-rw-r--r-- | Makefile.in | 17 | ||||
-rw-r--r-- | README | 1 | ||||
-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | RELNOTES | 3 | ||||
-rw-r--r-- | etc/allow-gjs.inc | 1 | ||||
-rw-r--r-- | etc/disable-programs.inc | 2 | ||||
-rw-r--r-- | etc/firefox-common.profile | 3 | ||||
-rw-r--r-- | etc/shortwave.profile | 50 | ||||
-rw-r--r-- | etc/templates/profile.template | 2 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 3 | ||||
-rw-r--r-- | src/firejail/fs_mkdir.c | 28 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 14 | ||||
-rwxr-xr-x | test/fs/mkdir.exp | 26 | ||||
-rw-r--r-- | test/fs/mkdir.profile | 4 |
14 files changed, 123 insertions, 33 deletions
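--- a/Makefile.in
+++ b/Makefile.in
@@ -28,12 +28,12 @@ SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary secco
 endif
 ALL_ITEMS = $(APPS) $(SBOX_APPS) $(MYLIBS)
 
-.PHONY: apps filters man mylibs
+.PHONY: all_items $(ALL_ITEMS)
 all_items: $(ALL_ITEMS)
-$(ALL_ITEMS):
+$(ALL_ITEMS): $(MYDIRS)
 $(MAKE) -C $(dir $@)
 
-.PHONY: mydirs
+.PHONY: mydirs $(MYDIRS)
 mydirs: $(MYDIRS)
 $(MYDIRS):
 $(MAKE) -C $@
@@ -94,12 +94,8 @@ endif
 install -c -m 0755 src/firecfg/firecfg $(DESTDIR)/$(bindir)/.
 # libraries and plugins
 install -m 0755 -d $(DESTDIR)/$(libdir)/firejail
-for file in $(MYLIBS) $(SECCOMP_FILTERS); do \
-install -c -m 0644 $$file $(DESTDIR)/$(libdir)/firejail/; \
-done
-for app in $(SBOX_APPS); do \
-install -c -m 0755 $$app $(DESTDIR)/$(libdir)/firejail/; \
-done
+install -m 0644 -t $(DESTDIR)/$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config
+install -m 0755 -t $(DESTDIR)/$(libdir)/firejail $(SBOX_APPS)
 ifeq ($(HAVE_CONTRIB_INSTALL),yes)
 install -c -m 0755 contrib/fix_private-bin.py $(DESTDIR)/$(libdir)/firejail/.
 install -c -m 0755 contrib/fjclip.py $(DESTDIR)/$(libdir)/firejail/.
@@ -121,9 +117,6 @@ ifeq ($(BUSYBOX_WORKAROUND),yes)
 endif
 install -m 0755 -d $(DESTDIR)/$(sysconfdir)/firejail
 install -m 0644 -t $(DESTDIR)/$(sysconfdir)/firejail etc/*.profile etc/*.inc etc/*.net etc/firejail.config
-# for file in etc/*.profile etc/*.inc etc/*.net etc/firejail.config; do \
-# install -c -m 0644 $$file $(DESTDIR)/$(sysconfdir)/firejail; \
-# done
 sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR)
 # install apparmor profile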
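Review bot: The new `.PHONY: all_items $(ALL_ITEMS)` line drops `apps`, `filters`, `man` and `mylibs` from the phony list; any of those targets still defined outside this hunk would silently stop running once a file or directory of the same name exists. If they remain, keep them declared, e.g. `.PHONY: all_items apps filters man mylibs $(ALL_ITEMS)`. The added prerequisite in `$(ALL_ITEMS): $(MYDIRS)` also deserves a one-line comment such as `# sub-makes for $(MYDIRS) must finish first (parallel builds)`, since the reason for the ordering is not stated; that reading is inferred from the rule, not from the commit text.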
@@ -37,6 +37,7 @@ Maintainer: | |||
37 | Committers | 37 | Committers |
38 | - chiraag-nataraj (https://github.com/chiraag-nataraj) | 38 | - chiraag-nataraj (https://github.com/chiraag-nataraj) |
39 | - crass (https://github.com/crass) | 39 | - crass (https://github.com/crass) |
40 | - curiosityseeker (https://github.com/curiosityseeker) | ||
40 | - glitsj16 (https://github.com/glitsj16) | 41 | - glitsj16 (https://github.com/glitsj16) |
41 | - Fred-Barclay (https://github.com/Fred-Barclay) | 42 | - Fred-Barclay (https://github.com/Fred-Barclay) |
42 | - Kristóf Marussy (https://github.com/kris7t) | 43 | - Kristóf Marussy (https://github.com/kris7t) |
@@ -187,4 +187,4 @@ gnome-screenshot, ripperX, sound-juicer, iagno, com.github.dahenson.agenda, gnom | |||
187 | penguin-command, x2goclient, frogatto, gnome-mines, gnome-nibbles, lightsoff, ts3client_runscript.sh, warmux, ferdi, abiword, | 187 | penguin-command, x2goclient, frogatto, gnome-mines, gnome-nibbles, lightsoff, ts3client_runscript.sh, warmux, ferdi, abiword, |
188 | four-in-a-row, gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin, gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars, | 188 | four-in-a-row, gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin, gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars, |
189 | hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless, mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers, | 189 | hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless, mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers, |
190 | seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more, swell-foop,,fdns | 190 | seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more, swell-foop, fdns |
@@ -7,9 +7,10 @@ firejail (0.9.63) baseline; urgency=low | |||
7 | /etc/firejail/firejail.config file. | 7 | /etc/firejail/firejail.config file. |
8 | * DHCP client support | 8 | * DHCP client support |
9 | * SELinux labeling support | 9 | * SELinux labeling support |
10 | * 32-bit seccomp filter | 10 | * custom 32-bit seccomp filter support |
11 | * restrict ${RUNUSER} in serveral profiles | 11 | * restrict ${RUNUSER} in serveral profiles |
12 | * whitelist globbing | 12 | * whitelist globbing |
13 | * mkdir and mkfile support for /run/user directory | ||
13 | * new condition: HAS_NOSOUND | 14 | * new condition: HAS_NOSOUND |
14 | * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster | 15 | * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster |
15 | * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl | 16 | * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl |
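--- a/etc/allow-gjs.inc
+++ b/etc/allow-gjs.inc
@@ -8,3 +8,4 @@ noblacklist /usr/lib/gjs
 noblacklist /usr/lib64/gjs
 noblacklist /usr/lib/libgjs*
 noblacklist /usr/lib64/libgjs*
+noblacklist /usr/lib64/libmozjs-*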
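Review bot: The added `noblacklist /usr/lib64/libmozjs-*` has no `/usr/lib` counterpart, while every other entry visible in this hunk comes as a `/usr/lib` and `/usr/lib64` pair. If libmozjs is blacklisted under both prefixes (the blacklist rule itself is not visible here), gjs would still fail on distributions that install the library under `/usr/lib`. Adding `noblacklist /usr/lib/libmozjs-*` above the new line keeps the pairs consistent.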
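--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -501,6 +501,7 @@ blacklist ${HOME}/.local/share/QGIS
 blacklist ${HOME}/.local/share/QMediathekView
 blacklist ${HOME}/.local/share/QuiteRss
 blacklist ${HOME}/.local/share/Ricochet
+blacklist ${HOME}/.local/share/Shortwave
 blacklist ${HOME}/.local/share/Steam
 blacklist ${HOME}/.local/share/SuperHexagon
 blacklist ${HOME}/.local/share/TelegramDesktop
@@ -759,6 +760,7 @@ blacklist ${HOME}/.cache/Franz
 blacklist ${HOME}/.cache/INRIA
 blacklist ${HOME}/.cache/MusicBrainz
 blacklist ${HOME}/.cache/QuiteRss
+blacklist ${HOME}/.cache/Shortwave
 blacklist ${HOME}/.cache/Tox
 blacklist ${HOME}/.cache/Zeal
 blacklist ${HOME}/.cache/agenda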
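--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -44,8 +44,7 @@ notv
 protocol unix,inet,inet6,netlink
 # The below seccomp configuration still permits chroot syscall. See https://github.com/netblue30/firejail/issues/2506 for possible workarounds.
 seccomp !chroot
-# Uncomment the next line (or put it into your firefox-common.local) if your firefox doesn't require a shell to lauch.
-#shell none
+shell none
 # Disable tracelog, it breaks or causes major issues with many firefox based browsers, see https://github.com/netblue30/firejail/issues/1930.
 #tracelog
 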
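Review bot: `shell none` is now unconditional, and the comment that told users how to handle this option was removed without a replacement. Browsers that are started through a shell wrapper script would presumably stop launching under this profile, and nothing on the new side tells the user how to opt out. A comment above the line such as `# If your browser needs a shell to launch, add 'ignore shell none' to firefox-common.local.` would document the override.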
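--- /dev/null
+++ b/etc/shortwave.profile
@@ -0,0 +1,50 @@
+# Firejail profile for shortwave
+# Description: Listen to internet radio
+# This file is overwritten after every install/update
+# Persistent local customizations
+include shortwave.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/Shortwave
+noblacklist ${HOME}/.local/share/Shortwave
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/Shortwave
+mkdir ${HOME}/.local/share/Shortwave
+whitelist ${HOME}/.cache/Shortwave
+whitelist ${HOME}/.local/share/Shortwave
+whitelist /usr/share/shortwave
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin shortwave
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gconf,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
+private-tmp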
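--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -119,7 +119,7 @@ include globals.local
 ##mkfile PATH
 #whitelist PATH
 #include whitelist-common.inc
-#GTK3 only: include whitelist-runuser-common.inc
+#include whitelist-runuser-common.inc
 #include whitelist-usr-share-common.inc
 #include whitelist-var-common.inc
 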
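--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -258,7 +258,7 @@ gist-paste
 gitg
 github-desktop
 gitter
-gjs
+# gjs -- https://github.com/netblue30/firejail/issues/3333#issuecomment-612601102
 globaltime
 gmpc
 gnome-2048
@@ -602,6 +602,7 @@ seamonkey
 seamonkey-bin
 secret-tool
 shellcheck
+shortwave
 shotcut
 signal-cli
 signal-desktop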
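--- a/src/firejail/fs_mkdir.c
+++ b/src/firejail/fs_mkdir.c
@@ -25,6 +25,22 @@
 #include <sys/wait.h>
 #include <string.h>
 
+
+static void check(const char *fname) {
+// manufacture /run/user directory
+char *runuser;
+if (asprintf(&runuser, "/run/user/%d/", getuid()) == -1)
+errExit("asprintf");
+
+if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0 &&
+strncmp(fname, "/tmp", 4) != 0 &&
+strncmp(fname, runuser, strlen(runuser)) != 0) {
+fprintf(stderr, "Error: only files or directories in user home, /tmp, or /run/user/<UID> are supported by mkdir\n");
+exit(1);
+}
+free(runuser);
+}
+
 static void mkdir_recursive(char *path) {
 char *subdir = NULL;
 struct stat s;
@@ -61,11 +77,7 @@ void fs_mkdir(const char *name) {
 // check directory name
 invalid_filename(name, 0); // no globbing
 char *expanded = expand_macros(name);
-if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0 &&
-strncmp(expanded, "/tmp", 4) != 0) {
-fprintf(stderr, "Error: only directories in user home or /tmp are supported by mkdir\n");
-exit(1);
-}
+check(expanded); // will exit if wrong path
 
 struct stat s;
 if (stat(expanded, &s) == 0) {
@@ -101,11 +113,7 @@ void fs_mkfile(const char *name) {
 // check file name
 invalid_filename(name, 0); // no globbing
 char *expanded = expand_macros(name);
-if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0 &&
-strncmp(expanded, "/tmp", 4) != 0) {
-fprintf(stderr, "Error: only files in user home or /tmp are supported by mkfile\n");
-exit(1);
-}
+check(expanded); // will exit if wrong path
 
 struct stat s;
 if (stat(expanded, &s) == 0) {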
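Review bot: In `check()`, the home-directory and `/tmp` comparisons are bare prefix matches with no path-separator boundary, so a path such as `/tmpfoo/x`, or a sibling directory whose name merely starts with the home path, passes the allow-list; only the new `/run/user/<UID>/` prefix ends in a slash. Comparing against `"/tmp/"` with length 5, and requiring `fname[strlen(cfg.homedir)]` to be `'/'` or `'\0'` after the home match (assuming `cfg.homedir` carries no trailing slash), closes that gap. Whether `..` components are rejected depends on `invalid_filename()` and `expand_macros()`, which are outside these hunks, so that is worth confirming before the allow-list is trusted. `getuid()` returns `uid_t`, so `"/run/user/%u/"` with an `(unsigned)` cast is the matching format. The bodies of `fs_mkdir` and `fs_mkfile` continue outside the hunks.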
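--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -211,7 +211,7 @@ Disable /mnt, /media, /run/mount and /run/media access.
 /var/tmp directory is untouched.
 .TP
 \fBmkdir directory
-Create a directory in user home or under /tmp before the sandbox is started.
+Create a directory in user home, under /tmp, or under /run/user/<UID> before the sandbox is started.
 The directory is created if it doesn't already exist.
 .br
 
@@ -230,10 +230,18 @@ whitelist ~/.mozilla
 mkdir ~/.cache/mozilla/firefox
 .br
 whitelist ~/.cache/mozilla/firefox
+.br
+
+.br
+For files in /run/user/<PID> use ${RUNUSER} macro:
+.br
+
+.br
+mkdir ${RUNUSER}/firejail-testing
 .TP
 \fBmkfile file
-Similar to mkdir, this command creates a file in user home or under /tmp before the sandbox is started.
-The file is created if it doesn't already exist.
+Similar to mkdir, this command creates an empty file in user home, or /tmp, or under /run/user/<UID>
+before the sandbox is started. The file is created if it doesn't already exist.
 .TP
 \fBnoexec file_or_directory
 Remount the file or the directory noexec, nodev and nosuid.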
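--- a/test/fs/mkdir.exp
+++ b/test/fs/mkdir.exp
@@ -17,10 +17,32 @@ expect {
 send -- "rm -rf ~/.firejail_test\r"
 after 100
 
+send -- "firejail --profile=mkdir.profile find /tmp/.firejail_test\r"
+expect {
+timeout {puts "TESTING ERROR 2.1\n";exit}
+"Warning: cannot create" { puts "TESTING ERROR 2.2\n";exit}
+"No such file or directory" { puts "TESTING ERROR 2.3\n";exit}
+"/tmp/.firejail_test/a/b/c/d.txt"
+}
+send -- "rm -rf /tmp/.firejail_test\r"
+after 100
+
+set UID [exec id -u]
+send -- "firejail --profile=mkdir.profile find /run/user/$UID/.firejail_test\r"
+expect {
+timeout {puts "TESTING ERROR 3.1\n";exit}
+"Warning: cannot create" { puts "TESTING ERROR 3.2\n";exit}
+"No such file or directory" { puts "TESTING ERROR 3.3\n";exit}
+"/run/user/$UID/.firejail_test/a/b/c/d.txt"
+}
+send -- "rm -rf /run/user/$UID/.firejail_test\r"
+after 100
+
+
 send -- "firejail --profile=mkdir2.profile\r"
 expect {
-timeout {puts "TESTING ERROR 2\n";exit}
-"only directories in user home or /tmp"
+timeout {puts "TESTING ERROR 4\n";exit}
+"only files or directories in user home, /tmp, or /run/user/<UID>"
 }
 after 100
 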
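Review bot: The new 3.x block assumes `/run/user/$UID` exists, which is not guaranteed on hosts without a login-session runtime directory (minimal containers used for CI, for example). Because the `${RUNUSER}` lines live in the shared mkdir.profile, a missing directory would presumably surface as `Warning: cannot create` in the earlier blocks too. Wrapping the block in `if {[file isdirectory /run/user/$UID]} { ... }` and moving the `${RUNUSER}` entries to their own profile would keep the suite portable. The added checks cover only accepted paths; a case for a rejected look-alike prefix is not visible in this hunk.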
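--- a/test/fs/mkdir.profile
+++ b/test/fs/mkdir.profile
@@ -1,2 +1,6 @@
 mkdir ~/.firejail_test/a/b/c
 mkfile ~/.firejail_test/a/b/c/d.txt
+mkdir /tmp/.firejail_test/a/b/c
+mkfile /tmp/.firejail_test/a/b/c/d.txt
+mkdir ${RUNUSER}/.firejail_test/a/b/c
+mkfile ${RUNUSER}/.firejail_test/a/b/c/d.txt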