diff options
48 files changed, 247 insertions, 216 deletions
diff --git a/.gitignore b/.gitignore index 34a228a76..0d5979c8b 100644 --- a/.gitignore +++ b/.gitignore | |||
@@ -18,4 +18,4 @@ src/firecfg/firecfg | |||
18 | src/ftee/ftee | 18 | src/ftee/ftee |
19 | src/tags | 19 | src/tags |
20 | src/faudit/faudit | 20 | src/faudit/faudit |
21 | 21 | uids.h | |
diff --git a/Makefile.in b/Makefile.in index 6837d59cd..2a90a0fdd 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -290,7 +290,7 @@ uninstall: | |||
290 | rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon | 290 | rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon |
291 | rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg | 291 | rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg |
292 | 292 | ||
293 | DISTFILES = "src etc platform configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh COPYING README RELNOTES" | 293 | DISTFILES = "src etc platform configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES" |
294 | DISTFILES_TEST = "test/apps test/apps-x11 test/environment test/profiles test/utils test/compile test/dist-compile test/filters test/network test/fs test/sysutils" | 294 | DISTFILES_TEST = "test/apps test/apps-x11 test/environment test/profiles test/utils test/compile test/dist-compile test/filters test/network test/fs test/sysutils" |
295 | 295 | ||
296 | dist: | 296 | dist: |
@@ -37,6 +37,8 @@ Thomas Jarosch (https://github.com/thomasjfox) | |||
37 | - added tar (gtar), unzip and unrar profile | 37 | - added tar (gtar), unzip and unrar profile |
38 | - added file profile | 38 | - added file profile |
39 | - improved profile list | 39 | - improved profile list |
40 | - fixed small variable glitch in stat64() / lstat64() (libtracelog) | ||
41 | - added lstat() / lstat64() support to libtrace | ||
40 | Niklas Haas (https://github.com/haasn) | 42 | Niklas Haas (https://github.com/haasn) |
41 | - blacklisting for keybase.io's client | 43 | - blacklisting for keybase.io's client |
42 | Aleksey Manevich (https://github.com/manevich) | 44 | Aleksey Manevich (https://github.com/manevich) |
diff --git a/etc/0ad.profile b/etc/0ad.profile index 11fb45463..217cdeee0 100644 --- a/etc/0ad.profile +++ b/etc/0ad.profile | |||
@@ -8,16 +8,12 @@ include /etc/firejail/disable-passwdmgr.inc | |||
8 | include /etc/firejail/disable-programs.inc | 8 | include /etc/firejail/disable-programs.inc |
9 | 9 | ||
10 | # Whitelists | 10 | # Whitelists |
11 | mkdir ~/.cache | ||
12 | mkdir ~/.cache/0ad | 11 | mkdir ~/.cache/0ad |
13 | whitelist ~/.cache/0ad | 12 | whitelist ~/.cache/0ad |
14 | 13 | ||
15 | mkdir ~/.config | ||
16 | mkdir ~/.config/0ad | 14 | mkdir ~/.config/0ad |
17 | whitelist ~/.config/0ad | 15 | whitelist ~/.config/0ad |
18 | 16 | ||
19 | mkdir ~/.local | ||
20 | mkdir ~/.local/share | ||
21 | mkdir ~/.local/share/0ad | 17 | mkdir ~/.local/share/0ad |
22 | whitelist ~/.local/share/0ad | 18 | whitelist ~/.local/share/0ad |
23 | 19 | ||
diff --git a/etc/abrowser.profile b/etc/abrowser.profile index 65247e7d3..4aa18aa90 100644 --- a/etc/abrowser.profile +++ b/etc/abrowser.profile | |||
@@ -17,8 +17,6 @@ tracelog | |||
17 | whitelist ${DOWNLOADS} | 17 | whitelist ${DOWNLOADS} |
18 | mkdir ~/.mozilla | 18 | mkdir ~/.mozilla |
19 | whitelist ~/.mozilla | 19 | whitelist ~/.mozilla |
20 | mkdir ~/.cache | ||
21 | mkdir ~/.cache/mozilla | ||
22 | mkdir ~/.cache/mozilla/abrowser | 20 | mkdir ~/.cache/mozilla/abrowser |
23 | whitelist ~/.cache/mozilla/abrowser | 21 | whitelist ~/.cache/mozilla/abrowser |
24 | whitelist ~/dwhelper | 22 | whitelist ~/dwhelper |
diff --git a/etc/aweather.profile b/etc/aweather.profile index d617fb701..da93e8ba3 100644 --- a/etc/aweather.profile +++ b/etc/aweather.profile | |||
@@ -6,7 +6,6 @@ include /etc/firejail/disable-passwdmgr.inc | |||
6 | include /etc/firejail/disable-programs.inc | 6 | include /etc/firejail/disable-programs.inc |
7 | 7 | ||
8 | # Whitelist | 8 | # Whitelist |
9 | mkdir ~/.config | ||
10 | mkdir ~/.config/aweather | 9 | mkdir ~/.config/aweather |
11 | whitelist ~/.config/aweather | 10 | whitelist ~/.config/aweather |
12 | 11 | ||
diff --git a/etc/brave.profile b/etc/brave.profile index 4c42e9faa..4fc3a5bb0 100644 --- a/etc/brave.profile +++ b/etc/brave.profile | |||
@@ -14,6 +14,5 @@ seccomp | |||
14 | 14 | ||
15 | whitelist ${DOWNLOADS} | 15 | whitelist ${DOWNLOADS} |
16 | 16 | ||
17 | mkdir ~/.config | ||
18 | mkdir ~/.config/brave | 17 | mkdir ~/.config/brave |
19 | whitelist ~/.config/brave | 18 | whitelist ~/.config/brave |
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index 7b6238d98..76ee70679 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile | |||
@@ -7,10 +7,8 @@ include /etc/firejail/disable-devel.inc | |||
7 | include /etc/firejail/disable-passwdmgr.inc | 7 | include /etc/firejail/disable-passwdmgr.inc |
8 | 8 | ||
9 | whitelist ${HOME}/cherrytree | 9 | whitelist ${HOME}/cherrytree |
10 | mkdir ~/.config | ||
11 | mkdir ~/.config/cherrytree | 10 | mkdir ~/.config/cherrytree |
12 | whitelist ${HOME}/.config/cherrytree/ | 11 | whitelist ${HOME}/.config/cherrytree/ |
13 | mkdir ~/.local | ||
14 | mkdir ~/.local/share | 12 | mkdir ~/.local/share |
15 | whitelist ${HOME}/.local/share/ | 13 | whitelist ${HOME}/.local/share/ |
16 | 14 | ||
diff --git a/etc/chromium.profile b/etc/chromium.profile index 7cf2853ca..0d383aebf 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile | |||
@@ -11,10 +11,8 @@ include /etc/firejail/disable-programs.inc | |||
11 | netfilter | 11 | netfilter |
12 | 12 | ||
13 | whitelist ${DOWNLOADS} | 13 | whitelist ${DOWNLOADS} |
14 | mkdir ~/.config | ||
