expect { | ||
129 | timeout {puts "TESTING ERROR 8.1\n";exit} | ||
130 | "Checking filename bla&&bla" | ||
131 | } | ||
132 | expect { | ||
133 | timeout {puts "TESTING ERROR 8.2\n";exit} | ||
134 | "Error:" | ||
135 | } | ||
136 | expect { | ||
137 | timeout {puts "TESTING ERROR 8.3\n";exit} | ||
138 | "is an invalid filename" | ||
139 | } | ||
140 | after 100 | ||
141 | |||
142 | |||
143 | send -- "firejail --debug-check-filename --noprofile --private-etc=\"bla&&bla\"\r" | 127 | send -- "firejail --debug-check-filename --noprofile --private-etc=\"bla&&bla\"\r" |
144 | expect { | 128 | expect { |
145 | timeout {puts "TESTING ERROR 9.1\n";exit} | 129 | timeout {puts "TESTING ERROR 9.1\n";exit} |
@@ -200,20 +184,6 @@ expect { | |||
200 | } | 184 | } |
201 | after 100 | 185 | after 100 |
202 | 186 | ||
203 | send -- "firejail --debug-check-filename --tmpfs=\"bla&&bla\"\r" | ||
204 | expect { | ||
205 | timeout {puts "TESTING ERROR 13.1\n";exit} | ||
206 | "Checking filename bla&&bla" | ||
207 | } | ||
208 | expect { | ||
209 | timeout {puts "TESTING ERROR 13.2\n";exit} | ||
210 | "Error:" | ||
211 | } | ||
212 | expect { | ||
213 | timeout {puts "TESTING ERROR 13.3\n";exit} | ||
214 | "is an invalid filename" | ||
215 | } | ||
216 | after 100 | ||
217 | 187 | ||
218 | send -- "firejail --debug-check-filename --whitelist=\"bla&&bla\"\r" | 188 | send -- "firejail --debug-check-filename --whitelist=\"bla&&bla\"\r" |
219 | expect { | 189 | expect { |
diff --git a/test/ip6.exp b/test/ip6.exp index 4dc11d3dc..19a822ee2 100755 --- a/test/ip6.exp +++ b/test/ip6.exp | |||
@@ -14,30 +14,26 @@ expect { | |||
14 | "DROP" | 14 | "DROP" |
15 | } | 15 | } |
16 | expect { | 16 | expect { |
17 | timeout {puts "TESTING ERROR 1\n";exit} | 17 | timeout {puts "TESTING ERROR 2\n";exit} |
18 | "DROP" | 18 | "2001:db8:1f0a:3ec::2" |
19 | } | ||
20 | expect { | ||
21 | timeout {puts "TESTING ERROR 1\n";exit} | ||
22 | "2001:db8:1f0a:3ec::2/128" | ||
23 | } | 19 | } |
24 | expect { | 20 | expect { |
25 | timeout {puts "TESTING ERROR 1\n";exit} | 21 | timeout {puts "TESTING ERROR 3\n";exit} |
26 | "Child process initialized" | 22 | "Child process initialized" |
27 | } | 23 | } |
28 | sleep 2 | 24 | sleep 2 |
29 | 25 | ||
30 | send -- "/sbin/ifconfig\r" | 26 | send -- "/sbin/ifconfig\r" |
31 | expect { | 27 | expect { |
32 | timeout {puts "TESTING ERROR 1\n";exit} | 28 | timeout {puts "TESTING ERROR 4\n";exit} |
33 | "inet6 addr" | 29 | "inet6 addr" |
34 | } | 30 | } |
35 | expect { | 31 | expect { |
36 | timeout {puts "TESTING ERROR 1\n";exit} | 32 | timeout {puts "TESTING ERROR 5\n";exit} |
37 | "2001:db8:0:f101::1/64" | 33 | "2001:db8:0:f101::1/64" |
38 | } | 34 | } |
39 | expect { | 35 | expect { |
40 | timeout {puts "TESTING ERROR 1\n";exit} | 36 | timeout {puts "TESTING ERROR 6\n";exit} |
41 | "Scope:Global" | 37 | "Scope:Global" |
42 | } | 38 | } |
43 | 39 | ||
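--- /dev/null
+++ b/test/kmsg.exp
@@ -0,0 +1,29 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "cat /dev/kmsg\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"Permission denied"
+}
+sleep 1
+
+send -- "cat /proc/kmsg\r"
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"Permission denied"
+}
+sleep 1
+
+puts "\nall done\n"
+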
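Review bot: `timeout {puts "TESTING ERROR 2\n";exit}` exits with status 0, so when `cat /dev/kmsg` does not produce "Permission denied" the script prints a message but test.sh sees a successful run; for a check whose whole purpose is that kernel log access is blocked, use `exit 1` in the timeout handlers so the harness can notice. The same pattern is in the other new scripts (3.8.exp, 3.9.exp, nice.exp). Also, if the sandbox hides the node rather than denying it, cat prints "No such file or directory" and this check times out even though access is blocked; if both outcomes are acceptable, `-re "Permission denied|No such file or directory"` expresses that, and if only EACCES is intended, a comment saying why would help the next maintainer.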
diff --git a/test/login_ssh.exp b/test/login_ssh.exp index 163ee91b2..23c775763 100755 --- a/test/login_ssh.exp +++ b/test/login_ssh.exp | |||
@@ -56,4 +56,4 @@ expect { | |||
56 | } | 56 | } |
57 | sleep 1 | 57 | sleep 1 |
58 | 58 | ||
59 | puts "\n" | 59 | puts "\nall done\n" |
diff --git a/test/name.profile b/test/name.profile index 69e605600..1aa9f2d64 100644 --- a/test/name.profile +++ b/test/name.profile | |||
@@ -1 +1 @@ | |||
name svntesting | name jointesting | ||
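--- /dev/null
+++ b/test/nice.exp
@@ -0,0 +1,80 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --nice=15\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "top -b -n 1\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"15"
+}
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"bash"
+}
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"netblu"
+}
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"15"
+}
+expect {
+timeout {puts "TESTING ERROR 6\n";exit}
+"top"
+}
+
+sleep 1
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --profile=nice.profile\r"
+expect {
+timeout {puts "TESTING ERROR 10\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "top -b -n 1\r"
+expect {
+timeout {puts "TESTING ERROR 11\n";exit}
+"netblue"
+}
+expect {
+timeout {puts "TESTING ERROR 12\n";exit}
+"15"
+}
+expect {
+timeout {puts "TESTING ERROR 13\n";exit}
+"bash"
+}
+expect {
+timeout {puts "TESTING ERROR 14\n";exit}
+"netblu"
+}
+expect {
+timeout {puts "TESTING ERROR 15\n";exit}
+"15"
+}
+expect {
+timeout {puts "TESTING ERROR 16\n";exit}
+"top"
+}
+
+
+
+puts "\nall done\n"
+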
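Review bot: `"netblue"` in the `top -b -n 1` checks hard-codes one developer's login, so the script fails for every other user; test.sh already passes `` `whoami` `` to private.exp and the same works here with `set user [lindex $argv 0]` and `"$user"` in the expect clauses (the test.sh line `./nice.exp` would then pass `` `whoami` `` too). The `"15"` expectations are substring matches over the whole top output, where PIDs, CPU percentages and elapsed times can contain "15" before the NI column is reached, so the check can pass without the nice value being applied; anchoring on the `$user` token and the NI column in one `-re` pattern on the same line is more reliable. The second sandbox (`--profile=nice.profile`) is never exited before "all done", unlike the first.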
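--- /dev/null
+++ b/test/nice.profile
@@ -0,0 +1 @@
+nice 15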
diff --git a/test/option-join-profile.exp b/test/option-join-profile.exp index 8f9c10bf7..9200980a1 100755 --- a/test/option-join-profile.exp +++ b/test/option-join-profile.exp | |||
@@ -12,16 +12,16 @@ expect { | |||
12 | sleep 3 | 12 | sleep 3 |
13 | 13 | ||
14 | spawn $env(SHELL) | 14 | spawn $env(SHELL) |
15 | send -- "firejail --join=svntesting;pwd\r" | 15 | send -- "firejail --join=jointesting;pwd\r" |
16 | expect { | 16 | expect { |
17 | timeout {puts "TESTING ERROR 1\n";exit} | 17 | timeout {puts "TESTING ERROR 1\n";exit} |
18 | "Switching to pid" | 18 | "Switching to pid" |
19 | } | 19 | } |
20 | sleep 1 | 20 | sleep 3 |
21 | 21 | ||
22 | 22 | ||
23 | spawn $env(SHELL) | 23 | spawn $env(SHELL) |
24 | send -- "firejail --shutdown=svntesting;pwd\r" | 24 | send -- "firejail --shutdown=jointesting;pwd\r" |
25 | expect { | 25 | expect { |
26 | timeout {puts "TESTING ERROR 3\n";exit} | 26 | timeout {puts "TESTING ERROR 3\n";exit} |
27 | "home" | 27 | "home" |
@@ -31,7 +31,7 @@ sleep 5 | |||
31 | send -- "firejail --list;pwd\r" | 31 | send -- "firejail --list;pwd\r" |
32 | expect { | 32 | expect { |
33 | timeout {puts "TESTING ERROR 4\n";exit} | 33 | timeout {puts "TESTING ERROR 4\n";exit} |
34 | "svntesting" {puts "TESTING ERROR 5\n";exit} | 34 | "jointesting" {puts "TESTING ERROR 5\n";exit} |
35 | "home" | 35 | "home" |
36 | } | 36 | } |
37 | sleep 1 | 37 | sleep 1 |
diff --git a/test/option-shutdown.exp b/test/option-shutdown.exp index 260a5b84f..e869f7611 100755 --- a/test/option-shutdown.exp +++ b/test/option-shutdown.exp | |||
@@ -4,7 +4,7 @@ set timeout 10 | |||
4 | spawn $env(SHELL) | 4 | spawn $env(SHELL) |
5 | match_max 100000 | 5 | match_max 100000 |
6 | 6 | ||
7 | send -- "firejail --name=svntesting\r" | 7 | send -- "firejail --name=shutdowntesting\r" |
8 | expect { | 8 | expect { |
9 | timeout {puts "TESTING ERROR 0\n";exit} | 9 | timeout {puts "TESTING ERROR 0\n";exit} |
10 | "Child process initialized" | 10 | "Child process initialized" |
@@ -12,7 +12,7 @@ expect { | |||
12 | sleep 3 | 12 | sleep 3 |
13 | 13 | ||
14 | spawn $env(SHELL) | 14 | spawn $env(SHELL) |
15 | send -- "firejail --shutdown=svntesting;pwd\r" | 15 | send -- "firejail --shutdown=shutdowntesting;pwd\r" |
16 | expect { | 16 | expect { |
17 | timeout {puts "TESTING ERROR 4\n";exit} | 17 | timeout {puts "TESTING ERROR 4\n";exit} |
18 | "home" | 18 | "home" |
@@ -22,9 +22,9 @@ sleep 1 | |||
22 | send -- "firejail --list;pwd\r" | 22 | send -- "firejail --list;pwd\r" |
23 | expect { | 23 | expect { |
24 | timeout {puts "TESTING ERROR 5\n";exit} | 24 | timeout {puts "TESTING ERROR 5\n";exit} |
25 | "svntesting" {puts "TESTING ERROR 6\n";exit} | 25 | "shutdowntesting" {puts "TESTING ERROR 6\n";exit} |
26 | "home" | 26 | "home" |
27 | } | 27 | } |
28 | sleep 1 | 28 | sleep 1 |
29 | 29 | ||
30 | puts "\n" | 30 | puts "\nalldone\n" |
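Review bot: `puts "\nalldone\n"` diverges from the `"\nall done\n"` that every other script in this commit prints (login_ssh.exp is changed to exactly that form in this same diff), so anyone grepping a run log for "all done" will miss this script; change it to `puts "\nall done\n"`. The same string appears at the end of option_tmpfs.exp.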
diff --git a/test/option_tmpfs.exp b/test/option_tmpfs.exp index 1ff47ab13..6522ef2d3 100755 --- a/test/option_tmpfs.exp +++ b/test/option_tmpfs.exp | |||
@@ -18,9 +18,27 @@ expect { | |||
18 | } | 18 | } |
19 | expect { | 19 | expect { |
20 | timeout {puts "TESTING ERROR 2\n";exit} | 20 | timeout {puts "TESTING ERROR 2\n";exit} |
21 | "home" | 21 | "/root" |
22 | } | 22 | } |
23 | sleep 1 | 23 | sleep 1 |
24 | send -- "exit\r" | ||
25 | sleep 2 | ||
24 | 26 | ||
25 | puts "\n" | 27 | send -- "firejail --debug-check-filename --tmpfs=\"bla&&bla\"\r" |
28 | expect { | ||
29 | timeout {puts "TESTING ERROR 13.1\n";exit} | ||
30 | "Checking filename bla&&bla" | ||
31 | } | ||
32 | expect { | ||
33 | timeout {puts "TESTING ERROR 13.2\n";exit} | ||
34 | "Error:" | ||
35 | } | ||
36 | expect { | ||
37 | timeout {puts "TESTING ERROR 13.3\n";exit} | ||
38 | "is an invalid filename" | ||
39 | } | ||
40 | after 100 | ||
41 | |||
42 | |||
43 | puts "\nalldone\n" | ||
26 | 44 | ||
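Review bot: The `--tmpfs="bla&&bla"` filename-validation check moves here from invalid_filename.exp, and because option_tmpfs.exp is now run only from test-root.sh, the non-root suite no longer exercises that rejection; if `--debug-check-filename` is expected to reject the name without root, keeping a copy in invalid_filename.exp preserves the coverage, and if `--tmpfs` is root-only a comment saying so explains the move. The "TESTING ERROR 13.x" numbers are carried over from the other file and do not follow this script's 0–2 sequence, which makes log triage harder. The `--private-home` invalid-filename check removed from invalid_filename.exp has no replacement visible in this part of the diff (private-keep.exp is deleted as well); if the option is being removed that is fine, otherwise that input-validation test is lost.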
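--- a/test/private-keep.exp
+++ /dev/null
@@ -1,192 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-#**************************************************************
-send -- "firejail --noprofile --private-home=.mozilla,.config/firejail\r"
-expect {
-timeout {puts "TESTING ERROR 0\n";exit}
-"Child process initialized"
-}
-sleep 1
-
-send -- "ls -al\r"
-expect {
-timeout {puts "TESTING ERROR 0.1\n";exit}
-".config"
-}
-expect {
-timeout {puts "TESTING ERROR 0.2\n";exit}
-".mozilla"
-}
-sleep 1
-
-send -- "find .config\r"
-expect {
-timeout {puts "TESTING ERROR 0.3\n";exit}
-".config"
-}
-expect {
-timeout {puts "TESTING ERROR 0.4\n";exit}
-".config/firejail"
-}
-sleep 1
-puts "\n"
-send -- "exit\r"
-sleep 2
-
-
-#**************************************************************
-send -- "firejail --profile=private-keep.profile\r"
-expect {
-timeout {puts "TESTING ERROR 1.0\n";exit}
-"Child process initialized"
-}
-sleep 1
-
-send -- "ls -al\r"
-expect {
-timeout {puts "TESTING ERROR 1.1\n";exit}
-".config"
-}
-expect {
-timeout {puts "TESTING ERROR 1.2\n";exit}
-".mozilla"
-}
-sleep 1
-
-send -- "find .config\r"
-expect {
-timeout {puts "TESTING ERROR 1.3\n";exit}
-".config"
-}
-expect {
-timeout {puts "TESTING ERROR 1.4\n";exit}
-".config/firejail"
-}
-sleep 1
-puts "\n"
-send -- "exit\r"
-sleep 2
-
-
-#**************************************************************
-send -- "firejail --noprofile --private-home=~/.mozilla,~/.config/firejail\r"
-expect {
-timeout {puts "TESTING ERROR 2\n";exit}
-"Child process initialized"
-}
-sleep 1
-
-send -- "ls -al\r"
-expect {
-timeout {puts "TESTING ERROR 2.1\n";exit}
-".config"
-}
-expect {
-timeout {puts "TESTING ERROR 2.2\n";exit}
-".mozilla"
-}
-sleep 1
-
-send -- "find .config\r"
-expect {
-timeout {puts "TESTING ERROR 2.3\n";exit}
-".config"
-}
-expect {
-timeout {puts "TESTING ERROR 2.4\n";exit}
-".config/firejail"
-}
-sleep 1
-puts "\n"
-send -- "exit\r"
-sleep 2
-
-
-#**************************************************************
-send -- "firejail --noprofile --private-home=~/.mozilla,~/.config/firejail\r"
-expect {
-timeout {puts "TESTING ERROR 3\n";exit}
-"Child process initialized"
-}
-sleep 1
-
-send -- "ls -al\r"
-expect {
-timeout {puts "TESTING ERROR 3.1\n";exit}
-".config"
-}
-expect {
-timeout {puts "TESTING ERROR 3.2\n";exit}
-".mozilla"
-}
-sleep 1
-
-send -- "find .config\r"
-expect {
-timeout {puts "TESTING ERROR 3.3\n";exit}
-".config"
-}
-expect {
-timeout {puts "TESTING ERROR 3.4\n";exit}
-".config/firejail"
-}
-sleep 1
-puts "\n"
-send -- "exit\r"
-sleep 2
-
-#**************************************************************
-send -- "firejail --noprofile --private-home=/home/netblue/.mozilla,/home/netblue/.config/firejail\r"
-expect {
-timeout {puts "TESTING ERROR 4\n";exit}
-"Child process initialized"
-}
-sleep 1
-
-send -- "ls -al\r"
-expect {
-timeout {puts "TESTING ERROR 4.1\n";exit}
-".config"
-}
-expect {
-timeout {puts "TESTING ERROR 4.2\n";exit}
-".mozilla"
-}
-sleep 1
-
-send -- "find .config\r"
-expect {
-timeout {puts "TESTING ERROR 4.3\n";exit}
-".config"
-}
-expect {
-timeout {puts "TESTING ERROR 4.4\n";exit}
-".config/firejail"
-}
-sleep 1
-puts "\n"
-send -- "exit\r"
-sleep 2
-
-#**************************************************************
-send -- "firejail --noprofile --private-home=/home/netblue/../netblue/.mozilla,/home/netblue/.config/firejail\r"
-expect {
-timeout {puts "TESTING ERROR 5\n";exit}
-"Error: invalid private-home list"
-}
-sleep 1
-
-#**************************************************************
-send -- "firejail --noprofile --private-home=/root\r"
-expect {
-timeout {puts "TESTING ERROR 6\n";exit}
-"Error: only files or directories created by the current user are allowed"
-}
-sleep 1
-
-puts "all done\n"
-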
diff --git a/test/servers3.exp b/test/servers3.exp index 20a20a88d..eccdaa1d9 100755 --- a/test/servers3.exp +++ b/test/servers3.exp | |||
@@ -45,7 +45,7 @@ expect { | |||
45 | send -- "cat index.html\r" | 45 | send -- "cat index.html\r" |
46 | expect { | 46 | expect { |
47 | timeout {puts "TESTING ERROR 4\n";exit} | 47 | timeout {puts "TESTING ERROR 4\n";exit} |
48 | "This is the default web page for this server" | 48 | "DOCTYPE html PUBLIC" |
49 | } | 49 | } |
50 | 50 | ||
51 | sleep 1 | 51 | sleep 1 |
@@ -63,6 +63,13 @@ expect { | |||
63 | "ppp" {puts "TESTING ERROR 6\n";exit} | 63 | "ppp" {puts "TESTING ERROR 6\n";exit} |
64 | "log" | 64 | "log" |
65 | } | 65 | } |
66 | sleep 1 | ||
67 | send -- "ls -al /tmp;pwd\r" | ||
68 | expect { | ||
69 | timeout {puts "TESTING ERROR 10\n";exit} | ||
70 | "X11-unix" {puts "TESTING ERROR 11\n";exit} | ||
71 | "/root" | ||
72 | } | ||
66 | sleep 2 | 73 | sleep 2 |
67 | 74 | ||
68 | puts "\nall done\n" | 75 | puts "\nall done\n" |
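Review bot: The new `ls -al /tmp;pwd` check proves private-tmp only if the host actually has a `/tmp/.X11-unix` directory; on a headless server the "X11-unix" branch can never fire and the assertion passes vacuously, so the "private-tmp" claim in test-root.sh's echo is stronger than what is verified there. Creating a marker file in /tmp before the sandbox is started (the start is above this hunk) and listing its name next to "X11-unix" as a failure pattern makes the check independent of the host's desktop state. servers6.exp adds the identical block and has the same gap.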
diff --git a/test/servers6.exp b/test/servers6.exp index 2179f6f98..9ef4ea514 100755 --- a/test/servers6.exp +++ b/test/servers6.exp | |||
@@ -45,7 +45,7 @@ expect { | |||
45 | send -- "cat index.html\r" | 45 | send -- "cat index.html\r" |
46 | expect { | 46 | expect { |
47 | timeout {puts "TESTING ERROR 4\n";exit} | 47 | timeout {puts "TESTING ERROR 4\n";exit} |
48 | "Welcome to nginx" | 48 | "DOCTYPE html PUBLIC" |
49 | } | 49 | } |
50 | 50 | ||
51 | sleep 1 | 51 | sleep 1 |
@@ -63,6 +63,13 @@ expect { | |||
63 | "ppp" {puts "TESTING ERROR 6\n";exit} | 63 | "ppp" {puts "TESTING ERROR 6\n";exit} |
64 | "log" | 64 | "log" |
65 | } | 65 | } |
66 | sleep 1 | ||
67 | send -- "ls -al /tmp;pwd\r" | ||
68 | expect { | ||
69 | timeout {puts "TESTING ERROR 10\n";exit} | ||
70 | "X11-unix" {puts "TESTING ERROR 11\n";exit} | ||
71 | "/root" | ||
72 | } | ||
66 | sleep 2 | 73 | sleep 2 |
67 | 74 | ||
68 | puts "\nall done\n" | 75 | puts "\nall done\n" |
diff --git a/test/test-root.sh b/test/test-root.sh index ac6b2ef00..1c3fc4c96 100755 --- a/test/test-root.sh +++ b/test/test-root.sh | |||
@@ -2,6 +2,12 @@ | |||
2 | 2 | ||
3 | ./chk_config.exp | 3 | ./chk_config.exp |
4 | 4 | ||
5 | echo "TESTING: tmpfs" | ||
6 | ./option_tmpfs.exp | ||
7 | |||
8 | echo "TESTING: profile tmpfs" | ||
9 | ./profile_tmpfs.exp | ||
10 | |||
5 | echo "TESTING: network interfaces" | 11 | echo "TESTING: network interfaces" |
6 | ./net_interface.exp | 12 | ./net_interface.exp |
7 | 13 | ||
@@ -16,7 +22,7 @@ fi | |||
16 | 22 | ||
17 | if [ -f /etc/init.d/apache2 ] | 23 | if [ -f /etc/init.d/apache2 ] |
18 | then | 24 | then |
19 | echo "TESTING: servers apache2, private-dev" | 25 | echo "TESTING: servers apache2, private-dev, private-tmp" |
20 | ./servers3.exp | 26 | ./servers3.exp |
21 | fi | 27 | fi |
22 | 28 | ||
@@ -28,13 +34,13 @@ fi | |||
28 | 34 | ||
29 | if [ -f /etc/init.d/unbound ] | 35 | if [ -f /etc/init.d/unbound ] |
30 | then | 36 | then |
31 | echo "TESTING: servers unbound, private-dev" | 37 | echo "TESTING: servers unbound, private-dev, private-tmp" |
32 | ./servers5.exp | 38 | ./servers5.exp |
33 | fi | 39 | fi |
34 | 40 | ||
35 | if [ -f /etc/init.d/nginx ] | 41 | if [ -f /etc/init.d/nginx ] |
36 | then | 42 | then |
37 | echo "TESTING: servers nginx, private-dev" | 43 | echo "TESTING: servers nginx, private-dev, private-tmp" |
38 | ./servers6.exp | 44 | ./servers6.exp |
39 | fi | 45 | fi |
40 | 46 | ||
@@ -66,3 +72,10 @@ then | |||
66 | echo "TESTING: firemon --cgroup" | 72 | echo "TESTING: firemon --cgroup" |
67 | ./firemon-cgroup.exp | 73 | ./firemon-cgroup.exp |
68 | fi | 74 | fi |
75 | |||
76 | echo "TESTING: chroot resolv.conf" | ||
77 | rm -f tmpfile | ||
78 | touch tmpfile | ||
79 | ln -s tmp /tmp/chroot/etc/resolv.conf | ||
80 | ./chroot-resolvconf.exp | ||
81 | rm -f tmpfile | ||
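Review bot: `ln -s tmp /tmp/chroot/etc/resolv.conf` fails on every run after the first because the link already exists, and unlike `tmpfile` it is never removed, so the chroot fixture stays modified for all later tests that use /tmp/chroot and for every test in this script that runs before it on the next invocation; the script has no `set -e`, so the failure is also silent. Using `ln -sf`, moving any existing resolv.conf aside before the link is made and restoring it after `./chroot-resolvconf.exp`, keeps the fixture stable. A one-line comment on what the relative `tmp` target and the `tmpfile` in the current directory are for would help, since chroot-resolvconf.exp is not in this diff and the intent (presumably that the sandbox must not follow a resolv.conf symlink out of the chroot — confirm) is not visible here.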
diff --git a/test/test.sh b/test/test.sh index 44bb7ba99..923a9b390 100755 --- a/test/test.sh +++ b/test/test.sh | |||
@@ -6,6 +6,9 @@ | |||
6 | 6 | ||
7 | ./fscheck.sh | 7 | ./fscheck.sh |
8 | 8 | ||
9 | echo "TESTING: nice" | ||
10 | ./nice.exp | ||
11 | |||
9 | echo "TESTING: protocol" | 12 | echo "TESTING: protocol" |
10 | ./protocol.exp | 13 | ./protocol.exp |
11 | 14 | ||
@@ -15,6 +18,9 @@ echo "TESTING: invalid filename" | |||
15 | echo "TESTING: environment variables" | 18 | echo "TESTING: environment variables" |
16 | ./env.exp | 19 | ./env.exp |
17 | 20 | ||
21 | echo "TESTING: whitelist empty" | ||
22 | ./whitelist-empty.exp | ||
23 | |||
18 | echo "TESTING: ignore command" | 24 | echo "TESTING: ignore command" |
19 | ./ignore.exp | 25 | ./ignore.exp |
20 | 26 | ||
@@ -86,6 +92,9 @@ rm -f index.html* | |||
86 | echo "TESTING: extract command" | 92 | echo "TESTING: extract command" |
87 | ./extract_command.exp | 93 | ./extract_command.exp |
88 | 94 | ||
95 | echo "TESTING: kmsg access" | ||
96 | ./kmsg.exp | ||
97 | |||
89 | echo "TESTING: rlimit" | 98 | echo "TESTING: rlimit" |
90 | ./option_rlimit.exp | 99 | ./option_rlimit.exp |
91 | 100 | ||
@@ -107,9 +116,6 @@ echo "TESTING: firejail in firejail - force new sandbox" | |||
107 | echo "TESTING: chroot overlay" | 116 | echo "TESTING: chroot overlay" |
108 | ./option_chroot_overlay.exp | 117 | ./option_chroot_overlay.exp |
109 | 118 | ||
110 | echo "TESTING: tmpfs" | ||
111 | ./option_tmpfs.exp | ||
112 | |||
113 | echo "TESTING: blacklist directory" | 119 | echo "TESTING: blacklist directory" |
114 | ./option_blacklist.exp | 120 | ./option_blacklist.exp |
115 | 121 | ||
@@ -175,9 +181,6 @@ echo "TESTING: profile rlimit" | |||
175 | echo "TESTING: profile read-only" | 181 | echo "TESTING: profile read-only" |
176 | ./profile_readonly.exp | 182 | ./profile_readonly.exp |
177 | 183 | ||
178 | echo "TESTING: profile tmpfs" | ||
179 | ./profile_tmpfs.exp | ||
180 | |||
181 | echo "TESTING: private" | 184 | echo "TESTING: private" |
182 | ./private.exp `whoami` | 185 | ./private.exp `whoami` |
183 | 186 | ||
@@ -193,29 +196,8 @@ mkdir dirprivate | |||
193 | ./private_dir_profile.exp | 196 | ./private_dir_profile.exp |
194 | rm -fr dirprivate | 197 | rm -fr dirprivate |
195 | 198 | ||
196 | echo "TESTING: private keep" | 199 | echo "TESTING: overlayfs" |
197 | ./private-keep.exp | 200 | ./fs_overlay.exp |
198 | |||
199 | uname -r | grep "3.18" | ||
200 | if [ "$?" -eq 0 ]; | ||
201 | then | ||
202 | echo "TESTING: overlayfs on 3.18 kernel" | ||
203 | ./fs_overlay.exp | ||
204 | fi | ||
205 | |||
206 | grep "openSUSE" /etc/os-release | ||
207 | if [ "$?" -eq 0 ]; | ||
208 | then | ||
209 | echo "TESTING: overlayfs" | ||
210 | ./fs_overlay.exp | ||
211 | fi | ||
212 | |||
213 | grep "Ubuntu" /etc/os-release | ||
214 | if [ "$?" -eq 0 ]; | ||
215 | then | ||
216 | echo "TESTING: overlayfs" | ||
217 | ./fs_overlay.exp | ||
218 | fi | ||
219 | 201 | ||
220 | echo "TESTING: seccomp debug" | 202 | echo "TESTING: seccomp debug" |
221 | ./seccomp-debug.exp | 203 | ./seccomp-debug.exp |
@@ -269,6 +251,7 @@ echo "TESTING: network IP" | |||
269 | ./net_ip.exp | 251 | ./net_ip.exp |
270 | 252 | ||
271 | echo "TESTING: network MAC" | 253 | echo "TESTING: network MAC" |
254 | sleep 2 | ||
272 | ./net_mac.exp | 255 | ./net_mac.exp |
273 | 256 | ||
274 | echo "TESTING: network MTU" | 257 | echo "TESTING: network MTU" |
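Review bot: fs_overlay.exp now runs unconditionally in the "TESTING: overlayfs" step, while the removed lines show it was previously gated on a 3.18 kernel or an openSUSE/Ubuntu release, which suggests the test fails on hosts where overlayfs is not available; unless fs_overlay.exp detects that itself, the suite will now report a failure there rather than skipping. A cheap guard keeps the intent of the old checks without hard-coding distributions, e.g. `grep -qw overlay /proc/filesystems && ./fs_overlay.exp || echo "SKIPPED: overlayfs not available"` (note /proc/filesystems only lists loaded filesystems, so a modprobe may be needed first). Separately, the bare `sleep 2` added before net_mac.exp is an unexplained fixed delay that will be flaky on a loaded machine; if it is waiting for the previous test's interface teardown, say so in a comment, `sleep 2 # allow the previous test's network namespace to be torn down`, and consider polling for the condition instead. None of the `./*.exp` invocations check an exit status, so a failing expect script is only visible by reading the log.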
diff --git a/test/whitelist-empty.exp b/test/whitelist-empty.exp new file mode 100755 index 000000000..226b019db --- /dev/null +++ b/test/whitelist-empty.exp | |||
@@ -0,0 +1,50 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | |||
3 | set timeout 30 | ||
4 | spawn $env(SHELL) | ||
5 | match_max 100000 | ||
6 | |||
7 | send -- "firejail --whitelist=~/blablabla --whitelist=/tmp/blablabla --whitelist=/media/blablabla --whitelist=/var/blablabla --whitelist=/dev/blablabla --whitelist=/opt/blablabla\r" | ||
8 | expect { | ||
9 | timeout {puts "TESTING ERROR 0\n";exit} | ||
10 | "Child process initialized" | ||
11 | } | ||
12 | sleep 1 | ||
13 | |||
14 | send -- "ls -l ~/ | wc -l\r" | ||
15 | expect { | ||
16 | timeout {puts "TESTING ERROR 1\n";exit} | ||
17 | "0" | ||
18 | } | ||
19 | |||
20 | send -- "ls -l /tmp | wc -l\r" | ||
21 | expect { | ||
22 | timeout {puts "TESTING ERROR 2\n";exit} | ||
23 | "0" | ||
24 | } | ||
25 | |||
26 | send -- "ls -l /media | wc -l\r" | ||
27 | expect { | ||
28 | timeout {puts "TESTING ERROR 3\n";exit} | ||
29 | "0" | ||
30 | } | ||
31 | |||
32 | send -- "ls -l /var | wc -l\r" | ||
33 | expect { | ||
34 | timeout {puts "TESTING ERROR 4\n";exit} | ||
35 | "0" | ||
36 | } | ||
37 | |||
38 | send -- "ls -l /dev | wc -l\r" | ||
39 | expect { | ||
40 | timeout {puts "TESTING ERROR 5\n";exit} | ||
41 | "0" | ||
42 | } | ||
43 | send -- "ls -l /opt | wc -l\r" | ||
44 | expect { | ||
45 | timeout {puts "TESTING ERROR 6\n";exit} | ||
46 | "0" | ||
47 | } | ||
48 | |||
49 | |||
50 | puts "\nall done\n" | ||
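Review bot: Each of the six probes expects the bare pattern `"0"`, which matches any zero anywhere in the buffered output (a PID in the prompt, a digit in a hostname, firejail's own banner), so the test can pass while a directory is clearly non-empty; and conversely GNU `ls -l` prints `total 0` for an empty directory, so `wc -l` reports 1 and a genuine empty directory may never produce the expected 0 on its own. Tightening both the command and the match fixes this, e.g. `send -- "ls -A ~/ | wc -l\r"` followed by `-re "wc -l\r\n0\r\n"` in place of `"0"`, applied identically to the /tmp, /media, /var, /dev and /opt probes. The timeout handlers call `exit` with no status, which leaves the script's exit code 0, so a failed run is indistinguishable from a passing one to any caller; use `exit 1`. The opening `expect` also never checks that firejail actually accepted the six non-existent whitelist paths rather than printing an error before "Child process initialized".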
@@ -115,3 +115,9 @@ The POSIX standard defines what a “portable filename” is. This turns out to | |||
115 | http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_276 | 115 | http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_276 |
116 | 116 | ||
117 | 22. --shutdown does not clear sandboxes started with --join on Debian jessie | 117 | 22. --shutdown does not clear sandboxes started with --join on Debian jessie |
118 | |||
119 | 23. to document: | ||
120 | |||
121 | http://lwn.net/Articles/414813/ | ||
122 | echo 1 > /proc/sys/kernel/dmesg_restrict | ||
123 | |||