diff options
-rw-r--r-- | CONTRIBUTING.md | 7 | ||||
-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | etc/inc/disable-programs.inc | 8 | ||||
-rw-r--r-- | etc/profile-a-l/avidemux.profile | 1 | ||||
-rw-r--r-- | etc/profile-a-l/lifeograph.profile | 58 | ||||
-rw-r--r-- | etc/profile-m-z/io.github.lainsce.Notejot.profile | 61 | ||||
-rw-r--r-- | etc/profile-m-z/rednotebook.profile | 67 | ||||
-rw-r--r-- | etc/profile-m-z/zim.profile | 72 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 23 | ||||
-rw-r--r-- | src/firejail/main.c | 189 | ||||
-rw-r--r-- | src/firejail/no_sandbox.c | 3 | ||||
-rw-r--r-- | src/firejail/output.c | 12 | ||||
-rw-r--r-- | src/firejail/util.c | 5 | ||||
-rwxr-xr-x | test/profiles/profile_syntax.exp | 2 | ||||
-rw-r--r-- | test/profiles/test.profile | 2 |
16 files changed, 399 insertions, 114 deletions
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 688101d13..0f868d6c4 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md | |||
@@ -34,6 +34,13 @@ If you want to write a new profile, the easiest way to do this is to use the | |||
34 | [profile template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template). | 34 | [profile template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template). |
35 | If you have already written a profile, please make sure it follows the rules described in the template. | 35 | If you have already written a profile, please make sure it follows the rules described in the template. |
36 | 36 | ||
37 | If you add a new command, here's the checklist: | ||
38 | |||
39 | - [ ] Update manpages: firejail(1) and firejail-profile(5) | ||
40 | - [ ] Update shell completions | ||
41 | - [ ] Update vim syntax files | ||
42 | - [ ] Update --help | ||
43 | |||
37 | # Editing the wiki | 44 | # Editing the wiki |
38 | 45 | ||
39 | You are highly encouraged to add your own tips and tricks to the [wiki](https://github.com/netblue30/firejail/wiki). | 46 | You are highly encouraged to add your own tips and tricks to the [wiki](https://github.com/netblue30/firejail/wiki). |
@@ -236,3 +236,5 @@ $ ./profstats *.profile | |||
236 | ``` | 236 | ``` |
237 | 237 | ||
238 | ### New profiles: | 238 | ### New profiles: |
239 | |||
240 | clion-eap, lifeograph, io.github.lainsce.Notejot, rednotebook, zim, microsoft-edge-beta | ||
@@ -2,6 +2,7 @@ firejail (0.9.67) baseline; urgency=low | |||
2 | * work in progress | 2 | * work in progress |
3 | * deprecated --disable-whitelist at compile time | 3 | * deprecated --disable-whitelist at compile time |
4 | * deprecated whitelist=yes/no in /etc/firejail/firejail.config | 4 | * deprecated whitelist=yes/no in /etc/firejail/firejail.config |
5 | * new profiles: microsoft-edge-beta | ||
5 | -- netblue30 <netblue30@yahoo.com> Mon, 28 Jun 2021 09:00:00 -0500 | 6 | -- netblue30 <netblue30@yahoo.com> Mon, 28 Jun 2021 09:00:00 -0500 |
6 | 7 | ||
7 | firejail (0.9.66) baseline; urgency=low | 8 | firejail (0.9.66) baseline; urgency=low |
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index fd907034f..44983dd14 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc | |||
@@ -320,6 +320,7 @@ blacklist ${HOME}/.config/meld | |||
320 | blacklist ${HOME}/.config/menulibre.cfg | 320 | blacklist ${HOME}/.config/menulibre.cfg |
321 | blacklist ${HOME}/.config/meteo-qt | 321 | blacklist ${HOME}/.config/meteo-qt |
322 | blacklist ${HOME}/.config/mfusion | 322 | blacklist ${HOME}/.config/mfusion |
323 | blacklist ${HOME}/.config/microsoft-edge-beta | ||
323 | blacklist ${HOME}/.config/microsoft-edge-dev | 324 | blacklist ${HOME}/.config/microsoft-edge-dev |
324 | blacklist ${HOME}/.config/midori | 325 | blacklist ${HOME}/.config/midori |
325 | blacklist ${HOME}/.config/mirage | 326 | blacklist ${HOME}/.config/mirage |
@@ -449,6 +450,7 @@ blacklist ${HOME}/.config/youtube-music-desktop-app | |||
449 | blacklist ${HOME}/.config/youtube-viewer | 450 | blacklist ${HOME}/.config/youtube-viewer |
450 | blacklist ${HOME}/.config/youtubemusic-nativefier-040164 | 451 | blacklist ${HOME}/.config/youtubemusic-nativefier-040164 |
451 | blacklist ${HOME}/.config/zathura | 452 | blacklist ${HOME}/.config/zathura |
453 | blacklist ${HOME}/.config/zim | ||
452 | blacklist ${HOME}/.config/zoomus.conf | 454 | blacklist ${HOME}/.config/zoomus.conf |
453 | blacklist ${HOME}/.conkeror.mozdev.org | 455 | blacklist ${HOME}/.conkeror.mozdev.org |
454 | blacklist ${HOME}/.crawl | 456 | blacklist ${HOME}/.crawl |
@@ -684,6 +686,7 @@ blacklist ${HOME}/.local/share/godot | |||
684 | blacklist ${HOME}/.local/share/gradio | 686 | blacklist ${HOME}/.local/share/gradio |
685 | blacklist ${HOME}/.local/share/gwenview | 687 | blacklist ${HOME}/.local/share/gwenview |
686 | blacklist ${HOME}/.local/share/i2p | 688 | blacklist ${HOME}/.local/share/i2p |
689 | blacklist ${HOME}/.local/share/io.github.lainsce.Notejot | ||