15 | mkdir ~/.config/chromium | 14 | mkdir ~/.config/chromium |
16 | whitelist ~/.config/chromium | 15 | whitelist ~/.config/chromium |
17 | mkdir ~/.cache | ||
18 | mkdir ~/.cache/chromium | 16 | mkdir ~/.cache/chromium |
19 | whitelist ~/.cache/chromium | 17 | whitelist ~/.cache/chromium |
20 | mkdir ~/.pki | 18 | mkdir ~/.pki |
diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile index afa77d1d4..ae487fa3c 100644 --- a/etc/cyberfox.profile +++ b/etc/cyberfox.profile | |||
@@ -17,7 +17,6 @@ tracelog | |||
17 | whitelist ${DOWNLOADS} | 17 | whitelist ${DOWNLOADS} |
18 | mkdir ~/.8pecxstudios | 18 | mkdir ~/.8pecxstudios |
19 | whitelist ~/.8pecxstudios | 19 | whitelist ~/.8pecxstudios |
20 | mkdir ~/.cache | ||
21 | mkdir ~/.cache/8pecxstudios | 20 | mkdir ~/.cache/8pecxstudios |
22 | whitelist ~/.cache/8pecxstudios | 21 | whitelist ~/.cache/8pecxstudios |
23 | whitelist ~/dwhelper | 22 | whitelist ~/dwhelper |
diff --git a/etc/dropbox.profile b/etc/dropbox.profile index 71e019f8c..40efd62b2 100644 --- a/etc/dropbox.profile +++ b/etc/dropbox.profile | |||
@@ -17,6 +17,5 @@ whitelist ~/.dropbox | |||
17 | mkdir ~/.dropbox-dist | 17 | mkdir ~/.dropbox-dist |
18 | whitelist ~/.dropbox-dist | 18 | whitelist ~/.dropbox-dist |
19 | 19 | ||
20 | mkdir ~/.config/autostart | ||
21 | mkfile ~/.config/autostart/dropbox.desktop | 20 | mkfile ~/.config/autostart/dropbox.desktop |
22 | whitelist ~/.config/autostart/dropbox.desktop | 21 | whitelist ~/.config/autostart/dropbox.desktop |
diff --git a/etc/epiphany.profile b/etc/epiphany.profile index 57191429a..0e898f02b 100644 --- a/etc/epiphany.profile +++ b/etc/epiphany.profile | |||
@@ -8,14 +8,10 @@ include /etc/firejail/disable-programs.inc | |||
8 | include /etc/firejail/disable-devel.inc | 8 | include /etc/firejail/disable-devel.inc |
9 | 9 | ||
10 | whitelist ${DOWNLOADS} | 10 | whitelist ${DOWNLOADS} |
11 | mkdir ${HOME}/.local | ||
12 | mkdir ${HOME}/.local/share | ||
13 | mkdir ${HOME}/.local/share/epiphany | 11 | mkdir ${HOME}/.local/share/epiphany |
14 | whitelist ${HOME}/.local/share/epiphany | 12 | whitelist ${HOME}/.local/share/epiphany |
15 | mkdir ${HOME}/.config | ||
16 | mkdir ${HOME}/.config/epiphany | 13 | mkdir ${HOME}/.config/epiphany |
17 | whitelist ${HOME}/.config/epiphany | 14 | whitelist ${HOME}/.config/epiphany |
18 | mkdir ${HOME}/.cache | ||
19 | mkdir ${HOME}/.cache/epiphany | 15 | mkdir ${HOME}/.cache/epiphany |
20 | whitelist ${HOME}/.cache/epiphany | 16 | whitelist ${HOME}/.cache/epiphany |
21 | include /etc/firejail/whitelist-common.inc | 17 | include /etc/firejail/whitelist-common.inc |
diff --git a/etc/firefox.profile b/etc/firefox.profile index 2cc4d3cd8..170d0fe10 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile | |||
@@ -17,8 +17,6 @@ tracelog | |||
17 | whitelist ${DOWNLOADS} | 17 | whitelist ${DOWNLOADS} |
18 | mkdir ~/.mozilla | 18 | mkdir ~/.mozilla |
19 | whitelist ~/.mozilla | 19 | whitelist ~/.mozilla |
20 | mkdir ~/.cache | ||
21 | mkdir ~/.cache/mozilla | ||
22 | mkdir ~/.cache/mozilla/firefox | 20 | mkdir ~/.cache/mozilla/firefox |
23 | whitelist ~/.cache/mozilla/firefox | 21 | whitelist ~/.cache/mozilla/firefox |
24 | whitelist ~/dwhelper | 22 | whitelist ~/dwhelper |
diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile index f248c385a..7e0eb486b 100644 --- a/etc/flashpeak-slimjet.profile +++ b/etc/flashpeak-slimjet.profile | |||
@@ -22,10 +22,8 @@ protocol unix,inet,inet6,netlink | |||
22 | seccomp | 22 | seccomp |
23 | 23 | ||
24 | whitelist ${DOWNLOADS} | 24 | whitelist ${DOWNLOADS} |
25 | mkdir ~/.config | ||
26 | mkdir ~/.config/slimjet | 25 | mkdir ~/.config/slimjet |
27 | whitelist ~/.config/slimjet | 26 | whitelist ~/.config/slimjet |
28 | mkdir ~/.cache | ||
29 | mkdir ~/.cache/slimjet | 27 | mkdir ~/.cache/slimjet |
30 | whitelist ~/.cache/slimjet | 28 | whitelist ~/.cache/slimjet |
31 | mkdir ~/.pki | 29 | mkdir ~/.pki |
diff --git a/etc/franz.profile b/etc/franz.profile index fc4a665de..3cb7942ab 100644 --- a/etc/franz.profile +++ b/etc/franz.profile | |||
@@ -14,10 +14,8 @@ nonewprivs | |||
14 | noroot | 14 | noroot |
15 | 15 | ||
16 | whitelist ${DOWNLOADS} | 16 | whitelist ${DOWNLOADS} |
17 | mkdir ~/.config | ||
18 | mkdir ~/.config/Franz | 17 | mkdir ~/.config/Franz |
19 | whitelist ~/.config/Franz | 18 | whitelist ~/.config/Franz |
20 | mkdir ~/.cache | ||
21 | mkdir ~/.cache/Franz | 19 | mkdir ~/.cache/Franz |
22 | whitelist ~/.cache/Franz | 20 | whitelist ~/.cache/Franz |
23 | mkdir ~/.pki | 21 | mkdir ~/.pki |
diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile index 11f9f9e33..fe870274f 100644 --- a/etc/google-chrome-beta.profile +++ b/etc/google-chrome-beta.profile | |||
@@ -11,10 +11,8 @@ include /etc/firejail/disable-programs.inc | |||
11 | netfilter | 11 | netfilter |
12 | 12 | ||
13 | whitelist ${DOWNLOADS} | 13 | whitelist ${DOWNLOADS} |
14 | mkdir ~/.config | ||
15 | mkdir ~/.config/google-chrome-beta | 14 | mkdir ~/.config/google-chrome-beta |
16 | whitelist ~/.config/google-chrome-beta | 15 | whitelist ~/.config/google-chrome-beta |
17 | mkdir ~/.cache | ||
18 | mkdir ~/.cache/google-chrome-beta | 16 | mkdir ~/.cache/google-chrome-beta |
19 | whitelist ~/.cache/google-chrome-beta | 17 | whitelist ~/.cache/google-chrome-beta |
20 | mkdir ~/.pki | 18 | mkdir ~/.pki |
diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile index f253e5a90..f6680ac2d 100644 --- a/etc/google-chrome-unstable.profile +++ b/etc/google-chrome-unstable.profile | |||
@@ -11,10 +11,8 @@ include /etc/firejail/disable-programs.inc | |||
11 | netfilter | 11 | netfilter |
12 | 12 | ||
13 | whitelist ${DOWNLOADS} | 13 | whitelist ${DOWNLOADS} |
14 | mkdir ~/.config | ||
