-rw-r--r--.github/workflows/build-extra.yml2
-rw-r--r--.github/workflows/build.yml2
-rw-r--r--.github/workflows/check-c.yml12
-rw-r--r--.github/workflows/check-profiles.yml2
-rw-r--r--.github/workflows/check-python.yml6
-rw-r--r--.github/workflows/codespell.yml2
-rw-r--r--.github/workflows/test.yml10
-rw-r--r--RELNOTES5
-rw-r--r--etc/inc/allow-ssh.inc1
-rw-r--r--etc/inc/disable-programs.inc4
-rw-r--r--etc/inc/whitelist-var-common.inc1
-rw-r--r--etc/profile-a-l/alienblaster.profile55
-rw-r--r--etc/profile-a-l/audacity.profile13
-rw-r--r--etc/profile-a-l/d-spy.profile48
-rw-r--r--etc/profile-a-l/fluffychat.profile1
-rw-r--r--etc/profile-a-l/geki2.profile49
-rw-r--r--etc/profile-a-l/geki3.profile49
-rw-r--r--etc/profile-a-l/lbreakouthd.profile58
-rw-r--r--etc/profile-a-l/loupe.profile50
-rw-r--r--etc/profile-m-z/tuxtype.profile54
-rw-r--r--etc/profile-m-z/typespeed.profile49
-rw-r--r--src/fbuilder/build_bin.c2
-rw-r--r--src/fbuilder/build_fs.c2
-rw-r--r--src/fbuilder/build_home.c2
-rw-r--r--src/fbuilder/build_profile.c4
-rw-r--r--src/fbuilder/build_seccomp.c6
-rw-r--r--src/fbuilder/filedb.c2
-rw-r--r--src/fbuilder/main.c8
-rw-r--r--src/firecfg/firecfg.config8
-rw-r--r--src/firejail/chroot.c5
-rw-r--r--src/firejail/firejail.h9
-rw-r--r--src/firejail/landlock.c3
-rw-r--r--src/firejail/main.c44
-rw-r--r--src/firejail/preproc.c96
-rw-r--r--src/firemon/procevent.c57
-rw-r--r--src/fnettrace/static-ip-map.txt7
36 files changed, 641 insertions, 87 deletions
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index 5b44e7b9f..9c0ee94ad 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -52,7 +52,7 @@ jobs:
52 github.com:443 52 github.com:443
53 packages.microsoft.com:443 53 packages.microsoft.com:443
54 ppa.launchpadcontent.net:443 54 ppa.launchpadcontent.net:443
55 - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 55 - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
56 - name: update package information 56 - name: update package information
57 run: sudo apt-get update -qy 57 run: sudo apt-get update -qy
58 - name: install dependencies 58 - name: install dependencies
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 60420d441..abc7e06ef 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -68,7 +68,7 @@ jobs:
68 github.com:443 68 github.com:443
69 packages.microsoft.com:443 69 packages.microsoft.com:443
70 ppa.launchpadcontent.net:443 70 ppa.launchpadcontent.net:443
71 - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 71 - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
72 - name: update package information 72 - name: update package information
73 run: sudo apt-get update -qy 73 run: sudo apt-get update -qy
74 - name: install dependencies 74 - name: install dependencies
diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml
index 307b0c37c..9835419b5 100644
--- a/.github/workflows/check-c.yml
+++ b/.github/workflows/check-c.yml
@@ -56,7 +56,7 @@ jobs:
56 packages.microsoft.com:443 56 packages.microsoft.com:443
57 ppa.launchpadcontent.net:443 57 ppa.launchpadcontent.net:443
58 security.ubuntu.com:80 58 security.ubuntu.com:80
59 - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 59 - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
60 - name: update package information 60 - name: update package information
61 run: sudo apt-get update -qy 61 run: sudo apt-get update -qy
62 - name: install clang-tools-14 and dependencies 62 - name: install clang-tools-14 and dependencies
@@ -89,7 +89,7 @@ jobs:
89 packages.microsoft.com:443 89 packages.microsoft.com:443
90 ppa.launchpadcontent.net:443 90 ppa.launchpadcontent.net:443
91 security.ubuntu.com:80 91 security.ubuntu.com:80
92 - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 92 - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
93 - name: update package information 93 - name: update package information
94 run: sudo apt-get update -qy 94 run: sudo apt-get update -qy
95 - name: install cppcheck 95 - name: install cppcheck
@@ -120,7 +120,7 @@ jobs:
120 ppa.launchpad.net:80 120 ppa.launchpad.net:80
121 ppa.launchpadcontent.net:443 121 ppa.launchpadcontent.net:443
122 security.ubuntu.com:80 122 security.ubuntu.com:80
123 - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 123 - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
124 - name: update package information 124 - name: update package information
125 run: sudo apt-get update -qy 125 run: sudo apt-get update -qy
126 - name: install cppcheck 126 - name: install cppcheck
@@ -154,14 +154,14 @@ jobs:
154 uploads.github.com:443 154 uploads.github.com:443
155 155
156 - name: Checkout repository 156 - name: Checkout repository
157 uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 157 uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
158 158
159 - name: print env 159 - name: print env
160 run: ./ci/printenv.sh 160 run: ./ci/printenv.sh
161 161
162 # Initializes the CodeQL tools for scanning. 162 # Initializes the CodeQL tools for scanning.
163 - name: Initialize CodeQL 163 - name: Initialize CodeQL
164 uses: github/codeql-action/init@4355270be187e1b672a7a1c7c7bae5afdc1ab94a 164 uses: github/codeql-action/init@d39d31e687223d841ef683f52467bd88e9b21c14
165 with: 165 with:
166 languages: cpp 166 languages: cpp
167 167
@@ -172,4 +172,4 @@ jobs:
172 run: make -j "$(nproc)" 172 run: make -j "$(nproc)"
173 173
174 - name: Perform CodeQL Analysis 174 - name: Perform CodeQL Analysis
175 uses: github/codeql-action/analyze@4355270be187e1b672a7a1c7c7bae5afdc1ab94a 175 uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14
diff --git a/.github/workflows/check-profiles.yml b/.github/workflows/check-profiles.yml
index 280dd4c71..f7d74cc9d 100644
--- a/.github/workflows/check-profiles.yml
+++ b/.github/workflows/check-profiles.yml
@@ -40,7 +40,7 @@ jobs:
40 allowed-endpoints: > 40 allowed-endpoints: >
41 github.com:443 41 github.com:443
42 42
43 - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 43 - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
44 - name: print env 44 - name: print env
45 run: ./ci/printenv.sh 45 run: ./ci/printenv.sh
46 - run: python3 --version 46 - run: python3 --version
diff --git a/.github/workflows/check-python.yml b/.github/workflows/check-python.yml
index 43d139c9f..917fa4295 100644
--- a/.github/workflows/check-python.yml
+++ b/.github/workflows/check-python.yml
@@ -44,16 +44,16 @@ jobs:
44 uploads.github.com:443 44 uploads.github.com:443
45 45
46 - name: Checkout repository 46 - name: Checkout repository
47 uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 47 uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
48 48
49 - name: print env 49 - name: print env
50 run: ./ci/printenv.sh 50 run: ./ci/printenv.sh
51 51
52 # Initializes the CodeQL tools for scanning. 52 # Initializes the CodeQL tools for scanning.
53 - name: Initialize CodeQL 53 - name: Initialize CodeQL
54 uses: github/codeql-action/init@4355270be187e1b672a7a1c7c7bae5afdc1ab94a 54 uses: github/codeql-action/init@d39d31e687223d841ef683f52467bd88e9b21c14
55 with: 55 with:
56 languages: python 56 languages: python
57 57
58 - name: Perform CodeQL Analysis 58 - name: Perform CodeQL Analysis
59 uses: github/codeql-action/analyze@4355270be187e1b672a7a1c7c7bae5afdc1ab94a 59 uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
index b74d1e9ab..d3b8d3e7d 100644
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -34,7 +34,7 @@ jobs:
34 packages.microsoft.com:443 34 packages.microsoft.com:443
35 ppa.launchpadcontent.net:443 35 ppa.launchpadcontent.net:443
36 security.ubuntu.com:80 36 security.ubuntu.com:80
37 - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 37 - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
38 - name: update package information 38 - name: update package information
39 run: sudo apt-get update -qy 39 run: sudo apt-get update -qy
40 - name: install dependencies 40 - name: install dependencies
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index fb10f2b7f..0b911bb8e 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -62,7 +62,7 @@ jobs:
62 github.com:443 62 github.com:443
63 packages.microsoft.com:443 63 packages.microsoft.com:443
64 ppa.launchpadcontent.net:443 64 ppa.launchpadcontent.net:443
65 - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 65 - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
66 - name: update package information 66 - name: update package information
67 run: sudo apt-get update -qy 67 run: sudo apt-get update -qy
68 - name: install dependencies 68 - name: install dependencies
@@ -111,7 +111,7 @@ jobs:
111 github.com:443 111 github.com:443
112 packages.microsoft.com:443 112 packages.microsoft.com:443
113 ppa.launchpadcontent.net:443 113 ppa.launchpadcontent.net:443
114 - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 114 - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
115 - name: update package information 115 - name: update package information
116 run: sudo apt-get update -qy 116 run: sudo apt-get update -qy
117 - name: install dependencies 117 - name: install dependencies
@@ -151,7 +151,7 @@ jobs:
151 github.com:443 151 github.com:443
152 packages.microsoft.com:443 152 packages.microsoft.com:443
153 ppa.launchpadcontent.net:443 153 ppa.launchpadcontent.net:443
154 - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 154 - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
155 - name: update package information 155 - name: update package information
156 run: sudo apt-get update -qy 156 run: sudo apt-get update -qy
157 - name: install dependencies 157 - name: install dependencies
@@ -194,7 +194,7 @@ jobs:
194 ppa.launchpadcontent.net:443 194 ppa.launchpadcontent.net:443
195 www.debian.org:443 195 www.debian.org:443
196 www.debian.org:80 196 www.debian.org:80
197 - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 197 - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
198 - name: update package information 198 - name: update package information
199 run: sudo apt-get update -qy 199 run: sudo apt-get update -qy
200 - name: install dependencies 200 - name: install dependencies
@@ -240,7 +240,7 @@ jobs:
240 www.debian.org:443 240 www.debian.org:443
241 www.debian.org:80 241 www.debian.org:80
242 yahoo.com:1025 242 yahoo.com:1025
243 - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 243 - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
244 - name: update package information 244 - name: update package information
245 run: sudo apt-get update -qy 245 run: sudo apt-get update -qy
246 - name: install dependencies 246 - name: install dependencies
diff --git a/RELNOTES b/RELNOTES
index f9d317865..19f54ebc9 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -15,7 +15,8 @@ firejail (0.9.73) baseline; urgency=low
15 * feature: expand simple macros in more commands (--chroot= --netfilter= 15 * feature: expand simple macros in more commands (--chroot= --netfilter=
16 --netfilter6= --trace=) (#6032 #6109) 16 --netfilter6= --trace=) (#6032 #6109)
17 * feature: add Landlock support (#5269 #6078 #6115 #6125 #6187 #6195 #6200 17 * feature: add Landlock support (#5269 #6078 #6115 #6125 #6187 #6195 #6200
18 #6228 #6260) 18 #6228 #6260 #6302 #6305)
19 * feature: add support for comm, coredump, and prctl procevents in firemon
19 * modif: Stop forwarding own double-dash to the shell (#5599 #5600) 20 * modif: Stop forwarding own double-dash to the shell (#5599 #5600)
20 * modif: Prevent sandbox name (--name=) and host name (--hostname=) 21 * modif: Prevent sandbox name (--name=) and host name (--hostname=)
21 from containing only digits (#5578 #5741) 22 from containing only digits (#5578 #5741)
@@ -30,6 +31,7 @@ firejail (0.9.73) baseline; urgency=low
30 * modif: drop deprecated 'shell' option references (#5894) 31 * modif: drop deprecated 'shell' option references (#5894)
31 * modif: keep pipewire group unless nosound is used (#5992 #5993) 32 * modif: keep pipewire group unless nosound is used (#5992 #5993)
32 * modif: fcopy: Use lstat when copying directory (#5957) 33 * modif: fcopy: Use lstat when copying directory (#5957)
34 * modif: populate /run/firejail while holding flock (#6307)
33 * removal: LTS and FIRETUNNEL support 35 * removal: LTS and FIRETUNNEL support
34 * bugfix: fix --hostname and --hosts-file commands 36 * bugfix: fix --hostname and --hosts-file commands
35 * bugfix: fix examples in firejail-local AppArmor profile (#5717) 37 * bugfix: fix examples in firejail-local AppArmor profile (#5717)
@@ -116,6 +118,7 @@ firejail (0.9.73) baseline; urgency=low
116 * profiles: add allow-nodejs.inc to profile.template (#6298) 118 * profiles: add allow-nodejs.inc to profile.template (#6298)
117 * profiles: add allow-php.inc to profile.template (#6299) 119 * profiles: add allow-php.inc to profile.template (#6299)
118 * profiles: clarify and add opengl-game to profile.template (#6300) 120 * profiles: clarify and add opengl-game to profile.template (#6300)
121 * profiles: allow-ssh: allow /etc/ssh/ssh_revoked_hosts (#6308 #6309)
119 * new profiles: fix-qdf, qpdf, zlib-flate, standard-notes, url-eater 122 * new profiles: fix-qdf, qpdf, zlib-flate, standard-notes, url-eater
120 -- netblue30 <netblue30@yahoo.com> Mon, 17 Jan 2023 09:00:00 -0500 123 -- netblue30 <netblue30@yahoo.com> Mon, 17 Jan 2023 09:00:00 -0500
121 124
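--- a/etc/inc/allow-ssh.inc
+++ b/etc/inc/allow-ssh.inc
@@ -6,6 +6,7 @@ noblacklist ${HOME}/.ssh
 noblacklist /etc/ssh
 noblacklist /etc/ssh/ssh_config
 noblacklist /etc/ssh/ssh_config.d
+noblacklist /etc/ssh/ssh_revoked_hosts # RevokedHostKeys on Gentoo
 noblacklist ${PATH}/ssh*
 noblacklist /tmp/ssh-*
 # Arch Linux and derivatives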
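--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -28,6 +28,8 @@ blacklist ${HOME}/.ZAP
 blacklist ${HOME}/.aMule
 blacklist ${HOME}/.abook
 blacklist ${HOME}/.addressbook
+blacklist ${HOME}/.alienblaster
+blacklist ${HOME}/.alienblaster_highscore
 blacklist ${HOME}/.alpine-smime
 blacklist ${HOME}/.ammonite
 blacklist ${HOME}/.android
@@ -851,6 +853,7 @@ blacklist ${HOME}/.klatexformula
 blacklist ${HOME}/.klei
 blacklist ${HOME}/.kodi
 blacklist ${HOME}/.lastpass
+blacklist ${HOME}/.lbreakouthd
 blacklist ${HOME}/.lettura
 blacklist ${HOME}/.librewolf
 blacklist ${HOME}/.lincity-ng
@@ -1187,6 +1190,7 @@ blacklist ${HOME}/.torcs
 blacklist ${HOME}/.tremulous
 blacklist ${HOME}/.ts3client
 blacklist ${HOME}/.tuxguitar*
+blacklist ${HOME}/.tuxtype
 blacklist ${HOME}/.tvbrowser
 blacklist ${HOME}/.unknown-horizons
 blacklist ${HOME}/.viking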
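--- a/etc/inc/whitelist-var-common.inc
+++ b/etc/inc/whitelist-var-common.inc
@@ -13,3 +13,4 @@ whitelist /var/cache/fontconfig
 whitelist /var/tmp
 whitelist /var/run
 whitelist /var/lock
+whitelist /var/games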
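Review bot: The new `whitelist /var/games` line widens every profile that includes whitelist-var-common.inc, not only the five game profiles added in this commit, and /var/games is typically group-writable for the games group. If the entry only exists to serve geki2, geki3, lbreakouthd, tuxtype and typespeed, a per-profile `whitelist /var/games` keeps the exposure where it is needed. If the shared include is the intended place, a trailing comment such as `whitelist /var/games # high-score files of sandboxed games` records why a non-game profile now sees that directory.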
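--- /dev/null
+++ b/etc/profile-a-l/alienblaster.profile
@@ -0,0 +1,55 @@
+# Firejail profile for alienblaster
+# Persistent local customizations
+include alienblaster.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.alienblaster
+noblacklist ${HOME}/.alienblaster_highscore
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.alienblaster
+mkfile ${HOME}/.alienblaster_highscore
+whitelist ${HOME}/.alienblaster
+whitelist ${HOME}/.alienblaster_highscore
+whitelist ${RUNUSER}/pulse
+whitelist /usr/share/games/alienblaster
+whitelist /usr/share/timidity
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+net none
+nodvd
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+tracelog
+
+disable-mnt
+private-dev
+private-etc @games,@sound,@x11
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+restrict-namespaces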
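Review bot: `netfilter` is placed before `net none` in this profile, while the other new game profiles in this commit (geki2, geki3, lbreakouthd, tuxtype) list `net none` first; keeping one order across the set keeps future diffs and the profile sort check clean. This profile also omits `include disable-shell.inc` and `private-bin`, both of which those four sibling profiles carry — presumably because alienblaster is launched through a wrapper script, but nothing here says so, and a one-line comment above the include block, e.g. `# no disable-shell.inc/private-bin: <reason>`, would spare the next reviewer the same question.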
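--- a/etc/profile-a-l/audacity.profile
+++ b/etc/profile-a-l/audacity.profile
@@ -6,10 +6,9 @@ include audacity.local
 # Persistent global definitions
 include globals.local
 
-# Add the below lines to your audacity.local if you need online plugins.
-#ignore net none
-#netfilter
-#protocol inet6
+# To disable networking, add the following lines to audacity.local:
+#ignore netfilter
+#net none
 
 noblacklist ${HOME}/.audacity-data
 noblacklist ${HOME}/.cache/audacity
@@ -34,7 +33,7 @@ allow-debuggers
 ## Enabling App Armor appears to break some Fedora / Arch installs
 #apparmor
 caps.drop all
-net none
+netfilter
 no3d
 nodvd
 nogroups
@@ -44,13 +43,13 @@ noroot
 notv
 nou2f
 novideo
-protocol unix,inet
+protocol unix,inet,inet6
 seccomp
 tracelog
 
 private-bin audacity
 private-dev
-private-etc @x11
+private-etc @network,@sound,@tls-ca,@x11
 private-tmp
 
 # problems on Fedora 27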
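Review bot: The rewritten comment at the top of the first hunk says how to turn networking off but no longer says why it is now on by default, whereas the removed text recorded that networking was for online plugins. Because this commit flips the profile from `net none` to `netfilter`, adds `inet6` to the protocol list and adds `@network` and `@tls-ca` to private-etc, the rationale should travel with the change, e.g. `# Networking is enabled by default so online plugins work; to disable it, add the following lines to audacity.local:`. The RELNOTES hunks in this commit do not appear to mention the widened default, though the profiles section of that file is only partly visible here.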
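--- /dev/null
+++ b/etc/profile-a-l/d-spy.profile
@@ -0,0 +1,48 @@
+# Firejail profile for d-spy
+# Description: D-Bus debugger for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include d-spy.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+
+disable-mnt
+private-bin d-spy
+private-cache
+private-dev
+private-etc dbus-1
+private-tmp
+
+read-only ${HOME}
+restrict-namespaces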
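Review bot: The profile leaves both the session and system buses fully reachable (there is no `dbus-user`/`dbus-system` line) and restricts /etc to `dbus-1`; for a D-Bus debugger that is presumably intentional, but nothing in the file says so. A comment next to `private-etc dbus-1`, e.g. `# D-Bus is deliberately unfiltered: inspecting the session and system buses is what d-spy does`, would stop a later cleanup from adding the usual `dbus-user none`. It is also worth confirming that a GNOME application starts with only `dbus-1` in private-etc, since comparable GTK profiles list the `@x11` group for fonts and theme settings; if it was tested and found unnecessary, a short note saying so prevents it being re-added.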
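--- a/etc/profile-a-l/fluffychat.profile
+++ b/etc/profile-a-l/fluffychat.profile
@@ -25,7 +25,6 @@ include disable-xdg.inc
 # there isn't a Firefox instance running with the default profile; see #5352)
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 mkdir ${HOME}/.local/share/fluffychat
 whitelist ${DOWNLOADS}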
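--- /dev/null
+++ b/etc/profile-a-l/geki2.profile
@@ -0,0 +1,49 @@
+# Firejail profile for geki2
+# Persistent local customizations
+include geki2.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/games/geki2
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+netfilter
+nodvd
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+tracelog
+
+disable-mnt
+private
+private-bin geki2
+private-dev
+private-etc @games,@sound,@x11
+private-tmp
+writable-var # game scores are stored under /var/games
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+restrict-namespaces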
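Review bot: `writable-var` remounts all of /var read-write while its trailing comment says only the score files under /var/games need writing; the same pairing appears in geki3, lbreakouthd, tuxtype and typespeed. If firejail's `read-write /var/games` is sufficient alongside whitelist-var-common.inc it is the narrower grant and worth testing; if `writable-var` really is required, the comment should say why the finer-grained option does not work. Separately, `net none` and `netfilter` are both present — `netfilter` presumably only matters when a user overrides `net none` in geki2.local, and a short comment to that effect would make the pairing read as deliberate rather than accidental.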
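--- /dev/null
+++ b/etc/profile-a-l/geki3.profile
@@ -0,0 +1,49 @@
+# Firejail profile for geki3
+# Persistent local customizations
+include geki3.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/games/geki3
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+netfilter
+nodvd
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+tracelog
+
+disable-mnt
+private
+private-bin geki3
+private-dev
+private-etc @games,@sound,@x11
+private-tmp
+writable-var # game scores are stored under /var/games
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+restrict-namespaces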
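--- /dev/null
+++ b/etc/profile-a-l/lbreakouthd.profile
@@ -0,0 +1,58 @@
+# Firejail profile for lbreakouthd
+# Persistent local customizations
+include lbreakouthd.local
+# Persistent global definitions
+include globals.local
+
+# Note: this profile requires the current user to be a member of games group
+
+noblacklist ${HOME}/.lbreakouthd
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.lbreakouthd
+whitelist ${HOME}/.lbreakouthd
+whitelist ${RUNUSER}/pulse
+whitelist /run/host/container-manager
+whitelist /run/udev/control
+whitelist /usr/share/games/lbreakouthd
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+netfilter
+nodvd
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+tracelog
+
+disable-mnt
+private-bin lbreakouthd
+private-dev
+private-etc @games,@sound,@x11
+private-tmp
+writable-var # game scores are stored under /var/games
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+restrict-namespaces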
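Review bot: `whitelist /run/udev/control` and `whitelist /run/host/container-manager` carry no explanation, and neither path appears in the other game profiles added in this commit. /run/udev/control is the udev control socket; exposing it is presumably so that libudev (via SDL's input enumeration) can tell that udev is running rather than to let the game talk to udevd, but that reasoning should be recorded, e.g. `# libudev looks for /run/udev/control to detect a running udev (SDL joystick/input enumeration) — confirm`, and the same for the container-manager entry. The games-group note at the top of the file would also be easier to find next to `writable-var`, which is the line it explains.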
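--- /dev/null
+++ b/etc/profile-a-l/loupe.profile
@@ -0,0 +1,50 @@
+# Firejail profile for loupe
+# Description: GNOME's modern Image Viewer program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include loupe.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/Trash
+noblacklist ${HOME}/.Steam
+noblacklist ${HOME}/.steam
+
+#include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-write-mnt.inc
+
+#whitelist /usr/share/glycin-loaders
+include whitelist-runuser-common.inc
+#include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,netlink
+#loupe decodes all images in their own sandbox via glycin
+#https://gitlab.gnome.org/sophie-h/glycin#sandboxing-and-inner-workings
+#seccomp
+seccomp.block-secondary
+tracelog
+
+private-cache
+private-dev
+private-etc @x11
+private-tmp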
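Review bot: `#include disable-common.inc` is commented out with no reason given, whereas the disabled `seccomp` line further down is justified by the glycin note; disable-common.inc is the broadest blacklist in the include set, so dropping it is the largest relaxation in this profile and deserves the same treatment, e.g. `# disable-common.inc: <what breaks with it enabled>` directly above the line. The commented `#whitelist /usr/share/glycin-loaders` and `#include whitelist-usr-share-common.inc` lines need the same note, since a reader cannot tell whether they are pending work or known-broken. The profile also omits `restrict-namespaces` and any `dbus-user`/`dbus-system` line that the other new profiles carry; if namespaces are needed for glycin's per-image loader sandbox, that belongs in the existing glycin comment so the omission is not "fixed" later.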
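--- /dev/null
+++ b/etc/profile-m-z/tuxtype.profile
@@ -0,0 +1,54 @@
+# Firejail profile for tuxtype
+# Persistent local customizations
+include tuxtype.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.tuxtype
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.tuxtype
+whitelist ${HOME}/.tuxtype
+whitelist ${RUNUSER}/pulse
+whitelist /usr/share/tuxtype
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+netfilter
+nodvd
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+tracelog
+
+disable-mnt
+private-bin tuxtype
+private-dev
+private-etc @games,@sound,@x11,tuxtype
+private-tmp
+writable-var # game scores are stored under /var/games
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+restrict-namespaces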
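--- /dev/null
+++ b/etc/profile-m-z/typespeed.profile
@@ -0,0 +1,49 @@
+# Firejail profile for typespeed
+# Persistent local customizations
+include typespeed.local
+# Persistent global definitions
+include globals.local
+
+# Note: This profile requires the current user to be a member of the games
+# group.
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/typespeed
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+disable-mnt
+private
+private-dev
+private-etc @games,@sound,@x11
+private-tmp
+writable-var # game scores are stored under /var/games
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+restrict-namespaces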
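Review bot: This is the only game profile in the commit that keeps networking (`netfilter` and `protocol unix,inet,inet6,netlink`, with no `net none`) and it does not say why; if it is for typespeed's network play mode, a comment above `netfilter` such as `# networking is needed for typespeed's network game mode; add net none to typespeed.local to disable it` documents both the grant and the opt-out. The `netlink` entry in the protocol list is not obviously needed by a terminal typing game — confirm it actually fails without it before leaving it in. Like alienblaster, this profile also lacks `include disable-shell.inc` and `private-bin`, which the other new profiles carry; a one-line reason (terminal launcher, wrapper script) would make the omission reviewable.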
diff --git a/src/fbuilder/build_bin.c b/src/fbuilder/build_bin.c
index 285f9df37..f91a543eb 100644
--- a/src/fbuilder/build_bin.c
+++ b/src/fbuilder/build_bin.c
@@ -27,7 +27,7 @@ static void process_bin(const char *fname) {
27 // process trace file 27 // process trace file
28 FILE *fp = fopen(fname, "r"); 28 FILE *fp = fopen(fname, "r");
29 if (!fp) { 29 if (!fp) {
30 fprintf(stderr, "Error: cannot open %s\n", fname); 30 fprintf(stderr, "Error fbuilder: cannot open %s\n", fname);
31 exit(1); 31 exit(1);
32 } 32 }
33 33
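Review bot: The `Error fbuilder:` prefix is now spelled out by hand in every fprintf touched by this commit — here and in build_fs.c, build_home.c, build_profile.c, build_seccomp.c, filedb.c and main.c — so the strings can drift apart again the next time one of them is edited. A single definition in the fbuilder header, for example a constructed `#define ERR_PREFIX "Error fbuilder: "` used as `fprintf(stderr, ERR_PREFIX "cannot open %s\n", fname);`, keeps the wording in one place and lets string-literal concatenation do the rest. The enclosing process_bin() starts and ends outside the hunk.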
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c
index 4e71cdbea..3147fac82 100644
--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -31,7 +31,7 @@ static void process_file(const char *fname, const char *dir, void (*callback)(ch
31 // process trace file 31 // process trace file
32 FILE *fp = fopen(fname, "r"); 32 FILE *fp = fopen(fname, "r");
33 if (!fp) { 33 if (!fp) {
34 fprintf(stderr, "Error: cannot open %s\n", fname); 34 fprintf(stderr, "Error fbuilder: cannot open %s\n", fname);
35 exit(1); 35 exit(1);
36 } 36 }
37 37
diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c
index cb87bf5d0..8afe257ce 100644
--- a/src/fbuilder/build_home.c
+++ b/src/fbuilder/build_home.c
@@ -31,7 +31,7 @@ void process_home(const char *fname, char *home, int home_len) {
31 // process trace file 31 // process trace file
32 FILE *fp = fopen(fname, "r"); 32 FILE *fp = fopen(fname, "r");
33 if (!fp) { 33 if (!fp) {
34 fprintf(stderr, "Error: cannot open %s\n", fname); 34 fprintf(stderr, "Error fbuilder: cannot open %s\n", fname);
35 exit(1); 35 exit(1);
36 } 36 }
37 37
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
index 41c85e9ab..ab6eaf1dd 100644
--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -26,7 +26,7 @@
26void build_profile(int argc, char **argv, int index, FILE *fp) { 26void build_profile(int argc, char **argv, int index, FILE *fp) {
27 // next index is the application name 27 // next index is the application name
28 if (index >= argc) { 28 if (index >= argc) {
29 fprintf(stderr, "Error: application name missing\n"); 29 fprintf(stderr, "Error fbuilder: application name missing\n");
30 exit(1); 30 exit(1);
31 } 31 }
32 32
@@ -165,7 +165,7 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
165 unlink(trace_output); 165 unlink(trace_output);
166 } 166 }
167 else { 167 else {
168 fprintf(stderr, "Error: cannot run the sandbox\n"); 168 fprintf(stderr, "Error fbuilder: cannot run the sandbox\n");
169 exit(1); 169 exit(1);
170 } 170 }
171} 171}
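--- a/src/fbuilder/build_seccomp.c
+++ b/src/fbuilder/build_seccomp.c
@@ -27,7 +27,7 @@ void build_seccomp(const char *fname, FILE *fp) {
 
  FILE *fp2 = fopen(fname, "r");
  if (!fp2) {
-  fprintf(stderr, "Error: cannot open %s\n", fname);
+  fprintf(stderr, "Error fbuilder: cannot open %s\n", fname);
   exit(1);
  }
 
@@ -54,7 +54,7 @@ void build_seccomp(const char *fname, FILE *fp) {
  }
  else if (line == 2) {
   if (*buf != '-') {
-   fprintf(stderr, "Error: invalid strace output\n%s\n", buf);
+   fprintf(stderr, "Error fbuilder: invalid strace output\n%s\n", buf);
    exit(1);
   }
  }
@@ -96,7 +96,7 @@ static void process_protocol(const char *fname) {
  // process trace file
  FILE *fp = fopen(fname, "r");
  if (!fp) {
-  fprintf(stderr, "Error: cannot open %s\n", fname);
+  fprintf(stderr, "Error fbuilder: cannot open %s\n", fname);
   exit(1);
  }
 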
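--- a/src/fbuilder/filedb.c
+++ b/src/fbuilder/filedb.c
@@ -94,7 +94,7 @@ FileDB *filedb_load_whitelist(FileDB *head, const char *fname, const char *prefi
   errExit("asprintf");
  FILE *fp = fopen(f, "r");
  if (!fp) {
-  fprintf(stderr, "Error: cannot open %s\n", f);
+  fprintf(stderr, "Error fbuilder: cannot open %s\n", f);
   free(f);
   exit(1);
  }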
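--- a/src/fbuilder/main.c
+++ b/src/fbuilder/main.c
@@ -66,21 +66,21 @@ printf("\n");
 
    // don't run if the file exists
    if (access(argv[i] + 8, F_OK) == 0) {
-    fprintf(stderr, "Error: the profile file already exists. Please use a different file name.\n");
+    fprintf(stderr, "Error fbuilder: the profile file already exists. Please use a different file name.\n");
     exit(1);
    }
 
    // check file access
    fp = fopen(argv[i] + 8, "w");
    if (!fp) {
-    fprintf(stderr, "Error: cannot open profile file.\n");
+    fprintf(stderr, "Error fbuilder: cannot open profile file.\n");
     exit(1);
    }
    prof_file = argv[i] + 8;
   }
   else {
    if (*argv[i] == '-') {
-    fprintf(stderr, "Error: invalid program\n");
+    fprintf(stderr, "Error fbuilder: invalid program\n");
     usage();
     exit(1);
    }
@@ -90,7 +90,7 @@ printf("\n");
  }
 
  if (prog_index == 0) {
-  fprintf(stderr, "Error : program and arguments required\n");
+  fprintf(stderr, "Error fbuilder: program and arguments required\n");
   usage();
   if (prof_file) {
    fclose(fp);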
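Review bot: The `access(argv[i] + 8, F_OK) == 0` test followed by `fopen(argv[i] + 8, "w")` in the first hunk is a check-then-use pair: a profile file created between the two calls is silently truncated, and the reworded message does not change that. Opening exclusively — `fopen(argv[i] + 8, "wx")` (C11 mode) or `open(argv[i] + 8, O_WRONLY | O_CREAT | O_EXCL, 0644)` — makes the "already exists" decision and the create one atomic, after which the access() check can go and the "already exists" message moves to the EEXIST branch. The option loop this sits in and the usage() path both start outside the hunk.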
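--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -43,6 +43,7 @@ abrowser
 akonadi_control
 akregator
 alacarte
+alienblaster
 alpine
 alpinef
 amarok
@@ -190,6 +191,7 @@ cryptocat
 cvlc
 cyberfox
 d-feet
+d-spy
 daisy
 darktable
 dconf-editor
@@ -320,6 +322,8 @@ geany
 gedit
 geekbench
 geeqie
+geki2
+geki3
 gfeeds
 gh
 ghb
@@ -493,6 +497,7 @@ ktouch
 kube
 #kwin_x11
 kwrite
+lbreakouthd
 lbry-viewer
 lbry-viewer-gtk
 leafpad
@@ -521,6 +526,7 @@ lofromtemplate
 loimpress
 lollypop
 lomath
+loupe
 loweb
 lowriter
 #lrunzip # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
@@ -920,9 +926,11 @@ tshark
 tuir
 tutanota-desktop
 tuxguitar
+tuxtype
 tvbrowser
 tvnamer
 twitch
+typespeed
 udiskie
 uefitool
 uget-gtk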
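--- a/src/firejail/chroot.c
+++ b/src/firejail/chroot.c
@@ -273,7 +273,10 @@ void fs_chroot(const char *rootdir) {
   errExit("mounting /proc");
 
  // create all other /run/firejail files and directories
- preproc_build_firejail_dir();
+ preproc_build_firejail_dir_unlocked();
+ preproc_lock_firejail_dir();
+ preproc_build_firejail_dir_locked();
+ preproc_unlock_firejail_dir();
 
  // update /var directory in order to support multiple sandboxes running on the same root directory
  // if (!arg_private_dev)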
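Review bot: `preproc_lock_firejail_dir()` terminates the process via errExit() when the lock file cannot be opened, chowned or flock()ed (see preproc_lock_file() in this commit), whereas this path previously built the /run/firejail hierarchy with no lock at all; if, as the `mounting /proc` context suggests, chroot(2) has already happened here, RUN_DIRECTORY_LOCK_FILE now resolves inside the caller-supplied `rootdir`, so a chroot whose /run/firejail is absent or not writable by root turns from a working sandbox into a startup abort. That is a reasonable fail-closed choice but deserves a comment on the new lines, e.g. `// lock file is created inside the chroot; failure to lock is fatal`. Because the open runs with O_CREAT and no O_NOFOLLOW against a tree the invoking user shaped, confirm that create_empty_dir_as_root() rejects a symlinked /run/firejail, or add O_NOFOLLOW in preproc_lock_file(). fs_chroot() starts and ends outside the hunk.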
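--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -282,6 +282,8 @@ static inline int any_dhcp(void) {
  return any_ip_dhcp() || any_ip6_dhcp();
 }
 
+extern int lockfd_directory;
+extern int lockfd_network;
 extern int arg_private; // mount private /home
 extern int arg_private_cache; // private home/.cache
 extern int arg_debug; // print debug messages
@@ -429,7 +431,12 @@ int net_get_mac(const char *ifname, unsigned char mac[6]);
 void net_config_interface(const char *dev, uint32_t ip, uint32_t mask, int mtu);
 
 // preproc.c
-void preproc_build_firejail_dir(void);
+void preproc_lock_firejail_dir(void);
+void preproc_unlock_firejail_dir(void);
+void preproc_lock_firejail_network_dir(void);
+void preproc_unlock_firejail_network_dir(void);
+void preproc_build_firejail_dir_unlocked(void);
+void preproc_build_firejail_dir_locked(void);
 void preproc_mount_mnt_dir(void);
 void preproc_clean_run(void);
 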
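Review bot: The two new externs in the first hunk carry no trailing comment while every neighbouring extern documents its meaning; suggest `extern int lockfd_directory; // fd of RUN_DIRECTORY_LOCK_FILE while held, -1 otherwise` and `extern int lockfd_network; // fd of RUN_NETWORK_LOCK_FILE while held, -1 otherwise`, which matches how main.c initialises them and how preproc_unlock_file() resets them. The preproc.c prototype group would also benefit from a one-line note that `preproc_build_firejail_dir_unlocked()` must run before `preproc_lock_firejail_dir()` and `preproc_build_firejail_dir_locked()` only while that lock is held, as the definitions' comments state; a reader of the header alone cannot tell the two builders apart.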
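--- a/src/firejail/landlock.c
+++ b/src/firejail/landlock.c
@@ -19,7 +19,6 @@
 */
 
 #include "firejail.h"
-#include <linux/landlock.h>
 #include <sys/prctl.h>
 #include <sys/syscall.h>
 #include <sys/types.h>
@@ -28,6 +27,8 @@
 
 #ifdef HAVE_LANDLOCK
 
+#include <linux/landlock.h>
+
 static int ll_ruleset_fd = -1;
 static int ll_abi = -1;
 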
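--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -63,6 +63,8 @@ gid_t firejail_gid = 0;
 static char child_stack[STACK_SIZE] __attribute__((aligned(STACK_ALIGNMENT))); // space for child's stack
 
 Config cfg; // configuration
+int lockfd_directory = -1;
+int lockfd_network = -1;
 int arg_private = 0; // mount private /home and /tmp directoryu
 int arg_private_cache = 0; // mount private home/.cache
 int arg_debug = 0; // print debug messages
@@ -1056,8 +1058,6 @@ static int check_postexec(const char *list) {
 int main(int argc, char **argv, char **envp) {
  int i;
  int prog_index = -1; // index in argv where the program command starts
- int lockfd_network = -1;
- int lockfd_directory = -1;
  int custom_profile = 0; // custom profile loaded
  int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot)
  char **ptr;
@@ -1166,19 +1166,13 @@ int main(int argc, char **argv, char **envp) {
 #endif
 
  // build /run/firejail directory structure
- preproc_build_firejail_dir();
+ preproc_build_firejail_dir_unlocked();
+ preproc_lock_firejail_dir();
+ preproc_build_firejail_dir_locked();
  const char *container_name = env_get("container");
- if (!container_name || strcmp(container_name, "firejail")) {
-  lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR);
-  if (lockfd_directory != -1) {
-   int rv = fchown(lockfd_directory, 0, 0);
-   (void) rv;
-   flock(lockfd_directory, LOCK_EX);
-  }
+ if (!container_name || strcmp(container_name, "firejail"))
   preproc_clean_run();
-  flock(lockfd_directory, LOCK_UN);
-  close(lockfd_directory);
- }
+ preproc_unlock_firejail_dir();
 
  delete_run_files(getpid());
  atexit(clear_atexit);
@@ -2990,12 +2984,7 @@ int main(int argc, char **argv, char **envp) {
  // check and assign an IP address - for macvlan it will be done again in the sandbox!
  if (any_bridge_configured()) {
   EUID_ROOT();
-  lockfd_network = open(RUN_NETWORK_LOCK_FILE, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR);
-  if (lockfd_network != -1) {
-   int rv = fchown(lockfd_network, 0, 0);
-   (void) rv;
-   flock(lockfd_network, LOCK_EX);
-  }
+  preproc_lock_firejail_network_dir();
 
   if (cfg.bridge0.configured && cfg.bridge0.arg_ip_none == 0)
    check_network(&cfg.bridge0);
@@ -3024,21 +3013,13 @@ int main(int argc, char **argv, char **envp) {
 
  // set name and x11 run files
  EUID_ROOT();
- lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR);
- if (lockfd_directory != -1) {
-  int rv = fchown(lockfd_directory, 0, 0);
-  (void) rv;
-  flock(lockfd_directory, LOCK_EX);
- }
+ preproc_lock_firejail_dir();
  if (cfg.name)
   set_name_run_file(sandbox_pid);
  int display = x11_display();
  if (display > 0)
   set_x11_run_file(sandbox_pid, display);
- if (lockfd_directory != -1) {
-  flock(lockfd_directory, LOCK_UN);
-  close(lockfd_directory);
- }
+ preproc_unlock_firejail_dir();
  EUID_USER();
 
 #ifdef HAVE_DBUSPROXY
@@ -3276,10 +3257,7 @@ int main(int argc, char **argv, char **envp) {
  close(parent_to_child_fds[1]);
 
  EUID_ROOT();
- if (lockfd_network != -1) {
-  flock(lockfd_network, LOCK_UN);
-  close(lockfd_network);
- }
+ preproc_unlock_firejail_network_dir();
  EUID_USER();
 
  // lock netfilter firewall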
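Review bot: With `lockfd_network` promoted from a main() local to a global, the network lock taken at new line 2987 is still held when the sandbox child is created and is released only at new line 3260, after `close(parent_to_child_fds[1])`, so the child inherits both the descriptor and a `lockfd_network` value other than -1; flock() locks belong to the open file description, so a `preproc_unlock_firejail_network_dir()` reached from child-side code would drop the parent's lock, and a `preproc_lock_firejail_network_dir()` there would be a silent no-op through the "already locked" early return in preproc_lock_file(). Whether sandbox-side code calls either is outside these hunks, but the child can defuse it right after the clone with `close(lockfd_network); lockfd_network = -1;` — closing a duplicate descriptor does not release the lock while the parent keeps its own. Separately, the third hunk now takes the directory lock unconditionally and lets preproc_lock_file() errExit() on open/fchown/flock failure, whereas the removed inline code tolerated a missing lock and skipped locking entirely when `container` is "firejail"; that is the safer default but deserves a line in the commit description. main() begins and ends outside every hunk.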
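--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -18,15 +18,101 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
+#include <sys/file.h>
 #include <sys/mount.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <dirent.h>
+#include <fcntl.h>
 
 static int tmpfs_mounted = 0;
 
+static void preproc_lock_file(const char *path, int *lockfd_ptr) {
+ assert(path != NULL);
+ assert(lockfd_ptr != NULL);
+
+ long pid = (long)getpid();
+ if (arg_debug)
+  fprintf(stderr, "pid=%ld: locking %s ...\n", pid, path);
+
+ if (*lockfd_ptr != -1) {
+  if (arg_debug)
+   fprintf(stderr, "pid=%ld: already locked %s\n", pid, path);
+  return;
+ }
+
+ int lockfd = open(path, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR);
+ if (lockfd == -1) {
+  fprintf(stderr, "Error: cannot create a lockfile at %s\n", path);
+  errExit("open");
+ }
+
+ if (fchown(lockfd, 0, 0) == -1) {
+  fprintf(stderr, "Error: cannot chown root:root %s\n", path);
+  errExit("fchown");
+ }
+
+ if (flock(lockfd, LOCK_EX) == -1) {
+  fprintf(stderr, "Error: cannot lock %s\n", path);
+  errExit("flock");
+ }
+
+ *lockfd_ptr = lockfd;
+ if (arg_debug)
+  fprintf(stderr, "pid=%ld: locked %s\n", pid, path);
+}
+
+static void preproc_unlock_file(const char *path, int *lockfd_ptr) {
+ assert(path != NULL);
+ assert(lockfd_ptr != NULL);
+
+ long pid = (long)getpid();
+ if (arg_debug)
+  fprintf(stderr, "pid=%ld: unlocking %s ...\n", pid, path);
+
+ int lockfd = *lockfd_ptr;
+ if (lockfd == -1) {
+  if (arg_debug)
+   fprintf(stderr, "pid=%ld: already unlocked %s\n", pid, path);
+  return;
+ }
+
+ if (flock(lockfd, LOCK_UN) == -1) {
+  fprintf(stderr, "Error: cannot unlock %s\n", path);
+  errExit("flock");
+ }
+
+ if (close(lockfd) == -1) {
+  fprintf(stderr, "Error: cannot close %s\n", path);
+  errExit("close");
+ }
+
+ *lockfd_ptr = -1;
+ if (arg_debug)
+  fprintf(stderr, "pid=%ld: unlocked %s\n", pid, path);
+}
+
+void preproc_lock_firejail_dir(void) {
+ preproc_lock_file(RUN_DIRECTORY_LOCK_FILE, &lockfd_directory);
+}
+
+void preproc_unlock_firejail_dir(void) {
+ preproc_unlock_file(RUN_DIRECTORY_LOCK_FILE, &lockfd_directory);
+}
+
+void preproc_lock_firejail_network_dir(void) {
+ preproc_lock_file(RUN_NETWORK_LOCK_FILE, &lockfd_network);
+}
+
+void preproc_unlock_firejail_network_dir(void) {
+ preproc_unlock_file(RUN_NETWORK_LOCK_FILE, &lockfd_network);
+}
+
 // build /run/firejail directory
-void preproc_build_firejail_dir(void) {
+//
+// Note: This creates the base directory of the rundir lockfile;
+// it should be called before preproc_lock_firejail_dir().
+void preproc_build_firejail_dir_unlocked(void) {
  struct stat s;
 
  // CentOS 6 doesn't have /run directory
@@ -35,6 +121,14 @@ void preproc_build_firejail_dir(void) {
  }
 
  create_empty_dir_as_root(RUN_FIREJAIL_DIR, 0755);
+}
+
+// build directory hierarchy under /run/firejail
+//
+// Note: Remounts have timing hazards. This function should
+// only be called after acquiring the directory lock via
+// preproc_lock_firejail_dir().
+void preproc_build_firejail_dir_locked(void) {
  create_empty_dir_as_root(RUN_FIREJAIL_NETWORK_DIR, 0755);
  create_empty_dir_as_root(RUN_FIREJAIL_BANDWIDTH_DIR, 0755);
  create_empty_dir_as_root(RUN_FIREJAIL_NAME_DIR, 0755);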
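Review bot: `preproc_lock_file()` opens the lock path as root with O_CREAT but without O_NOFOLLOW; on the host the parent directory comes from `create_empty_dir_as_root(RUN_FIREJAIL_DIR, 0755)`, which keeps unprivileged users from planting a symlink there, but the same helper is now reached from fs_chroot() in this commit against a chroot's /run/firejail, so `int lockfd = open(path, O_WRONLY | O_CREAT | O_CLOEXEC | O_NOFOLLOW, S_IRUSR | S_IWUSR);` is cheap defence in depth. The helper also turns a failing `fchown(lockfd, 0, 0)` into errExit(), which requires euid 0: the callers at main.c new lines 2987 and 3016 are visibly under EUID_ROOT(), the one at new line 1170 is not shown in this diff, so confirm it. The two static helpers would benefit from a header comment stating their contract, since it is not the obvious one — a lock call while `*lockfd_ptr != -1` is a silent no-op rather than a nested lock, so an unlock from an inner scope releases the outer holder's lock, and every failure is fatal; e.g. `// Take an exclusive flock() on path into *lockfd_ptr. No-op if already held (not re-entrant); exits on any failure.` and the mirror sentence on preproc_unlock_file(). preproc_build_firejail_dir_unlocked() continues outside the first hunk.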
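--- a/src/firemon/procevent.c
+++ b/src/firemon/procevent.c
@@ -301,7 +301,9 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
   proc_ev = (struct proc_event *)cn_msg->data;
   pid_t pid = 0;
   pid_t child = 0;
+  char *new_comm = NULL;
   int remove_pid = 0;
+  int nodisplay = 0;
   switch (proc_ev->what) {
    case PROC_EVENT_FORK:
 #ifdef DEBUG_PRCTL
@@ -322,6 +324,7 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
      pids[child].parent = pid;
     }
     sprintf(lineptr, " fork");
+    nodisplay = 1;
     break;
    case PROC_EVENT_EXEC:
     pid = proc_ev->event_data.exec.process_tgid;
@@ -363,6 +366,7 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
     sprintf(lineptr, " uid (%d:%d)",
      proc_ev->event_data.id.r.ruid,
      proc_ev->event_data.id.e.euid);
+    nodisplay = 1;
     break;
 
    case PROC_EVENT_GID:
@@ -379,6 +383,7 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
     sprintf(lineptr, " gid (%d:%d)",
      proc_ev->event_data.id.r.rgid,
      proc_ev->event_data.id.e.egid);
+    nodisplay = 1;
     break;
 
 
@@ -391,6 +396,41 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
     sprintf(lineptr, " sid ");
     break;
 
+   case PROC_EVENT_COREDUMP:
+    pid = proc_ev->event_data.coredump.process_tgid;
+#ifdef DEBUG_PRCTL
+    printf("%s: %d, event coredump, pid %d\n", __FUNCTION__, __LINE__, pid);
+#endif
+    sprintf(lineptr, " coredump ");
+    break;
+
+   case PROC_EVENT_COMM:
+    pid = proc_ev->event_data.comm.process_tgid;
+#ifdef DEBUG_PRCTL
+    printf("%s: %d, event comm, pid %d\n", __FUNCTION__, __LINE__, pid);
+#endif
+    if (proc_ev->event_data.comm.process_pid !=
+     proc_ev->event_data.comm.process_tgid)
+     continue; // this is a thread, not a process
+
+    if (pids[pid].level == 1 ||
+     pids[pids[pid].parent].level == 1) {
+     sprintf(lineptr, "\n");
+     continue;
+    }
+    else
+     sprintf(lineptr, " comm %s", proc_ev->event_data.comm.comm);
+    nodisplay = 1;
+    break;
+
+   case PROC_EVENT_PTRACE:
+    pid = proc_ev->event_data.ptrace.process_tgid;
+#ifdef DEBUG_PRCTL
+    printf("%s: %d, event ptrace, pid %d\n", __FUNCTION__, __LINE__, pid);
+#endif
+    sprintf(lineptr, " ptrace ");
+    break;
+
    default:
 #ifdef DEBUG_PRCTL
     printf("%s: %d, event unknown\n", __FUNCTION__, __LINE__);
@@ -449,7 +489,7 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
   if (!cmd) {
    cmd = pid_proc_cmdline(pid);
   }
-  if (cmd == NULL)
+  if (cmd == NULL || nodisplay)
    sprintf(lineptr, "\n");
   else {
    sprintf(lineptr, " %s\n", cmd);
@@ -473,15 +513,12 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
   }
 
   // print forked child
-  if (child) {
-   cmd = pid_proc_cmdline(child);
-   if (cmd) {
-    printf("\tchild %u %s\n", child, cmd);
-    free(cmd);
-   }
-   else
-    printf("\tchild %u\n", child);
-  }
+  if (child)
+   printf("\tchild %u\n", child);
+
+  // print new comm
+  if (new_comm)
+   printf("\tnew comm %s\n", new_comm);
 
   // on uid events the uid is changing
   if (proc_ev->what == PROC_EVENT_UID) {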
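Review bot: `new_comm` is declared in the first hunk and tested in the last one (`if (new_comm) printf("\tnew comm %s\n", new_comm);`) but never assigned in any hunk — the PROC_EVENT_COMM case formats the name into lineptr instead — so unless it is set somewhere outside these hunks the "print new comm" block is dead code; either assign it in the COMM case or drop both the variable and the block. In that COMM case `pids[pid]` and `pids[pids[pid].parent]` are indexed with the raw `process_tgid` taken from the connector message; if the other cases bound pid against the table size before indexing (the FORK path's handling is outside the hunk) the same reduction or an explicit range check must precede this lookup, because the kernel's pid_max can exceed the table. The `sprintf(lineptr, "\n"); continue;` pair before the `else` is also redundant, since the line is never printed after `continue`, and the `else` can go. Finally `if (cmd == NULL || nodisplay)` short-circuits after `cmd = pid_proc_cmdline(pid)` has already run; if the else branch (outside the hunk) is what frees a string returned by pid_proc_cmdline() — the removed child block did free its result — every nodisplay event now leaks that string, and `if (!cmd && !nodisplay)` around the lookup avoids both the leak and the wasted /proc read. procevent_monitor() begins and ends outside these hunks.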
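--- a/src/fnettrace/static-ip-map.txt
+++ b/src/fnettrace/static-ip-map.txt
@@ -44,10 +44,15 @@
 127.0.0.0/8 Local host
 169.254.0.0/16 Local link
 172.16.0.0/12 Local network
+192.0.0.0/24 DS-Lite
 192.0.2.0/24 Documentation
 192.168.0.0/16 Local network
+198.18.0.0/15 Testing
 198.51.100.0/24 Documentation
+192.88.99.0/24 Reserved
 203.0.113.0/24 Documentation
+233.252.0.0/24 Documentation
+240.0.0.0/4 Reserved
 
 # multicast
 224.0.0.0/4 Multicast
@@ -252,8 +257,10 @@
 63.141.247.240/29 BitChute
 69.30.200.200/29 BitChute
 69.30.230.64/29 BitChute
+69.30.230.96/29 BitChute
 69.30.241.40/29 BitChute
 69.30.241.48/29 BitChute
+69.30.243.152/29 BitChute
 69.30.243.168/29 BitChute
 69.30.245.232/29 BitChute
 69.30.253.16/29 BitChute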
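Review bot: `192.88.99.0/24 Reserved` is inserted after `198.51.100.0/24`, breaking the ascending order the rest of the reserved-range block keeps; the other four additions in that hunk are placed in sequence. If the loader is order-independent this is cosmetic, but moving the line between `192.0.2.0/24` and `192.168.0.0/16` keeps the list scannable and avoids a duplicate being added later in the "right" spot.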