36 files changed, 641 insertions, 87 deletions
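--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -52,7 +52,7 @@ jobs:
 github.com:443
 packages.microsoft.com:443
 ppa.launchpadcontent.net:443
-- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
+- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
 - name: update package information
 run: sudo apt-get update -qy
 - name: install dependencies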
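--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -68,7 +68,7 @@ jobs:
 github.com:443
 packages.microsoft.com:443
 ppa.launchpadcontent.net:443
-- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
+- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
 - name: update package information
 run: sudo apt-get update -qy
 - name: install dependencies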
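--- a/.github/workflows/check-c.yml
+++ b/.github/workflows/check-c.yml
@@ -56,7 +56,7 @@ jobs:
 packages.microsoft.com:443
 ppa.launchpadcontent.net:443
 security.ubuntu.com:80
-- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
+- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
 - name: update package information
 run: sudo apt-get update -qy
 - name: install clang-tools-14 and dependencies
@@ -89,7 +89,7 @@ jobs:
 packages.microsoft.com:443
 ppa.launchpadcontent.net:443
 security.ubuntu.com:80
-- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
+- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
 - name: update package information
 run: sudo apt-get update -qy
 - name: install cppcheck
@@ -120,7 +120,7 @@ jobs:
 ppa.launchpad.net:80
 ppa.launchpadcontent.net:443
 security.ubuntu.com:80
-- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
+- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
 - name: update package information
 run: sudo apt-get update -qy
 - name: install cppcheck
@@ -154,14 +154,14 @@ jobs:
 uploads.github.com:443
 
 - name: Checkout repository
-uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
+uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
 
 - name: print env
 run: ./ci/printenv.sh
 
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
-uses: github/codeql-action/init@4355270be187e1b672a7a1c7c7bae5afdc1ab94a
+uses: github/codeql-action/init@d39d31e687223d841ef683f52467bd88e9b21c14
 with:
 languages: cpp
 
@@ -172,4 +172,4 @@ jobs:
 run: make -j "$(nproc)"
 
 - name: Perform CodeQL Analysis
-uses: github/codeql-action/analyze@4355270be187e1b672a7a1c7c7bae5afdc1ab94a
+uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14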
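--- a/.github/workflows/check-profiles.yml
+++ b/.github/workflows/check-profiles.yml
@@ -40,7 +40,7 @@ jobs:
 allowed-endpoints: >
 github.com:443
 
-- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
+- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
 - name: print env
 run: ./ci/printenv.sh
 - run: python3 --version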
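--- a/.github/workflows/check-python.yml
+++ b/.github/workflows/check-python.yml
@@ -44,16 +44,16 @@ jobs:
 uploads.github.com:443
 
 - name: Checkout repository
-uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
+uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
 
 - name: print env
 run: ./ci/printenv.sh
 
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
-uses: github/codeql-action/init@4355270be187e1b672a7a1c7c7bae5afdc1ab94a
+uses: github/codeql-action/init@d39d31e687223d841ef683f52467bd88e9b21c14
 with:
 languages: python
 
 - name: Perform CodeQL Analysis
-uses: github/codeql-action/analyze@4355270be187e1b672a7a1c7c7bae5afdc1ab94a
+uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14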
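--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -34,7 +34,7 @@ jobs:
 packages.microsoft.com:443
 ppa.launchpadcontent.net:443
 security.ubuntu.com:80
-- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
+- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
 - name: update package information
 run: sudo apt-get update -qy
 - name: install dependencies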
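--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -62,7 +62,7 @@ jobs:
 github.com:443
 packages.microsoft.com:443
 ppa.launchpadcontent.net:443
-- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
+- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
 - name: update package information
 run: sudo apt-get update -qy
 - name: install dependencies
@@ -111,7 +111,7 @@ jobs:
 github.com:443
 packages.microsoft.com:443
 ppa.launchpadcontent.net:443
-- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
+- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
 - name: update package information
 run: sudo apt-get update -qy
 - name: install dependencies
@@ -151,7 +151,7 @@ jobs:
 github.com:443
 packages.microsoft.com:443
 ppa.launchpadcontent.net:443
-- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
+- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
 - name: update package information
 run: sudo apt-get update -qy
 - name: install dependencies
@@ -194,7 +194,7 @@ jobs:
 ppa.launchpadcontent.net:443
 www.debian.org:443
 www.debian.org:80
-- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
+- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
 - name: update package information
 run: sudo apt-get update -qy
 - name: install dependencies
@@ -240,7 +240,7 @@ jobs:
 www.debian.org:443
 www.debian.org:80
 yahoo.com:1025
-- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
+- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
 - name: update package information
 run: sudo apt-get update -qy
 - name: install dependencies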
@@ -15,7 +15,8 @@ firejail (0.9.73) baseline; urgency=low | |||
15 | * feature: expand simple macros in more commands (--chroot= --netfilter= | 15 | * feature: expand simple macros in more commands (--chroot= --netfilter= |
16 | --netfilter6= --trace=) (#6032 #6109) | 16 | --netfilter6= --trace=) (#6032 #6109) |
17 | * feature: add Landlock support (#5269 #6078 #6115 #6125 #6187 #6195 #6200 | 17 | * feature: add Landlock support (#5269 #6078 #6115 #6125 #6187 #6195 #6200 |
18 | #6228 #6260) | 18 | #6228 #6260 #6302 #6305) |
19 | * feature: add support for comm, coredump, and prctl procevents in firemon | ||
19 | * modif: Stop forwarding own double-dash to the shell (#5599 #5600) | 20 | * modif: Stop forwarding own double-dash to the shell (#5599 #5600) |
20 | * modif: Prevent sandbox name (--name=) and host name (--hostname=) | 21 | * modif: Prevent sandbox name (--name=) and host name (--hostname=) |
21 | from containing only digits (#5578 #5741) | 22 | from containing only digits (#5578 #5741) |
@@ -30,6 +31,7 @@ firejail (0.9.73) baseline; urgency=low | |||
30 | * modif: drop deprecated 'shell' option references (#5894) | 31 | * modif: drop deprecated 'shell' option references (#5894) |
31 | * modif: keep pipewire group unless nosound is used (#5992 #5993) | 32 | * modif: keep pipewire group unless nosound is used (#5992 #5993) |
32 | * modif: fcopy: Use lstat when copying directory (#5957) | 33 | * modif: fcopy: Use lstat when copying directory (#5957) |
34 | * modif: populate /run/firejail while holding flock (#6307) | ||
33 | * removal: LTS and FIRETUNNEL support | 35 | * removal: LTS and FIRETUNNEL support |
34 | * bugfix: fix --hostname and --hosts-file commands | 36 | * bugfix: fix --hostname and --hosts-file commands |
35 | * bugfix: fix examples in firejail-local AppArmor profile (#5717) | 37 | * bugfix: fix examples in firejail-local AppArmor profile (#5717) |
@@ -116,6 +118,7 @@ firejail (0.9.73) baseline; urgency=low | |||
116 | * profiles: add allow-nodejs.inc to profile.template (#6298) | 118 | * profiles: add allow-nodejs.inc to profile.template (#6298) |
117 | * profiles: add allow-php.inc to profile.template (#6299) | 119 | * profiles: add allow-php.inc to profile.template (#6299) |
118 | * profiles: clarify and add opengl-game to profile.template (#6300) | 120 | * profiles: clarify and add opengl-game to profile.template (#6300) |
121 | * profiles: allow-ssh: allow /etc/ssh/ssh_revoked_hosts (#6308 #6309) | ||
119 | * new profiles: fix-qdf, qpdf, zlib-flate, standard-notes, url-eater | 122 | * new profiles: fix-qdf, qpdf, zlib-flate, standard-notes, url-eater |
120 | -- netblue30 <netblue30@yahoo.com> Mon, 17 Jan 2023 09:00:00 -0500 | 123 | -- netblue30 <netblue30@yahoo.com> Mon, 17 Jan 2023 09:00:00 -0500 |
121 | 124 | ||
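--- a/etc/inc/allow-ssh.inc
+++ b/etc/inc/allow-ssh.inc
@@ -6,6 +6,7 @@ noblacklist ${HOME}/.ssh
 noblacklist /etc/ssh
 noblacklist /etc/ssh/ssh_config
 noblacklist /etc/ssh/ssh_config.d
+noblacklist /etc/ssh/ssh_revoked_hosts # RevokedHostKeys on Gentoo
 noblacklist ${PATH}/ssh*
 noblacklist /tmp/ssh-*
 # Arch Linux and derivatives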
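--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -28,6 +28,8 @@ blacklist ${HOME}/.ZAP
 blacklist ${HOME}/.aMule
 blacklist ${HOME}/.abook
 blacklist ${HOME}/.addressbook
+blacklist ${HOME}/.alienblaster
+blacklist ${HOME}/.alienblaster_highscore
 blacklist ${HOME}/.alpine-smime
 blacklist ${HOME}/.ammonite
 blacklist ${HOME}/.android
@@ -851,6 +853,7 @@ blacklist ${HOME}/.klatexformula
 blacklist ${HOME}/.klei
 blacklist ${HOME}/.kodi
 blacklist ${HOME}/.lastpass
+blacklist ${HOME}/.lbreakouthd
 blacklist ${HOME}/.lettura
 blacklist ${HOME}/.librewolf
 blacklist ${HOME}/.lincity-ng
@@ -1187,6 +1190,7 @@ blacklist ${HOME}/.torcs
 blacklist ${HOME}/.tremulous
 blacklist ${HOME}/.ts3client
 blacklist ${HOME}/.tuxguitar*
+blacklist ${HOME}/.tuxtype
 blacklist ${HOME}/.tvbrowser
 blacklist ${HOME}/.unknown-horizons
 blacklist ${HOME}/.viking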
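--- a/etc/inc/whitelist-var-common.inc
+++ b/etc/inc/whitelist-var-common.inc
@@ -13,3 +13,4 @@ whitelist /var/cache/fontconfig
 whitelist /var/tmp
 whitelist /var/run
 whitelist /var/lock
+whitelist /var/games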
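Review bot: `whitelist /var/games` is added to the shared include, so every profile that pulls in whitelist-var-common.inc now sees /var/games, not only the game profiles added in this commit. Read access is presumably harmless while /var stays read-only, but any profile that also sets `writable-var` gains write access to the score files there, and the include gives no hint of why the path is present. If the exposure is meant only for games, move the line into the individual game profiles next to their `writable-var` line; otherwise add a comment such as `# high-score files of games that use writable-var` so the entry is not removed as unexplained.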
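--- /dev/null
+++ b/etc/profile-a-l/alienblaster.profile
@@ -0,0 +1,55 @@
+# Firejail profile for alienblaster
+# Persistent local customizations
+include alienblaster.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.alienblaster
+noblacklist ${HOME}/.alienblaster_highscore
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.alienblaster
+mkfile ${HOME}/.alienblaster_highscore
+whitelist ${HOME}/.alienblaster
+whitelist ${HOME}/.alienblaster_highscore
+whitelist ${RUNUSER}/pulse
+whitelist /usr/share/games/alienblaster
+whitelist /usr/share/timidity
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+net none
+nodvd
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+tracelog
+
+disable-mnt
+private-dev
+private-etc @games,@sound,@x11
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+restrict-namespaces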
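Review bot: The header lacks the `# Description:` and `# This file is overwritten after every install/update` lines that d-spy.profile and loupe.profile in this same commit carry after `# Firejail profile for …`; the same applies to geki2.profile, geki3.profile, lbreakouthd.profile, tuxtype.profile and typespeed.profile. Add `# Description: <ONE-LINE-DESCRIPTION>` and the overwrite notice so users know to put changes into alienblaster.local rather than this file. Separately, this profile (and typespeed.profile) omits `include disable-shell.inc` while the other new game profiles include it; if that is because the launcher is a shell wrapper, as the absence of `private-bin` suggests, a short comment saying so would keep a later cleanup from adding it and breaking the game.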
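--- a/etc/profile-a-l/audacity.profile
+++ b/etc/profile-a-l/audacity.profile
@@ -6,10 +6,9 @@ include audacity.local
 # Persistent global definitions
 include globals.local
 
-# Add the below lines to your audacity.local if you need online plugins.
-#ignore net none
-#netfilter
-#protocol inet6
+# To disable networking, add the following lines to audacity.local:
+#ignore netfilter
+#net none
 
 noblacklist ${HOME}/.audacity-data
 noblacklist ${HOME}/.cache/audacity
@@ -34,7 +33,7 @@ allow-debuggers
 ## Enabling App Armor appears to break some Fedora / Arch installs
 #apparmor
 caps.drop all
-net none
+netfilter
 no3d
 nodvd
 nogroups
@@ -44,13 +43,13 @@ noroot
 notv
 nou2f
 novideo
-protocol unix,inet
+protocol unix,inet,inet6
 seccomp
 tracelog
 
 private-bin audacity
 private-dev
-private-etc @x11
+private-etc @network,@sound,@tls-ca,@x11
 private-tmp
 
 # problems on Fedora 27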
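--- /dev/null
+++ b/etc/profile-a-l/d-spy.profile
@@ -0,0 +1,48 @@
+# Firejail profile for d-spy
+# Description: D-Bus debugger for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include d-spy.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+
+disable-mnt
+private-bin d-spy
+private-cache
+private-dev
+private-etc dbus-1
+private-tmp
+
+read-only ${HOME}
+restrict-namespaces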
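Review bot: The profile sets no `dbus-user` or `dbus-system` line, so both buses stay unfiltered; for a D-Bus debugger that is presumably the point, but nothing in the file says so and the `# Description:` line is the only hint. A one-line comment near `private-etc dbus-1`, e.g. `# No D-Bus filtering: d-spy needs unrestricted access to the session and system buses`, would stop a later hardening pass from adding `dbus-user none` and silently breaking the application.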
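--- a/etc/profile-a-l/fluffychat.profile
+++ b/etc/profile-a-l/fluffychat.profile
@@ -25,7 +25,6 @@ include disable-xdg.inc
 # there isn't a Firefox instance running with the default profile; see #5352)
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 mkdir ${HOME}/.local/share/fluffychat
 whitelist ${DOWNLOADS}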
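--- /dev/null
+++ b/etc/profile-a-l/geki2.profile
@@ -0,0 +1,49 @@
+# Firejail profile for geki2
+# Persistent local customizations
+include geki2.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/games/geki2
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+netfilter
+nodvd
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+tracelog
+
+disable-mnt
+private
+private-bin geki2
+private-dev
+private-etc @games,@sound,@x11
+private-tmp
+writable-var # game scores are stored under /var/games
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+restrict-namespaces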
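--- /dev/null
+++ b/etc/profile-a-l/geki3.profile
@@ -0,0 +1,49 @@
+# Firejail profile for geki3
+# Persistent local customizations
+include geki3.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/games/geki3
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+netfilter
+nodvd
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+tracelog
+
+disable-mnt
+private
+private-bin geki3
+private-dev
+private-etc @games,@sound,@x11
+private-tmp
+writable-var # game scores are stored under /var/games
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+restrict-namespaces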
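--- /dev/null
+++ b/etc/profile-a-l/lbreakouthd.profile
@@ -0,0 +1,58 @@
+# Firejail profile for lbreakouthd
+# Persistent local customizations
+include lbreakouthd.local
+# Persistent global definitions
+include globals.local
+
+# Note: this profile requires the current user to be a member of games group
+
+noblacklist ${HOME}/.lbreakouthd
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.lbreakouthd
+whitelist ${HOME}/.lbreakouthd
+whitelist ${RUNUSER}/pulse
+whitelist /run/host/container-manager
+whitelist /run/udev/control
+whitelist /usr/share/games/lbreakouthd
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+netfilter
+nodvd
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+tracelog
+
+disable-mnt
+private-bin lbreakouthd
+private-dev
+private-etc @games,@sound,@x11
+private-tmp
+writable-var # game scores are stored under /var/games
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+restrict-namespaces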
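--- /dev/null
+++ b/etc/profile-a-l/loupe.profile
@@ -0,0 +1,50 @@
+# Firejail profile for loupe
+# Description: GNOME's modern Image Viewer program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include loupe.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/Trash
+noblacklist ${HOME}/.Steam
+noblacklist ${HOME}/.steam
+
+#include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-write-mnt.inc
+
+#whitelist /usr/share/glycin-loaders
+include whitelist-runuser-common.inc
+#include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,netlink
+#loupe decodes all images in their own sandbox via glycin
+#https://gitlab.gnome.org/sophie-h/glycin#sandboxing-and-inner-workings
+#seccomp
+seccomp.block-secondary
+tracelog
+
+private-cache
+private-dev
+private-etc @x11
+private-tmp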
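Review bot: `#include disable-common.inc` on line 13 switches off the broadest blacklist set in the profile with no stated reason, and the same goes for the commented `#whitelist /usr/share/glycin-loaders` and `#include whitelist-usr-share-common.inc` on lines 20 and 22, whereas the disabled `seccomp` on lines 41-43 does explain itself. A reader cannot tell whether these are deliberate relaxations needed by glycin's loader sandbox or leftovers from debugging, so a later pass could either re-enable them and break image loading, or keep the sensitive-dotfile blacklists disable-common.inc provides permanently off. Add a comment in the same style as the seccomp one, e.g. `# disable-common.inc is left out because <REASON-TO-CONFIRM>`, or drop the dead lines if they are not needed.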
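--- /dev/null
+++ b/etc/profile-m-z/tuxtype.profile
@@ -0,0 +1,54 @@
+# Firejail profile for tuxtype
+# Persistent local customizations
+include tuxtype.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.tuxtype
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.tuxtype
+whitelist ${HOME}/.tuxtype
+whitelist ${RUNUSER}/pulse
+whitelist /usr/share/tuxtype
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+netfilter
+nodvd
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+tracelog
+
+disable-mnt
+private-bin tuxtype
+private-dev
+private-etc @games,@sound,@x11,tuxtype
+private-tmp
+writable-var # game scores are stored under /var/games
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+restrict-namespaces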
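--- /dev/null
+++ b/etc/profile-m-z/typespeed.profile
@@ -0,0 +1,49 @@
+# Firejail profile for typespeed
+# Persistent local customizations
+include typespeed.local
+# Persistent global definitions
+include globals.local
+
+# Note: This profile requires the current user to be a member of the games
+# group.
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/typespeed
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+disable-mnt
+private
+private-dev
+private-etc @games,@sound,@x11
+private-tmp
+writable-var # game scores are stored under /var/games
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+restrict-namespaces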
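Review bot: The profile omits `include disable-shell.inc`, which the sibling tuxtype.profile added in the same commit enables; unless typespeed needs to spawn a shell, adding `include disable-shell.inc` after line 15 would keep the two new game profiles at the same baseline. The `protocol unix,inet,inet6,netlink` line leaves networking open by default, presumably for the game's network play mode; a one-line comment above it stating that, e.g. `# networking is kept for the multiplayer mode; add net none in typespeed.local to disable it`, would tell users what they give up by tightening it.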
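--- a/src/fbuilder/build_bin.c
+++ b/src/fbuilder/build_bin.c
@@ -27,7 +27,7 @@ static void process_bin(const char *fname) {
 // process trace file
 FILE *fp = fopen(fname, "r");
 if (!fp) {
-fprintf(stderr, "Error: cannot open %s\n", fname);
+fprintf(stderr, "Error fbuilder: cannot open %s\n", fname);
 exit(1);
 }
 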
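--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -31,7 +31,7 @@ static void process_file(const char *fname, const char *dir, void (*callback)(ch
 // process trace file
 FILE *fp = fopen(fname, "r");
 if (!fp) {
-fprintf(stderr, "Error: cannot open %s\n", fname);
+fprintf(stderr, "Error fbuilder: cannot open %s\n", fname);
 exit(1);
 }
 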
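--- a/src/fbuilder/build_home.c
+++ b/src/fbuilder/build_home.c
@@ -31,7 +31,7 @@ void process_home(const char *fname, char *home, int home_len) {
 // process trace file
 FILE *fp = fopen(fname, "r");
 if (!fp) {
-fprintf(stderr, "Error: cannot open %s\n", fname);
+fprintf(stderr, "Error fbuilder: cannot open %s\n", fname);
 exit(1);
 }
 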
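--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -26,7 +26,7 @@
 void build_profile(int argc, char **argv, int index, FILE *fp) {
 // next index is the application name
 if (index >= argc) {
-fprintf(stderr, "Error: application name missing\n");
+fprintf(stderr, "Error fbuilder: application name missing\n");
 exit(1);
 }
 
@@ -165,7 +165,7 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 unlink(trace_output);
 }
 else {
-fprintf(stderr, "Error: cannot run the sandbox\n");
+fprintf(stderr, "Error fbuilder: cannot run the sandbox\n");
 exit(1);
 }
 }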
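--- a/src/fbuilder/build_seccomp.c
+++ b/src/fbuilder/build_seccomp.c
@@ -27,7 +27,7 @@ void build_seccomp(const char *fname, FILE *fp) {
 
 FILE *fp2 = fopen(fname, "r");
 if (!fp2) {
-fprintf(stderr, "Error: cannot open %s\n", fname);
+fprintf(stderr, "Error fbuilder: cannot open %s\n", fname);
 exit(1);
 }
 
@@ -54,7 +54,7 @@ void build_seccomp(const char *fname, FILE *fp) {
 }
 else if (line == 2) {
 if (*buf != '-') {
-fprintf(stderr, "Error: invalid strace output\n%s\n", buf);
+fprintf(stderr, "Error fbuilder: invalid strace output\n%s\n", buf);
 exit(1);
 }
 }
@@ -96,7 +96,7 @@ static void process_protocol(const char *fname) {
 // process trace file
 FILE *fp = fopen(fname, "r");
 if (!fp) {
-fprintf(stderr, "Error: cannot open %s\n", fname);
+fprintf(stderr, "Error fbuilder: cannot open %s\n", fname);
 exit(1);
 }
 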
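--- a/src/fbuilder/filedb.c
+++ b/src/fbuilder/filedb.c
@@ -94,7 +94,7 @@ FileDB *filedb_load_whitelist(FileDB *head, const char *fname, const char *prefi
 errExit("asprintf");
 FILE *fp = fopen(f, "r");
 if (!fp) {
-fprintf(stderr, "Error: cannot open %s\n", f);
+fprintf(stderr, "Error fbuilder: cannot open %s\n", f);
 free(f);
 exit(1);
 }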
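--- a/src/fbuilder/main.c
+++ b/src/fbuilder/main.c
@@ -66,21 +66,21 @@ printf("\n");
 
 // don't run if the file exists
 if (access(argv[i] + 8, F_OK) == 0) {
-fprintf(stderr, "Error: the profile file already exists. Please use a different file name.\n");
+fprintf(stderr, "Error fbuilder: the profile file already exists. Please use a different file name.\n");
 exit(1);
 }
 
 // check file access
 fp = fopen(argv[i] + 8, "w");
 if (!fp) {
-fprintf(stderr, "Error: cannot open profile file.\n");
+fprintf(stderr, "Error fbuilder: cannot open profile file.\n");
 exit(1);
 }
 prof_file = argv[i] + 8;
 }
 else {
 if (*argv[i] == '-') {
-fprintf(stderr, "Error: invalid program\n");
+fprintf(stderr, "Error fbuilder: invalid program\n");
 usage();
 exit(1);
 }
@@ -90,7 +90,7 @@ printf("\n");
 }
 
 if (prog_index == 0) {
-fprintf(stderr, "Error : program and arguments required\n");
+fprintf(stderr, "Error fbuilder: program and arguments required\n");
 usage();
 if (prof_file) {
 fclose(fp);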
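Review bot: The existence check with `access(argv[i] + 8, F_OK)` on line 68 and the `fopen(argv[i] + 8, "w")` on line 74 are two separate steps, so a file that appears between them is silently truncated despite the "already exists" guard; opening once with `int fd = open(argv[i] + 8, O_WRONLY | O_CREAT | O_EXCL, 0644);` and wrapping it with `fp = fdopen(fd, "w");` gives the same user-facing error atomically and removes the check-then-act race (0644 is a placeholder mode to confirm against the current umask behaviour). This is pre-existing and independent of the message prefix the commit changes. The enclosing option loop starts and ends outside the hunk.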
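--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -43,6 +43,7 @@ abrowser
 akonadi_control
 akregator
 alacarte
+alienblaster
 alpine
 alpinef
 amarok
@@ -190,6 +191,7 @@ cryptocat
 cvlc
 cyberfox
 d-feet
+d-spy
 daisy
 darktable
 dconf-editor
@@ -320,6 +322,8 @@ geany
 gedit
 geekbench
 geeqie
+geki2
+geki3
 gfeeds
 gh
 ghb
@@ -493,6 +497,7 @@ ktouch
 kube
 #kwin_x11
 kwrite
+lbreakouthd
 lbry-viewer
 lbry-viewer-gtk
 leafpad
@@ -521,6 +526,7 @@ lofromtemplate
 loimpress
 lollypop
 lomath
+loupe
 loweb
 lowriter
 #lrunzip # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
@@ -920,9 +926,11 @@ tshark
 tuir
 tutanota-desktop
 tuxguitar
+tuxtype
 tvbrowser
 tvnamer
 twitch
+typespeed
 udiskie
 uefitool
 uget-gtk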
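--- a/src/firejail/chroot.c
+++ b/src/firejail/chroot.c
@@ -273,7 +273,10 @@ void fs_chroot(const char *rootdir) {
 errExit("mounting /proc");
 
 // create all other /run/firejail files and directories
-preproc_build_firejail_dir();
+preproc_build_firejail_dir_unlocked();
+preproc_lock_firejail_dir();
+preproc_build_firejail_dir_locked();
+preproc_unlock_firejail_dir();
 
 // update /var directory in order to support multiple sandboxes running on the same root directory
 // if (!arg_private_dev)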
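--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -282,6 +282,8 @@ static inline int any_dhcp(void) {
 return any_ip_dhcp() || any_ip6_dhcp();
 }
 
+extern int lockfd_directory;
+extern int lockfd_network;
 extern int arg_private; // mount private /home
 extern int arg_private_cache; // private home/.cache
 extern int arg_debug; // print debug messages
@@ -429,7 +431,12 @@ int net_get_mac(const char *ifname, unsigned char mac[6]);
 void net_config_interface(const char *dev, uint32_t ip, uint32_t mask, int mtu);
 
 // preproc.c
-void preproc_build_firejail_dir(void);
+void preproc_lock_firejail_dir(void);
+void preproc_unlock_firejail_dir(void);
+void preproc_lock_firejail_network_dir(void);
+void preproc_unlock_firejail_network_dir(void);
+void preproc_build_firejail_dir_unlocked(void);
+void preproc_build_firejail_dir_locked(void);
 void preproc_mount_mnt_dir(void);
 void preproc_clean_run(void);
 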
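--- a/src/firejail/landlock.c
+++ b/src/firejail/landlock.c
@@ -19,7 +19,6 @@
 */
 
 #include "firejail.h"
-#include <linux/landlock.h>
 #include <sys/prctl.h>
 #include <sys/syscall.h>
 #include <sys/types.h>
@@ -28,6 +27,8 @@
 
 #ifdef HAVE_LANDLOCK
 
+#include <linux/landlock.h>
+
 static int ll_ruleset_fd = -1;
 static int ll_abi = -1;
 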
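--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -63,6 +63,8 @@ gid_t firejail_gid = 0;
 static char child_stack[STACK_SIZE] __attribute__((aligned(STACK_ALIGNMENT))); // space for child's stack
 
 Config cfg; // configuration
+int lockfd_directory = -1;
+int lockfd_network = -1;
 int arg_private = 0; // mount private /home and /tmp directoryu
 int arg_private_cache = 0; // mount private home/.cache
 int arg_debug = 0; // print debug messages
@@ -1056,8 +1058,6 @@ static int check_postexec(const char *list) {
 int main(int argc, char **argv, char **envp) {
 int i;
 int prog_index = -1; // index in argv where the program command starts
-int lockfd_network = -1;
-int lockfd_directory = -1;
 int custom_profile = 0; // custom profile loaded
 int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot)
 char **ptr;
@@ -1166,19 +1166,13 @@ int main(int argc, char **argv, char **envp) {
 #endif
 
 // build /run/firejail directory structure
-preproc_build_firejail_dir();
+preproc_build_firejail_dir_unlocked();
+preproc_lock_firejail_dir();
+preproc_build_firejail_dir_locked();
 const char *container_name = env_get("container");
-if (!container_name || strcmp(container_name, "firejail")) {
-lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR);
-if (lockfd_directory != -1) {
-int rv = fchown(lockfd_directory, 0, 0);
-(void) rv;
-flock(lockfd_directory, LOCK_EX);
-}
+if (!container_name || strcmp(container_name, "firejail"))
 preproc_clean_run();
-flock(lockfd_directory, LOCK_UN);
-close(lockfd_directory);
-}
+preproc_unlock_firejail_dir();
 
 delete_run_files(getpid());
 atexit(clear_atexit);
@@ -2990,12 +2984,7 @@ int main(int argc, char **argv, char **envp) {
 // check and assign an IP address - for macvlan it will be done again in the sandbox!
 if (any_bridge_configured()) {
 EUID_ROOT();
-lockfd_network = open(RUN_NETWORK_LOCK_FILE, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR);
-if (lockfd_network != -1) {
-int rv = fchown(lockfd_network, 0, 0);
-(void) rv;
-flock(lockfd_network, LOCK_EX);
-}
+preproc_lock_firejail_network_dir();
 
 if (cfg.bridge0.configured && cfg.bridge0.arg_ip_none == 0)
 check_network(&cfg.bridge0);
@@ -3024,21 +3013,13 @@ int main(int argc, char **argv, char **envp) {
 
 // set name and x11 run files
 EUID_ROOT();
-lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR);
-if (lockfd_directory != -1) {
-int rv = fchown(lockfd_directory, 0, 0);
-(void) rv;
-flock(lockfd_directory, LOCK_EX);
-}
+preproc_lock_firejail_dir();
 if (cfg.name)
 set_name_run_file(sandbox_pid);
 int display = x11_display();
 if (display > 0)
 set_x11_run_file(sandbox_pid, display);
-if (lockfd_directory != -1) {
-flock(lockfd_directory, LOCK_UN);
-close(lockfd_directory);
-}
+preproc_unlock_firejail_dir();
 EUID_USER();
 
 #ifdef HAVE_DBUSPROXY
@@ -3276,10 +3257,7 @@ int main(int argc, char **argv, char **envp) {
 close(parent_to_child_fds[1]);
 
 EUID_ROOT();
-if (lockfd_network != -1) {
-flock(lockfd_network, LOCK_UN);
-close(lockfd_network);
-}
+preproc_unlock_firejail_network_dir();
 EUID_USER();
 
 // lock netfilter firewall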
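Review bot: In the hunk at line 1166 the directory lock is now taken and the locked build run unconditionally (lines 1170-1171), and released unconditionally at line 1175, whereas the old code only opened the lockfile when not inside a nested sandbox (`container` != "firejail") and tolerated a failed open by skipping the flock. Since preproc_lock_file now exits on open or fchown failure, a nested firejail that cannot create or chown RUN_DIRECTORY_LOCK_FILE would abort here instead of continuing; if nested runs are meant to keep working, the lock and unlock calls should sit under the same `if (!container_name || strcmp(container_name, "firejail"))` guard that still protects preproc_clean_run. A one-line comment stating whether the lock is intentionally taken inside nested sandboxes would settle the question for the next reader. main's body continues outside every hunk shown.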
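--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -18,15 +18,101 @@
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
+#include <sys/file.h>
 #include <sys/mount.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <dirent.h>
+#include <fcntl.h>
 
 static int tmpfs_mounted = 0;
 
+static void preproc_lock_file(const char *path, int *lockfd_ptr) {
+assert(path != NULL);
+assert(lockfd_ptr != NULL);
+
+long pid = (long)getpid();
+if (arg_debug)
+fprintf(stderr, "pid=%ld: locking %s ...\n", pid, path);
+
+if (*lockfd_ptr != -1) {
+if (arg_debug)
+fprintf(stderr, "pid=%ld: already locked %s\n", pid, path);
+return;
+}
+
+int lockfd = open(path, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR);
+if (lockfd == -1) {
+fprintf(stderr, "Error: cannot create a lockfile at %s\n", path);
+errExit("open");
+}
+
+if (fchown(lockfd, 0, 0) == -1) {
+fprintf(stderr, "Error: cannot chown root:root %s\n", path);
+errExit("fchown");
+}
+
+if (flock(lockfd, LOCK_EX) == -1) {
+fprintf(stderr, "Error: cannot lock %s\n", path);
+errExit("flock");
+}
+
+*lockfd_ptr = lockfd;
+if (arg_debug)
+fprintf(stderr, "pid=%ld: locked %s\n", pid, path);
+}
+
+static void preproc_unlock_file(const char *path, int *lockfd_ptr) {
+assert(path != NULL);
+assert(lockfd_ptr != NULL);
+
+long pid = (long)getpid();
+if (arg_debug)
+fprintf(stderr, "pid=%ld: unlocking %s ...\n", pid, path);
+
+int lockfd = *lockfd_ptr;
+if (lockfd == -1) {
+if (arg_debug)
+fprintf(stderr, "pid=%ld: already unlocked %s\n", pid, path);
+return;
+}
+
+if (flock(lockfd, LOCK_UN) == -1) {
+fprintf(stderr, "Error: cannot unlock %s\n", path);
+errExit("flock");
+}
+
+if (close(lockfd) == -1) {
+fprintf(stderr, "Error: cannot close %s\n", path);
+errExit("close");
+}
+
+*lockfd_ptr = -1;
+if (arg_debug)
+fprintf(stderr, "pid=%ld: unlocked %s\n", pid, path);
+}
+
+void preproc_lock_firejail_dir(void) {
+preproc_lock_file(RUN_DIRECTORY_LOCK_FILE, &lockfd_directory);
+}
+
+void preproc_unlock_firejail_dir(void) {
+preproc_unlock_file(RUN_DIRECTORY_LOCK_FILE, &lockfd_directory);
+}
+
+void preproc_lock_firejail_network_dir(void) {
+preproc_lock_file(RUN_NETWORK_LOCK_FILE, &lockfd_network);
+}
+
+void preproc_unlock_firejail_network_dir(void) {
+preproc_unlock_file(RUN_NETWORK_LOCK_FILE, &lockfd_network);
+}
+
 // build /run/firejail directory
-void preproc_build_firejail_dir(void) {
+//
+// Note: This creates the base directory of the rundir lockfile;
+// it should be called before preproc_lock_firejail_dir().
+void preproc_build_firejail_dir_unlocked(void) {
 struct stat s;
 
 // CentOS 6 doesn't have /run directory
@@ -35,6 +121,14 @@ void preproc_build_firejail_dir(void) {
 }
 
 create_empty_dir_as_root(RUN_FIREJAIL_DIR, 0755);
+}
+
+// build directory hierarchy under /run/firejail
+//
+// Note: Remounts have timing hazards. This function should
+// only be called after acquiring the directory lock via
+// preproc_lock_firejail_dir().
+void preproc_build_firejail_dir_locked(void) {
 create_empty_dir_as_root(RUN_FIREJAIL_NETWORK_DIR, 0755);
 create_empty_dir_as_root(RUN_FIREJAIL_BANDWIDTH_DIR, 0755);
 create_empty_dir_as_root(RUN_FIREJAIL_NAME_DIR, 0755);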
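Review bot: preproc_lock_file returns early when the fd is already held (lines 38-42) but preproc_unlock_file always releases and resets it (lines 73-90), so the pair is not nestable: an inner lock/unlock, such as the one fs_chroot now performs in chroot.c, would silently drop a lock that an outer caller still believes it holds. Replacing the early return with `assert(*lockfd_ptr == -1);`, or keeping a depth counter next to the fd, would make that hazard loud instead of silent. The fchown failure on line 50 is now fatal where the old code in main.c deliberately ignored it with `(void) rv;`, which changes behaviour for any call site not running with euid 0; worth confirming for the early call at main.c line 1169 and for the chroot.c path. A comment on preproc_lock_file stating both facts (non-reentrant, requires root) would document the contract the callers now depend on.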
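--- a/src/firemon/procevent.c
+++ b/src/firemon/procevent.c
@@ -301,7 +301,9 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
 proc_ev = (struct proc_event *)cn_msg->data;
 pid_t pid = 0;
 pid_t child = 0;
+char *new_comm = NULL;
 int remove_pid = 0;
+int nodisplay = 0;
 switch (proc_ev->what) {
 case PROC_EVENT_FORK:
 #ifdef DEBUG_PRCTL
@@ -322,6 +324,7 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
 pids[child].parent = pid;
 }
 sprintf(lineptr, " fork");
+nodisplay = 1;
 break;
 case PROC_EVENT_EXEC:
 pid = proc_ev->event_data.exec.process_tgid;
@@ -363,6 +366,7 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
 sprintf(lineptr, " uid (%d:%d)",
 proc_ev->event_data.id.r.ruid,
 proc_ev->event_data.id.e.euid);
+nodisplay = 1;
 break;
 
 case PROC_EVENT_GID:
@@ -379,6 +383,7 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
 sprintf(lineptr, " gid (%d:%d)",
 proc_ev->event_data.id.r.rgid,
 proc_ev->event_data.id.e.egid);
+nodisplay = 1;
 break;
 
 
@@ -391,6 +396,41 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
 sprintf(lineptr, " sid ");
 break;
 
+case PROC_EVENT_COREDUMP:
+pid = proc_ev->event_data.coredump.process_tgid;
+#ifdef DEBUG_PRCTL
+printf("%s: %d, event coredump, pid %d\n", __FUNCTION__, __LINE__, pid);
+#endif
+sprintf(lineptr, " coredump ");
+break;
+
+case PROC_EVENT_COMM:
+pid = proc_ev->event_data.comm.process_tgid;
+#ifdef DEBUG_PRCTL
+printf("%s: %d, event comm, pid %d\n", __FUNCTION__, __LINE__, pid);
+#endif
+if (proc_ev->event_data.comm.process_pid !=
+proc_ev->event_data.comm.process_tgid)
+continue; // this is a thread, not a process
+
+if (pids[pid].level == 1 ||
+pids[pids[pid].parent].level == 1) {
+sprintf(lineptr, "\n");
+continue;
+}
+else
+sprintf(lineptr, " comm %s", proc_ev->event_data.comm.comm);
+nodisplay = 1;
+break;
+
+case PROC_EVENT_PTRACE:
+pid = proc_ev->event_data.ptrace.process_tgid;
+#ifdef DEBUG_PRCTL
+printf("%s: %d, event ptrace, pid %d\n", __FUNCTION__, __LINE__, pid);
+#endif
+sprintf(lineptr, " ptrace ");
+break;
+
 default:
 #ifdef DEBUG_PRCTL
 printf("%s: %d, event unknown\n", __FUNCTION__, __LINE__);
@@ -449,7 +489,7 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
 if (!cmd) {
 cmd = pid_proc_cmdline(pid);
 }
-if (cmd == NULL)
+if (cmd == NULL || nodisplay)
 sprintf(lineptr, "\n");
 else {
 sprintf(lineptr, " %s\n", cmd);
@@ -473,15 +513,12 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
 }
 
 // print forked child
-if (child) {
-cmd = pid_proc_cmdline(child);
-if (cmd) {
-printf("\tchild %u %s\n", child, cmd);
-free(cmd);
-}
-else
-printf("\tchild %u\n", child);
-}
+if (child)
+printf("\tchild %u\n", child);
+
+// print new comm
+if (new_comm)
+printf("\tnew comm %s\n", new_comm);
 
 // on uid events the uid is changing
 if (proc_ev->what == PROC_EVENT_UID) {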
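Review bot: new_comm is declared at line 304 and printed at lines 520-521, but nothing in the visible hunks assigns it; the PROC_EVENT_COMM case writes the name into lineptr instead (line 422), so the `new comm` print appears unreachable unless an assignment lives in a part of procevent_monitor outside these hunks. Either set it in the comm case, `new_comm = proc_ev->event_data.comm.comm;`, or drop the variable and the print so the two paths do not drift apart. The `pids[pids[pid].parent].level` lookup at line 417 indexes by a pid taken straight from the netlink message; if the other cases bound-check pid before touching pids[], the same check belongs here. procevent_monitor starts and ends outside the hunks.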
diff --git a/src/fnettrace/static-ip-map.txt b/src/fnettrace/static-ip-map.txt index 03163b4fc..2faf5a49c 100644 --- a/src/fnettrace/static-ip-map.txt +++ b/src/fnettrace/static-ip-map.txt | |||
@@ -44,10 +44,15 @@ | |||
44 | 127.0.0.0/8 Local host | 44 | 127.0.0.0/8 Local host |
45 | 169.254.0.0/16 Local link | 45 | 169.254.0.0/16 Local link |
46 | 172.16.0.0/12 Local network | 46 | 172.16.0.0/12 Local network |
47 | 192.0.0.0/24 DS-Lite | ||
47 | 192.0.2.0/24 Documentation | 48 | 192.0.2.0/24 Documentation |
48 | 192.168.0.0/16 Local network | 49 | 192.168.0.0/16 Local network |
50 | 198.18.0.0/15 Testing | ||
49 | 198.51.100.0/24 Documentation | 51 | 198.51.100.0/24 Documentation |
52 | 192.88.99.0/24 Reserved | ||
50 | 203.0.113.0/24 Documentation | 53 | 203.0.113.0/24 Documentation |
54 | 233.252.0.0/24 Documentation | ||
55 | 240.0.0.0/4 Reserved | ||
51 | 56 | ||
52 | # multicast | 57 | # multicast |
53 | 224.0.0.0/4 Multicast | 58 | 224.0.0.0/4 Multicast |
@@ -252,8 +257,10 @@ | |||
252 | 63.141.247.240/29 BitChute | 257 | 63.141.247.240/29 BitChute |
253 | 69.30.200.200/29 BitChute | 258 | 69.30.200.200/29 BitChute |
254 | 69.30.230.64/29 BitChute | 259 | 69.30.230.64/29 BitChute |
260 | 69.30.230.96/29 BitChute | ||
255 | 69.30.241.40/29 BitChute | 261 | 69.30.241.40/29 BitChute |
256 | 69.30.241.48/29 BitChute | 262 | 69.30.241.48/29 BitChute |
263 | 69.30.243.152/29 BitChute | ||
257 | 69.30.243.168/29 BitChute | 264 | 69.30.243.168/29 BitChute |
258 | 69.30.245.232/29 BitChute | 265 | 69.30.245.232/29 BitChute |
259 | 69.30.253.16/29 BitChute | 266 | 69.30.253.16/29 BitChute |