15 | mkdir ~/.config/google-chrome-unstable | 14 | mkdir ~/.config/google-chrome-unstable |
16 | whitelist ~/.config/google-chrome-unstable | 15 | whitelist ~/.config/google-chrome-unstable |
17 | mkdir ~/.cache | ||
18 | mkdir ~/.cache/google-chrome-unstable | 16 | mkdir ~/.cache/google-chrome-unstable |
19 | whitelist ~/.cache/google-chrome-unstable | 17 | whitelist ~/.cache/google-chrome-unstable |
20 | mkdir ~/.pki | 18 | mkdir ~/.pki |
diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile index 5e168aae5..a9fcebe73 100644 --- a/etc/google-chrome.profile +++ b/etc/google-chrome.profile | |||
@@ -11,10 +11,8 @@ include /etc/firejail/disable-programs.inc | |||
11 | netfilter | 11 | netfilter |
12 | 12 | ||
13 | whitelist ${DOWNLOADS} | 13 | whitelist ${DOWNLOADS} |
14 | mkdir ~/.config | ||
15 | mkdir ~/.config/google-chrome | 14 | mkdir ~/.config/google-chrome |
16 | whitelist ~/.config/google-chrome | 15 | whitelist ~/.config/google-chrome |
17 | mkdir ~/.cache | ||
18 | mkdir ~/.cache/google-chrome | 16 | mkdir ~/.cache/google-chrome |
19 | whitelist ~/.cache/google-chrome | 17 | whitelist ~/.cache/google-chrome |
20 | mkdir ~/.pki | 18 | mkdir ~/.pki |
diff --git a/etc/gpredict.profile b/etc/gpredict.profile index 02bb4d24d..a8378a66e 100644 --- a/etc/gpredict.profile +++ b/etc/gpredict.profile | |||
@@ -6,7 +6,6 @@ include /etc/firejail/disable-passwdmgr.inc | |||
6 | include /etc/firejail/disable-programs.inc | 6 | include /etc/firejail/disable-programs.inc |
7 | 7 | ||
8 | # Whitelist | 8 | # Whitelist |
9 | mkdir ~/.config | ||
10 | mkdir ~/.config/Gpredict | 9 | mkdir ~/.config/Gpredict |
11 | whitelist ~/.config/Gpredict | 10 | whitelist ~/.config/Gpredict |
12 | 11 | ||
diff --git a/etc/hexchat.profile b/etc/hexchat.profile index 4e829c379..0d7ee6594 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile | |||
@@ -13,7 +13,6 @@ netfilter | |||
13 | protocol unix,inet,inet6 | 13 | protocol unix,inet,inet6 |
14 | seccomp | 14 | seccomp |
15 | 15 | ||
16 | mkdir ~/.config | ||
17 | mkdir ~/.config/hexchat | 16 | mkdir ~/.config/hexchat |
18 | whitelist ~/.config/hexchat | 17 | whitelist ~/.config/hexchat |
19 | include /etc/firejail/whitelist-common.inc | 18 | include /etc/firejail/whitelist-common.inc |
diff --git a/etc/icedove.profile b/etc/icedove.profile index e9a63c8dd..23254751b 100644 --- a/etc/icedove.profile +++ b/etc/icedove.profile | |||
@@ -11,7 +11,6 @@ mkdir ~/.icedove | |||
11 | whitelist ~/.icedove | 11 | whitelist ~/.icedove |
12 | 12 | ||
13 | noblacklist ~/.cache/icedove | 13 | noblacklist ~/.cache/icedove |
14 | mkdir ~/.cache | ||
15 | mkdir ~/.cache/icedove | 14 | mkdir ~/.cache/icedove |
16 | whitelist ~/.cache/icedove | 15 | whitelist ~/.cache/icedove |
17 | 16 | ||
diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile index d4b442df8..acb13e6b9 100644 --- a/etc/mupen64plus.profile +++ b/etc/mupen64plus.profile | |||
@@ -8,11 +8,8 @@ include /etc/firejail/disable-programs.inc | |||
8 | include /etc/firejail/disable-devel.inc | 8 | include /etc/firejail/disable-devel.inc |
9 | include /etc/firejail/disable-passwdmgr.inc | 9 | include /etc/firejail/disable-passwdmgr.inc |
10 | 10 | ||
11 | mkdir ${HOME}/.local | ||
12 | mkdir ${HOME}/.local/share | ||
13 | mkdir ${HOME}/.local/share/mupen64plus | 11 | mkdir ${HOME}/.local/share/mupen64plus |
14 | whitelist ${HOME}/.local/share/mupen64plus/ | 12 | whitelist ${HOME}/.local/share/mupen64plus/ |
15 | mkdir ${HOME}/.config | ||
16 | mkdir ${HOME}/.config/mupen64plus | 13 | mkdir ${HOME}/.config/mupen64plus |
17 | whitelist ${HOME}/.config/mupen64plus/ | 14 | whitelist ${HOME}/.config/mupen64plus/ |
18 | 15 | ||
diff --git a/etc/netsurf.profile b/etc/netsurf.profile index 3de6be238..1ed2163c2 100644 --- a/etc/netsurf.profile +++ b/etc/netsurf.profile | |||
@@ -15,10 +15,8 @@ seccomp | |||
15 | tracelog | 15 | tracelog |
16 | 16 | ||
17 | whitelist ${DOWNLOADS} | 17 | whitelist ${DOWNLOADS} |
18 | mkdir ~/.config | ||
19 | mkdir ~/.config/netsurf | 18 | mkdir ~/.config/netsurf |
20 | whitelist ~/.config/netsurf | 19 | whitelist ~/.config/netsurf |
21 | mkdir ~/.cache | ||
22 | mkdir ~/.cache/netsurf | 20 | mkdir ~/.cache/netsurf |
23 | whitelist ~/.cache/netsurf | 21 | whitelist ~/.cache/netsurf |
24 | 22 | ||
diff --git a/etc/opera-beta.profile b/etc/opera-beta.profile index 3d6edb286..12c91c744 100644 --- a/etc/opera-beta.profile +++ b/etc/opera-beta.profile | |||
@@ -8,10 +8,8 @@ include /etc/firejail/disable-devel.inc | |||
8 | netfilter | 8 | netfilter |
9 | 9 | ||
10 | whitelist ${DOWNLOADS} | 10 | whitelist ${DOWNLOADS} |
11 | mkdir ~/.config | ||
12 | mkdir ~/.config/opera-beta | 11 | mkdir ~/.config/opera-beta |
13 | whitelist ~/.config/opera-beta | 12 | whitelist ~/.config/opera-beta |
14 | mkdir ~/.cache | ||
15 | mkdir ~/.cache/opera-beta | 13 | mkdir ~/.cache/opera-beta |
16 | whitelist ~/.cache/opera-beta | 14 | whitelist ~/.cache/opera-beta |
17 | mkdir ~/.pki | 15 | mkdir ~/.pki |
diff --git a/etc/opera.profile b/etc/opera.profile index ff00eb349..e0c89a195 100644 --- a/etc/opera.profile +++ b/etc/opera.profile | |||
@@ -9,10 +9,8 @@ include /etc/firejail/disable-devel.inc | |||
9 | netfilter | 9 | netfilter |
10 | 10 | ||
11 | whitelist ${DOWNLOADS} | 11 | whitelist ${DOWNLOADS} |
12 | mkdir ~/.config | ||
13 | mkdir ~/.config/opera | 12 | mkdir ~/.config/opera |
14 | whitelist ~/.config/opera | 13 | whitelist ~/.config/opera |
15 | mkdir ~/.cache | ||
16 | mkdir ~/.cache/opera | 14 | mkdir ~/.cache/opera |
17 | whitelist ~/.cache/opera | 15 | whitelist ~/.cache/opera |
18 | mkdir ~/.opera | 16 | mkdir ~/.opera |