687 | blacklist ${HOME}/.local/share/jami | 690 | blacklist ${HOME}/.local/share/jami |
688 | blacklist ${HOME}/.local/share/kaffeine | 691 | blacklist ${HOME}/.local/share/kaffeine |
689 | blacklist ${HOME}/.local/share/kalgebra | 692 | blacklist ${HOME}/.local/share/kalgebra |
@@ -840,6 +843,7 @@ blacklist ${HOME}/.qgis2 | |||
840 | blacklist ${HOME}/.qmmp | 843 | blacklist ${HOME}/.qmmp |
841 | blacklist ${HOME}/.quodlibet | 844 | blacklist ${HOME}/.quodlibet |
842 | blacklist ${HOME}/.redeclipse | 845 | blacklist ${HOME}/.redeclipse |
846 | blacklist ${HOME}/.rednotebook | ||
843 | blacklist ${HOME}/.remmina | 847 | blacklist ${HOME}/.remmina |
844 | blacklist ${HOME}/.repo_.gitconfig.json | 848 | blacklist ${HOME}/.repo_.gitconfig.json |
845 | blacklist ${HOME}/.repoconfig | 849 | blacklist ${HOME}/.repoconfig |
@@ -1010,6 +1014,7 @@ blacklist ${HOME}/.cache/gummi | |||
1010 | blacklist ${HOME}/.cache/icedove | 1014 | blacklist ${HOME}/.cache/icedove |
1011 | blacklist ${HOME}/.cache/inkscape | 1015 | blacklist ${HOME}/.cache/inkscape |
1012 | blacklist ${HOME}/.cache/inox | 1016 | blacklist ${HOME}/.cache/inox |
1017 | blacklist ${HOME}/.cache/io.github.lainsce.Notejot | ||
1013 | blacklist ${HOME}/.cache/iridium | 1018 | blacklist ${HOME}/.cache/iridium |
1014 | blacklist ${HOME}/.cache/JetBrains/CLion* | 1019 | blacklist ${HOME}/.cache/JetBrains/CLion* |
1015 | blacklist ${HOME}/.cache/kcmshell5 | 1020 | blacklist ${HOME}/.cache/kcmshell5 |
@@ -1031,6 +1036,7 @@ blacklist ${HOME}/.cache/liferea | |||
1031 | blacklist ${HOME}/.cache/lutris | 1036 | blacklist ${HOME}/.cache/lutris |
1032 | blacklist ${HOME}/.cache/marker | 1037 | blacklist ${HOME}/.cache/marker |
1033 | blacklist ${HOME}/.cache/matrix-mirage | 1038 | blacklist ${HOME}/.cache/matrix-mirage |
1039 | blacklist ${HOME}/.cache/microsoft-edge-beta | ||
1034 | blacklist ${HOME}/.cache/microsoft-edge-dev | 1040 | blacklist ${HOME}/.cache/microsoft-edge-dev |
1035 | blacklist ${HOME}/.cache/midori | 1041 | blacklist ${HOME}/.cache/midori |
1036 | blacklist ${HOME}/.cache/minetest | 1042 | blacklist ${HOME}/.cache/minetest |
@@ -1066,6 +1072,7 @@ blacklist ${HOME}/.cache/qBittorrent | |||
1066 | blacklist ${HOME}/.cache/quodlibet | 1072 | blacklist ${HOME}/.cache/quodlibet |
1067 | blacklist ${HOME}/.cache/qupzilla | 1073 | blacklist ${HOME}/.cache/qupzilla |
1068 | blacklist ${HOME}/.cache/qutebrowser | 1074 | blacklist ${HOME}/.cache/qutebrowser |
1075 | blacklist ${HOME}/.cache/rednotebook | ||
1069 | blacklist ${HOME}/.cache/rhythmbox | 1076 | blacklist ${HOME}/.cache/rhythmbox |
1070 | blacklist ${HOME}/.cache/shotwell | 1077 | blacklist ${HOME}/.cache/shotwell |
1071 | blacklist ${HOME}/.cache/simple-scan | 1078 | blacklist ${HOME}/.cache/simple-scan |
@@ -1096,3 +1103,4 @@ blacklist ${HOME}/.cache/yandex-browser | |||
1096 | blacklist ${HOME}/.cache/yandex-browser-beta | 1103 | blacklist ${HOME}/.cache/yandex-browser-beta |
1097 | blacklist ${HOME}/.cache/youtube-dl | 1104 | blacklist ${HOME}/.cache/youtube-dl |
1098 | blacklist ${HOME}/.cache/youtube-viewer | 1105 | blacklist ${HOME}/.cache/youtube-viewer |
1106 | blacklist ${HOME}/.cache/zim | ||
diff --git a/etc/profile-a-l/avidemux.profile b/etc/profile-a-l/avidemux.profile index 1ecc03da1..7f9d0f6e7 100644 --- a/etc/profile-a-l/avidemux.profile +++ b/etc/profile-a-l/avidemux.profile | |||
@@ -23,6 +23,7 @@ mkdir ${HOME}/.config/avidemux3_qt5rc | |||
23 | whitelist ${HOME}/.avidemux6 | 23 | whitelist ${HOME}/.avidemux6 |
24 | whitelist ${HOME}/.config/avidemux3_qt5rc | 24 | whitelist ${HOME}/.config/avidemux3_qt5rc |
25 | whitelist ${VIDEOS} | 25 | whitelist ${VIDEOS} |
26 | |||
26 | include whitelist-common.inc | 27 | include whitelist-common.inc |
27 | include whitelist-runuser-common.inc | 28 | include whitelist-runuser-common.inc |
28 | include whitelist-usr-share-common.inc | 29 | include whitelist-usr-share-common.inc |
diff --git a/etc/profile-a-l/lifeograph.profile b/etc/profile-a-l/lifeograph.profile new file mode 100644 index 000000000..b9ed0de8e --- /dev/null +++ b/etc/profile-a-l/lifeograph.profile | |||
@@ -0,0 +1,58 @@ | |||
1 | # Firejail profile for lifeograph | ||
2 | # Description: Lifeograph is a diary program to take personal notes | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include lifeograph.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | nodeny ${DOCUMENTS} | ||
10 | |||
11 | deny /usr/libexec | ||
12 | |||
13 | include disable-common.inc | ||
14 | include disable-devel.inc | ||
15 | include disable-exec.inc | ||
16 | include disable-interpreters.inc | ||
17 | include disable-passwdmgr.inc | ||
18 | include disable-programs.inc | ||
19 | include disable-shell.inc | ||
20 | include disable-xdg.inc | ||
21 | |||
22 | allow ${DOCUMENTS} | ||
23 | allow /usr/share/lifeograph | ||
