-rw-r--r-- | README | 1 | ||||
-rw-r--r-- | etc/cmus.profile | 1 | ||||
-rw-r--r-- | etc/disable-programs.inc | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 2 | ||||
-rw-r--r-- | src/firejail/profile.c | 2 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 6 | ||||
-rwxr-xr-x | test/firefox-x11.exp | 14 | ||||
-rwxr-xr-x | test/firefox.exp | 14 | ||||
-rwxr-xr-x | test/test-profile.exp | 2 |
9 files changed, 37 insertions, 6 deletions
@@ -100,6 +100,7 @@ avoidr (https://github.com/avoidr) | |||
100 | - hostname support in profile file | 100 | - hostname support in profile file |
101 | - Google Chrome profile rework | 101 | - Google Chrome profile rework |
102 | - added cmus profile | 102 | - added cmus profile |
103 | - man page fixes | ||
103 | Bruno Nova (https://github.com/brunonova) | 104 | Bruno Nova (https://github.com/brunonova) |
104 | - whitelist fix | 105 | - whitelist fix |
105 | - bash arguments fix | 106 | - bash arguments fix |
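--- a/etc/cmus.profile
+++ b/etc/cmus.profile
@@ -15,4 +15,3 @@ noroot
 private-bin cmus
 private-etc group
 shell none
-noroot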
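--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -4,6 +4,7 @@ blacklist ${HOME}/.remmina
 blacklist ${HOME}/.tconn
 blacklist ${HOME}/.FBReader
 blacklist ${HOME}/.wine
+blacklist ${HOME}/.config/cmus
 
 # HTTP / FTP / Mail
 blacklist ${HOME}/.icedove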
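Review bot: The added `blacklist ${HOME}/.config/cmus` would also apply to cmus itself if etc/cmus.profile includes this file, and the cmus.profile section on this page shows no matching `noblacklist` line (only its last lines are visible). Confirm the profile carries `noblacklist ${HOME}/.config/cmus` ahead of the include; otherwise a sandboxed cmus would lose access to its own configuration directory.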
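--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1268,8 +1268,8 @@ int main(int argc, char **argv) {
 fprintf(stderr, "Error: invalid private-bin option\n");
 exit(1);
 }
-fs_check_bin_list();
 arg_private_bin = 1;
+fs_check_bin_list();
 }
 else if (strcmp(argv[i], "--private-tmp") == 0) {
 arg_private_tmp = 1;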
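Review bot: The order of the two statements now matters, but nothing at the call site says why `arg_private_bin = 1;` has to precede `fs_check_bin_list();`; presumably the helper reads or resets the flag. A one-line comment would keep a later cleanup from swapping them back, e.g. `// set the flag first: fs_check_bin_list() may reset arg_private_bin` (wording to be confirmed against the helper). The same pair is repeated in `profile_check_line` in src/firejail/profile.c, so moving the assignment into the helper would remove the hidden ordering dependency from both call sites. `main` starts and ends outside the hunk.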
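--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -385,8 +385,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 // private /bin list of files
 if (strncmp(ptr, "private-bin ", 12) == 0) {
 cfg.bin_private_keep = ptr + 12;
-fs_check_bin_list();
 arg_private_bin = 1;
+fs_check_bin_list();
 return 0;
 }
 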
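Review bot: The profile path assigns `cfg.bin_private_keep = ptr + 12;` with no visible check on what follows the keyword, whereas the command-line path in main.c has an `Error: invalid private-bin option` exit (its condition is outside that hunk). Unless `fs_check_bin_list()` rejects it, a profile line holding only `private-bin ` would leave an empty keep list with `arg_private_bin` set. A guard before the assignment, such as `if (*(ptr + 12) == '\0') { fprintf(stderr, "Error: invalid private-bin option\n"); exit(1); }`, would make the two paths agree. `profile_check_line` continues outside the hunk.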
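--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -227,8 +227,14 @@ static void start_application(void) {
 }
 }
 
+if (cfg.original_program_index == 0) {
+fprintf(stderr, "Error: --shell=none configured, but no program specified\n");
+exit(1);
+}
+
 if (!arg_command && !arg_quiet)
 printf("Child process initialized\n");
+
 execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]);
 }
 //****************************************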
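Review bot: The new guard treats `cfg.original_program_index == 0` as "no program given", but nothing in the hunk says why 0 is the sentinel or what the `execvp` below would otherwise run. A short comment above the check would help, e.g. `// index 0 means no program was found on the command line; execvp below would otherwise exec original_argv[0]`. The check also runs late, in `start_application`, so the sandbox is presumably already set up when the error is reported; rejecting the `shell none` / no-program combination where options are parsed would fail earlier. Within the visible lines the return of `execvp` is not handled before the closing brace; the function continues outside the hunk, so confirm a failed exec ends in an error exit there.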
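--- a/test/firefox-x11.exp
+++ b/test/firefox-x11.exp
@@ -4,7 +4,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --name=test --x11 --net=br0 firefox www.gentoo.org\r"
+send -- "firejail --name=test --x11 --net=br0 firefox -no-remote www.gentoo.org\r"
 sleep 10
 
 spawn $env(SHELL)
@@ -18,6 +18,10 @@ expect {
 "firefox" {puts "firefox detected\n";}
 "iceweasel" {puts "iceweasel detected\n";}
 }
+expect {
+timeout {puts "TESTING ERROR 3.2\n";exit}
+"no-remote"
+}
 sleep 1
 send -- "firejail --name=blablabla\r"
 expect {
@@ -34,6 +38,10 @@ expect {
 " iceweasel" {puts "iceweasel detected\n";}
 }
 expect {
+timeout {puts "TESTING ERROR 5.0\n";exit}
+"no-remote"
+}
+expect {
 timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
 "Seccomp: 2"
 }
@@ -49,6 +57,10 @@ expect {
 " iceweasel" {puts "iceweasel detected\n";}
 }
 expect {
+timeout {puts "TESTING ERROR 6.0\n";exit}
+"no-remote"
+}
+expect {
 timeout {puts "TESTING ERROR 6.1\n";exit}
 "CapBnd:"
 }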
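Review bot: The added `timeout {puts "TESTING ERROR 3.2\n";exit}` branches (also 5.0 and 6.0 here, and the same three in test/firefox.exp) end the script with a bare `exit`, which returns status 0. A failure is then visible only to a harness that scans the output for `TESTING ERROR`; using `exit 1` in the new branches would let the exit status carry it as well. Each new `"no-remote"` pattern is matched only after the preceding `firefox`/`iceweasel` expect has consumed its part of the buffer, so it relies on the argument appearing later in the same output. A one-line comment naming the command whose output is being checked would make that dependency clear.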
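--- a/test/firefox.exp
+++ b/test/firefox.exp
@@ -4,7 +4,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail firefox www.gentoo.org\r"
+send -- "firejail firefox -no-remote www.gentoo.org\r"
 expect {
 timeout {puts "TESTING ERROR 0\n";exit}
 "Reading profile /etc/firejail/firefox.profile"
@@ -26,6 +26,10 @@ expect {
 "firefox" {puts "firefox detected\n";}
 "iceweasel" {puts "iceweasel detected\n";}
 }
+expect {
+timeout {puts "TESTING ERROR 3.2\n";exit}
+"no-remote"
+}
 sleep 1
 send -- "firejail --name=blablabla\r"
 expect {
@@ -42,6 +46,10 @@ expect {
 " iceweasel" {puts "iceweasel detected\n";}
 }
 expect {
+timeout {puts "TESTING ERROR 5.0\n";exit}
+"no-remote"
+}
+expect {
 timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
 "Seccomp: 2"
 }
@@ -57,6 +65,10 @@ expect {
 " iceweasel" {puts "iceweasel detected\n";}
 }
 expect {
+timeout {puts "TESTING ERROR 6.0\n";exit}
+"no-remote"
+}
+expect {
 timeout {puts "TESTING ERROR 6.1\n";exit}
 "CapBnd:"
 }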
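--- a/test/test-profile.exp
+++ b/test/test-profile.exp
@@ -10,7 +10,7 @@ if { $argc != 1 } {
 exit
 }
 
-send -- "firejail --profile=$argv\r"
+send -- "firejail --profile=$argv /bin/bash\r"
 expect {
 timeout {puts "TESTING ERROR 0\n";exit}
 "Child process initialized"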