diff --git a/etc/palemoon.profile b/etc/palemoon.profile index 302c20d7d..acedaebb7 100644 --- a/etc/palemoon.profile +++ b/etc/palemoon.profile | |||
@@ -9,8 +9,6 @@ include /etc/firejail/whitelist-common.inc | |||
9 | whitelist ${DOWNLOADS} | 9 | whitelist ${DOWNLOADS} |
10 | mkdir ~/.moonchild productions | 10 | mkdir ~/.moonchild productions |
11 | whitelist ~/.moonchild productions | 11 | whitelist ~/.moonchild productions |
12 | mkdir ~/.cache | ||
13 | mkdir ~/.cache/moonchild productions | ||
14 | mkdir ~/.cache/moonchild productions/pale moon | 12 | mkdir ~/.cache/moonchild productions/pale moon |
15 | whitelist ~/.cache/moonchild productions/pale moon | 13 | whitelist ~/.cache/moonchild productions/pale moon |
16 | 14 | ||
diff --git a/etc/polari.profile b/etc/polari.profile index 366883c83..ac9530c40 100644 --- a/etc/polari.profile +++ b/etc/polari.profile | |||
@@ -3,18 +3,14 @@ include /etc/firejail/disable-common.inc | |||
3 | include /etc/firejail/disable-programs.inc | 3 | include /etc/firejail/disable-programs.inc |
4 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
5 | 5 | ||
6 | mkdir ${HOME}/.local | ||
7 | mkdir ${HOME}/.local/share/ | ||
8 | mkdir ${HOME}/.local/share/Empathy | 6 | mkdir ${HOME}/.local/share/Empathy |
9 | whitelist ${HOME}/.local/share/Empathy | 7 | whitelist ${HOME}/.local/share/Empathy |
10 | mkdir ${HOME}/.local/share/telepathy | 8 | mkdir ${HOME}/.local/share/telepathy |
11 | whitelist ${HOME}/.local/share/telepathy | 9 | whitelist ${HOME}/.local/share/telepathy |
12 | mkdir ${HOME}/.local/share/TpLogger | 10 | mkdir ${HOME}/.local/share/TpLogger |
13 | whitelist ${HOME}/.local/share/TpLogger | 11 | whitelist ${HOME}/.local/share/TpLogger |
14 | mkdir ${HOME}/.config | ||
15 | mkdir ${HOME}/.config/telepathy-account-widgets | 12 | mkdir ${HOME}/.config/telepathy-account-widgets |
16 | whitelist ${HOME}/.config/telepathy-account-widgets | 13 | whitelist ${HOME}/.config/telepathy-account-widgets |
17 | mkdir ${HOME}/.cache | ||
18 | mkdir ${HOME}/.cache/telepathy | 14 | mkdir ${HOME}/.cache/telepathy |
19 | whitelist ${HOME}/.cache/telepathy | 15 | whitelist ${HOME}/.cache/telepathy |
20 | mkdir ${HOME}/.purple | 16 | mkdir ${HOME}/.purple |
diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile index 9380237be..22c5bafc5 100644 --- a/etc/psi-plus.profile +++ b/etc/psi-plus.profile | |||
@@ -7,14 +7,10 @@ include /etc/firejail/disable-programs.inc | |||
7 | include /etc/firejail/disable-passwdmgr.inc | 7 | include /etc/firejail/disable-passwdmgr.inc |
8 | 8 | ||
9 | whitelist ${DOWNLOADS} | 9 | whitelist ${DOWNLOADS} |
10 | mkdir ~/.config | ||
11 | mkdir ~/.config/psi+ | 10 | mkdir ~/.config/psi+ |
12 | whitelist ~/.config/psi+ | 11 | whitelist ~/.config/psi+ |
13 | mkdir ~/.local | ||
14 | mkdir ~/.local/share | ||
15 | mkdir ~/.local/share/psi+ | 12 | mkdir ~/.local/share/psi+ |
16 | whitelist ~/.local/share/psi+ | 13 | whitelist ~/.local/share/psi+ |
17 | mkdir ~/.cache | ||
18 | mkdir ~/.cache/psi+ | 14 | mkdir ~/.cache/psi+ |
19 | whitelist ~/.cache/psi+ | 15 | whitelist ~/.cache/psi+ |
20 | 16 | ||
diff --git a/etc/quiterss.profile b/etc/quiterss.profile index f2b9959f6..2ab5d8a8e 100644 --- a/etc/quiterss.profile +++ b/etc/quiterss.profile | |||
@@ -4,14 +4,11 @@ include /etc/firejail/disable-passwdmgr.inc | |||
4 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
5 | 5 | ||
6 | whitelist ${HOME}/quiterssfeeds.opml | 6 | whitelist ${HOME}/quiterssfeeds.opml |
7 | mkdir ~/.config | ||
8 | mkdir ~/.config/QuiteRss | 7 | mkdir ~/.config/QuiteRss |
9 | whitelist ${HOME}/.config/QuiteRss/ | 8 | whitelist ${HOME}/.config/QuiteRss/ |
10 | whitelist ${HOME}/.config/QuiteRssrc | 9 | whitelist ${HOME}/.config/QuiteRssrc |
11 | mkdir ~/.local | ||
12 | mkdir ~/.local/share | 10 | mkdir ~/.local/share |
13 | whitelist ${HOME}/.local/share/ | 11 | whitelist ${HOME}/.local/share/ |
14 | mkdir ~/.cache | ||
15 | mkdir ~/.cache/QuiteRss | 12 | mkdir ~/.cache/QuiteRss |
16 | whitelist ${HOME}/.cache/QuiteRss | 13 | whitelist ${HOME}/.cache/QuiteRss |
17 | 14 | ||
diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile index b590f0ef1..0efb7b629 100644 --- a/etc/qutebrowser.profile +++ b/etc/qutebrowser.profile | |||
@@ -17,7 +17,6 @@ tracelog | |||
17 | whitelist ${DOWNLOADS} | 17 | whitelist ${DOWNLOADS} |
18 | mkdir ~/.config/qutebrowser | 18 | mkdir ~/.config/qutebrowser |
19 | whitelist ~/.config/qutebrowser | 19 | whitelist ~/.config/qutebrowser |
20 | mkdir ~/.cache | ||
21 | mkdir ~/.cache/qutebrowser | 20 | mkdir ~/.cache/qutebrowser |
22 | whitelist ~/.cache/qutebrowser | 21 | whitelist ~/.cache/qutebrowser |
23 | include /etc/firejail/whitelist-common.inc | 22 | include /etc/firejail/whitelist-common.inc |
diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile index 9ce4164c1..b981d9516 100644 --- a/etc/seamonkey.profile +++ b/etc/seamonkey.profile | |||
@@ -14,11 +14,8 @@ seccomp | |||
14 | tracelog | 14 | tracelog |
15 | 15 | ||
16 | whitelist ${DOWNLOADS} | 16 | whitelist ${DOWNLOADS} |
17 | mkdir ~/.mozilla | ||
18 | mkdir ~/.mozilla/seamonkey | 17 | mkdir ~/.mozilla/seamonkey |
19 | whitelist ~/.mozilla/seamonkey | 18 | whitelist ~/.mozilla/seamonkey |
20 | mkdir ~/.cache | ||
21 | mkdir ~/.cache/mozilla | ||
22 | mkdir ~/.cache/mozilla/seamonkey | 19 | mkdir ~/.cache/mozilla/seamonkey |
23 | whitelist ~/.cache/mozilla/seamonkey | 20 | whitelist ~/.cache/mozilla/seamonkey |
24 | whitelist ~/dwhelper | 21 | whitelist ~/dwhelper |
diff --git a/etc/spotify.profile b/etc/spotify.profile index ca575970b..6bcb99e0f 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile | |||
@@ -10,14 +10,10 @@ include /etc/firejail/disable-passwdmgr.inc | |||