24 | include whitelist-common.inc | ||
25 | include whitelist-runuser-common.inc | ||
26 | include whitelist-usr-share-common.inc | ||
27 | include whitelist-var-common.inc | ||
28 | |||
29 | apparmor | ||
30 | caps.drop all | ||
31 | machine-id | ||
32 | net none | ||
33 | no3d | ||
34 | nodvd | ||
35 | nogroups | ||
36 | noinput | ||
37 | nonewprivs | ||
38 | noroot | ||
39 | nosound | ||
40 | notv | ||
41 | nou2f | ||
42 | novideo | ||
43 | protocol unix | ||
44 | seccomp | ||
45 | seccomp.block-secondary | ||
46 | shell none | ||
47 | tracelog | ||
48 | |||
49 | disable-mnt | ||
50 | private-bin lifeograph | ||
51 | private-cache | ||
52 | private-dev | ||
53 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11 | ||
54 | private-tmp | ||
55 | |||
56 | dbus-user filter | ||
57 | dbus-user.talk ca.desrt.dconf | ||
58 | dbus-system none | ||
diff --git a/etc/profile-m-z/io.github.lainsce.Notejot.profile b/etc/profile-m-z/io.github.lainsce.Notejot.profile new file mode 100644 index 000000000..a8029db72 --- /dev/null +++ b/etc/profile-m-z/io.github.lainsce.Notejot.profile | |||
@@ -0,0 +1,61 @@ | |||
1 | # Firejail profile for notejot | ||
2 | # Description: Jot your ideas | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include io.github.lainsce.Notejot.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | nodeny ${HOME}/.cache/io.github.lainsce.Notejot | ||
10 | nodeny ${HOME}/.local/share/io.github.lainsce.Notejot | ||
11 | |||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-programs.inc | ||
18 | include disable-shell.inc | ||
19 | include disable-xdg.inc | ||
20 | |||
21 | mkdir ${HOME}/.cache/io.github.lainsce.Notejot | ||
22 | mkdir ${HOME}/.local/share/io.github.lainsce.Notejot | ||
23 | allow ${HOME}/.cache/io.github.lainsce.Notejot | ||
24 | allow ${HOME}/.local/share/io.github.lainsce.Notejot | ||
25 | allow /usr/libexec/webkit2gtk-4.0 | ||
26 | include whitelist-common.inc | ||
27 | include whitelist-runuser-common.inc | ||
28 | include whitelist-usr-share-common.inc | ||
29 | include whitelist-var-common.inc | ||
30 | |||
31 | apparmor | ||
32 | caps.drop all | ||
33 | machine-id | ||
34 | net none | ||
35 | no3d | ||
36 | nodvd | ||
37 | nogroups | ||
38 | noinput | ||
39 | nonewprivs | ||
40 | noroot | ||
41 | nosound | ||
42 | notv | ||
43 | nou2f | ||
44 | novideo | ||
45 | protocol unix | ||
46 | seccomp | ||
47 | seccomp.block-secondary | ||
48 | shell none | ||
49 | tracelog | ||
50 | |||
51 | disable-mnt | ||
52 | private-bin io.github.lainsce.Notejot | ||
53 | private-cache | ||
54 | private-dev | ||
55 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11 | ||
56 | private-tmp | ||
57 | |||
58 | dbus-user filter | ||
59 | dbus-user.own io.github.lainsce.Notejot | ||
60 | dbus-user.talk ca.desrt.dconf | ||
61 | dbus-system none | ||
diff --git a/etc/profile-m-z/rednotebook.profile b/etc/profile-m-z/rednotebook.profile new file mode 100644 index 000000000..67281c518 --- /dev/null +++ b/etc/profile-m-z/rednotebook.profile | |||
@@ -0,0 +1,67 @@ | |||
1 | # Firejail profile for rednotebook | ||
2 | # Description: Daily journal with calendar, templates and keyword searching | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include rednotebook.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | nodeny ${HOME}/.cache/rednotebook | ||
10 | nodeny ${HOME}/.rednotebook | ||
11 | |||
12 | # Allow python (blacklisted by disable-interpreters.inc) | ||
13 | include allow-python3.inc | ||
14 | |||
15 | include disable-common.inc | ||
16 | include disable-devel.inc | ||
17 | include disable-exec.inc | ||
18 | include disable-interpreters.inc | ||
19 | include disable-passwdmgr.inc | ||
20 | include disable-programs.inc | ||
21 | include disable-shell.inc | ||
22 | |||
23 | mkdir ${HOME}/.cache/rednotebook | ||
24 | mkdir ${HOME}/.rednotebook | ||
25 | allow ${HOME}/.cache/rednotebook | ||
26 | allow ${HOME}/.rednotebook | ||
27 | allow ${DESKTOP} | ||
28 | allow ${DOCUMENTS} | ||
29 | allow ${DOWNLOADS} | ||
30 | allow ${MUSIC} | ||
31 | allow ${PICTURES} | ||
32 | allow ${VIDEOS} | ||
33 | allow /usr/libexec/webkit2gtk-4.0 | ||
34 | include whitelist-common.inc | ||
35 | include whitelist-runuser-common.inc | ||
36 | include whitelist-usr-share-common.inc | ||
37 | include whitelist-var-common.inc | ||
38 | |||
39 | apparmor | ||
40 | caps.drop all | ||
41 | machine-id | ||
42 | net none | ||
43 | no3d | ||
44 | nodvd | ||
45 | nogroups | ||
46 | noinput | ||
47 | nonewprivs | ||
48 | noroot | ||
49 | nosound | ||
50 | notv | ||
51 | nou2f | ||
52 | novideo | ||
53 | protocol unix | ||
54 | seccomp | ||
55 | seccomp.block-secondary | ||
56 | shell none | ||
57 | tracelog | ||
58 | |||
59 | disable-mnt | ||
60 | private-bin python3*,rednotebook | ||
61 | private-cache | ||
62 | private-dev | ||
