-rw-r--r-- | README | 1 | ||||
-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | RELNOTES | 3 | ||||
-rw-r--r-- | etc/JDownloader.profile | 51 | ||||
-rw-r--r-- | etc/disable-programs.inc | 1 | ||||
-rw-r--r-- | etc/jdownloader.profile | 10 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 2 | ||||
-rw-r--r-- | src/firejail/fs.c | 16 | ||||
-rw-r--r-- | src/firejail/main.c | 78 |
9 files changed, 118 insertions, 46 deletions
@@ -656,6 +656,7 @@ Veeti Paananen (https://github.com/veeti) | |||
656 | veloute (https://github.com/veloute) | 656 | veloute (https://github.com/veloute) |
657 | - added standardnotes profile | 657 | - added standardnotes profile |
658 | - added flameshot profile | 658 | - added flameshot profile |
659 | - added jdownloader profile | ||
659 | Vincent43 (https://github.com/Vincent43) | 660 | Vincent43 (https://github.com/Vincent43) |
660 | - apparmor enhancements | 661 | - apparmor enhancements |
661 | vismir2 (https://github.com/vismir2) | 662 | vismir2 (https://github.com/vismir2) |
@@ -167,4 +167,4 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
167 | ## New profiles | 167 | ## New profiles |
168 | Microsoft Office Online, riot-desktop, gnome-mpv, snox, gradio, standardnotes-desktop, | 168 | Microsoft Office Online, riot-desktop, gnome-mpv, snox, gradio, standardnotes-desktop, |
169 | shellcheck, patch, flameshot, rview, rvim, vimcat, vimdiff, vimpager, vimtutor, | 169 | shellcheck, patch, flameshot, rview, rvim, vimcat, vimdiff, vimpager, vimtutor, |
170 | xxd, Beaker, electrum, clamtk, pybitmessage, dig, whois | 170 | xxd, Beaker, electrum, clamtk, pybitmessage, dig, whois, jdownloader |
@@ -19,7 +19,8 @@ firejail (0.9.56~rc1) baseline; urgency=low | |||
19 | * new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox, gradio, | 19 | * new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox, gradio, |
20 | * new profiles: standardnotes-desktop, shellcheck, patch, flameshot, | 20 | * new profiles: standardnotes-desktop, shellcheck, patch, flameshot, |
21 | * new profiles: rview, rvim, vimcat, vimdiff, vimpager, vimtutor, xxd, | 21 | * new profiles: rview, rvim, vimcat, vimdiff, vimpager, vimtutor, xxd, |
22 | * new profiles: Beaker, electrum, clamtk, pybitmessage, dig, whois | 22 | * new profiles: Beaker, electrum, clamtk, pybitmessage, dig, whois, |
23 | * new profiles: jdownloader | ||
23 | -- netblue30 <netblue30@yahoo.com> Sat, 11 Aug 2018 08:00:00 -0500 | 24 | -- netblue30 <netblue30@yahoo.com> Sat, 11 Aug 2018 08:00:00 -0500 |
24 | 25 | ||
25 | firejail (0.9.54) baseline; urgency=low | 26 | firejail (0.9.54) baseline; urgency=low |
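--- /dev/null
+++ b/etc/JDownloader.profile
@@ -0,0 +1,51 @@
+# Firejail profile for JDownloader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/JDownloader.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.jd
+
+# Allow access to java
+noblacklist ${PATH}/java
+noblacklist /usr/lib/java
+noblacklist /etc/java
+noblacklist /usr/share/java
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-xdg.inc
+
+mkdir ${HOME}/.jd
+whitelist ${HOME}/.jd
+whitelist ${DOWNLOADS}
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-cache
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp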
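Review bot: The profile never states where it expects JDownloader to be installed, yet the whitelist block at lines 24-28 exposes only `${HOME}/.jd` and `${DOWNLOADS}` under the home directory, so an installation anywhere else in `${HOME}` would presumably be hidden and the sandboxed launcher would not find its jars. A header line such as `# Expects JDownloader to live in ${HOME}/.jd; other locations under ${HOME} are hidden by the whitelist below` would make the assumption explicit for anyone adapting the profile. The `noblacklist` entries at lines 12-15 undo rules from the included disable-*.inc files, which are not shown here; naming the include they override in the existing `# Allow access to java` comment would help the next maintainer.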
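--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -287,6 +287,7 @@ blacklist ${HOME}/.inkscape
 blacklist ${HOME}/.jack-server
 blacklist ${HOME}/.jack-settings
 blacklist ${HOME}/.java
+blacklist ${HOME}/.jd
 blacklist ${HOME}/.jitsi
 blacklist ${HOME}/.kde/share/apps/digikam
 blacklist ${HOME}/.kde/share/apps/gwenview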
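--- /dev/null
+++ b/etc/jdownloader.profile
@@ -0,0 +1,10 @@
+# Firejail profile for jdownloader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/jdownloader.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+# Redirect
+include /etc/firejail/JDownloader.profile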
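--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -10,6 +10,7 @@ Discord
 DiscordCanary
 FossaMail
 Fritzing
+JDownloader
 Mathematica
 Natron
 Telegram
@@ -218,6 +219,7 @@ inox
 iridium
 iridium-browser
 jd-gui
+jdownloader
 jitsi
 k3b
 kaffeine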
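--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -1160,7 +1160,7 @@ void fs_check_chroot_dir(const char *rootdir) {
 if (asprintf(&overlay, "%s/.firejail", cfg.homedir) == -1)
 errExit("asprintf");
 if (strncmp(rootdir, overlay, strlen(overlay)) == 0) {
-fprintf(stderr, "Error: invalid chroot directory %s\n", rootdir);
+fprintf(stderr, "Error: invalid chroot directory: no directories in ~/.firejail are allowed\n");
 exit(1);
 }
 free(overlay);
@@ -1171,7 +1171,7 @@ void fs_check_chroot_dir(const char *rootdir) {
 fprintf(stderr, "Error: invalid chroot directory %s\n", rootdir);
 exit(1);
 }
-// rootdir has to be owned by root and is not allowed to be world-writable;
+// rootdir has to be owned by root and is not allowed to be generally writable,
 // this also excludes /tmp, /var/tmp and such
 if (fstat(parentfd, &s) == -1)
 errExit("fstat");
@@ -1179,8 +1179,8 @@ void fs_check_chroot_dir(const char *rootdir) {
 fprintf(stderr, "Error: chroot directory should be owned by root\n");
 exit(1);
 }
-if ((S_IWOTH & s.st_mode) != 0) {
-fprintf(stderr, "Error: chroot directory should not be world-writable\n");
+if (((S_IWGRP|S_IWOTH) & s.st_mode) != 0) {
+fprintf(stderr, "Error: only root user should be given write permission on chroot directory\n");
 exit(1);
 }
 
@@ -1252,8 +1252,8 @@ void fs_check_chroot_dir(const char *rootdir) {
 fprintf(stderr, "Error: chroot /etc should be a directory owned by root\n");
 exit(1);
 }
-if ((S_IWOTH & s.st_mode) != 0) {
-fprintf(stderr, "Error: chroot /etc should not be world-writable\n");
+if (((S_IWGRP|S_IWOTH) & s.st_mode) != 0) {
+fprintf(stderr, "Error: only root user should be given write permission on chroot /etc\n");
 exit(1);
 }
 close(fd);
@@ -1346,8 +1346,8 @@ void fs_chroot(const char *rootdir) {
 fprintf(stderr, "Error: chroot /run should be a directory owned by root\n");
 exit(1);
 }
-if ((S_IWOTH & s.st_mode) != 0) {
-fprintf(stderr, "Error: chroot /run should not be world-writable\n");
+if (((S_IWGRP|S_IWOTH) & s.st_mode) != 0) {
+fprintf(stderr, "Error: only root user should be given write permission on chroot /run\n");
 exit(1);
 }
 }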
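Review bot: The ~/.firejail guard in the first hunk, `if (strncmp(rootdir, overlay, strlen(overlay)) == 0) {` at line 1162, compares the caller-supplied string as a textual prefix, so unless `rootdir` has already been canonicalized before `fs_check_chroot_dir` (not visible in this hunk) a relative path, a `..` component or a symlink that resolves into `~/.firejail` is not caught, while an unrelated sibling such as `~/.firejail-backup` is rejected and the new message is then misleading. If the caller does not resolve the path, compare the result of `realpath(rootdir, NULL)` against `overlay` here and free it afterwards; if it does, a one-line comment above the check saying that `rootdir` is already canonical would spare the next reader the same question. The tightened mode test `((S_IWGRP|S_IWOTH) & s.st_mode) != 0` now appears verbatim at lines 1182, 1255 and 1349 with three differently worded messages; a small `static` helper taking the `struct stat` and the location string would keep the rule from drifting between the chroot root, /etc and /run checks. Both `fs_check_chroot_dir` and `fs_chroot` extend beyond the hunks shown.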
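--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -860,6 +860,8 @@ int main(int argc, char **argv) {
 int lockfd_directory = -1;
 int option_cgroup = 0;
 int custom_profile = 0; // custom profile loaded
+int arg_seccomp_cmdline = 0; // seccomp requested on command line (used to break --chroot)
+int arg_caps_cmdline = 0; // seccomp requested on command line (used to break --chroot)
 
 // drop permissions by default and rise them when required
 EUID_INIT();
@@ -1144,6 +1146,7 @@ int main(int argc, char **argv) {
 }
 arg_seccomp = 1;
 cfg.seccomp_list = seccomp_check_list(argv[i] + 10);
+arg_seccomp_cmdline = 1;
 }
 else
 exit_err_feature("seccomp");
@@ -1156,6 +1159,7 @@ int main(int argc, char **argv) {
 }
 arg_seccomp = 1;
 cfg.seccomp_list_drop = seccomp_check_list(argv[i] + 15);
+arg_seccomp_cmdline = 1;
 }
 else
 exit_err_feature("seccomp");
@@ -1168,6 +1172,7 @@ int main(int argc, char **argv) {
 }
 arg_seccomp = 1;
 cfg.seccomp_list_keep = seccomp_check_list(argv[i] + 15);
+arg_seccomp_cmdline = 1;
 }
 else
 exit_err_feature("seccomp");
@@ -1186,8 +1191,10 @@ int main(int argc, char **argv) {
 exit_err_feature("seccomp");
 }
 #endif
-else if (strcmp(argv[i], "--caps") == 0)
+else if (strcmp(argv[i], "--caps") == 0) {
 arg_caps_default_filter = 1;
+arg_caps_cmdline = 1;
+}
 else if (strcmp(argv[i], "--caps.drop=all") == 0)
 arg_caps_drop_all = 1;
 else if (strncmp(argv[i], "--caps.drop=", 12) == 0) {
@@ -1197,6 +1204,7 @@ int main(int argc, char **argv) {
 errExit("strdup");
 // verify caps list and exit if problems
 caps_check_list(arg_caps_list, NULL);
+arg_caps_cmdline = 1;
 }
 else if (strncmp(argv[i], "--caps.keep=", 12) == 0) {
 arg_caps_keep = 1;
@@ -1205,9 +1213,8 @@ int main(int argc, char **argv) {
 errExit("strdup");
 // verify caps list and exit if problems
 caps_check_list(arg_caps_list, NULL);
+arg_caps_cmdline = 1;
 }
-
-
 else if (strcmp(argv[i], "--trace") == 0)
 arg_trace = 1;
 else if (strcmp(argv[i], "--tracelog") == 0)
@@ -2218,6 +2225,14 @@ int main(int argc, char **argv) {
 }
 EUID_ASSERT();
 
+// exit for --chroot sandboxes when secomp or caps are explicitly specified on command line
+if (getuid() != 0 && cfg.chrootdir && (arg_seccomp_cmdline || arg_caps_cmdline)) {
+fprintf(stderr, "Error: for chroot sandboxes, default seccomp and capabilities filters are\n"
+"enabled by default. Please remove all --seccomp and --caps options from the\n"
+"command line.\n");
+exit(1);
+}
+
 // prog_index could still be -1 if no program was specified
 if (prog_index == -1 && arg_shell_none) {
 fprintf(stderr, "Error: shell=none configured, but no program specified\n");
@@ -2232,12 +2247,12 @@ int main(int argc, char **argv) {
 // check user namespace (--noroot) options
 if (arg_noroot) {
 if (arg_overlay) {
-fprintf(stderr, "Error: --overlay and --noroot are mutually exclusive.\n");
-exit(1);
+fwarning("--overlay and --noroot are mutually exclusive, --noroot disabled...\n");
+arg_noroot = 0;
 }
 else if (cfg.chrootdir) {
-fprintf(stderr, "Error: --chroot and --noroot are mutually exclusive.\n");
-exit(1);
+fwarning("--chroot and --noroot are mutually exclusive, --noroot disabled...\n");
+arg_noroot = 0;
 }
 }
 
@@ -2311,39 +2326,30 @@ int main(int argc, char **argv) {
 
 // use default.profile as the default
 if (!custom_profile && !arg_noprofile) {
-if (cfg.chrootdir) {
-fwarning("default profile disabled by --chroot option\n");
-}
-// else if (arg_overlay) {
-// fwarning("default profile disabled by --overlay option\n");
-// }
-else {
-// try to load a default profile
-char *profile_name = DEFAULT_USER_PROFILE;
-if (getuid() == 0)
-profile_name = DEFAULT_ROOT_PROFILE;
-if (arg_debug)
-printf("Attempting to find %s.profile...\n", profile_name);
-
-// look for the profile in ~/.config/firejail directory
-char *usercfgdir;
-if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1)
-errExit("asprintf");
-custom_profile = profile_find(profile_name, usercfgdir);
-free(usercfgdir);
+char *profile_name = DEFAULT_USER_PROFILE;
+if (getuid() == 0)
+profile_name = DEFAULT_ROOT_PROFILE;
+if (arg_debug)
+printf("Attempting to find %s.profile...\n", profile_name);
 
-if (!custom_profile)
-// look for the profile in /etc/firejail directory
-custom_profile = profile_find(profile_name, SYSCONFDIR);
+// look for the profile in ~/.config/firejail directory
+char *usercfgdir;
+if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1)
+errExit("asprintf");
+custom_profile = profile_find(profile_name, usercfgdir);
+free(usercfgdir);
 
-if (!custom_profile) {
-fprintf(stderr, "Error: no default.profile installed\n");
-exit(1);
-}
+if (!custom_profile)
+// look for the profile in /etc/firejail directory
+custom_profile = profile_find(profile_name, SYSCONFDIR);
 
-if (custom_profile)
-fmessage("\n** Note: you can use --noprofile to disable %s.profile **\n\n", profile_name);
+if (!custom_profile) {
+fprintf(stderr, "Error: no default.profile installed\n");
+exit(1);
 }
+
+if (custom_profile)
+fmessage("\n** Note: you can use --noprofile to disable %s.profile **\n\n", profile_name);
 }
 EUID_ASSERT();
 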
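Review bot: The new `--caps` rejection for chroot sandboxes (new lines 2229-2234) has a gap in the same option-parsing hunk that introduces it: `--caps.drop=all` at new lines 1198-1199 sets `arg_caps_drop_all` without setting `arg_caps_cmdline`, so a non-root `--chroot` run with `--caps.drop=all` passes the check even though the error text tells the user to remove all `--caps` options; whether the plain `--seccomp` option (parsed outside these hunks) sets `arg_seccomp_cmdline` is likewise not visible. If leaving `--caps.drop=all` through is deliberate because dropping everything is at least as strict as the default filter, say so in the comment above the check, otherwise add `arg_caps_cmdline = 1;` next to `arg_caps_drop_all = 1;`. The comment on the new declaration at new line 864 was copied from the seccomp line and should read `int arg_caps_cmdline = 0; // caps requested on command line (used to break --chroot)`, and the comment at new line 2228 misspells seccomp as `secomp`. The body of main() extends far beyond every hunk shown here.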