10 | # Whitelist the folders needed by Spotify - This is more restrictive | 10 | # Whitelist the folders needed by Spotify - This is more restrictive |
11 | # than a blacklist though, but this is all spotify requires for | 11 | # than a blacklist though, but this is all spotify requires for |
12 | # streaming audio | 12 | # streaming audio |
13 | mkdir ${HOME}/.config | ||
14 | mkdir ${HOME}/.config/spotify | 13 | mkdir ${HOME}/.config/spotify |
15 | whitelist ${HOME}/.config/spotify | 14 | whitelist ${HOME}/.config/spotify |
16 | mkdir ${HOME}/.local | ||
17 | mkdir ${HOME}/.local/share | ||
18 | mkdir ${HOME}/.local/share/spotify | 15 | mkdir ${HOME}/.local/share/spotify |
19 | whitelist ${HOME}/.local/share/spotify | 16 | whitelist ${HOME}/.local/share/spotify |
20 | mkdir ${HOME}/.cache | ||
21 | mkdir ${HOME}/.cache/spotify | 17 | mkdir ${HOME}/.cache/spotify |
22 | whitelist ${HOME}/.cache/spotify | 18 | whitelist ${HOME}/.cache/spotify |
23 | include /etc/firejail/whitelist-common.inc | 19 | include /etc/firejail/whitelist-common.inc |
diff --git a/etc/stellarium.profile b/etc/stellarium.profile index d0c1326b3..adefa75ff 100644 --- a/etc/stellarium.profile +++ b/etc/stellarium.profile | |||
@@ -9,7 +9,6 @@ include /etc/firejail/disable-programs.inc | |||
9 | # Whitelist | 9 | # Whitelist |
10 | mkdir ~/.stellarium | 10 | mkdir ~/.stellarium |
11 | whitelist ~/.stellarium | 11 | whitelist ~/.stellarium |
12 | mkdir ~/.config | ||
13 | mkdir ~/.config/stellarium | 12 | mkdir ~/.config/stellarium |
14 | whitelist ~/.config/stellarium | 13 | whitelist ~/.config/stellarium |
15 | 14 | ||
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile index 7882367b9..5db50da4d 100644 --- a/etc/thunderbird.profile +++ b/etc/thunderbird.profile | |||
@@ -11,7 +11,6 @@ mkdir ~/.thunderbird | |||
11 | whitelist ~/.thunderbird | 11 | whitelist ~/.thunderbird |
12 | 12 | ||
13 | noblacklist ~/.cache/thunderbird | 13 | noblacklist ~/.cache/thunderbird |
14 | mkdir ~/.cache | ||
15 | mkdir ~/.cache/thunderbird | 14 | mkdir ~/.cache/thunderbird |
16 | whitelist ~/.cache/thunderbird | 15 | whitelist ~/.cache/thunderbird |
17 | 16 | ||
diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile index 269f8f0fd..522b4bd1e 100644 --- a/etc/uget-gtk.profile +++ b/etc/uget-gtk.profile | |||
@@ -13,7 +13,6 @@ protocol unix,inet,inet6 | |||
13 | seccomp | 13 | seccomp |
14 | 14 | ||
15 | whitelist ${DOWNLOADS} | 15 | whitelist ${DOWNLOADS} |
16 | mkdir ~/.config | ||
17 | mkdir ~/.config/uGet | 16 | mkdir ~/.config/uGet |
18 | whitelist ~/.config/uGet | 17 | whitelist ~/.config/uGet |
19 | include /etc/firejail/whitelist-common.inc | 18 | include /etc/firejail/whitelist-common.inc |
diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile index 2049d2bd9..3c608dccb 100644 --- a/etc/vivaldi.profile +++ b/etc/vivaldi.profile | |||
@@ -9,10 +9,8 @@ netfilter | |||
9 | nonewprivs | 9 | nonewprivs |
10 | 10 | ||
11 | whitelist ${DOWNLOADS} | 11 | whitelist ${DOWNLOADS} |
12 | mkdir ~/.config | ||
13 | mkdir ~/.config/vivaldi | 12 | mkdir ~/.config/vivaldi |
14 | whitelist ~/.config/vivaldi | 13 | whitelist ~/.config/vivaldi |
15 | mkdir ~/.cache | ||
16 | mkdir ~/.cache/vivaldi | 14 | mkdir ~/.cache/vivaldi |
17 | whitelist ~/.cache/vivaldi | 15 | whitelist ~/.cache/vivaldi |
18 | include /etc/firejail/whitelist-common.inc | 16 | include /etc/firejail/whitelist-common.inc |
diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile index cd0c6406f..2ddb59d11 100644 --- a/etc/wesnoth.profile +++ b/etc/wesnoth.profile | |||
@@ -18,12 +18,8 @@ private-dev | |||
18 | 18 | ||
19 | whitelist /tmp/.X11-unix | 19 | whitelist /tmp/.X11-unix |
20 | 20 | ||
21 | mkdir ${HOME}/.local | ||
22 | mkdir ${HOME}/.local/share | ||
23 | mkdir ${HOME}/.local/share/wesnoth | 21 | mkdir ${HOME}/.local/share/wesnoth |
24 | mkdir ${HOME}/.config | ||
25 | mkdir ${HOME}/.config/wesnoth | 22 | mkdir ${HOME}/.config/wesnoth |
26 | mkdir ${HOME}/.cache | ||
27 | mkdir ${HOME}/.cache/wesnoth | 23 | mkdir ${HOME}/.cache/wesnoth |
28 | whitelist ${HOME}/.local/share/wesnoth | 24 | whitelist ${HOME}/.local/share/wesnoth |
29 | whitelist ${HOME}/.config/wesnoth | 25 | whitelist ${HOME}/.config/wesnoth |
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc index b3a1a1d30..2317133c5 100644 --- a/etc/whitelist-common.inc +++ b/etc/whitelist-common.inc | |||
@@ -24,6 +24,5 @@ whitelist ~/.config/gtk-3.0 | |||
24 | whitelist ~/.themes | 24 | whitelist ~/.themes |
25 | 25 | ||
26 | # dconf | 26 | # dconf |
27 | mkdir ~/.config | ||
28 | mkdir ~/.config/dconf | 27 | mkdir ~/.config/dconf |
29 | whitelist ~/.config/dconf | 28 | whitelist ~/.config/dconf |
diff --git a/src/firejail/cmdline.c b/src/firejail/cmdline.c new file mode 100644 index 000000000..517124d9e --- /dev/null +++ b/src/firejail/cmdline.c | |||
@@ -0,0 +1,151 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2016 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | |||
21 | #include "firejail.h" | ||
22 | #include <string.h> | ||
23 | #include <stdbool.h> | ||
24 | #include <stdio.h> | ||
25 | #include <linux/limits.h> | ||
26 | #include <assert.h> | ||
27 | #include <errno.h> | ||
28 | |||
29 | int cmdline_length(int argc, char **argv, int index) { | ||
30 | int i,j; | ||
31 | int len = 0; | ||
32 | int argcnt = argc - index; | ||
33 | bool in_quotes = false; | ||
34 | |||
35 | for (i = 0; i < argcnt; i++) { | ||
36 | in_quotes = false; | ||
37 | for (j = 0; j < strlen(argv[i + index]); j++) { | ||
38 | if (argv[i + index][j] == '\'') { | ||
39 | if (in_quotes) | ||
40 | len++; | ||
41 | if (j > 0 && argv[i + index][j-1] == '\'') | ||
42 | len++; | ||