63 | private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11 | ||
64 | private-tmp | ||
65 | |||
66 | dbus-user none | ||
67 | dbus-system none | ||
diff --git a/etc/profile-m-z/zim.profile b/etc/profile-m-z/zim.profile new file mode 100644 index 000000000..5ae9cddb3 --- /dev/null +++ b/etc/profile-m-z/zim.profile | |||
@@ -0,0 +1,72 @@ | |||
1 | # Firejail profile for Zim | ||
2 | # Description: Desktop wiki & notekeeper | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include zim.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | nodeny ${HOME}/.cache/zim | ||
10 | nodeny ${HOME}/.config/zim | ||
11 | |||
12 | # Allow python (blacklisted by disable-interpreters.inc) | ||
13 | include allow-python2.inc | ||
14 | include allow-python3.inc | ||
15 | |||
16 | deny /usr/libexec | ||
17 | |||
18 | include disable-common.inc | ||
19 | include disable-devel.inc | ||
20 | include disable-exec.inc | ||
21 | include disable-interpreters.inc | ||
22 | include disable-passwdmgr.inc | ||
23 | include disable-programs.inc | ||
24 | include disable-shell.inc | ||
25 | |||
26 | mkdir ${HOME}/.cache/zim | ||
27 | mkdir ${HOME}/.config/zim | ||
28 | mkdir ${HOME}/Notebooks | ||
29 | allow ${HOME}/.cache/zim | ||
30 | allow ${HOME}/.config/zim | ||
31 | allow ${HOME}/Notebooks | ||
32 | allow ${DESKTOP} | ||
33 | allow ${DOCUMENTS} | ||
34 | allow ${DOWNLOADS} | ||
35 | allow ${MUSIC} | ||
36 | allow ${PICTURES} | ||
37 | allow ${VIDEOS} | ||
38 | allow /usr/share/zim | ||
39 | include whitelist-common.inc | ||
40 | include whitelist-runuser-common.inc | ||
41 | include whitelist-usr-share-common.inc | ||
42 | include whitelist-var-common.inc | ||
43 | |||
44 | apparmor | ||
45 | caps.drop all | ||
46 | machine-id | ||
47 | net none | ||
48 | no3d | ||
49 | nodvd | ||
50 | nogroups | ||
51 | noinput | ||
52 | nonewprivs | ||
53 | noroot | ||
54 | nosound | ||
55 | notv | ||
56 | nou2f | ||
57 | novideo | ||
58 | protocol unix | ||
59 | seccomp | ||
60 | seccomp.block-secondary | ||
61 | shell none | ||
62 | tracelog | ||
63 | |||
64 | disable-mnt | ||
65 | private-bin python*,zim | ||
66 | private-cache | ||
67 | private-dev | ||
68 | private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11 | ||
69 | private-tmp | ||
70 | |||
71 | dbus-user none | ||
72 | dbus-system none | ||
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 7052f7509..3b0ad0aed 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -45,8 +45,8 @@ amule | |||
45 | amuled | 45 | amuled |
46 | android-studio | 46 | android-studio |
47 | anydesk | 47 | anydesk |
48 | apostrophe | ||
49 | apktool | 48 | apktool |
49 | apostrophe | ||
50 | # ar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) | 50 | # ar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) |
51 | arch-audit | 51 | arch-audit |
52 | archaudit-report | 52 | archaudit-report |
@@ -143,8 +143,8 @@ clawsker | |||
143 | clementine | 143 | clementine |
144 | clion | 144 | clion |
145 | clion-eap | 145 | clion-eap |
146 | clipit | ||
147 | clipgrab | 146 | clipgrab |
147 | clipit | ||
148 | cliqz | 148 | cliqz |
149 | clocks | 149 | clocks |
150 | cmus | 150 | cmus |
@@ -168,6 +168,7 @@ crow | |||
168 | cryptocat | 168 | cryptocat |
169 | cvlc | 169 | cvlc |
170 | cyberfox | 170 | cyberfox |
171 | d-feet | ||
171 | darktable | 172 | darktable |
172 | dconf-editor | 173 | dconf-editor |
173 | ddgr | 174 | ddgr |
@@ -198,13 +199,12 @@ dragon | |||
198 | drawio | 199 | drawio |
199 | drill | 200 | drill |
200 | dropbox | 201 | dropbox |
201 | d-feet | ||
202 | easystroke | 202 | easystroke |
203 | ebook-viewer | ||
204 | ebook-convert | 203 | ebook-convert |
205 | ebook-edit | 204 | ebook-edit |
206 | ebook-meta | 205 | ebook-meta |
207 | ebook-polish | 206 | ebook-polish |
207 | ebook-viewer | ||
208 | electron-mail | 208 | electron-mail |
209 | electrum | 209 | electrum |
210 | element-desktop | 210 | element-desktop |
@@ -295,8 +295,8 @@ gimp-2.10 | |||
295 | gimp-2.8 | 295 | gimp-2.8 |
296 | gist | 296 | gist |
297 | gist-paste | 297 | gist-paste |
298 | gitg | ||
299 | git-cola | 298 | git-cola |
299 | gitg | ||
300 | github-desktop | 300 | github-desktop |
301 | gitter | 301 | gitter |
302 | # gjs -- https://github.com/netblue30/firejail/issues/3333#issuecomment-612601102 | 302 | # gjs -- https://github.com/netblue30/firejail/issues/3333#issuecomment-612601102 |
@@ -387,14 +387,15 @@ icecat | |||
387 | icedove | 387 | icedove |
388 | iceweasel | 388 | iceweasel |
389 | idea | 389 | idea |
390 | ideaIC | ||
391 | idea.sh | 390 | idea.sh |
391 | ideaIC | ||
392 | imagej | 392 | imagej |
393 | img2txt | 393 | img2txt |
394 | impressive | 394 | impressive |
395 | inkscape | 395 | inkscape |
396 | inkview | 396 | inkview |
397 | inox | 397 | inox |
398 | io.github.lainsce.Notejot | ||
398 | ipcalc | 399 | ipcalc |
