-rw-r--r--README1
-rw-r--r--README.md2
-rw-r--r--RELNOTES3
-rw-r--r--etc/JDownloader.profile51
-rw-r--r--etc/disable-programs.inc1
-rw-r--r--etc/jdownloader.profile10
-rw-r--r--src/firecfg/firecfg.config2
-rw-r--r--src/firejail/fs.c16
-rw-r--r--src/firejail/main.c78
9 files changed, 118 insertions, 46 deletions
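diff --git a/README b/README
index d84c36fa1..9ca6e6f60 100644
--- a/README
+++ b/README
@@ -656,6 +656,7 @@ Veeti Paananen (https://github.com/veeti)
 veloute (https://github.com/veloute)
  - added standardnotes profile
  - added flameshot profile
+ - added jdownloader profile
 Vincent43 (https://github.com/Vincent43)
  - apparmor enhancements
 vismir2 (https://github.com/vismir2)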
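diff --git a/README.md b/README.md
index 89b85a09a..18cdeb407 100644
--- a/README.md
+++ b/README.md
@@ -167,4 +167,4 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 ## New profiles
 Microsoft Office Online, riot-desktop, gnome-mpv, snox, gradio, standardnotes-desktop,
 shellcheck, patch, flameshot, rview, rvim, vimcat, vimdiff, vimpager, vimtutor,
-xxd, Beaker, electrum, clamtk, pybitmessage, dig, whois
+xxd, Beaker, electrum, clamtk, pybitmessage, dig, whois, jdownloader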
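diff --git a/RELNOTES b/RELNOTES
index 74c7551f5..7d78aab58 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -19,7 +19,8 @@ firejail (0.9.56~rc1) baseline; urgency=low
   * new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox, gradio,
   * new profiles: standardnotes-desktop, shellcheck, patch, flameshot,
   * new profiles: rview, rvim, vimcat, vimdiff, vimpager, vimtutor, xxd,
-  * new profiles: Beaker, electrum, clamtk, pybitmessage, dig, whois
+  * new profiles: Beaker, electrum, clamtk, pybitmessage, dig, whois,
+  * new profiles: jdownloader
   -- netblue30 <netblue30@yahoo.com> Sat, 11 Aug 2018 08:00:00 -0500
 
 firejail (0.9.54) baseline; urgency=low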
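diff --git a/etc/JDownloader.profile b/etc/JDownloader.profile
new file mode 100644
index 000000000..659a41603
--- /dev/null
+++ b/etc/JDownloader.profile
@@ -0,0 +1,51 @@
+# Firejail profile for JDownloader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/JDownloader.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.jd
+
+# Allow access to java
+noblacklist ${PATH}/java
+noblacklist /usr/lib/java
+noblacklist /etc/java
+noblacklist /usr/share/java
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-xdg.inc
+
+mkdir ${HOME}/.jd
+whitelist ${HOME}/.jd
+whitelist ${DOWNLOADS}
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-cache
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp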
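Review bot: The profile never says where JDownloader is expected to be installed, and `mkdir ${HOME}/.jd` followed by `whitelist ${HOME}/.jd` and `whitelist ${DOWNLOADS}` leaves every other path under the home directory outside the sandbox view, apart from whatever whitelist-common.inc adds. An installation kept elsewhere under ${HOME} would then presumably not be reachable from inside the sandbox. A short comment above the `mkdir` line would make the assumption visible: `# JDownloader is expected to live in ${HOME}/.jd; whitelist any other install directory in JDownloader.local`.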
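diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index d685fceed..1213e4f24 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -287,6 +287,7 @@ blacklist ${HOME}/.inkscape
 blacklist ${HOME}/.jack-server
 blacklist ${HOME}/.jack-settings
 blacklist ${HOME}/.java
+blacklist ${HOME}/.jd
 blacklist ${HOME}/.jitsi
 blacklist ${HOME}/.kde/share/apps/digikam
 blacklist ${HOME}/.kde/share/apps/gwenview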
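diff --git a/etc/jdownloader.profile b/etc/jdownloader.profile
new file mode 100644
index 000000000..dbcc85e8d
--- /dev/null
+++ b/etc/jdownloader.profile
@@ -0,0 +1,10 @@
+# Firejail profile for jdownloader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/jdownloader.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+# Redirect
+include /etc/firejail/JDownloader.profile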
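diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 5ae1c28cd..676c2d90a 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -10,6 +10,7 @@ Discord
 DiscordCanary
 FossaMail
 Fritzing
+JDownloader
 Mathematica
 Natron
 Telegram
@@ -218,6 +219,7 @@ inox
 iridium
 iridium-browser
 jd-gui
+jdownloader
 jitsi
 k3b
 kaffeine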
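diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 09c26fc92..fa3b3da0a 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -1160,7 +1160,7 @@ void fs_check_chroot_dir(const char *rootdir) {
  if (asprintf(&overlay, "%s/.firejail", cfg.homedir) == -1)
  errExit("asprintf");
  if (strncmp(rootdir, overlay, strlen(overlay)) == 0) {
- fprintf(stderr, "Error: invalid chroot directory %s\n", rootdir);
+ fprintf(stderr, "Error: invalid chroot directory: no directories in ~/.firejail are allowed\n");
  exit(1);
  }
  free(overlay);
@@ -1171,7 +1171,7 @@ void fs_check_chroot_dir(const char *rootdir) {
  fprintf(stderr, "Error: invalid chroot directory %s\n", rootdir);
  exit(1);
  }
- // rootdir has to be owned by root and is not allowed to be world-writable;
+ // rootdir has to be owned by root and is not allowed to be generally writable,
  // this also excludes /tmp, /var/tmp and such
  if (fstat(parentfd, &s) == -1)
  errExit("fstat");
@@ -1179,8 +1179,8 @@ void fs_check_chroot_dir(const char *rootdir) {
  fprintf(stderr, "Error: chroot directory should be owned by root\n");
  exit(1);
  }
- if ((S_IWOTH & s.st_mode) != 0) {
- fprintf(stderr, "Error: chroot directory should not be world-writable\n");
+ if (((S_IWGRP|S_IWOTH) & s.st_mode) != 0) {
+ fprintf(stderr, "Error: only root user should be given write permission on chroot directory\n");
  exit(1);
  }
 
@@ -1252,8 +1252,8 @@ void fs_check_chroot_dir(const char *rootdir) {
  fprintf(stderr, "Error: chroot /etc should be a directory owned by root\n");
  exit(1);
  }
- if ((S_IWOTH & s.st_mode) != 0) {
- fprintf(stderr, "Error: chroot /etc should not be world-writable\n");
+ if (((S_IWGRP|S_IWOTH) & s.st_mode) != 0) {
+ fprintf(stderr, "Error: only root user should be given write permission on chroot /etc\n");
  exit(1);
  }
  close(fd);
@@ -1346,8 +1346,8 @@ void fs_chroot(const char *rootdir) {
  fprintf(stderr, "Error: chroot /run should be a directory owned by root\n");
  exit(1);
  }
- if ((S_IWOTH & s.st_mode) != 0) {
- fprintf(stderr, "Error: chroot /run should not be world-writable\n");
+ if (((S_IWGRP|S_IWOTH) & s.st_mode) != 0) {
+ fprintf(stderr, "Error: only root user should be given write permission on chroot /run\n");
  exit(1);
  }
  }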
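Review bot: The reworded comment above the `fstat(parentfd, &s)` call says the directory must not be "generally writable", which does not tell a reader what the test below it enforces; `// rootdir has to be owned by root and must not be group- or world-writable;` matches the new `(S_IWGRP|S_IWOTH)` mask. The same three-line mode test now appears for the chroot directory, `/etc` and `/run` with only the path in the message differing, so a small static helper taking the `struct stat` and a label would keep the three checks from drifting apart. The mask looks at mode bits only; whether write access granted through ACLs matters for these directories is not visible from the hunks. Both fs_check_chroot_dir and fs_chroot continue outside the hunks shown.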
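diff --git a/src/firejail/main.c b/src/firejail/main.c
index b5d46808a..3f8640e9a 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -860,6 +860,8 @@ int main(int argc, char **argv) {
  int lockfd_directory = -1;
  int option_cgroup = 0;
  int custom_profile = 0; // custom profile loaded
+ int arg_seccomp_cmdline = 0; // seccomp requested on command line (used to break --chroot)
+ int arg_caps_cmdline = 0; // seccomp requested on command line (used to break --chroot)
 
  // drop permissions by default and rise them when required
  EUID_INIT();
@@ -1144,6 +1146,7 @@ int main(int argc, char **argv) {
  }
  arg_seccomp = 1;
  cfg.seccomp_list = seccomp_check_list(argv[i] + 10);
+ arg_seccomp_cmdline = 1;
  }
  else
  exit_err_feature("seccomp");
@@ -1156,6 +1159,7 @@ int main(int argc, char **argv) {
  }
  arg_seccomp = 1;
  cfg.seccomp_list_drop = seccomp_check_list(argv[i] + 15);
+ arg_seccomp_cmdline = 1;
  }
  else
  exit_err_feature("seccomp");
@@ -1168,6 +1172,7 @@ int main(int argc, char **argv) {
  }
  arg_seccomp = 1;
  cfg.seccomp_list_keep = seccomp_check_list(argv[i] + 15);
+ arg_seccomp_cmdline = 1;
  }
  else
  exit_err_feature("seccomp");
@@ -1186,8 +1191,10 @@ int main(int argc, char **argv) {
  exit_err_feature("seccomp");
  }
 #endif
- else if (strcmp(argv[i], "--caps") == 0)
+ else if (strcmp(argv[i], "--caps") == 0) {
  arg_caps_default_filter = 1;
+ arg_caps_cmdline = 1;
+ }
  else if (strcmp(argv[i], "--caps.drop=all") == 0)
  arg_caps_drop_all = 1;
  else if (strncmp(argv[i], "--caps.drop=", 12) == 0) {
@@ -1197,6 +1204,7 @@ int main(int argc, char **argv) {
  errExit("strdup");
  // verify caps list and exit if problems
  caps_check_list(arg_caps_list, NULL);
+ arg_caps_cmdline = 1;
  }
  else if (strncmp(argv[i], "--caps.keep=", 12) == 0) {
  arg_caps_keep = 1;
@@ -1205,9 +1213,8 @@ int main(int argc, char **argv) {
  errExit("strdup");
  // verify caps list and exit if problems
  caps_check_list(arg_caps_list, NULL);
+ arg_caps_cmdline = 1;
  }
-
-
  else if (strcmp(argv[i], "--trace") == 0)
  arg_trace = 1;
  else if (strcmp(argv[i], "--tracelog") == 0)
@@ -2218,6 +2225,14 @@ int main(int argc, char **argv) {
  }
  EUID_ASSERT();
 
+ // exit for --chroot sandboxes when secomp or caps are explicitly specified on command line
+ if (getuid() != 0 && cfg.chrootdir && (arg_seccomp_cmdline || arg_caps_cmdline)) {
+ fprintf(stderr, "Error: for chroot sandboxes, default seccomp and capabilities filters are\n"
+ "enabled by default. Please remove all --seccomp and --caps options from the\n"
+ "command line.\n");
+ exit(1);
+ }
+
  // prog_index could still be -1 if no program was specified
  if (prog_index == -1 && arg_shell_none) {
  fprintf(stderr, "Error: shell=none configured, but no program specified\n");
@@ -2232,12 +2247,12 @@ int main(int argc, char **argv) {
  // check user namespace (--noroot) options
  if (arg_noroot) {
  if (arg_overlay) {
- fprintf(stderr, "Error: --overlay and --noroot are mutually exclusive.\n");
- exit(1);
+ fwarning("--overlay and --noroot are mutually exclusive, --noroot disabled...\n");
+ arg_noroot = 0;
  }
  else if (cfg.chrootdir) {
- fprintf(stderr, "Error: --chroot and --noroot are mutually exclusive.\n");
- exit(1);
+ fwarning("--chroot and --noroot are mutually exclusive, --noroot disabled...\n");
+ arg_noroot = 0;
  }
  }
 
@@ -2311,39 +2326,30 @@ int main(int argc, char **argv) {
 
  // use default.profile as the default
  if (!custom_profile && !arg_noprofile) {
- if (cfg.chrootdir) {
- fwarning("default profile disabled by --chroot option\n");
- }
-// else if (arg_overlay) {
-// fwarning("default profile disabled by --overlay option\n");
-// }
- else {
- // try to load a default profile
- char *profile_name = DEFAULT_USER_PROFILE;
- if (getuid() == 0)
- profile_name = DEFAULT_ROOT_PROFILE;
- if (arg_debug)
- printf("Attempting to find %s.profile...\n", profile_name);
-
- // look for the profile in ~/.config/firejail directory
- char *usercfgdir;
- if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1)
- errExit("asprintf");
- custom_profile = profile_find(profile_name, usercfgdir);
- free(usercfgdir);
+ char *profile_name = DEFAULT_USER_PROFILE;
+ if (getuid() == 0)
+ profile_name = DEFAULT_ROOT_PROFILE;
+ if (arg_debug)
+ printf("Attempting to find %s.profile...\n", profile_name);
 
- if (!custom_profile)
- // look for the profile in /etc/firejail directory
- custom_profile = profile_find(profile_name, SYSCONFDIR);
+ // look for the profile in ~/.config/firejail directory
+ char *usercfgdir;
+ if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1)
+ errExit("asprintf");
+ custom_profile = profile_find(profile_name, usercfgdir);
+ free(usercfgdir);
 
- if (!custom_profile) {
- fprintf(stderr, "Error: no default.profile installed\n");
- exit(1);
- }
+ if (!custom_profile)
+ // look for the profile in /etc/firejail directory
+ custom_profile = profile_find(profile_name, SYSCONFDIR);
 
- if (custom_profile)
- fmessage("\n** Note: you can use --noprofile to disable %s.profile **\n\n", profile_name);
+ if (!custom_profile) {
+ fprintf(stderr, "Error: no default.profile installed\n");
+ exit(1);
  }
+
+ if (custom_profile)
+ fmessage("\n** Note: you can use --noprofile to disable %s.profile **\n\n", profile_name);
  }
  EUID_ASSERT();
 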
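Review bot: An explicit `--noroot` given together with `--chroot` or `--overlay` now fails open: the `arg_noroot` block prints a warning, clears the flag and starts the sandbox without the user namespace the caller asked for, where the old code exited. This is presumably needed because the last hunk now loads the default profile for chroot sandboxes and a profile may set `noroot`, but the block does not distinguish a profile-supplied setting from one typed on the command line. Consider keeping `exit(1)` for the command-line case, or at least stating in the warning that the sandbox will run without a user namespace. Separately, the comment on the added `arg_caps_cmdline` declaration is a copy of the seccomp one and should read `// caps requested on command line (used to break --chroot)`. main() starts and ends outside these hunks.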