43 | else | ||
44 | len += 3; | ||
45 | in_quotes = false; | ||
46 | } else { | ||
47 | if (!in_quotes) | ||
48 | len++; | ||
49 | len++; | ||
50 | in_quotes = true; | ||
51 | } | ||
52 | } | ||
53 | if (in_quotes) { | ||
54 | len++; | ||
55 | } | ||
56 | if (strlen(argv[i + index]) == 0) { | ||
57 | len += 2; | ||
58 | } | ||
59 | len++; | ||
60 | } | ||
61 | |||
62 | return len; | ||
63 | } | ||
64 | |||
65 | void quote_cmdline(char *command_line, char *window_title, int len, int argc, char **argv, int index) { | ||
66 | int i,j; | ||
67 | int argcnt = argc - index; | ||
68 | bool in_quotes = false; | ||
69 | char *ptr1 = command_line; | ||
70 | char *ptr2 = window_title; | ||
71 | |||
72 | for (i = 0; i < argcnt; i++) { | ||
73 | |||
74 | // enclose args by single quotes, | ||
75 | // and since single quote can't be represented in single quoted text | ||
76 | // each occurence of it should be enclosed by double quotes | ||
77 | in_quotes = false; | ||
78 | for (j = 0; j < strlen(argv[i + index]); j++) { | ||
79 | // single quote | ||
80 | if (argv[i + index][j] == '\'') { | ||
81 | if (in_quotes) { | ||
82 | // close quotes | ||
83 | ptr1[0] = '\''; | ||
84 | ptr1++; | ||
85 | } | ||
86 | // previous char was single quote too | ||
87 | if (j > 0 && argv[i + index][j-1] == '\'') { | ||
88 | ptr1--; | ||
89 | sprintf(ptr1, "\'\""); | ||
90 | } | ||
91 | // this first in series | ||
92 | else | ||
93 | { | ||
94 | sprintf(ptr1, "\"\'\""); | ||
95 | } | ||
96 | ptr1 += strlen(ptr1); | ||
97 | in_quotes = false; | ||
98 | } | ||
99 | // anything other | ||
100 | else | ||
101 | { | ||
102 | if (!in_quotes) { | ||
103 | // open quotes | ||
104 | ptr1[0] = '\''; | ||
105 | ptr1++; | ||
106 | } | ||
107 | ptr1[0] = argv[i + index][j]; | ||
108 | ptr1++; | ||
109 | in_quotes = true; | ||
110 | } | ||
111 | } | ||
112 | // close quotes | ||
113 | if (in_quotes) { | ||
114 | ptr1[0] = '\''; | ||
115 | ptr1++; | ||
116 | } | ||
117 | // handle empty argument case | ||
118 | if (strlen(argv[i + index]) == 0) { | ||
119 | sprintf(ptr1, "\'\'"); | ||
120 | ptr1 += strlen(ptr1); | ||
121 | } | ||
122 | // add space | ||
123 | sprintf(ptr1, " "); | ||
124 | ptr1 += strlen(ptr1); | ||
125 | |||
126 | sprintf(ptr2, "%s ", argv[i + index]); | ||
127 | ptr2 += strlen(ptr2); | ||
128 | } | ||
129 | |||
130 | assert(len == strlen(command_line)); | ||
131 | } | ||
132 | |||
133 | void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index) { | ||
134 | int len = cmdline_length(argc, argv, index); | ||
135 | if (len > ARG_MAX) { | ||
136 | errno = E2BIG; | ||
137 | errExit("cmdline_length"); | ||
138 | } | ||
139 | |||
140 | *command_line = malloc(len + 1); | ||
141 | if (!*command_line) | ||
142 | errExit("malloc"); | ||
143 | *window_title = malloc(len + 1); | ||
144 | if (!*window_title) | ||
145 | errExit("malloc"); | ||
146 | |||
147 | quote_cmdline(*command_line, *window_title, len, argc, argv, index); | ||
148 | |||
149 | assert(*command_line); | ||
150 | assert(*window_title); | ||
151 | } | ||
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c index 50bcc613b..5bc2df2cc 100644 --- a/src/firejail/fs_mkdir.c +++ b/src/firejail/fs_mkdir.c | |||
@@ -22,8 +22,38 @@ | |||
22 | #include <sys/stat.h> | 22 | #include <sys/stat.h> |
23 | #include <unistd.h> | 23 | #include <unistd.h> |
24 | #include <grp.h> | 24 | #include <grp.h> |
25 | #include <sys/wait.h> | 25 | #include <sys/wait.h> |
26 | 26 | #include <string.h> | |
27 | |||
28 | static void mkdir_recursive(char *path) { | ||
29 | char *subdir = NULL; | ||
30 | struct stat s; | ||
31 | |||
32 | if (chdir("/")) { | ||
33 | fprintf(stderr, "Error: can't chdir to /"); | ||
34 | return; | ||
35 | } | ||
36 | |||
37 | subdir = strtok(path, "/"); | ||
38 | while(subdir) { | ||
39 | if (stat(subdir, &s) == -1) { | ||
40 | if (mkdir(subdir, 0700) == -1) { | ||
41 | fprintf(stderr, "Warning: cannot create %s directory\n", subdir); | ||
42 | return; | ||
43 | } | ||
44 | } else if (!S_ISDIR(s.st_mode)) { | ||
45 | fprintf(stderr, "Warning: '%s' exists, but is no directory\n", subdir); | ||
46 | return; | ||
47 | } | ||
48 | if (chdir(subdir)) { | ||
49 | fprintf(stderr, "Error: can't chdir to %s", subdir); | ||
50 | return; | ||
51 | } | ||
52 | |||
53 | subdir = strtok(NULL, "/"); | ||
54 | } | ||
55 | } | ||
56 | |||
27 | void fs_mkdir(const char *name) { | 57 | void fs_mkdir(const char *name) { |
28 | EUID_ASSERT(); | 58 | EUID_ASSERT(); |
29 | 59 | ||
@@ -50,8 +80,7 @@ void fs_mkdir(const char *name) { | |||
50 | drop_privs(0); | 80 | drop_privs(0); |
51 | 81 | ||
52 | // create directory | 82 | // create directory |
53 | if (mkdir(expanded, 0700) == -1) | 83 | mkdir_recursive(expanded); |
54 | fprintf(stderr, "Warning: cannot create %s directory\n", expanded); | ||
55 | exit(0); | 84 | exit(0); |
56 | } | 85 | } |
57 | // wait for the child to finish | 86 | // wait for the child to finish |
@@ -101,4 +130,4 @@ void fs_mkfile(const char *name) { | |||
101 | 130 | ||
102 | doexit: | 131 | doexit: |
103 | free(expanded); | 132 | free(expanded); |
104 | } \ No newline at end of file | 133 | } |
diff --git a/src/firejail/join.c b/src/firejail/join.c index c14108986..0b5b6a34a 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
@@ -49,29 +49,9 @@ static void extract_command(int argc, char **argv, int index) { | |||
49 | exit(1); | 49 | exit(1); |
50 | } | 50 | } |
51 | 51 | ||
52 | |||
53 | int len = 0; | ||
54 | int i; | ||
55 | // calculate command length | ||
56 | for (i = index; i < argc; i++) { | ||
57 | len += strlen(argv[i]) + 3; | ||
58 | } | ||
59 | assert(len > 0); | ||
60 | |||
61 | // build command | 52 | // build command |