399 | ipcalc-ng | 400 | ipcalc-ng |
400 | iridium | 401 | iridium |
@@ -453,6 +454,7 @@ librecad | |||
453 | libreoffice | 454 | libreoffice |
454 | librewolf | 455 | librewolf |
455 | librewolf-nightly | 456 | librewolf-nightly |
457 | lifeograph | ||
456 | liferea | 458 | liferea |
457 | lightsoff | 459 | lightsoff |
458 | lincity-ng | 460 | lincity-ng |
@@ -508,6 +510,7 @@ mendeleydesktop | |||
508 | menulibre | 510 | menulibre |
509 | meteo-qt | 511 | meteo-qt |
510 | microsoft-edge | 512 | microsoft-edge |
513 | microsoft-edge-beta | ||
511 | microsoft-edge-dev | 514 | microsoft-edge-dev |
512 | midori | 515 | midori |
513 | min | 516 | min |
@@ -524,7 +527,6 @@ mp3splt-gtk | |||
524 | mp3wrap | 527 | mp3wrap |
525 | mpDris2 | 528 | mpDris2 |
526 | mpg123 | 529 | mpg123 |
527 | mpg123.bin | ||
528 | mpg123-alsa | 530 | mpg123-alsa |
529 | mpg123-id3dump | 531 | mpg123-id3dump |
530 | mpg123-jack | 532 | mpg123-jack |
@@ -534,6 +536,7 @@ mpg123-oss | |||
534 | mpg123-portaudio | 536 | mpg123-portaudio |
535 | mpg123-pulse | 537 | mpg123-pulse |
536 | mpg123-strip | 538 | mpg123-strip |
539 | mpg123.bin | ||
537 | mplayer | 540 | mplayer |
538 | mpsyt | 541 | mpsyt |
539 | mpv | 542 | mpv |
@@ -675,6 +678,7 @@ qupzilla | |||
675 | qutebrowser | 678 | qutebrowser |
676 | rambox | 679 | rambox |
677 | redeclipse | 680 | redeclipse |
681 | rednotebook | ||
678 | redshift | 682 | redshift |
679 | regextester | 683 | regextester |
680 | remmina | 684 | remmina |
@@ -735,8 +739,8 @@ steam | |||
735 | steam-native | 739 | steam-native |
736 | steam-runtime | 740 | steam-runtime |
737 | stellarium | 741 | stellarium |
738 | strawberry | ||
739 | straw-viewer | 742 | straw-viewer |
743 | strawberry | ||
740 | strings | 744 | strings |
741 | studio.sh | 745 | studio.sh |
742 | subdownloader | 746 | subdownloader |
@@ -863,10 +867,10 @@ wire-desktop | |||
863 | wireshark | 867 | wireshark |
864 | wireshark-gtk | 868 | wireshark-gtk |
865 | wireshark-qt | 869 | wireshark-qt |
870 | wordwarvi | ||
866 | wpp | 871 | wpp |
867 | wps | 872 | wps |
868 | wpspdf | 873 | wpspdf |
869 | wordwarvi | ||
870 | x2goclient | 874 | x2goclient |
871 | xbill | 875 | xbill |
872 | xcalc | 876 | xcalc |
@@ -908,6 +912,7 @@ zaproxy | |||
908 | zart | 912 | zart |
909 | zathura | 913 | zathura |
910 | zeal | 914 | zeal |
915 | zim | ||
911 | zoom | 916 | zoom |
912 | # zpaq - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) | 917 | # zpaq - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) |
913 | # zstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) | 918 | # zstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) |
diff --git a/src/firejail/main.c b/src/firejail/main.c index f64994e02..655e6e9d0 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -985,24 +985,16 @@ int main(int argc, char **argv, char **envp) { | |||
985 | int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot) | 985 | int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot) |
986 | char **ptr; | 986 | char **ptr; |
987 | 987 | ||
988 | #ifndef HAVE_SUID | ||
989 | if (geteuid() != 0) { | ||
990 | fprintf(stderr, "Error: Firejail needs to be SUID.\n"); | ||
991 | fprintf(stderr, "Assuming firejail is installed in /usr/bin, execute the following command as root:\n"); | ||
992 | fprintf(stderr, " chmod u+s /usr/bin/firejail\n"); | ||
993 | } | ||
994 | #endif | ||
995 | |||
996 | // sanitize the umask | 988 | // sanitize the umask |
997 | orig_umask = umask(022); | 989 | orig_umask = umask(022); |
998 | 990 | ||
999 | // check standard streams before printing anything | ||
1000 | fix_std_streams(); | ||
1001 | |||
1002 | // drop permissions by default and rise them when required | 991 | // drop permissions by default and rise them when required |
1003 | EUID_INIT(); | 992 | EUID_INIT(); |
1004 | EUID_USER(); | 993 | EUID_USER(); |
1005 | 994 | ||
995 | // check standard streams before opening any file | ||
996 | fix_std_streams(); | ||
997 | |||
1006 | // argument count should be larger than 0 | 998 | // argument count should be larger than 0 |
1007 | if (argc == 0 || !argv || strlen(argv[0]) == 0) { | 999 | if (argc == 0 || !argv || strlen(argv[0]) == 0) { |
1008 | fprintf(stderr, "Error: argv is invalid\n"); | 1000 | fprintf(stderr, "Error: argv is invalid\n"); |
@@ -1012,16 +1004,6 @@ int main(int argc, char **argv, char **envp) { | |||
1012 | exit(1); | 1004 | exit(1); |
1013 | } | 1005 | } |
1014 | 1006 | ||
1015 | // Stash environment variables | ||
1016 | for (i = 0, ptr = envp; ptr && *ptr && i < MAX_ENVS; i++, ptr++) | ||
1017 | env_store(*ptr, SETENV); | ||
1018 | |||
1019 | // sanity check for environment variables | ||
1020 | if (i >= MAX_ENVS) { | ||
1021 | fprintf(stderr, "Error: too many environment variables\n"); | ||
1022 | exit(1); | ||
1023 | } | ||
1024 | |||