62 | cfg.command_line = malloc(len + 1); | 53 | build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, index); |
63 | *cfg.command_line = '\0'; | 54 | |
64 | for (i = index; i < argc; i++) { | ||
65 | if (strchr(argv[i], '&')) { | ||
66 | strcat(cfg.command_line, "\'"); | ||
67 | strcat(cfg.command_line, argv[i]); | ||
68 | strcat(cfg.command_line, "\' "); | ||
69 | } | ||
70 | else { | ||
71 | strcat(cfg.command_line, argv[i]); | ||
72 | strcat(cfg.command_line, " "); | ||
73 | } | ||
74 | } | ||
75 | if (arg_debug) | 55 | if (arg_debug) |
76 | printf("Extracted command #%s#\n", cfg.command_line); | 56 | printf("Extracted command #%s#\n", cfg.command_line); |
77 | } | 57 | } |
diff --git a/src/firejail/main.c b/src/firejail/main.c index cbc3d57cf..e86d78ff1 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -2004,109 +2004,7 @@ int main(int argc, char **argv) { | |||
2004 | cfg.window_title = "appimage"; | 2004 | cfg.window_title = "appimage"; |
2005 | } | 2005 | } |
2006 | else { | 2006 | else { |
2007 | // calculate the length of the command | 2007 | build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index); |
2008 | int i; | ||
2009 | int len = 0; | ||
2010 | int argcnt = argc - prog_index; | ||
2011 | int j; | ||
2012 | bool in_quotes = false; | ||
2013 | |||
2014 | for (i = 0; i < argcnt; i++) { | ||
2015 | in_quotes = false; | ||
2016 | for (j = 0; j < strlen(argv[i + prog_index]); j++) { | ||
2017 | if (argv[i + prog_index][j] == '\'') { | ||
2018 | if (in_quotes) | ||
2019 | len++; | ||
2020 | if (j > 0 && argv[i + prog_index][j-1] == '\'') | ||
2021 | len++; | ||
2022 | else | ||
2023 | len += 3; | ||
2024 | in_quotes = false; | ||
2025 | } else { | ||
2026 | if (!in_quotes) | ||
2027 | len++; | ||
2028 | len++; | ||
2029 | in_quotes = true; | ||
2030 | } | ||
2031 | } | ||
2032 | if (in_quotes) { | ||
2033 | len++; | ||
2034 | } | ||
2035 | if (strlen(argv[i + prog_index]) == 0) { | ||
2036 | len += 2; | ||
2037 | } | ||
2038 | len++; | ||
2039 | } | ||
2040 | |||
2041 | // build the string | ||
2042 | cfg.command_line = malloc(len + 1); // + '\0' | ||
2043 | if (!cfg.command_line) | ||
2044 | errExit("malloc"); | ||
2045 | cfg.window_title = malloc(len + 1); // + '\0' | ||
2046 | if (!cfg.window_title) | ||
2047 | errExit("malloc"); | ||
2048 | |||
2049 | char *ptr1 = cfg.command_line; | ||
2050 | char *ptr2 = cfg.window_title; | ||
2051 | for (i = 0; i < argcnt; i++) { | ||
2052 | |||
2053 | // enclose args by single quotes, | ||
2054 | // and since single quote can't be represented in single quoted text | ||
2055 | // each occurence of it should be enclosed by double quotes | ||
2056 | in_quotes = false; | ||
2057 | for (j = 0; j < strlen(argv[i + prog_index]); j++) { | ||
2058 | // single quote | ||
2059 | if (argv[i + prog_index][j] == '\'') { | ||
2060 | if (in_quotes) { | ||
2061 | // close quotes | ||
2062 | ptr1[0] = '\''; | ||
2063 | ptr1++; | ||
2064 | } | ||
2065 | // previous char was single quote too | ||
2066 | if (j > 0 && argv[i + prog_index][j-1] == '\'') { | ||
2067 | ptr1--; | ||
2068 | sprintf(ptr1, "\'\""); | ||
2069 | } | ||
2070 | // this first in series | ||
2071 | else | ||
2072 | { | ||
2073 | sprintf(ptr1, "\"\'\""); | ||
2074 | } | ||
2075 | ptr1 += strlen(ptr1); | ||
2076 | in_quotes = false; | ||
2077 | } | ||
2078 | // anything other | ||
2079 | else | ||
2080 | { | ||
2081 | if (!in_quotes) { | ||
2082 | // open quotes | ||
2083 | ptr1[0] = '\''; | ||
2084 | ptr1++; | ||
2085 | } | ||
2086 | ptr1[0] = argv[i + prog_index][j]; | ||
2087 | ptr1++; | ||
2088 | in_quotes = true; | ||
2089 | } | ||
2090 | } | ||
2091 | // close quotes | ||
2092 | if (in_quotes) { | ||
2093 | ptr1[0] = '\''; | ||
2094 | ptr1++; | ||
2095 | } | ||
2096 | // handle empty argument case | ||
2097 | if (strlen(argv[i + prog_index]) == 0) { | ||
2098 | sprintf(ptr1, "\'\'"); | ||
2099 | ptr1 += strlen(ptr1); | ||
2100 | } | ||
2101 | // add space | ||
2102 | sprintf(ptr1, " "); | ||
2103 | ptr1 += strlen(ptr1); | ||
2104 | |||
2105 | sprintf(ptr2, "%s ", argv[i + prog_index]); | ||
2106 | ptr2 += strlen(ptr2); | ||
2107 | } | ||
2108 | |||
2109 | assert(len == strlen(cfg.command_line)); | ||
2110 | } | 2008 | } |
2111 | 2009 | ||
2112 | assert(cfg.command_name); | 2010 | assert(cfg.command_name); |
diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c index a3d1571f7..dde3df2ea 100644 --- a/src/libtrace/libtrace.c +++ b/src/libtrace/libtrace.c | |||
@@ -423,11 +423,36 @@ int stat(const char *pathname, struct stat *buf) { | |||
423 | typedef int (*orig_stat64_t)(const char *pathname, struct stat64 *buf); | 423 | typedef int (*orig_stat64_t)(const char *pathname, struct stat64 *buf); |
424 | static orig_stat64_t orig_stat64 = NULL; | 424 | static orig_stat64_t orig_stat64 = NULL; |
425 | int stat64(const char *pathname, struct stat64 *buf) { | 425 | int stat64(const char *pathname, struct stat64 *buf) { |
426 | if (!orig_stat) | 426 | if (!orig_stat64) |
427 | orig_stat64 = (orig_stat64_t)dlsym(RTLD_NEXT, "stat64"); | 427 | orig_stat64 = (orig_stat64_t)dlsym(RTLD_NEXT, "stat64"); |
428 | 428 | ||
429 | int rv = orig_stat64(pathname, buf); | 429 | int rv = orig_stat64(pathname, buf); |
430 | printf("%u:%s:stat %s:%d\n", pid(), name(), pathname, rv); | 430 | printf("%u:%s:stat64 %s:%d\n", pid(), name(), pathname, rv); |
431 | return rv; | ||
432 | } | ||
433 | #endif /* __GLIBC__ */ | ||
434 | |||
435 | // lstat | ||
436 | typedef int (*orig_lstat_t)(const char *pathname, struct stat *buf); | ||
437 | static orig_lstat_t orig_lstat = NULL; | ||
438 | int lstat(const char *pathname, struct stat *buf) { | ||
439 | if (!orig_lstat) | ||
440 | orig_lstat = (orig_lstat_t)dlsym(RTLD_NEXT, "lstat"); | ||
441 | |||
442 | int rv = orig_lstat(pathname, buf); | ||
443 | printf("%u:%s:lstat %s:%d\n", pid(), name(), pathname, rv); | ||
444 | return rv; | ||
445 | } | ||
446 | |||
447 | #ifdef __GLIBC__ | ||
448 | typedef int (*orig_lstat64_t)(const char *pathname, struct stat64 *buf); | ||
449 | static orig_lstat64_t orig_lstat64 = NULL; | ||
450 | int lstat64(const char *pathname, struct stat64 *buf) { | ||
451 | if (!orig_lstat64) | ||
452 | orig_lstat64 = (orig_lstat64_t)dlsym(RTLD_NEXT, "lstat64"); | ||
453 | |||
454 | int rv = orig_lstat64(pathname, buf); | ||
455 | printf("%u:%s:lstat64 %s:%d\n", pid(), name(), pathname, rv); | ||
431 | return rv; | 456 | return rv; |
432 | } | 457 | } |
433 | #endif /* __GLIBC__ */ | 458 | #endif /* __GLIBC__ */ |
diff --git a/src/libtracelog/libtracelog.c b/src/libtracelog/libtracelog.c index 3e65587c4..dedba5513 100644 --- a/src/libtracelog/libtracelog.c +++ b/src/libtracelog/libtracelog.c | |||
@@ -562,7 +562,7 @@ int stat64(const char *pathname, struct stat64 *buf) { | |||
562 | #ifdef DEBUG | 562 | #ifdef DEBUG |
563 | printf("%s %s\n", __FUNCTION__, pathname); | 563 | printf("%s %s\n", __FUNCTION__, pathname); |
564 | #endif | 564 | #endif |
565 | if (!orig_stat) | 565 | if (!orig_stat64) |
566 | orig_stat64 = (orig_stat64_t)dlsym(RTLD_NEXT, "stat64"); | 566 | orig_stat64 = (orig_stat64_t)dlsym(RTLD_NEXT, "stat64"); |
567 | if (!blacklist_loaded) | 567 | if (!blacklist_loaded) |
568 | load_blacklist(); | 568 | load_blacklist(); |
@@ -598,7 +598,7 @@ int lstat64(const char *pathname, struct stat64 *buf) { | |||
598 | #ifdef DEBUG | 598 | #ifdef DEBUG |
599 | printf("%s %s\n", __FUNCTION__, pathname); | 599 | printf("%s %s\n", __FUNCTION__, pathname); |
600 | #endif | 600 | #endif |
601 | if (!orig_lstat) | 601 | if (!orig_lstat64) |
602 | orig_lstat64 = (orig_lstat64_t)dlsym(RTLD_NEXT, "lstat64"); | 602 | orig_lstat64 = (orig_lstat64_t)dlsym(RTLD_NEXT, "lstat64"); |
603 | if (!blacklist_loaded) | 603 | if (!blacklist_loaded) |
604 | load_blacklist(); | 604 | load_blacklist(); |
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 504842a9e..7e33a6b45 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -136,7 +136,7 @@ The directory is created if it doesn't already exist. | |||
136 | .br | 136 | .br |
137 | Use this command for whitelisted directories you need to preserve | 137 | Use this command for whitelisted directories you need to preserve |
138 | when the sandbox is closed. Without it, the application will create the directory, and the directory | 138 | when the sandbox is closed. Without it, the application will create the directory, and the directory |
139 | will be deleted when the sandbox is closed. Subdirectories also need to be created using mkdir. Example from | 139 | will be deleted when the sandbox is closed. Subdirectories are recursively created. Example from |
140 | firefox profile: | 140 | firefox profile: |
141 | .br | 141 | .br |
142 | 142 | ||
@@ -145,17 +145,13 @@ mkdir ~/.mozilla | |||
145 | .br | 145 | .br |
146 | whitelist ~/.mozilla | 146 | whitelist ~/.mozilla |
147 | .br | 147 | .br |
148 | mkdir ~/.cache | ||
149 | .br | ||
150 | mkdir ~/.cache/mozilla | ||
151 | .br | ||
152 | mkdir ~/.cache/mozilla/firefox | 148 | mkdir ~/.cache/mozilla/firefox |
153 | .br | 149 | .br |
154 | whitelist ~/.cache/mozilla/firefox | 150 | whitelist ~/.cache/mozilla/firefox |
155 | .TP | 151 | .TP |
156 | \fBmkfile file | 152 | \fBmkfile file |
157 | Similar to mkdir, this command creates a file in user home before the sandbox is started. | 153 | Similar to mkdir, this command creates a file in user home before the sandbox is started. |
158 | The file is created if it doesn't already exist. | 154 | The file is created if it doesn't already exist, but it's target directory has to exist. |
159 | .TP | 155 | .TP |
160 | \fBnoexec file_or_directory | 156 | \fBnoexec file_or_directory |
161 | Remount the file or the directory noexec, nodev and nosuid. | 157 | Remount the file or the directory noexec, nodev and nosuid. |
diff --git a/test/fs/fs.sh b/test/fs/fs.sh index 08888020c..00e6e29c2 100755 --- a/test/fs/fs.sh +++ b/test/fs/fs.sh | |||
@@ -51,5 +51,6 @@ echo "TESTING: blacklist glob (test/fs/option_blacklist_glob.exp)" | |||
51 | echo "TESTING: bind as user (test/fs/option_bind_user.exp)" | 51 | echo "TESTING: bind as user (test/fs/option_bind_user.exp)" |
52 | ./option_bind_user.exp | 52 | ./option_bind_user.exp |
53 | 53 | ||
54 | 54 | echo "TESTING: recursive mkdir (test/fs/mkdir.exp)" | |
55 | ./mkdir.exp | ||
55 | 56 | ||
diff --git a/test/fs/mkdir.exp b/test/fs/mkdir.exp new file mode 100755 index 000000000..111db06db --- /dev/null +++ b/test/fs/mkdir.exp | |||
@@ -0,0 +1,20 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2016 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 3 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "firejail --profile=mkdir.profile find ~/.firejail_test\r" | ||
11 | expect { | ||
12 | timeout {puts "TESTING ERROR 1.1\n";exit} | ||
13 | "Warning: cannot create" { puts "TESTING ERROR 1.2\n";exit} | ||
14 | "No such file or directory" { puts "TESTING ERROR 1.3\n";exit} | ||
15 | ".firejail_test/a/b/c/d.txt" | ||
16 | } | ||
17 | send -- "rm -rf ~/.firejail_test\r" | ||
18 | after 100 | ||
19 | |||
20 | puts "\nall done\n" | ||
diff --git a/test/fs/mkdir.profile b/test/fs/mkdir.profile new file mode 100644 index 000000000..61b44c9ac --- /dev/null +++ b/test/fs/mkdir.profile | |||
@@ -0,0 +1,2 @@ | |||
1 | mkdir ~/.firejail_test/a/b/c | ||
2 | mkfile ~/.firejail_test/a/b/c/d.txt | ||