1025 | // sanity check for arguments | 1007 | // sanity check for arguments |
1026 | for (i = 0; i < argc; i++) { | 1008 | for (i = 0; i < argc; i++) { |
1027 | if (*argv[i] == 0) { | 1009 | if (*argv[i] == 0) { |
@@ -1034,82 +1016,29 @@ int main(int argc, char **argv, char **envp) { | |||
1034 | } | 1016 | } |
1035 | } | 1017 | } |
1036 | 1018 | ||
1019 | // Stash environment variables | ||
1020 | for (i = 0, ptr = envp; ptr && *ptr && i < MAX_ENVS; i++, ptr++) | ||
1021 | env_store(*ptr, SETENV); | ||
1022 | |||
1023 | // sanity check for environment variables | ||
1024 | if (i >= MAX_ENVS) { | ||
1025 | fprintf(stderr, "Error: too many environment variables\n"); | ||
1026 | exit(1); | ||
1027 | } | ||
1028 | |||
1037 | // Reapply a minimal set of environment variables | 1029 | // Reapply a minimal set of environment variables |
1038 | env_apply_whitelist(); | 1030 | env_apply_whitelist(); |
1039 | 1031 | ||
1040 | // check if the user is allowed to use firejail | 1032 | // process --quiet |
1041 | init_cfg(argc, argv); | ||
1042 | |||
1043 | // get starting timestamp, process --quiet | ||
1044 | timetrace_start(); | ||
1045 | const char *env_quiet = env_get("FIREJAIL_QUIET"); | 1033 | const char *env_quiet = env_get("FIREJAIL_QUIET"); |
1046 | if (check_arg(argc, argv, "--quiet", 1) || (env_quiet && strcmp(env_quiet, "yes") == 0)) | 1034 | if (check_arg(argc, argv, "--quiet", 1) || (env_quiet && strcmp(env_quiet, "yes") == 0)) |
1047 | arg_quiet = 1; | 1035 | arg_quiet = 1; |
1048 | 1036 | ||
1049 | // cleanup at exit | 1037 | // check if the user is allowed to use firejail |
1050 | EUID_ROOT(); | 1038 | init_cfg(argc, argv); |
1051 | atexit(clear_atexit); | ||
1052 | |||
1053 | // build /run/firejail directory structure | ||
1054 | preproc_build_firejail_dir(); | ||
1055 | const char *container_name = env_get("container"); | ||
1056 | if (!container_name || strcmp(container_name, "firejail")) { | ||
1057 | lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR); | ||
1058 | if (lockfd_directory != -1) { | ||
1059 | int rv = fchown(lockfd_directory, 0, 0); | ||
1060 | (void) rv; | ||
1061 | flock(lockfd_directory, LOCK_EX); | ||
1062 | } | ||
1063 | preproc_clean_run(); | ||
1064 | flock(lockfd_directory, LOCK_UN); | ||
1065 | close(lockfd_directory); | ||
1066 | } | ||
1067 | EUID_USER(); | ||
1068 | |||
1069 | // --ip=dhcp - we need access to /sbin and /usr/sbin directories in order to run ISC DHCP client (dhclient) | ||
1070 | // these paths are disabled in disable-common.inc | ||
1071 | if ((i = check_arg(argc, argv, "--ip", 0)) != 0) { | ||
1072 | if (strncmp(argv[i] + 4, "=dhcp", 5) == 0) { | ||
1073 | profile_add("noblacklist /sbin"); | ||
1074 | profile_add("noblacklist /usr/sbin"); | ||
1075 | } | ||
1076 | } | ||
1077 | |||
1078 | // for appimages we need to remove "include disable-shell.inc from the profile | ||
1079 | // a --profile command can show up before --appimage | ||
1080 | if (check_arg(argc, argv, "--appimage", 1)) | ||
1081 | arg_appimage = 1; | ||
1082 | |||
1083 | // process allow-debuggers | ||
1084 | if (check_arg(argc, argv, "--allow-debuggers", 1)) { | ||
1085 | // check kernel version | ||
1086 | struct utsname u; | ||
1087 | int rv = uname(&u); | ||
1088 | if (rv != 0) | ||
1089 | errExit("uname"); | ||
1090 | int major; | ||
1091 | int minor; | ||
1092 | if (2 != sscanf(u.release, "%d.%d", &major, &minor)) { | ||
1093 | fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version); | ||
1094 | exit(1); | ||
1095 | } | ||
1096 | if (major < 4 || (major == 4 && minor < 8)) { | ||
1097 | fprintf(stderr, "Error: --allow-debuggers is disabled on Linux kernels prior to 4.8. " | ||
1098 | "A bug in ptrace call allows a full bypass of the seccomp filter. " | ||
1099 | "Your current kernel version is %d.%d.\n", major, minor); | ||
1100 | exit(1); | ||
1101 | } | ||
1102 | |||
1103 | arg_allow_debuggers = 1; | ||
1104 | char *cmd = strdup("noblacklist ${PATH}/strace"); | ||
1105 | if (!cmd) | ||
1106 | errExit("strdup"); | ||
1107 | profile_add(cmd); | ||
1108 | } | ||
1109 | 1039 | ||
1110 | // profile builder | 1040 | // get starting timestamp |
1111 | if (check_arg(argc, argv, "--build", 0)) // supports both --build and --build=filename | 1041 | timetrace_start(); |
1112 | run_builder(argc, argv); // this function will not return | ||
1113 | 1042 | ||
1114 | // check argv[0] symlink wrapper if this is not a login shell | 1043 | // check argv[0] symlink wrapper if this is not a login shell |
1115 | if (*argv[0] != '-') | 1044 | if (*argv[0] != '-') |
@@ -1134,15 +1063,40 @@ int main(int argc, char **argv, char **envp) { | |||
1134 | __builtin_unreachable(); | 1063 | __builtin_unreachable(); |
1135 | } | 1064 | } |
1136 | } | 1065 | } |
1137 | EUID_ASSERT(); | ||
1138 | 1066 | ||
1067 | // profile builder | ||
1068 | if (check_arg(argc, argv, "--build", 0)) // supports both --build and --build=filename | ||
1069 | run_builder(argc, argv); // this function will not return | ||
1139 | 1070 | ||
1140 | // check firejail directories | ||
1141 | EUID_ROOT(); | 1071 | EUID_ROOT(); |
1142 | delete_run_files(sandbox_pid); | 1072 | #ifndef HAVE_SUID |
1073 | if (geteuid() != 0) { | ||
1074 | fprintf(stderr, "Error: Firejail needs to be SUID.\n"); | ||
1075 | fprintf(stderr, "Assuming firejail is installed in /usr/bin, execute the following command as root:\n"); | ||
1076 | fprintf(stderr, " chmod u+s /usr/bin/firejail\n"); | ||
1077 | } | ||
1078 | #endif | ||
1079 | |||
1080 | // build /run/firejail directory structure | ||
1081 | preproc_build_firejail_dir(); | ||
1082 | const char *container_name = env_get("container"); | ||
1083 | if (!container_name || strcmp(container_name, "firejail")) { | ||
1084 | lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR); | ||
1085 | if (lockfd_directory != -1) { | ||
1086 | int rv = fchown(lockfd_directory, 0, 0); | ||
1087 | (void) rv; | ||
1088 | flock(lockfd_directory, LOCK_EX); | ||
1089 | } | ||
1090 | preproc_clean_run(); | ||
1091 | flock(lockfd_directory, LOCK_UN); | ||
1092 | close(lockfd_directory); | ||
1093 | } | ||
1094 | |||
1095 | delete_run_files(getpid()); | ||
1096 | atexit(clear_atexit); | ||
1143 | EUID_USER(); | 1097 | EUID_USER(); |
1144 | 1098 | ||
1145 | //check if the parent is sshd daemon | 1099 | // check if the parent is sshd daemon |
1146 | int parent_sshd = 0; | 1100 | int parent_sshd = 0; |
1147 | { | 1101 | { |
1148 | pid_t ppid = getppid(); | 1102 | pid_t ppid = getppid(); |
@@ -1199,7 +1153,8 @@ int main(int argc, char **argv, char **envp) { | |||
1199 | } | 1153 | } |
1200 | EUID_ASSERT(); | 1154 | EUID_ASSERT(); |
1201 | 1155 | ||
1202 | // is this a login shell, or a command passed by sshd, insert command line options from /etc/firejail/login.users | 1156 | // is this a login shell, or a command passed by sshd, |
1157 | // insert command line options from /etc/firejail/login.users | ||
1203 | if (*argv[0] == '-' || parent_sshd) { | 1158 | if (*argv[0] == '-' || parent_sshd) { |
1204 | if (argc == 1) | 1159 | if (argc == 1) |
1205 | login_shell = 1; | 1160 | login_shell = 1; |
@@ -1251,6 +1206,47 @@ int main(int argc, char **argv, char **envp) { | |||
1251 | #endif | 1206 | #endif |
1252 | EUID_ASSERT(); | 1207 | EUID_ASSERT(); |
1253 | 1208 | ||
1209 | // --ip=dhcp - we need access to /sbin and /usr/sbin directories in order to run ISC DHCP client (dhclient) | ||
1210 | // these paths are disabled in disable-common.inc | ||
1211 | if ((i = check_arg(argc, argv, "--ip", 0)) != 0) { | ||
1212 | if (strncmp(argv[i] + 4, "=dhcp", 5) == 0) { | ||
1213 | profile_add("noblacklist /sbin"); | ||
1214 | profile_add("noblacklist /usr/sbin"); | ||
1215 | } | ||
1216 | } | ||
1217 | |||
1218 | // process allow-debuggers | ||
1219 | if (check_arg(argc, argv, "--allow-debuggers", 1)) { | ||
1220 | // check kernel version | ||
1221 | struct utsname u; | ||
1222 | int rv = uname(&u); | ||
1223 | if (rv != 0) | ||
1224 | errExit("uname"); | ||
1225 | int major; | ||
1226 | int minor; | ||
1227 | if (2 != sscanf(u.release, "%d.%d", &major, &minor)) { | ||
1228 | fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version); | ||
1229 | exit(1); | ||
1230 | } | ||
1231 | if (major < 4 || (major == 4 && minor < 8)) { | ||
1232 | fprintf(stderr, "Error: --allow-debuggers is disabled on Linux kernels prior to 4.8. " | ||
1233 | "A bug in ptrace call allows a full bypass of the seccomp filter. " | ||
1234 | "Your current kernel version is %d.%d.\n", major, minor); | ||
1235 | exit(1); | ||
1236 | } | ||
1237 | |||
1238 | arg_allow_debuggers = 1; | ||
1239 | char *cmd = strdup("noblacklist ${PATH}/strace"); | ||
1240 | if (!cmd) | ||
1241 | errExit("strdup"); | ||
1242 | profile_add(cmd); | ||
1243 | } | ||
1244 | |||
1245 | // for appimages we need to remove "include disable-shell.inc from the profile | ||
1246 | // a --profile command can show up before --appimage | ||
1247 | if (check_arg(argc, argv, "--appimage", 1)) | ||
1248 | arg_appimage = 1; | ||
1249 | |||
1254 | // check for force-nonewprivs in /etc/firejail/firejail.config file | 1250 | // check for force-nonewprivs in /etc/firejail/firejail.config file |
1255 | if (checkcfg(CFG_FORCE_NONEWPRIVS)) | 1251 | if (checkcfg(CFG_FORCE_NONEWPRIVS)) |
1256 | arg_nonewprivs = 1; | 1252 | arg_nonewprivs = 1; |
@@ -2680,8 +2676,9 @@ int main(int argc, char **argv, char **envp) { | |||
2680 | //************************************* | 2676 | //************************************* |
2681 | else if (strncmp(argv[i], "--timeout=", 10) == 0) | 2677 | else if (strncmp(argv[i], "--timeout=", 10) == 0) |
2682 | cfg.timeout = extract_timeout(argv[i] + 10); | 2678 | cfg.timeout = extract_timeout(argv[i] + 10); |
2683 | else if (strcmp(argv[i], "--appimage") == 0) | 2679 | else if (strcmp(argv[i], "--appimage") == 0) { |
2684 | arg_appimage = 1; | 2680 | // already handled |
2681 | } | ||
2685 | else if (strcmp(argv[i], "--shell=none") == 0) { | 2682 | else if (strcmp(argv[i], "--shell=none") == 0) { |
2686 | arg_shell_none = 1; | 2683 | arg_shell_none = 1; |
2687 | if (cfg.shell) { | 2684 | if (cfg.shell) { |
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index 665bef73d..0e5562d90 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c | |||
@@ -49,6 +49,7 @@ int check_namespace_virt(void) { | |||
49 | // check PID 1 container environment variable | 49 | // check PID 1 container environment variable |
50 | EUID_ROOT(); | 50 | EUID_ROOT(); |
51 | FILE *fp = fopen("/proc/1/environ", "re"); | 51 | FILE *fp = fopen("/proc/1/environ", "re"); |
52 | EUID_USER(); | ||
52 | if (fp) { | 53 | if (fp) { |
53 | int c = 0; | 54 | int c = 0; |
54 | while (c != EOF) { | 55 | while (c != EOF) { |
@@ -69,7 +70,6 @@ int check_namespace_virt(void) { | |||
69 | // found it | 70 | // found it |
70 | if (is_container(buf + 10)) { | 71 | if (is_container(buf + 10)) { |
71 | fclose(fp); | 72 | fclose(fp); |
72 | EUID_USER(); | ||
73 | return 1; | 73 | return 1; |
74 | } | 74 | } |
75 | } | 75 | } |
@@ -79,7 +79,6 @@ int check_namespace_virt(void) { | |||
79 | fclose(fp); | 79 | fclose(fp); |
80 | } | 80 | } |
81 | 81 | ||
82 | EUID_USER(); | ||
83 | return 0; | 82 | return 0; |
84 | } | 83 | } |
85 | 84 | ||
diff --git a/src/firejail/output.c b/src/firejail/output.c index 835dff2db..ce10ab157 100644 --- a/src/firejail/output.c +++ b/src/firejail/output.c | |||
@@ -50,13 +50,21 @@ void check_output(int argc, char **argv) { | |||
50 | if (!outindex) | 50 | if (!outindex) |
51 | return; | 51 | return; |
52 | 52 | ||
53 | |||
54 | // check filename | ||
55 | drop_privs(0); | 53 | drop_privs(0); |
56 | char *outfile = argv[outindex]; | 54 | char *outfile = argv[outindex]; |
57 | outfile += (enable_stderr)? 16:9; | 55 | outfile += (enable_stderr)? 16:9; |
56 | |||
57 | // check filename | ||
58 | invalid_filename(outfile, 0); // no globbing | 58 | invalid_filename(outfile, 0); // no globbing |
59 | 59 | ||
60 | // expand user home directory | ||
61 | if (outfile[0] == '~') { | ||
62 | char *full; | ||
63 | if (asprintf(&full, "%s%s", cfg.homedir, outfile + 1) == -1) | ||
64 | errExit("asprintf"); | ||
65 | outfile = full; | ||
66 | } | ||
67 | |||
60 | // do not accept directories, links, and files with ".." | 68 | // do not accept directories, links, and files with ".." |
61 | if (strstr(outfile, "..") || is_link(outfile) || is_dir(outfile)) { | 69 | if (strstr(outfile, "..") || is_link(outfile) || is_dir(outfile)) { |
62 | fprintf(stderr, "Error: invalid output file. Links, directories and files with \"..\" are not allowed.\n"); | 70 | fprintf(stderr, "Error: invalid output file. Links, directories and files with \"..\" are not allowed.\n"); |
diff --git a/src/firejail/util.c b/src/firejail/util.c index de31ebdd6..094a68c60 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -1513,8 +1513,7 @@ void check_homedir(const char *dir) { | |||
1513 | exit(1); | 1513 | exit(1); |
1514 | } | 1514 | } |
1515 | // symlinks are rejected in many places | 1515 | // symlinks are rejected in many places |
1516 | if (has_link(dir)) { | 1516 | if (has_link(dir)) |
1517 | fprintf(stderr, "No full support for symbolic links in path of user directory.\n" | 1517 | fmessage("No full support for symbolic links in path of user directory.\n" |
1518 | "Please provide resolved path in password database (/etc/passwd).\n\n"); | 1518 | "Please provide resolved path in password database (/etc/passwd).\n\n"); |
1519 | } | ||
1520 | } | 1519 | } |
diff --git a/test/profiles/profile_syntax.exp b/test/profiles/profile_syntax.exp index 258089a39..a2cccb0d4 100755 --- a/test/profiles/profile_syntax.exp +++ b/test/profiles/profile_syntax.exp | |||
@@ -22,7 +22,7 @@ expect { | |||
22 | } | 22 | } |
23 | 23 | ||
24 | sleep 1 | 24 | sleep 1 |
25 | send -- "ls -l /etc/shadow\r" | 25 | send -- "ls -l /dev/console\r" |
26 | expect { | 26 | expect { |
27 | timeout {puts "TESTING ERROR 3\n";exit} | 27 | timeout {puts "TESTING ERROR 3\n";exit} |
28 | "root root" | 28 | "root root" |
diff --git a/test/profiles/test.profile b/test/profiles/test.profile index 26d6de849..27cb99606 100644 --- a/test/profiles/test.profile +++ b/test/profiles/test.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | blacklist /sbin/iptables | 1 | blacklist /sbin/iptables |
2 | blacklist /etc/shadow | 2 | blacklist /dev/console |
3 | blacklist /bin/rmdir | 3 | blacklist /bin/rmdir |
4 | blacklist ${PATH}/umount | 4 | blacklist ${PATH}/umount |
5 | blacklist ${PATH}/mount | 5 | blacklist ${PATH}/mount |