43 files changed, 405 insertions, 293 deletions
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index 37056a1ce..ec1b4a10f 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md | |||
@@ -47,10 +47,11 @@ _Any other detail that may help to understand/debug the problem_ | |||
47 | 47 | ||
48 | ### Environment | 48 | ### Environment |
49 | 49 | ||
50 | - Linux distribution and version (e.g. "Ubuntu 20.04" or "Arch Linux") | 50 | - Name/version/arch of the Linux kernel (`uname -srm`): |
51 | - Firejail version (`firejail --version`). | 51 | - Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"): |
52 | - Version of Firejail (`firejail --version`): | ||
52 | - If you use a development version of firejail, also the commit from which it | 53 | - If you use a development version of firejail, also the commit from which it |
53 | was compiled (`git rev-parse HEAD`). | 54 | was compiled (`git rev-parse HEAD`): |
54 | 55 | ||
55 | ### Checklist | 56 | ### Checklist |
56 | 57 | ||
diff --git a/.github/ISSUE_TEMPLATE/build_issue.md b/.github/ISSUE_TEMPLATE/build_issue.md new file mode 100644 index 000000000..e9a0b2410 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/build_issue.md | |||
@@ -0,0 +1,73 @@ | |||
1 | --- | ||
2 | name: Build issue | ||
3 | about: There is an issue when trying to build the project from source | ||
4 | title: 'build: ' | ||
5 | labels: '' | ||
6 | assignees: '' | ||
7 | |||
8 | --- | ||
9 | |||
10 | <!-- | ||
11 | See the following links for help with formatting: | ||
12 | |||
13 | https://guides.github.com/features/mastering-markdown/ | ||
14 | https://docs.github.com/en/github/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax | ||
15 | --> | ||
16 | |||
17 | ### Description | ||
18 | |||
19 | _Describe the bug_ | ||
20 | |||
21 | ### Steps to Reproduce | ||
22 | |||
23 | <!-- | ||
24 | Note: If the output is too long to embed it into the comment, you can post it | ||
25 | in a gist at <https://gist.github.com/> and link it here or upload the build | ||
26 | log as a file. | ||
27 | |||
28 | Note: Make sure to include the exact command-line used for all commands and to | ||
29 | include the full output of ./configure. | ||
30 | |||
31 | Feel free to include only the errors in the make output if they are | ||
32 | self-explanatory (for example, with `make >/dev/null`). | ||
33 | --> | ||
34 | |||
35 | _Post the commands used to reproduce the issue and their output_ | ||
36 | |||
37 | Example: | ||
38 | |||
39 | ```console | ||
40 | $ ./configure --prefix=/usr --enable-apparmor | ||
41 | checking for gcc... gcc | ||
42 | checking whether the C compiler works... yes | ||
43 | [...] | ||
44 | $ make | ||
45 | make -C src/lib | ||
46 | gcc [...] | ||
47 | [...] | ||
48 | ``` | ||
49 | |||
50 | _If ./configure fails, include the output of config.log_ | ||
51 | |||
52 | Example: | ||
53 | |||
54 | ```console | ||
55 | $ cat config.log | ||
56 | This file contains any messages produced by compilers while | ||
57 | running configure, to aid debugging if configure makes a mistake. | ||
58 | [...] | ||
59 | ``` | ||
60 | |||
61 | ### Additional context | ||
62 | |||
63 | _(Optional) Any other detail that may help to understand/debug the problem_ | ||
64 | |||
65 | ### Environment | ||
66 | |||
67 | - Name/version/arch of the Linux kernel (`uname -srm`): | ||
68 | - Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"): | ||
69 | - Name/version of the C compiler (e.g. "gcc 14.1.1-1"): | ||
70 | - Name/version of the libc (e.g. "glibc 2.40-1"): | ||
71 | - Name/version of the Linux API headers (e.g. "linux-api-headers 6.10-1" on | ||
72 | Arch Linux): | ||
73 | - Version of the source code being built (`git rev-parse HEAD`): | ||
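Review bot: the `### Description` placeholder on line 19, `_Describe the bug_`, is copied from bug_report.md and does not fit a build issue; `_Describe the build failure_` would match the `about:` text on line 3. Also worth considering: the `### Environment` list (lines 67 to 73) asks for compiler, libc and kernel headers but not for the `make` implementation and version, which the project's build changes in this same release (`disable all built-in implicit make rules`, `fix hardcoded make`) make relevant; one extra item such as `- Name/version of make (\`make --version\`):` would cover it.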
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md index ce1b70e39..08a5678e2 100644 --- a/.github/ISSUE_TEMPLATE/feature_request.md +++ b/.github/ISSUE_TEMPLATE/feature_request.md | |||
@@ -22,3 +22,11 @@ _A clear and concise description of any alternative solutions or features you've | |||
22 | ### Additional context | 22 | ### Additional context |
23 | 23 | ||
24 | _Add any other context or screenshots about the feature request here._ | 24 | _Add any other context or screenshots about the feature request here._ |
25 | |||
26 | ### Environment | ||
27 | |||
28 | - Name/version/arch of the Linux kernel (`uname -srm`): | ||
29 | - Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"): | ||
30 | - Version of Firejail (`firejail --version`): | ||
31 | - If you use a development version of firejail, also the commit from which it: | ||
32 | was compiled (`git rev-parse HEAD`): | ||
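Review bot: stray colon at the end of line 31, `also the commit from which it:`; the sentence continues on line 32, so the colon belongs only after `(\`git rev-parse HEAD\`)` as in the bug_report.md hunk above. Suggested text for line 31: `- If you use a development version of firejail, also the commit from which it`.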
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index 775a3c947..8ad73bb45 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml | |||
@@ -44,7 +44,7 @@ jobs: | |||
44 | timeout-minutes: 10 | 44 | timeout-minutes: 10 |
45 | steps: | 45 | steps: |
46 | - name: Harden Runner | 46 | - name: Harden Runner |
47 | uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c | 47 | uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde |
48 | with: | 48 | with: |
49 | egress-policy: block | 49 | egress-policy: block |
50 | allowed-endpoints: > | 50 | allowed-endpoints: > |
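Review bot: the new `step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde` pin on line 47 carries no comment naming the release tag the SHA corresponds to, so a reader (or a reviewer of the next bump) cannot tell which version is in use without resolving the commit. Pinning to a full SHA is the right choice for a third-party action that controls egress policy; adding a trailing `# vX.Y.Z` comment keeps that pin auditable. The same applies to every identical harden-runner bump in build.yml, check-c.yml, check-profiles.yml, check-python.yml, codespell.yml and test.yml below.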
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 0c1317ed8..e8bfd0c16 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml | |||
@@ -60,7 +60,7 @@ jobs: | |||
60 | timeout-minutes: 10 | 60 | timeout-minutes: 10 |
61 | steps: | 61 | steps: |
62 | - name: Harden Runner | 62 | - name: Harden Runner |
63 | uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c | 63 | uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde |
64 | with: | 64 | with: |
65 | egress-policy: block | 65 | egress-policy: block |
66 | allowed-endpoints: > | 66 | allowed-endpoints: > |
diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml index d3c9a8abf..1b35f684f 100644 --- a/.github/workflows/check-c.yml +++ b/.github/workflows/check-c.yml | |||
@@ -46,7 +46,7 @@ jobs: | |||
46 | timeout-minutes: 10 | 46 | timeout-minutes: 10 |
47 | steps: | 47 | steps: |
48 | - name: Harden Runner | 48 | - name: Harden Runner |
49 | uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c | 49 | uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde |
50 | with: | 50 | with: |
51 | egress-policy: block | 51 | egress-policy: block |
52 | allowed-endpoints: > | 52 | allowed-endpoints: > |
@@ -79,7 +79,7 @@ jobs: | |||
79 | timeout-minutes: 10 | 79 | timeout-minutes: 10 |
80 | steps: | 80 | steps: |
81 | - name: Harden Runner | 81 | - name: Harden Runner |
82 | uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c | 82 | uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde |
83 | with: | 83 | with: |
84 | egress-policy: block | 84 | egress-policy: block |
85 | allowed-endpoints: > | 85 | allowed-endpoints: > |
@@ -109,7 +109,7 @@ jobs: | |||
109 | timeout-minutes: 10 | 109 | timeout-minutes: 10 |
110 | steps: | 110 | steps: |
111 | - name: Harden Runner | 111 | - name: Harden Runner |
112 | uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c | 112 | uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde |
113 | with: | 113 | with: |
114 | egress-policy: block | 114 | egress-policy: block |
115 | allowed-endpoints: > | 115 | allowed-endpoints: > |
@@ -143,7 +143,7 @@ jobs: | |||
143 | 143 | ||
144 | steps: | 144 | steps: |
145 | - name: Harden Runner | 145 | - name: Harden Runner |
146 | uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c | 146 | uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde |
147 | with: | 147 | with: |
148 | disable-sudo: true | 148 | disable-sudo: true |
149 | egress-policy: block | 149 | egress-policy: block |
@@ -161,7 +161,7 @@ jobs: | |||
161 | 161 | ||
162 | # Initializes the CodeQL tools for scanning. | 162 | # Initializes the CodeQL tools for scanning. |
163 | - name: Initialize CodeQL | 163 | - name: Initialize CodeQL |
164 | uses: github/codeql-action/init@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a | 164 | uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93 |
165 | with: | 165 | with: |
166 | languages: cpp | 166 | languages: cpp |
167 | 167 | ||
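Review bot: the `github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93` bump on line 164 is pinned by SHA but, like the harden-runner bump, has no tag comment; and because `init` and `analyze` must come from the same release, the matching `analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93` line in the last hunk of this file and in check-python.yml should be bumped together, which this diff does. A `# vX.Y.Z` comment on both lines would make that pairing visible at a glance.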
@@ -172,4 +172,4 @@ jobs: | |||
172 | run: make -j "$(nproc)" | 172 | run: make -j "$(nproc)" |
173 | 173 | ||
174 | - name: Perform CodeQL Analysis | 174 | - name: Perform CodeQL Analysis |
175 | uses: github/codeql-action/analyze@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a | 175 | uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93 |
diff --git a/.github/workflows/check-profiles.yml b/.github/workflows/check-profiles.yml index 040d3ab1c..cb9d9ce87 100644 --- a/.github/workflows/check-profiles.yml +++ b/.github/workflows/check-profiles.yml | |||
@@ -33,7 +33,7 @@ jobs: | |||
33 | 33 | ||
34 | steps: | 34 | steps: |
35 | - name: Harden Runner | 35 | - name: Harden Runner |
36 | uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c | 36 | uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde |
37 | with: | 37 | with: |
38 | disable-sudo: true | 38 | disable-sudo: true |
39 | egress-policy: block | 39 | egress-policy: block |
diff --git a/.github/workflows/check-python.yml b/.github/workflows/check-python.yml index 3d233bc02..ed317a86f 100644 --- a/.github/workflows/check-python.yml +++ b/.github/workflows/check-python.yml | |||
@@ -31,7 +31,7 @@ jobs: | |||
31 | 31 | ||
32 | steps: | 32 | steps: |
33 | - name: Harden Runner | 33 | - name: Harden Runner |
34 | uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c | 34 | uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde |
35 | with: | 35 | with: |
36 | disable-sudo: true | 36 | disable-sudo: true |
37 | egress-policy: block | 37 | egress-policy: block |
@@ -51,9 +51,9 @@ jobs: | |||
51 | 51 | ||
52 | # Initializes the CodeQL tools for scanning. | 52 | # Initializes the CodeQL tools for scanning. |
53 | - name: Initialize CodeQL | 53 | - name: Initialize CodeQL |
54 | uses: github/codeql-action/init@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a | 54 | uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93 |
55 | with: | 55 | with: |
56 | languages: python | 56 | languages: python |
57 | 57 | ||
58 | - name: Perform CodeQL Analysis | 58 | - name: Perform CodeQL Analysis |
59 | uses: github/codeql-action/analyze@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a | 59 | uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93 |
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml index 1bf714d65..27c6ab125 100644 --- a/.github/workflows/codespell.yml +++ b/.github/workflows/codespell.yml | |||
@@ -24,7 +24,7 @@ jobs: | |||
24 | timeout-minutes: 5 | 24 | timeout-minutes: 5 |
25 | steps: | 25 | steps: |
26 | - name: Harden Runner | 26 | - name: Harden Runner |
27 | uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c | 27 | uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde |
28 | with: | 28 | with: |
29 | egress-policy: block | 29 | egress-policy: block |
30 | allowed-endpoints: > | 30 | allowed-endpoints: > |
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 0cc1eea3e..92eb212e4 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml | |||
@@ -54,7 +54,7 @@ jobs: | |||
54 | SHELL: /bin/bash | 54 | SHELL: /bin/bash |
55 | steps: | 55 | steps: |
56 | - name: Harden Runner | 56 | - name: Harden Runner |
57 | uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c | 57 | uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde |
58 | with: | 58 | with: |
59 | egress-policy: block | 59 | egress-policy: block |
60 | allowed-endpoints: > | 60 | allowed-endpoints: > |
@@ -103,7 +103,7 @@ jobs: | |||
103 | SHELL: /bin/bash | 103 | SHELL: /bin/bash |
104 | steps: | 104 | steps: |
105 | - name: Harden Runner | 105 | - name: Harden Runner |
106 | uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c | 106 | uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde |
107 | with: | 107 | with: |
108 | egress-policy: block | 108 | egress-policy: block |
109 | allowed-endpoints: > | 109 | allowed-endpoints: > |
@@ -143,7 +143,7 @@ jobs: | |||
143 | SHELL: /bin/bash | 143 | SHELL: /bin/bash |
144 | steps: | 144 | steps: |
145 | - name: Harden Runner | 145 | - name: Harden Runner |
146 | uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c | 146 | uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde |
147 | with: | 147 | with: |
148 | egress-policy: block | 148 | egress-policy: block |
149 | allowed-endpoints: > | 149 | allowed-endpoints: > |
@@ -183,7 +183,7 @@ jobs: | |||
183 | SHELL: /bin/bash | 183 | SHELL: /bin/bash |
184 | steps: | 184 | steps: |
185 | - name: Harden Runner | 185 | - name: Harden Runner |
186 | uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c | 186 | uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde |
187 | with: | 187 | with: |
188 | egress-policy: block | 188 | egress-policy: block |
189 | allowed-endpoints: > | 189 | allowed-endpoints: > |
@@ -225,7 +225,7 @@ jobs: | |||
225 | SHELL: /bin/bash | 225 | SHELL: /bin/bash |
226 | steps: | 226 | steps: |
227 | - name: Harden Runner | 227 | - name: Harden Runner |
228 | uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c | 228 | uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde |
229 | with: | 229 | with: |
230 | egress-policy: block | 230 | egress-policy: block |
231 | allowed-endpoints: > | 231 | allowed-endpoints: > |
@@ -19,13 +19,13 @@ firejail (0.9.73) baseline; urgency=low | |||
19 | * feature: add support for comm, coredump, and prctl procevents in firemon | 19 | * feature: add support for comm, coredump, and prctl procevents in firemon |
20 | (#6414 #6415) | 20 | (#6414 #6415) |
21 | * feature: add notpm command & keep tpm devices in private-dev (#6379 #6390) | 21 | * feature: add notpm command & keep tpm devices in private-dev (#6379 #6390) |
22 | * feature: fshaper.sh: support tc on NixOS (#6426 #6431) | ||
22 | * modif: Stop forwarding own double-dash to the shell (#5599 #5600) | 23 | * modif: Stop forwarding own double-dash to the shell (#5599 #5600) |
23 | * modif: Prevent sandbox name (--name=) and host name (--hostname=) | 24 | * modif: Prevent sandbox name (--name=) and host name (--hostname=) |
24 | from containing only digits (#5578 #5741) | 25 | from containing only digits (#5578 #5741) |
25 | * modif: Escape control characters of the command line (#5613) | 26 | * modif: Escape control characters of the command line (#5613) |
26 | * modif: Allow mostly only ASCII letters and digits for sandbox name | 27 | * modif: Allow mostly only ASCII letters and digits for sandbox name |
27 | (--name=) and host name (--hostname=) (#5708 #5856) | 28 | (--name=) and host name (--hostname=) (#5708 #5856) |
28 | * modif: remove firemon --interface option (duplicating --net.print option) | ||
29 | * modif: make private-lib a configure-time option, disabled by default (see | 29 | * modif: make private-lib a configure-time option, disabled by default (see |
30 | --enable-private-lib) (#5727 #5732) | 30 | --enable-private-lib) (#5727 #5732) |
31 | * modif: Improve --version/--help & print version on startup (#5829 #6172) | 31 | * modif: Improve --version/--help & print version on startup (#5829 #6172) |
@@ -35,7 +35,9 @@ firejail (0.9.73) baseline; urgency=low | |||
35 | * modif: fcopy: Use lstat when copying directory (#5957) | 35 | * modif: fcopy: Use lstat when copying directory (#5957) |
36 | * modif: private-dev: keep /dev/kfd unless no3d is used (#6380) | 36 | * modif: private-dev: keep /dev/kfd unless no3d is used (#6380) |
37 | * modif: keep /sys/module/nvidia* if prop driver and no no3d (#6372 #6387) | 37 | * modif: keep /sys/module/nvidia* if prop driver and no no3d (#6372 #6387) |
38 | * removal: LTS and FIRETUNNEL support | 38 | * removal: firemon: remove --interface option (it duplicates the firejail |
39 | --net.print= option) (0e48f9933) | ||
40 | * removal: remove support for LTS and firetunnel (db09546f2) | ||
39 | * bugfix: fix --hostname and --hosts-file commands | 41 | * bugfix: fix --hostname and --hosts-file commands |
40 | * bugfix: fix examples in firejail-local AppArmor profile (#5717) | 42 | * bugfix: fix examples in firejail-local AppArmor profile (#5717) |
41 | * bugfix: arp.c: ensure positive timeout on select(2) (#5806) | 43 | * bugfix: arp.c: ensure positive timeout on select(2) (#5806) |
@@ -57,8 +59,7 @@ firejail (0.9.73) baseline; urgency=low | |||
57 | * build: disable all built-in implicit make rules (#5864) | 59 | * build: disable all built-in implicit make rules (#5864) |
58 | * build: organize and standardize make vars and targets (#5866) | 60 | * build: organize and standardize make vars and targets (#5866) |
59 | * build: fix seccomp filters and man pages always being rebuilt when running | 61 | * build: fix seccomp filters and man pages always being rebuilt when running |
60 | make | 62 | make (#5156 #5898) |
61 | * build: simplify code related to man pages (#5898) | ||
62 | * build: fix hardcoded make & remove unnecessary distclean targets (#5911) | 63 | * build: fix hardcoded make & remove unnecessary distclean targets (#5911) |
63 | * build: dist and asc improvements (#5916) | 64 | * build: dist and asc improvements (#5916) |
64 | * build: fix some shellcheck issues & use config.sh in more scripts (#5927) | 65 | * build: fix some shellcheck issues & use config.sh in more scripts (#5927) |
@@ -112,6 +113,12 @@ firejail (0.9.73) baseline; urgency=low | |||
112 | #6359) | 113 | #6359) |
113 | * docs: bug_report.md: use absolute path in 'steps to reproduce' (#6382) | 114 | * docs: bug_report.md: use absolute path in 'steps to reproduce' (#6382) |
114 | * docs: man: format and sort some private- items (#6398) | 115 | * docs: man: format and sort some private- items (#6398) |
116 | * docs: man: improve blacklist/whitelist examples with spaces (#6425) | ||
117 | * docs: add build_issue.md issue template (#6423) | ||
118 | * docs: man: sort commands (firejail.1) (#6451) | ||
119 | * docs: man: fix bold in command TPs (#6472) | ||
120 | * docs: man: fix wrong escapes (#6474) | ||
121 | * docs: github: streamline environment in issue templates (#6471) | ||
115 | * legal: selinux.c: Split Copyright notice & use same license as upstream | 122 | * legal: selinux.c: Split Copyright notice & use same license as upstream |
116 | (#5667) | 123 | (#5667) |
117 | * profiles: qutebrowser: fix links not opening in the existing instance | 124 | * profiles: qutebrowser: fix links not opening in the existing instance |
@@ -138,6 +145,7 @@ firejail (0.9.73) baseline; urgency=low | |||
138 | * profiles: allow-ssh: allow /etc/ssh/ssh_revoked_hosts (#6308 #6309) | 145 | * profiles: allow-ssh: allow /etc/ssh/ssh_revoked_hosts (#6308 #6309) |
139 | * profiles: libreoffice: support signing documents with GPG (#6352 #6353) | 146 | * profiles: libreoffice: support signing documents with GPG (#6352 #6353) |
140 | * profiles: blacklist i3 IPC socket & dir except for i3 itself (#6361) | 147 | * profiles: blacklist i3 IPC socket & dir except for i3 itself (#6361) |
148 | * profiles: librewolf: add new dbus name (io.gitlab.firefox) (#6413 #6473) | ||
141 | * new profiles: fix-qdf, qpdf, zlib-flate, standard-notes, url-eater | 149 | * new profiles: fix-qdf, qpdf, zlib-flate, standard-notes, url-eater |
142 | -- netblue30 <netblue30@yahoo.com> Mon, 17 Jan 2023 09:00:00 -0500 | 150 | -- netblue30 <netblue30@yahoo.com> Mon, 17 Jan 2023 09:00:00 -0500 |
143 | 151 | ||
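Review bot: the RELNOTES hunks do not mention two user-visible behaviour changes made elsewhere in this same diff: `private-etc` is now enabled unconditionally in the Firefox-family profiles (abrowser, basilisk, cachy-browser, cliqz, cyberfox, icecat, iceweasel, librewolf and firefox-common-addons), and evolution.profile has `private-tmp` commented out. Both change what the sandbox exposes, so they deserve `modif:` entries next to the existing `profiles:` lines (for example after line 147), ideally with the issue or commit reference the other entries carry. The bitwarden.profile changes (allow-bin-sh.inc added, the `whitelist-usr-share-common.inc` ignore removed) would also fit there.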
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 49ca3836f..371680b7b 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc | |||
@@ -728,6 +728,7 @@ blacklist ${HOME}/.dillo | |||
728 | blacklist ${HOME}/.dooble | 728 | blacklist ${HOME}/.dooble |
729 | blacklist ${HOME}/.dosbox | 729 | blacklist ${HOME}/.dosbox |
730 | blacklist ${HOME}/.dropbox* | 730 | blacklist ${HOME}/.dropbox* |
731 | blacklist ${HOME}/.dvdcss | ||
731 | blacklist ${HOME}/.easystroke | 732 | blacklist ${HOME}/.easystroke |
732 | blacklist ${HOME}/.electron-cache | 733 | blacklist ${HOME}/.electron-cache |
733 | blacklist ${HOME}/.electron-cash | 734 | blacklist ${HOME}/.electron-cash |
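Review bot: the new `blacklist ${HOME}/.dvdcss` on line 731 is correctly sorted between `.dropbox*` and `.easystroke`, and it is a sensible default since that directory holds libdvdcss's cached title keys for DVDs the user has played. As with every addition to disable-programs.inc, each profile whose program legitimately uses the directory needs a matching `noblacklist`; this diff adds one to ffmpeg and handbrake (and the mplayer hunk, cut off at the end of this page, appears to do the same), so any other DVD-capable player profile should be checked for the same need before merge.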
@@ -1261,6 +1262,7 @@ blacklist ${RUNUSER}/qutebrowser | |||
1261 | blacklist /etc/ssmtp | 1262 | blacklist /etc/ssmtp |
1262 | blacklist /tmp/.wine-* | 1263 | blacklist /tmp/.wine-* |
1263 | blacklist /tmp/akonadi-* | 1264 | blacklist /tmp/akonadi-* |
1265 | blacklist /tmp/evolution-* | ||
1264 | blacklist /tmp/i3-* | 1266 | blacklist /tmp/i3-* |
1265 | blacklist /tmp/lwjgl_* | 1267 | blacklist /tmp/lwjgl_* |
1266 | blacklist /var/games/nethack | 1268 | blacklist /var/games/nethack |
diff --git a/etc/profile-a-l/abrowser.profile b/etc/profile-a-l/abrowser.profile index 8b70756ba..6217af780 100644 --- a/etc/profile-a-l/abrowser.profile +++ b/etc/profile-a-l/abrowser.profile | |||
@@ -14,8 +14,7 @@ whitelist ${HOME}/.cache/mozilla/abrowser | |||
14 | whitelist ${HOME}/.mozilla | 14 | whitelist ${HOME}/.mozilla |
15 | whitelist /usr/share/abrowser | 15 | whitelist /usr/share/abrowser |
16 | 16 | ||
17 | # private-etc must first be enabled in firefox-common.profile | 17 | private-etc abrowser |
18 | #private-etc abrowser | ||
19 | 18 | ||
20 | # Redirect | 19 | # Redirect |
21 | include firefox-common.profile | 20 | include firefox-common.profile |
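Review bot: line 17 replaces the commented-out `#private-etc abrowser` and its guard note (`private-etc must first be enabled in firefox-common.profile`) with an unconditional `private-etc abrowser`, but this diff shows no change to firefox-common.profile. If the guard was there because a `private-etc` line in the including profile only takes effect together with the one in firefox-common.profile, the prerequisite should be confirmed (or the comment retained in a shortened form) so the entry is not silently inert; if the semantics have changed so that multiple `private-etc` lines accumulate, that is the reason the comment can go and it belongs in the commit message or RELNOTES. The same remark applies to the identical hunks in basilisk, cachy-browser, cliqz, cyberfox, icecat, iceweasel and librewolf below.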
diff --git a/etc/profile-a-l/basilisk.profile b/etc/profile-a-l/basilisk.profile index 7d2fe143c..f5595274e 100644 --- a/etc/profile-a-l/basilisk.profile +++ b/etc/profile-a-l/basilisk.profile | |||
@@ -19,8 +19,7 @@ seccomp | |||
19 | ignore seccomp | 19 | ignore seccomp |
20 | 20 | ||
21 | #private-bin basilisk | 21 | #private-bin basilisk |
22 | # private-etc must first be enabled in firefox-common.profile | 22 | private-etc basilisk |
23 | #private-etc basilisk | ||
24 | #private-opt basilisk | 23 | #private-opt basilisk |
25 | 24 | ||
26 | restrict-namespaces | 25 | restrict-namespaces |
diff --git a/etc/profile-a-l/bitwarden-desktop.profile b/etc/profile-a-l/bitwarden-desktop.profile new file mode 100644 index 000000000..4c1994c50 --- /dev/null +++ b/etc/profile-a-l/bitwarden-desktop.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for bitwarden-desktop | ||
2 | # Description: A secure and free password manager for all of your devices | ||
3 | # This file is overwritten after every install/update. | ||
4 | # Persistent local customisations | ||
5 | include bitwarden-desktop.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include bitwarden.profile | ||
diff --git a/etc/profile-a-l/bitwarden.profile b/etc/profile-a-l/bitwarden.profile index 1572ca572..9ed48b02d 100644 --- a/etc/profile-a-l/bitwarden.profile +++ b/etc/profile-a-l/bitwarden.profile | |||
@@ -6,13 +6,13 @@ include bitwarden.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Disabled until someone reported positive feedback | ||
10 | ignore include whitelist-usr-share-common.inc | ||
11 | |||
12 | ignore noexec /tmp | 9 | ignore noexec /tmp |
13 | 10 | ||
14 | noblacklist ${HOME}/.config/Bitwarden | 11 | noblacklist ${HOME}/.config/Bitwarden |
15 | 12 | ||
13 | # Allow /bin/sh (blacklisted by disable-shell.inc) | ||
14 | include allow-bin-sh.inc | ||
15 | |||
16 | include disable-shell.inc | 16 | include disable-shell.inc |
17 | 17 | ||
18 | mkdir ${HOME}/.config/Bitwarden | 18 | mkdir ${HOME}/.config/Bitwarden |
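Review bot: two loosening changes in one hunk with no comment explaining either. Removing lines 9 and 10 (`# Disabled until someone reported positive feedback` / `ignore include whitelist-usr-share-common.inc`) means the `/usr/share` whitelist now applies, which is actually a tightening, but the new `include allow-bin-sh.inc` on lines 13 and 14 re-exposes `/bin/sh` inside a password manager's sandbox, which is a widening. The new comment `# Allow /bin/sh (blacklisted by disable-shell.inc)` says what the line does, not why Bitwarden needs a shell; a one-line reason (which feature breaks without it) would let a later maintainer judge whether the exception is still required.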
diff --git a/etc/profile-a-l/cachy-browser.profile b/etc/profile-a-l/cachy-browser.profile index 05e1a69f1..6218dbbe8 100644 --- a/etc/profile-a-l/cachy-browser.profile +++ b/etc/profile-a-l/cachy-browser.profile | |||
@@ -26,9 +26,7 @@ whitelist /usr/share/cachy-browser | |||
26 | 26 | ||
27 | # Add the next line to your cachy-browser.local to enable private-bin (Arch Linux). | 27 | # Add the next line to your cachy-browser.local to enable private-bin (Arch Linux). |
28 | #private-bin dbus-launch,dbus-send,cachy-browser,sh | 28 | #private-bin dbus-launch,dbus-send,cachy-browser,sh |
29 | # Add the next line to your cachy-browser.local to enable private-etc. | 29 | private-etc cachy-browser |
30 | # Note: private-etc must first be enabled in firefox-common.local. | ||
31 | #private-etc cachy-browser | ||
32 | 30 | ||
33 | dbus-user filter | 31 | dbus-user filter |
34 | dbus-user.own org.mozilla.cachybrowser.* | 32 | dbus-user.own org.mozilla.cachybrowser.* |
diff --git a/etc/profile-a-l/cliqz.profile b/etc/profile-a-l/cliqz.profile index d0bf9797e..bded735a9 100644 --- a/etc/profile-a-l/cliqz.profile +++ b/etc/profile-a-l/cliqz.profile | |||
@@ -17,8 +17,7 @@ whitelist ${HOME}/.cliqz | |||
17 | whitelist ${HOME}/.config/cliqz | 17 | whitelist ${HOME}/.config/cliqz |
18 | whitelist /usr/share/cliqz | 18 | whitelist /usr/share/cliqz |
19 | 19 | ||
20 | # private-etc must first be enabled in firefox-common.profile | 20 | private-etc cliqz |
21 | #private-etc cliqz | ||
22 | 21 | ||
23 | # Redirect | 22 | # Redirect |
24 | include firefox-common.profile | 23 | include firefox-common.profile |
diff --git a/etc/profile-a-l/cyberfox.profile b/etc/profile-a-l/cyberfox.profile index c7a42e0eb..173c5b4a5 100644 --- a/etc/profile-a-l/cyberfox.profile +++ b/etc/profile-a-l/cyberfox.profile | |||
@@ -16,8 +16,7 @@ whitelist /usr/share/8pecxstudios | |||
16 | whitelist /usr/share/cyberfox | 16 | whitelist /usr/share/cyberfox |
17 | 17 | ||
18 | #private-bin cyberfox,dbus-launch,dbus-send,env,sh,which | 18 | #private-bin cyberfox,dbus-launch,dbus-send,env,sh,which |
19 | # private-etc must first be enabled in firefox-common.profile | 19 | private-etc cyberfox |
20 | #private-etc cyberfox | ||
21 | 20 | ||
22 | # Redirect | 21 | # Redirect |
23 | include firefox-common.profile | 22 | include firefox-common.profile |
diff --git a/etc/profile-a-l/evolution.profile b/etc/profile-a-l/evolution.profile index 517bb6206..e703938eb 100644 --- a/etc/profile-a-l/evolution.profile +++ b/etc/profile-a-l/evolution.profile | |||
@@ -6,6 +6,7 @@ include evolution.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist /tmp/evolution-* | ||
9 | noblacklist /var/mail | 10 | noblacklist /var/mail |
10 | noblacklist /var/spool/mail | 11 | noblacklist /var/spool/mail |
11 | noblacklist ${HOME}/.bogofilter | 12 | noblacklist ${HOME}/.bogofilter |
@@ -41,7 +42,7 @@ protocol unix,inet,inet6 | |||
41 | seccomp | 42 | seccomp |
42 | 43 | ||
43 | private-dev | 44 | private-dev |
44 | private-tmp | 45 | #private-tmp |
45 | writable-var | 46 | writable-var |
46 | 47 | ||
47 | restrict-namespaces | 48 | restrict-namespaces |
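Review bot: commenting out `private-tmp` on line 45 makes the sandbox share the host `/tmp` instead of a private one, and the hunk gives no reason. Taken together with the new `noblacklist /tmp/evolution-*` on line 9 of the earlier hunk and the `blacklist /tmp/evolution-*` added to disable-programs.inc, the intent is presumably that evolution must see `/tmp/evolution-*` created outside the sandbox; if so, a comment on line 45 such as `# needs /tmp/evolution-* from outside the sandbox` would document it. If only that pattern is needed, a narrower alternative than dropping `private-tmp` entirely is worth considering, and the change should be recorded in RELNOTES as it changes what the sandbox exposes.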
diff --git a/etc/profile-a-l/ffmpeg.profile b/etc/profile-a-l/ffmpeg.profile index af9d556db..895a7dbfb 100644 --- a/etc/profile-a-l/ffmpeg.profile +++ b/etc/profile-a-l/ffmpeg.profile | |||
@@ -9,6 +9,7 @@ include globals.local | |||
9 | 9 | ||
10 | noblacklist ${MUSIC} | 10 | noblacklist ${MUSIC} |
11 | noblacklist ${VIDEOS} | 11 | noblacklist ${VIDEOS} |
12 | noblacklist ${HOME}/.dvdcss | ||
12 | 13 | ||
13 | include disable-common.inc | 14 | include disable-common.inc |
14 | include disable-devel.inc | 15 | include disable-devel.inc |
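Review bot: ordering of the new `noblacklist ${HOME}/.dvdcss` on line 12 is inconsistent with the handbrake.profile hunk in this same diff, which places `${HOME}/.dvdcss` before `${MUSIC}` and `${VIDEOS}`; here it is placed after them. Pick one order for both so the profile sorting check does not flag one of the two.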
diff --git a/etc/profile-a-l/firefox-common-addons.profile b/etc/profile-a-l/firefox-common-addons.profile index ccc2dc7f6..5e3d0983d 100644 --- a/etc/profile-a-l/firefox-common-addons.profile +++ b/etc/profile-a-l/firefox-common-addons.profile | |||
@@ -92,8 +92,7 @@ include allow-python3.inc | |||
92 | #private-bin keepassxc-proxy | 92 | #private-bin keepassxc-proxy |
93 | 93 | ||
94 | # Flash plugin | 94 | # Flash plugin |
95 | # private-etc must first be enabled in firefox-common.profile and in profiles including it. | 95 | private-etc adobe |
96 | #private-etc adobe | ||
97 | 96 | ||
98 | # ff2mpv | 97 | # ff2mpv |
99 | #ignore noexec ${HOME} | 98 | #ignore noexec ${HOME} |
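Review bot: line 95 turns `#private-etc adobe` under the `# Flash plugin` heading into an active `private-etc adobe`. Since the Flash plugin has been discontinued and is not shipped by current browsers, enabling this entry by default adds an `/etc/adobe` exposure that almost no user needs; keeping it commented (or dropping the Flash section) seems preferable to activating it as part of the general `private-etc` enablement in this diff.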
diff --git a/etc/profile-a-l/handbrake.profile b/etc/profile-a-l/handbrake.profile index e0ef23cce..0853a8d77 100644 --- a/etc/profile-a-l/handbrake.profile +++ b/etc/profile-a-l/handbrake.profile | |||
@@ -7,6 +7,7 @@ include handbrake.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.config/ghb | 9 | noblacklist ${HOME}/.config/ghb |
10 | noblacklist ${HOME}/.dvdcss | ||
10 | noblacklist ${MUSIC} | 11 | noblacklist ${MUSIC} |
11 | noblacklist ${VIDEOS} | 12 | noblacklist ${VIDEOS} |
12 | 13 | ||
diff --git a/etc/profile-a-l/icecat.profile b/etc/profile-a-l/icecat.profile index b0a42fb77..19bda5454 100644 --- a/etc/profile-a-l/icecat.profile +++ b/etc/profile-a-l/icecat.profile | |||
@@ -14,8 +14,7 @@ whitelist ${HOME}/.cache/mozilla/icecat | |||
14 | whitelist ${HOME}/.mozilla | 14 | whitelist ${HOME}/.mozilla |
15 | whitelist /usr/share/icecat | 15 | whitelist /usr/share/icecat |
16 | 16 | ||
17 | # private-etc must first be enabled in firefox-common.profile | 17 | private-etc icecat |
18 | #private-etc icecat | ||
19 | 18 | ||
20 | # Redirect | 19 | # Redirect |
21 | include firefox-common.profile | 20 | include firefox-common.profile |
diff --git a/etc/profile-a-l/iceweasel.profile b/etc/profile-a-l/iceweasel.profile index badd2648a..d6a925a77 100644 --- a/etc/profile-a-l/iceweasel.profile +++ b/etc/profile-a-l/iceweasel.profile | |||
@@ -6,8 +6,7 @@ include iceweasel.local | |||
6 | # added by included profile | 6 | # added by included profile |
7 | #include globals.local | 7 | #include globals.local |
8 | 8 | ||
9 | # private-etc must first be enabled in firefox-common.profile | 9 | private-etc iceweasel |
10 | #private-etc iceweasel | ||
11 | 10 | ||
12 | # Redirect | 11 | # Redirect |
13 | include firefox.profile | 12 | include firefox.profile |
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile index 65a4a3787..650048807 100644 --- a/etc/profile-a-l/librewolf.profile +++ b/etc/profile-a-l/librewolf.profile | |||
@@ -27,11 +27,10 @@ whitelist /usr/share/librewolf | |||
27 | 27 | ||
28 | # Add the next line to your librewolf.local to enable private-bin (Arch Linux). | 28 | # Add the next line to your librewolf.local to enable private-bin (Arch Linux). |
29 | #private-bin dbus-launch,dbus-send,librewolf,sh | 29 | #private-bin dbus-launch,dbus-send,librewolf,sh |
30 | # Add the next line to your librewolf.local to enable private-etc. | 30 | private-etc librewolf |
31 | # Note: private-etc must first be enabled in firefox-common.local. | ||
32 | #private-etc librewolf | ||
33 | 31 | ||
34 | dbus-user filter | 32 | dbus-user filter |
33 | dbus-user.own io.gitlab.firefox.* | ||
35 | dbus-user.own io.gitlab.librewolf.* | 34 | dbus-user.own io.gitlab.librewolf.* |
36 | dbus-user.own org.mozilla.librewolf.* | 35 | dbus-user.own org.mozilla.librewolf.* |
37 | # Add the next line to your librewolf.local to enable native notifications. | 36 | # Add the next line to your librewolf.local to enable native notifications. |
diff --git a/etc/profile-m-z/QOwnNotes.profile b/etc/profile-m-z/QOwnNotes.profile index e7dba9cd5..023071f68 100644 --- a/etc/profile-m-z/QOwnNotes.profile +++ b/etc/profile-m-z/QOwnNotes.profile | |||
@@ -7,9 +7,10 @@ include QOwnNotes.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${DOCUMENTS} | 9 | noblacklist ${DOCUMENTS} |
10 | noblacklist ${HOME}/Nextcloud/Notes | ||
11 | noblacklist ${HOME}/.config/PBE | 10 | noblacklist ${HOME}/.config/PBE |
12 | noblacklist ${HOME}/.local/share/PBE | 11 | noblacklist ${HOME}/.local/share/PBE |
12 | noblacklist ${HOME}/Nextcloud | ||
13 | noblacklist ${HOME}/Nextcloud/Notes | ||
13 | 14 | ||
14 | include disable-common.inc | 15 | include disable-common.inc |
15 | include disable-devel.inc | 16 | include disable-devel.inc |
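Review bot: `noblacklist ${HOME}/Nextcloud` is added while only `${HOME}/Nextcloud/Notes` is whitelisted; a one-line comment saying why the parent directory has to be un-blacklisted (presumably because it is blacklisted as a whole elsewhere and that would hide the Notes subdirectory) would spare the next reader a search through the disable-*.inc files.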
@@ -19,13 +20,13 @@ include disable-programs.inc | |||
19 | include disable-shell.inc | 20 | include disable-shell.inc |
20 | include disable-xdg.inc | 21 | include disable-xdg.inc |
21 | 22 | ||
22 | mkdir ${HOME}/Nextcloud/Notes | ||
23 | mkdir ${HOME}/.config/PBE | 23 | mkdir ${HOME}/.config/PBE |
24 | mkdir ${HOME}/.local/share/PBE | 24 | mkdir ${HOME}/.local/share/PBE |
25 | mkdir ${HOME}/Nextcloud/Notes | ||
25 | whitelist ${DOCUMENTS} | 26 | whitelist ${DOCUMENTS} |
26 | whitelist ${HOME}/Nextcloud/Notes | ||
27 | whitelist ${HOME}/.config/PBE | 27 | whitelist ${HOME}/.config/PBE |
28 | whitelist ${HOME}/.local/share/PBE | 28 | whitelist ${HOME}/.local/share/PBE |
29 | whitelist ${HOME}/Nextcloud/Notes | ||
29 | include whitelist-common.inc | 30 | include whitelist-common.inc |
30 | include whitelist-var-common.inc | 31 | include whitelist-var-common.inc |
31 | 32 | ||
diff --git a/etc/profile-m-z/mplayer.profile b/etc/profile-m-z/mplayer.profile index bdb9fa51d..c4f989a77 100644 --- a/etc/profile-m-z/mplayer.profile +++ b/etc/profile-m-z/mplayer.profile | |||
@@ -6,6 +6,7 @@ include mplayer.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.dvdcss | ||
9 | noblacklist ${HOME}/.mplayer | 10 | noblacklist ${HOME}/.mplayer |
10 | 11 | ||
11 | include disable-common.inc | 12 | include disable-common.inc |
@@ -16,6 +17,7 @@ include disable-programs.inc | |||
16 | 17 | ||
17 | read-only ${DESKTOP} | 18 | read-only ${DESKTOP} |
18 | mkdir ${HOME}/.mplayer | 19 | mkdir ${HOME}/.mplayer |
20 | whitelist ${HOME}/.dvdcss | ||
19 | whitelist ${HOME}/.mplayer | 21 | whitelist ${HOME}/.mplayer |
20 | include whitelist-common.inc | 22 | include whitelist-common.inc |
21 | include whitelist-player-common.inc | 23 | include whitelist-player-common.inc |
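Review bot: `whitelist ${HOME}/.dvdcss` has no matching `mkdir ${HOME}/.dvdcss`, unlike the `.mplayer` entry right above it. libdvdcss only creates that key cache on first use, and a whitelist for a path that does not yet exist on the host is skipped, so on a fresh system the cache would land in the sandbox's tmpfs home and vanish at exit. Suggest adding `mkdir ${HOME}/.dvdcss` next to `mkdir ${HOME}/.mplayer`; the same applies to the totem.profile and vlc.profile hunks below, which also add only the whitelist.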
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile index b85002b00..1d03e894c 100644 --- a/etc/profile-m-z/mpv.profile +++ b/etc/profile-m-z/mpv.profile | |||
@@ -29,6 +29,7 @@ noblacklist ${HOME}/.config/mpv | |||
29 | noblacklist ${HOME}/.config/youtube-dl | 29 | noblacklist ${HOME}/.config/youtube-dl |
30 | noblacklist ${HOME}/.config/yt-dlp | 30 | noblacklist ${HOME}/.config/yt-dlp |
31 | noblacklist ${HOME}/.config/yt-dlp.conf | 31 | noblacklist ${HOME}/.config/yt-dlp.conf |
32 | noblacklist ${HOME}/.dvdcss | ||
32 | noblacklist ${HOME}/.local/state/mpv | 33 | noblacklist ${HOME}/.local/state/mpv |
33 | noblacklist ${HOME}/.netrc | 34 | noblacklist ${HOME}/.netrc |
34 | noblacklist ${HOME}/yt-dlp.conf | 35 | noblacklist ${HOME}/yt-dlp.conf |
@@ -60,6 +61,7 @@ whitelist ${HOME}/.config/mpv | |||
60 | whitelist ${HOME}/.config/youtube-dl | 61 | whitelist ${HOME}/.config/youtube-dl |
61 | whitelist ${HOME}/.config/yt-dlp | 62 | whitelist ${HOME}/.config/yt-dlp |
62 | whitelist ${HOME}/.config/yt-dlp.conf | 63 | whitelist ${HOME}/.config/yt-dlp.conf |
64 | whitelist ${HOME}/.dvdcss | ||
63 | whitelist ${HOME}/.local/state/mpv | 65 | whitelist ${HOME}/.local/state/mpv |
64 | whitelist ${HOME}/.netrc | 66 | whitelist ${HOME}/.netrc |
65 | whitelist ${HOME}/yt-dlp.conf | 67 | whitelist ${HOME}/yt-dlp.conf |
diff --git a/etc/profile-m-z/nextcloud.profile b/etc/profile-m-z/nextcloud.profile index 960c494db..b6453f6a9 100644 --- a/etc/profile-m-z/nextcloud.profile +++ b/etc/profile-m-z/nextcloud.profile | |||
@@ -6,9 +6,10 @@ include nextcloud.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/Nextcloud | ||
10 | noblacklist ${HOME}/.config/Nextcloud | 9 | noblacklist ${HOME}/.config/Nextcloud |
11 | noblacklist ${HOME}/.local/share/Nextcloud | 10 | noblacklist ${HOME}/.local/share/Nextcloud |
11 | noblacklist ${HOME}/Nextcloud | ||
12 | noblacklist ${HOME}/Nextcloud/Notes | ||
12 | # Add the next lines to your nextcloud.local to allow sync in more directories. | 13 | # Add the next lines to your nextcloud.local to allow sync in more directories. |
13 | #noblacklist ${DOCUMENTS} | 14 | #noblacklist ${DOCUMENTS} |
14 | #noblacklist ${MUSIC} | 15 | #noblacklist ${MUSIC} |
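Review bot: `noblacklist ${HOME}/Nextcloud/Notes` sits directly under `noblacklist ${HOME}/Nextcloud` and reads as redundant. If it is needed because the Notes subdirectory is blacklisted on its own (the QOwnNotes hunk in this commit noblacklists the same path), a comment saying so would stop someone from "cleaning it up" later.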
@@ -23,12 +24,12 @@ include disable-programs.inc | |||
23 | include disable-shell.inc | 24 | include disable-shell.inc |
24 | include disable-xdg.inc | 25 | include disable-xdg.inc |
25 | 26 | ||
26 | mkdir ${HOME}/Nextcloud | ||
27 | mkdir ${HOME}/.config/Nextcloud | 27 | mkdir ${HOME}/.config/Nextcloud |
28 | mkdir ${HOME}/.local/share/Nextcloud | 28 | mkdir ${HOME}/.local/share/Nextcloud |
29 | whitelist ${HOME}/Nextcloud | 29 | mkdir ${HOME}/Nextcloud |
30 | whitelist ${HOME}/.config/Nextcloud | 30 | whitelist ${HOME}/.config/Nextcloud |
31 | whitelist ${HOME}/.local/share/Nextcloud | 31 | whitelist ${HOME}/.local/share/Nextcloud |
32 | whitelist ${HOME}/Nextcloud | ||
32 | whitelist /usr/share/nextcloud | 33 | whitelist /usr/share/nextcloud |
33 | # Add the next lines to your nextcloud.local to allow sync in more directories. | 34 | # Add the next lines to your nextcloud.local to allow sync in more directories. |
34 | #whitelist ${DOCUMENTS} | 35 | #whitelist ${DOCUMENTS} |
@@ -61,15 +62,15 @@ tracelog | |||
61 | disable-mnt | 62 | disable-mnt |
62 | private-bin nextcloud,nextcloud-desktop | 63 | private-bin nextcloud,nextcloud-desktop |
63 | private-cache | 64 | private-cache |
64 | private-etc @tls-ca,@x11,Nextcloud,host.conf,os-release | ||
65 | private-dev | 65 | private-dev |
66 | private-etc @tls-ca,@x11,Nextcloud,host.conf,os-release | ||
66 | private-tmp | 67 | private-tmp |
67 | 68 | ||
68 | # IMPORTANT: create ~/.local/share/dbus-1/services/com.nextcloudgmbh.Nextcloud.service | 69 | # IMPORTANT: create ~/.local/share/dbus-1/services/com.nextcloudgmbh.Nextcloud.service |
69 | # referencing the firejailed /usr/local/bin/nextcloud to keep nextcloud running sandboxed | 70 | # referencing the firejailed /usr/local/bin/nextcloud to keep nextcloud running sandboxed |
70 | # even when its dbus name gets activated | 71 | # even when its dbus name gets activated |
71 | # see https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-sandbox-applications-started-via-systemd-or-d-bus-services | 72 | # see https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-sandbox-applications-started-via-systemd-or-d-bus-services |
72 | dbus-user filter | 73 | dbus-user filter |
73 | dbus-user.own com.nextcloudgmbh.Nextcloud | 74 | dbus-user.own com.nextcloudgmbh.Nextcloud |
74 | dbus-user.talk org.freedesktop.secrets | 75 | dbus-user.talk org.freedesktop.secrets |
75 | ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher | 76 | ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher |
diff --git a/etc/profile-m-z/palemoon.profile b/etc/profile-m-z/palemoon.profile index 8917a9bc5..8e1a5daf5 100644 --- a/etc/profile-m-z/palemoon.profile +++ b/etc/profile-m-z/palemoon.profile | |||
@@ -21,8 +21,7 @@ seccomp | |||
21 | ignore seccomp | 21 | ignore seccomp |
22 | 22 | ||
23 | #private-bin palemoon | 23 | #private-bin palemoon |
24 | # private-etc must first be enabled in firefox-common.profile | 24 | private-etc palemoon |
25 | #private-etc palemoon | ||
26 | 25 | ||
27 | restrict-namespaces | 26 | restrict-namespaces |
28 | ignore restrict-namespaces | 27 | ignore restrict-namespaces |
diff --git a/etc/profile-m-z/smplayer.profile b/etc/profile-m-z/smplayer.profile index ece191b73..d2e872c5c 100644 --- a/etc/profile-m-z/smplayer.profile +++ b/etc/profile-m-z/smplayer.profile | |||
@@ -8,6 +8,7 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.config/smplayer | 9 | noblacklist ${HOME}/.config/smplayer |
10 | noblacklist ${HOME}/.config/youtube-dl | 10 | noblacklist ${HOME}/.config/youtube-dl |
11 | noblacklist ${HOME}/.dvdcss | ||
11 | noblacklist ${HOME}/.mplayer | 12 | noblacklist ${HOME}/.mplayer |
12 | 13 | ||
13 | # Allow lua (blacklisted by disable-interpreters.inc) | 14 | # Allow lua (blacklisted by disable-interpreters.inc) |
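Review bot: this hunk adds only `noblacklist ${HOME}/.dvdcss`, whereas the mplayer, mpv, totem and vlc hunks in this commit pair the noblacklist with a `whitelist` line. If smplayer.profile whitelists the home directory, the cache stays inaccessible without a matching `whitelist ${HOME}/.dvdcss`; if it does not, a note in the commit message would make the asymmetry intentional.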
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile index 62efa28db..018e05230 100644 --- a/etc/profile-m-z/ssh.profile +++ b/etc/profile-m-z/ssh.profile | |||
@@ -19,10 +19,11 @@ include disable-exec.inc | |||
19 | include disable-programs.inc | 19 | include disable-programs.inc |
20 | 20 | ||
21 | whitelist ${RUNUSER}/gcr/ssh | 21 | whitelist ${RUNUSER}/gcr/ssh |
22 | whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh | 22 | whitelist ${RUNUSER}/gnupg/*/S.gpg-agent.ssh # custom gpg homedir setup |
23 | whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh # default gpg homedir setup | ||
23 | whitelist ${RUNUSER}/keyring/ssh | 24 | whitelist ${RUNUSER}/keyring/ssh |
24 | include whitelist-usr-share-common.inc | ||
25 | include whitelist-runuser-common.inc | 25 | include whitelist-runuser-common.inc |
26 | include whitelist-usr-share-common.inc | ||
26 | 27 | ||
27 | apparmor | 28 | apparmor |
28 | caps.drop all | 29 | caps.drop all |
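Review bot: both gpg-agent whitelist lines now carry a trailing `# ...` comment on the same line as the path. The other profiles in this commit keep comments on their own line, so confirm the profile parser strips trailing comments before it reads the path; if it does not, the comment text becomes part of the whitelisted path and the socket is silently not whitelisted.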
diff --git a/etc/profile-m-z/totem.profile b/etc/profile-m-z/totem.profile index 73d3b0b6f..4d5f4a1f0 100644 --- a/etc/profile-m-z/totem.profile +++ b/etc/profile-m-z/totem.profile | |||
@@ -14,6 +14,7 @@ include allow-lua.inc | |||
14 | include allow-python3.inc | 14 | include allow-python3.inc |
15 | 15 | ||
16 | noblacklist ${HOME}/.config/totem | 16 | noblacklist ${HOME}/.config/totem |
17 | noblacklist ${HOME}/.dvdcss | ||
17 | noblacklist ${HOME}/.local/share/totem | 18 | noblacklist ${HOME}/.local/share/totem |
18 | 19 | ||
19 | include disable-common.inc | 20 | include disable-common.inc |
@@ -27,6 +28,7 @@ read-only ${DESKTOP} | |||
27 | mkdir ${HOME}/.config/totem | 28 | mkdir ${HOME}/.config/totem |
28 | mkdir ${HOME}/.local/share/totem | 29 | mkdir ${HOME}/.local/share/totem |
29 | whitelist ${HOME}/.config/totem | 30 | whitelist ${HOME}/.config/totem |
31 | whitelist ${HOME}/.dvdcss | ||
30 | whitelist ${HOME}/.local/share/totem | 32 | whitelist ${HOME}/.local/share/totem |
31 | whitelist /usr/share/totem | 33 | whitelist /usr/share/totem |
32 | include whitelist-common.inc | 34 | include whitelist-common.inc |
diff --git a/etc/profile-m-z/vlc.profile b/etc/profile-m-z/vlc.profile index 34e580085..3fc36a625 100644 --- a/etc/profile-m-z/vlc.profile +++ b/etc/profile-m-z/vlc.profile | |||
@@ -9,6 +9,7 @@ include globals.local | |||
9 | noblacklist ${HOME}/.cache/vlc | 9 | noblacklist ${HOME}/.cache/vlc |
10 | noblacklist ${HOME}/.config/vlc | 10 | noblacklist ${HOME}/.config/vlc |
11 | noblacklist ${HOME}/.config/aacs | 11 | noblacklist ${HOME}/.config/aacs |
12 | noblacklist ${HOME}/.dvdcss | ||
12 | noblacklist ${HOME}/.local/share/vlc | 13 | noblacklist ${HOME}/.local/share/vlc |
13 | 14 | ||
14 | include disable-common.inc | 15 | include disable-common.inc |
@@ -24,6 +25,7 @@ mkdir ${HOME}/.local/share/vlc | |||
24 | whitelist ${HOME}/.cache/vlc | 25 | whitelist ${HOME}/.cache/vlc |
25 | whitelist ${HOME}/.config/vlc | 26 | whitelist ${HOME}/.config/vlc |
26 | whitelist ${HOME}/.config/aacs | 27 | whitelist ${HOME}/.config/aacs |
28 | whitelist ${HOME}/.dvdcss | ||
27 | whitelist ${HOME}/.local/share/vlc | 29 | whitelist ${HOME}/.local/share/vlc |
28 | include whitelist-common.inc | 30 | include whitelist-common.inc |
29 | include whitelist-player-common.inc | 31 | include whitelist-player-common.inc |
diff --git a/etc/profile-m-z/waterfox.profile b/etc/profile-m-z/waterfox.profile index bf6f45e41..cf2fced64 100644 --- a/etc/profile-m-z/waterfox.profile +++ b/etc/profile-m-z/waterfox.profile | |||
@@ -21,9 +21,7 @@ whitelist /usr/share/waterfox | |||
21 | # waterfox requires a shell to launch on Arch. We can possibly remove sh though. | 21 | # waterfox requires a shell to launch on Arch. We can possibly remove sh though. |
22 | # Add the next line to your waterfox.local to enable private-bin. | 22 | # Add the next line to your waterfox.local to enable private-bin. |
23 | #private-bin bash,dbus-launch,dbus-send,env,sh,waterfox,waterfox-classic,waterfox-current,which | 23 | #private-bin bash,dbus-launch,dbus-send,env,sh,waterfox,waterfox-classic,waterfox-current,which |
24 | # Add the next line to your waterfox.local to enable private-etc. Note that private-etc must first be | 24 | private-etc waterfox |
25 | # enabled in your firefox-common.local. | ||
26 | #private-etc waterfox | ||
27 | 25 | ||
28 | # Redirect | 26 | # Redirect |
29 | include firefox-common.profile | 27 | include firefox-common.profile |
diff --git a/etc/profile-m-z/wesnoth.profile b/etc/profile-m-z/wesnoth.profile index b6f29cfbf..90de16bdb 100644 --- a/etc/profile-m-z/wesnoth.profile +++ b/etc/profile-m-z/wesnoth.profile | |||
@@ -10,6 +10,9 @@ noblacklist ${HOME}/.cache/wesnoth | |||
10 | noblacklist ${HOME}/.config/wesnoth | 10 | noblacklist ${HOME}/.config/wesnoth |
11 | noblacklist ${HOME}/.local/share/wesnoth | 11 | noblacklist ${HOME}/.local/share/wesnoth |
12 | 12 | ||
13 | # Allow lua (blacklisted by disable-interpreters.inc) | ||
14 | include allow-lua.inc | ||
15 | |||
13 | include disable-common.inc | 16 | include disable-common.inc |
14 | include disable-devel.inc | 17 | include disable-devel.inc |
15 | include disable-interpreters.inc | 18 | include disable-interpreters.inc |
diff --git a/etc/profile-m-z/zoom.profile b/etc/profile-m-z/zoom.profile index 306212f85..430934df2 100644 --- a/etc/profile-m-z/zoom.profile +++ b/etc/profile-m-z/zoom.profile | |||
@@ -19,6 +19,7 @@ ignore dbus-system none | |||
19 | noblacklist ${HOME}/.config/zoom.conf | 19 | noblacklist ${HOME}/.config/zoom.conf |
20 | noblacklist ${HOME}/.config/zoomus.conf | 20 | noblacklist ${HOME}/.config/zoomus.conf |
21 | noblacklist ${HOME}/.zoom | 21 | noblacklist ${HOME}/.zoom |
22 | noblacklist ${DOCUMENTS} | ||
22 | 23 | ||
23 | nowhitelist ${DOWNLOADS} | 24 | nowhitelist ${DOWNLOADS} |
24 | 25 | ||
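Review bot: `noblacklist ${DOCUMENTS}` un-blacklists the whole documents directory although the second hunk only whitelists a Zoom subdirectory, and it is appended after `${HOME}/.zoom`, breaking the sorted order the rest of the list follows. If the broad noblacklist is required so the whitelisted subdirectory is reachable, a short comment would make that explicit.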
@@ -26,10 +27,12 @@ mkdir ${HOME}/.cache/zoom | |||
26 | mkfile ${HOME}/.config/zoom.conf | 27 | mkfile ${HOME}/.config/zoom.conf |
27 | mkfile ${HOME}/.config/zoomus.conf | 28 | mkfile ${HOME}/.config/zoomus.conf |
28 | mkdir ${HOME}/.zoom | 29 | mkdir ${HOME}/.zoom |
30 | mkdir ${HOME}/Documents/Zoom | ||
29 | whitelist ${HOME}/.cache/zoom | 31 | whitelist ${HOME}/.cache/zoom |
30 | whitelist ${HOME}/.config/zoom.conf | 32 | whitelist ${HOME}/.config/zoom.conf |
31 | whitelist ${HOME}/.config/zoomus.conf | 33 | whitelist ${HOME}/.config/zoomus.conf |
32 | whitelist ${HOME}/.zoom | 34 | whitelist ${HOME}/.zoom |
35 | whitelist ${HOME}/Documents/Zoom | ||
33 | 36 | ||
34 | # Disable for now, see https://github.com/netblue30/firejail/issues/3726 | 37 | # Disable for now, see https://github.com/netblue30/firejail/issues/3726 |
35 | #private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl | 38 | #private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl |
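Review bot: the noblacklist in the previous hunk uses `${DOCUMENTS}`, but the new `mkdir` and `whitelist` lines hardcode `${HOME}/Documents/Zoom`. On a system whose XDG documents directory is not `~/Documents` the two no longer refer to the same tree, so consider `mkdir ${DOCUMENTS}/Zoom` and `whitelist ${DOCUMENTS}/Zoom` if Zoom itself follows the XDG setting.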
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 84bf32625..08170bee6 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -101,6 +101,7 @@ bibletime | |||
101 | bitcoin-qt | 101 | bitcoin-qt |
102 | bitlbee | 102 | bitlbee |
103 | bitwarden | 103 | bitwarden |
104 | bitwarden-desktop | ||
104 | bleachbit | 105 | bleachbit |
105 | blender | 106 | blender |
106 | blender-2.8 | 107 | blender-2.8 |
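Review bot: listing `bitwarden-desktop` in firecfg.config makes firecfg create a symlink for that binary, but this commit does not show a corresponding `bitwarden-desktop.profile` (for instance a redirect to bitwarden.profile). Confirm the profile exists so the symlinked program is not run under the generic default profile.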
diff --git a/src/fshaper/fshaper.sh b/src/fshaper/fshaper.sh index cd2bf79bf..16a2485bf 100755 --- a/src/fshaper/fshaper.sh +++ b/src/fshaper/fshaper.sh | |||
@@ -3,13 +3,9 @@ | |||
3 | # Copyright (C) 2014-2024 Firejail Authors | 3 | # Copyright (C) 2014-2024 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | TCFILE="" | 6 | TCFILE="$(PATH=/usr/sbin:/sbin:/run/current-system/sw/bin command -v tc)" |
7 | if [ -x "/usr/sbin/tc" ]; then | 7 | if [ -z "$TCFILE" ]; then |
8 | TCFILE="/usr/sbin/tc" | 8 | echo "Error: traffic control utility (tc) not found" |
9 | elif [ -x "/sbin/tc" ]; then | ||
10 | TCFILE="/sbin/tc"; | ||
11 | else | ||
12 | echo "Error: traffic control utility (tc) not found"; | ||
13 | exit 1 | 9 | exit 1 |
14 | fi | 10 | fi |
15 | 11 | ||
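Review bot: the error message is still written to stdout; since this is a failure path followed by `exit 1`, send it to stderr with `echo "Error: ..." >&2`. Also, the `PATH=/usr/sbin:/sbin:/run/current-system/sw/bin` prefix replaces the caller's PATH for the lookup rather than extending it, so a `tc` installed elsewhere (for example /usr/local/sbin) is not found; `PATH="$PATH:/usr/sbin:/sbin:/run/current-system/sw/bin" command -v tc` keeps the caller's search path and still covers the sbin directories.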
diff --git a/src/man/firecfg.1.in b/src/man/firecfg.1.in index a50ed765e..e47014702 100644 --- a/src/man/firecfg.1.in +++ b/src/man/firecfg.1.in | |||
@@ -139,29 +139,6 @@ $ sudo firecfg --clean | |||
139 | /usr/local/bin/vlc removed | 139 | /usr/local/bin/vlc removed |
140 | .br | 140 | .br |
141 | [...] | 141 | [...] |
142 | .SH FILES | ||
143 | .PP | ||
144 | Configuration files are searched for and parsed in the following paths: | ||
145 | .PP | ||
146 | .RS | ||
147 | 1. /etc/firejail/firecfg.d/*.conf (in alphabetical order) | ||
148 | .br | ||
149 | 2. /etc/firejail/firecfg.config | ||
150 | .RE | ||
151 | .PP | ||
152 | The programs that are supported by default are listed in | ||
153 | /etc/firejail/firecfg.config. | ||
154 | It is recommended to leave it as is and put all customizations inside | ||
155 | /etc/firejail/firecfg.d/. | ||
156 | .PP | ||
157 | Profile files are also searched in the user configuration directory: | ||
158 | .PP | ||
159 | .RS | ||
160 | 3. ~/.config/firejail/*.profile | ||
161 | .RE | ||
162 | .PP | ||
163 | For every \fBPROGRAM.profile\fR file found, firecfg attempts to create a | ||
164 | symlink for "PROGRAM", as if "PROGRAM" was listed in a configuration file. | ||
165 | .SH SYNTAX | 142 | .SH SYNTAX |
166 | Configuration file syntax: | 143 | Configuration file syntax: |
167 | .PP | 144 | .PP |
@@ -200,6 +177,29 @@ following lines can to be used to ignore both: | |||
200 | .br | 177 | .br |
201 | !spectacle | 178 | !spectacle |
202 | .RE | 179 | .RE |
180 | .SH FILES | ||
181 | .PP | ||
182 | Configuration files are searched for and parsed in the following paths: | ||
183 | .PP | ||
184 | .RS | ||
185 | 1. /etc/firejail/firecfg.d/*.conf (in alphabetical order) | ||
186 | .br | ||
187 | 2. /etc/firejail/firecfg.config | ||
188 | .RE | ||
189 | .PP | ||
190 | The programs that are supported by default are listed in | ||
191 | /etc/firejail/firecfg.config. | ||
192 | It is recommended to leave it as is and put all customizations inside | ||
193 | /etc/firejail/firecfg.d/. | ||
194 | .PP | ||
195 | Profile files are also searched in the user configuration directory: | ||
196 | .PP | ||
197 | .RS | ||
198 | 3. ~/.config/firejail/*.profile | ||
199 | .RE | ||
200 | .PP | ||
201 | For every \fBPROGRAM.profile\fR file found, firecfg attempts to create a | ||
202 | symlink for "PROGRAM", as if "PROGRAM" was listed in a configuration file. | ||
203 | .SH LICENSE | 203 | .SH LICENSE |
204 | This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. | 204 | This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. |
205 | .PP | 205 | .PP |
diff --git a/src/man/firejail-profile.5.in b/src/man/firejail-profile.5.in index 89784a984..a6856212e 100644 --- a/src/man/firejail-profile.5.in +++ b/src/man/firejail-profile.5.in | |||
@@ -243,7 +243,7 @@ host filesystem. Each line describes a file/directory that is inaccessible | |||
243 | a tmpfs mounted on top of an existing directory (\fBtmpfs\fR), | 243 | a tmpfs mounted on top of an existing directory (\fBtmpfs\fR), |
244 | or mount-bind a directory or file on top of another directory or file (\fBbind\fR). | 244 | or mount-bind a directory or file on top of another directory or file (\fBbind\fR). |
245 | Use \fBprivate\fR to set private mode. File globbing is supported, and PATH and | 245 | Use \fBprivate\fR to set private mode. File globbing is supported, and PATH and |
246 | HOME directories are searched, see the \fBfirejail\f(1) \fBFILE GLOBBING\fR section | 246 | HOME directories are searched, see the \fBfirejail\fR(1) \fBFILE GLOBBING\fR section |
247 | for more details. | 247 | for more details. |
248 | Examples: | 248 | Examples: |
249 | .TP | 249 | .TP |
@@ -511,30 +511,30 @@ Blacklist all Linux capabilities. | |||
511 | Whitelist given Linux capabilities. | 511 | Whitelist given Linux capabilities. |
512 | #ifdef HAVE_LANDLOCK | 512 | #ifdef HAVE_LANDLOCK |
513 | .TP | 513 | .TP |
514 | \fBlandlock.enforce (experimental) | 514 | \fBlandlock.enforce\fR (experimental) |
515 | Enforce the Landlock ruleset. | 515 | Enforce the Landlock ruleset. |
516 | .PP | 516 | .PP |
517 | Without it, the other Landlock commands have no effect. | 517 | Without it, the other Landlock commands have no effect. |
518 | .TP | 518 | .TP |
519 | \fBlandlock.fs.read path (experimental) | 519 | \fBlandlock.fs.read path\fR (experimental) |
520 | Create a Landlock ruleset (if it doesn't already exist) and add a read access | 520 | Create a Landlock ruleset (if it doesn't already exist) and add a read access |
521 | rule for path. | 521 | rule for path. |
522 | .TP | 522 | .TP |
523 | \fBlandlock.fs.write path (experimental) | 523 | \fBlandlock.fs.write path\fR (experimental) |
524 | Create a Landlock ruleset (if it doesn't already exist) and add a write access | 524 | Create a Landlock ruleset (if it doesn't already exist) and add a write access |
525 | rule for path. | 525 | rule for path. |
526 | .TP | 526 | .TP |
527 | \fBlandlock.fs.makeipc path (experimental) | 527 | \fBlandlock.fs.makeipc path\fR (experimental) |
528 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that | 528 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that |
529 | allows the creation of named pipes (FIFOs) and Unix domain sockets beneath | 529 | allows the creation of named pipes (FIFOs) and Unix domain sockets beneath |
530 | the given path. | 530 | the given path. |
531 | .TP | 531 | .TP |
532 | \fBlandlock.fs.makedev path (experimental) | 532 | \fBlandlock.fs.makedev path\fR (experimental) |
533 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that | 533 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that |
534 | allows the creation of block devices and character devices beneath the given | 534 | allows the creation of block devices and character devices beneath the given |
535 | path. | 535 | path. |
536 | .TP | 536 | .TP |
537 | \fBlandlock.fs.execute path (experimental) | 537 | \fBlandlock.fs.execute path\fR (experimental) |
538 | Create a Landlock ruleset (if it doesn't already exist) and add an execution | 538 | Create a Landlock ruleset (if it doesn't already exist) and add an execution |
539 | permission rule for path. | 539 | permission rule for path. |
540 | #endif | 540 | #endif |
@@ -668,20 +668,20 @@ Enable filtered access to the system DBus. Filters can be specified with the dbu | |||
668 | \fBdbus-system none | 668 | \fBdbus-system none |
669 | Disable access to the system DBus. Once access is disabled, it cannot be relaxed to filtering. | 669 | Disable access to the system DBus. Once access is disabled, it cannot be relaxed to filtering. |
670 | .TP | 670 | .TP |
671 | \fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications | ||
672 | Allow the application to receive broadcast signals from the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. | ||
673 | .TP | ||
674 | \fBdbus-system.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications | ||
675 | Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. | ||
676 | .TP | ||
671 | \fBdbus-system.own org.gnome.ghex.* | 677 | \fBdbus-system.own org.gnome.ghex.* |
672 | Allow the application to own the name org.gnome.ghex and all names underneath in on the system DBus. | 678 | Allow the application to own the name org.gnome.ghex and all names underneath in on the system DBus. |
673 | .TP | 679 | .TP |
674 | \fBdbus-system.talk org.freedesktop.Notifications | ||
675 | Allow the application to talk to the name org.freedesktop.Notifications on the system DBus. | ||
676 | .TP | ||
677 | \fBdbus-system.see org.freedesktop.Notifications | 680 | \fBdbus-system.see org.freedesktop.Notifications |
678 | Allow the application to see but not talk to the name org.freedesktop.Notifications on the system DBus. | 681 | Allow the application to see but not talk to the name org.freedesktop.Notifications on the system DBus. |
679 | .TP | 682 | .TP |
680 | \fBdbus-system.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications | 683 | \fBdbus-system.talk org.freedesktop.Notifications |
681 | Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. | 684 | Allow the application to talk to the name org.freedesktop.Notifications on the system DBus. |
682 | .TP | ||
683 | \fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications | ||
684 | Allow the application to receive broadcast signals from the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. | ||
685 | .TP | 685 | .TP |
686 | \fBdbus-user filter | 686 | \fBdbus-user filter |
687 | Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands. | 687 | Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands. |
@@ -689,22 +689,22 @@ Enable filtered access to the session DBus. Filters can be specified with the db | |||
689 | \fBdbus-user none | 689 | \fBdbus-user none |
690 | Disable access to the session DBus. Once access is disabled, it cannot be relaxed to filtering. | 690 | Disable access to the session DBus. Once access is disabled, it cannot be relaxed to filtering. |
691 | .TP | 691 | .TP |
692 | \fBdbus-user.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications | ||
693 | Allow the application to receive broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus. | ||
694 | .TP | ||
695 | \fBdbus-user.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications | ||
696 | Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus. | ||
697 | .TP | ||
692 | \fBdbus-user.own org.gnome.ghex.* | 698 | \fBdbus-user.own org.gnome.ghex.* |
693 | Allow the application to own the name org.gnome.ghex and all names underneath in on the session DBus. | 699 | Allow the application to own the name org.gnome.ghex and all names underneath in on the session DBus. |
694 | .TP | 700 | .TP |
695 | \fBdbus-user.talk org.freedesktop.Notifications | ||
696 | Allow the application to talk to the name org.freedesktop.Notifications on the session DBus. | ||
697 | .TP | ||
698 | \fBdbus-user.see org.freedesktop.Notifications | 701 | \fBdbus-user.see org.freedesktop.Notifications |
699 | Allow the application to see but not talk to the name org.freedesktop.Notifications on the session DBus. | 702 | Allow the application to see but not talk to the name org.freedesktop.Notifications on the session DBus. |
700 | .TP | 703 | .TP |
701 | \fBdbus-user.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications | 704 | \fBdbus-user.talk org.freedesktop.Notifications |
702 | Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus. | 705 | Allow the application to talk to the name org.freedesktop.Notifications on the session DBus. |
703 | .TP | ||
704 | \fBdbus-user.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications | ||
705 | Allow the application to receive broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus. | ||
706 | .TP | 706 | .TP |
707 | \fBnodbus \fR(deprecated) | 707 | \fBnodbus\fR (deprecated) |
708 | Disable D-Bus access (both system and session buses). Equivalent to dbus-system none and dbus-user none. | 708 | Disable D-Bus access (both system and session buses). Equivalent to dbus-system none and dbus-user none. |
709 | .TP | 709 | .TP |
710 | .br | 710 | .br |
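Review bot: the moved `dbus-user.broadcast` description (new line 705) still reads "from the the interface"; since the line is being relocated anyway, drop the duplicated "the". The `dbus-system.broadcast` text in the previous hunk already has the correct wording.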
@@ -804,7 +804,7 @@ name browser | |||
804 | \fBno3d | 804 | \fBno3d |
805 | Disable 3D hardware acceleration. | 805 | Disable 3D hardware acceleration. |
806 | .TP | 806 | .TP |
807 | \fBnoautopulse \fR(deprecated) | 807 | \fBnoautopulse\fR (deprecated) |
808 | See keep-config-pulse. | 808 | See keep-config-pulse. |
809 | .TP | 809 | .TP |
810 | \fBnodvd | 810 | \fBnodvd |
@@ -867,20 +867,6 @@ net eth0 | |||
867 | ip 10.10.20.56 | 867 | ip 10.10.20.56 |
868 | 868 | ||
869 | .TP | 869 | .TP |
870 | \fBip none | ||
871 | No IP address and no default gateway are configured for the last interface | ||
872 | defined by a net command. Use this option | ||
873 | in case you intend to start an external DHCP client in the sandbox. | ||
874 | .br | ||
875 | |||
876 | .br | ||
877 | Example: | ||
878 | .br | ||
879 | net eth0 | ||
880 | .br | ||
881 | ip none | ||
882 | |||
883 | .TP | ||
884 | \fBip dhcp | 870 | \fBip dhcp |
885 | Acquire an IP address and default gateway for the last interface defined by a | 871 | Acquire an IP address and default gateway for the last interface defined by a |
886 | net command, as well as set the DNS servers according to the DHCP response. | 872 | net command, as well as set the DNS servers according to the DHCP response. |
@@ -908,6 +894,20 @@ a DHCP client and releasing the lease manually in conjunction with the | |||
908 | net none command. | 894 | net none command. |
909 | 895 | ||
910 | .TP | 896 | .TP |
897 | \fBip none | ||
898 | No IP address and no default gateway are configured for the last interface | ||
899 | defined by a net command. Use this option | ||
900 | in case you intend to start an external DHCP client in the sandbox. | ||
901 | .br | ||
902 | |||
903 | .br | ||
904 | Example: | ||
905 | .br | ||
906 | net eth0 | ||
907 | .br | ||
908 | ip none | ||
909 | |||
910 | .TP | ||
911 | \fBip6 address | 911 | \fBip6 address |
912 | Assign IPv6 addresses to the last network interface defined by a net command. | 912 | Assign IPv6 addresses to the last network interface defined by a net command. |
913 | .br | 913 | .br |
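Review bot: the relocated `ip none` entry (new lines 897-900) omits the default-behaviour sentence that the matching `\-\-ip=none` entry in firejail(1) carries, "If the corresponding interface doesn't have an IP address configured, this option is enabled by default." Both pages document the same option, so consider adding that sentence here too. Otherwise the block is a verbatim move into alphabetical position after `ip dhcp`, and no text is lost.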
diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in index 4edb0902e..47cb7ccde 100644 --- a/src/man/firejail.1.in +++ b/src/man/firejail.1.in | |||
@@ -611,8 +611,9 @@ Example: | |||
611 | $ firejail --dbus-user=filter --dbus-user.own=org.gnome.ghex.* | 611 | $ firejail --dbus-user=filter --dbus-user.own=org.gnome.ghex.* |
612 | 612 | ||
613 | .TP | 613 | .TP |
614 | \fB\-\-dbus-user.talk=name | 614 | \fB\-\-dbus-user.see=name |
615 | Allows the application to talk to the specified well-known name on the session DBus. | 615 | Allows the application to see, but not talk to the specified well-known name on |
616 | the session DBus. | ||
616 | The name may have a .* suffix to match all names underneath it, including itself | 617 | The name may have a .* suffix to match all names underneath it, including itself |
617 | (e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but | 618 | (e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but |
618 | not "foobar"). | 619 | not "foobar"). |
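Review bot: the `\-\-dbus-user.see` text at new lines 615-616 reads "see, but not talk to the specified well-known name"; a second comma ("see, but not talk to, the specified well-known name") makes the parenthetical parse correctly. The reorder itself places `.see` before `.talk`, matching the alphabetical order used for the rest of the option list.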
@@ -621,14 +622,13 @@ not "foobar"). | |||
621 | .br | 622 | .br |
622 | Example: | 623 | Example: |
623 | .br | 624 | .br |
624 | $ firejail --dbus-user=filter --dbus-user.talk=\\ | 625 | $ firejail --dbus-user=filter --dbus-user.see=\\ |
625 | .br | 626 | .br |
626 | org.freedesktop.Notifications | 627 | org.freedesktop.Notifications |
627 | 628 | ||
628 | .TP | 629 | .TP |
629 | \fB\-\-dbus-user.see=name | 630 | \fB\-\-dbus-user.talk=name |
630 | Allows the application to see, but not talk to the specified well-known name on | 631 | Allows the application to talk to the specified well-known name on the session DBus. |
631 | the session DBus. | ||
632 | The name may have a .* suffix to match all names underneath it, including itself | 632 | The name may have a .* suffix to match all names underneath it, including itself |
633 | (e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but | 633 | (e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but |
634 | not "foobar"). | 634 | not "foobar"). |
@@ -637,7 +637,7 @@ not "foobar"). | |||
637 | .br | 637 | .br |
638 | Example: | 638 | Example: |
639 | .br | 639 | .br |
640 | $ firejail --dbus-user=filter --dbus-user.see=\\ | 640 | $ firejail --dbus-user=filter --dbus-user.talk=\\ |
641 | .br | 641 | .br |
642 | org.freedesktop.Notifications | 642 | org.freedesktop.Notifications |
643 | #endif | 643 | #endif |
@@ -888,6 +888,32 @@ Example: | |||
888 | .br | 888 | .br |
889 | $ firejail \-\-hosts-file=~/myhosts firefox | 889 | $ firejail \-\-hosts-file=~/myhosts firefox |
890 | 890 | ||
891 | .TP | ||
892 | \fB\-\-icmptrace[=name|pid] | ||
893 | Monitor ICMP traffic. The sandbox can be specified by name or pid. Only networked sandboxes | ||
894 | created with \-\-net are supported. This option is only available when running the sandbox as root. | ||
895 | .br | ||
896 | |||
897 | .br | ||
898 | Without a name/pid, Firejail will monitor the main system network namespace. | ||
899 | .br | ||
900 | |||
901 | .br | ||
902 | Example | ||
903 | .br | ||
904 | $ sudo firejail --icmptrace | ||
905 | .br | ||
906 | 20:53:54 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0 | ||
907 | .br | ||
908 | 20:53:54 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0 | ||
909 | .br | ||
910 | 20:53:55 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0 | ||
911 | .br | ||
912 | 20:53:55 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0 | ||
913 | .br | ||
914 | 20:53:55 192.168.1.60 -> 1.1.1.1 - 154 bytes - Destination unreachable/Port unreachable | ||
915 | .br | ||
916 | |||
891 | #ifdef HAVE_IDS | 917 | #ifdef HAVE_IDS |
892 | .TP | 918 | .TP |
893 | \fB\-\-ids-check | 919 | \fB\-\-ids-check |
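Review bot: two nits in the relocated `\-\-icmptrace` entry. Line 902 reads "Example" without the trailing colon that the other entries use (compare the "Example:" in this hunk's own header context and on line 889 of the previous entry); add the colon while the block is being moved. The sample trace at lines 906-914 also embeds a real public host (142.250.65.174) and 1.1.1.1; for documentation output, addresses from the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) avoid pointing readers at a live host. Both can go in a follow-up if this commit is meant to stay a pure reorder.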
@@ -925,33 +951,7 @@ $ firejail \-\-ignore="net eth0" firefox | |||
925 | #endif | 951 | #endif |
926 | 952 | ||
927 | .TP | 953 | .TP |
928 | \fB\-\-icmptrace[=name|pid] | 954 | \fB\-\-include=file.profile |
929 | Monitor ICMP traffic. The sandbox can be specified by name or pid. Only networked sandboxes | ||
930 | created with \-\-net are supported. This option is only available when running the sandbox as root. | ||
931 | .br | ||
932 | |||
933 | .br | ||
934 | Without a name/pid, Firejail will monitor the main system network namespace. | ||
935 | .br | ||
936 | |||
937 | .br | ||
938 | Example | ||
939 | .br | ||
940 | $ sudo firejail --icmptrace | ||
941 | .br | ||
942 | 20:53:54 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0 | ||
943 | .br | ||
944 | 20:53:54 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0 | ||
945 | .br | ||
946 | 20:53:55 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0 | ||
947 | .br | ||
948 | 20:53:55 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0 | ||
949 | .br | ||
950 | 20:53:55 192.168.1.60 -> 1.1.1.1 - 154 bytes - Destination unreachable/Port unreachable | ||
951 | .br | ||
952 | |||
953 | .TP | ||
954 | \fB\-\-\include=file.profile | ||
955 | Include a profile file before the regular profiles are used. | 955 | Include a profile file before the regular profiles are used. |
956 | .br | 956 | .br |
957 | 957 | ||
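Review bot: good fix on line 954: the old tag `\fB\-\-\include=file.profile` had a stray backslash before "include" (`\-\-\include`), which is not a defined groff escape, so the option name was not rendered as written; the new `\fB\-\-include=file.profile` is correct. The rest of the hunk removes the `\-\-icmptrace` entry that the earlier hunk re-inserts after `\-\-hosts-file`; the two blocks are identical line for line.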
@@ -984,23 +984,6 @@ Example: | |||
984 | $ firejail \-\-net=eth0 \-\-ip=10.10.20.56 firefox | 984 | $ firejail \-\-net=eth0 \-\-ip=10.10.20.56 firefox |
985 | 985 | ||
986 | .TP | 986 | .TP |
987 | \fB\-\-ip=none | ||
988 | No IP address and no default gateway are configured for the last interface | ||
989 | defined by a \-\-net option. Use this option | ||
990 | in case you intend to start an external DHCP client in the sandbox. | ||
991 | .br | ||
992 | |||
993 | .br | ||
994 | Example: | ||
995 | .br | ||
996 | $ firejail \-\-net=eth0 \-\-\ip=none | ||
997 | .br | ||
998 | |||
999 | .br | ||
1000 | If the corresponding interface doesn't have an IP address configured, this | ||
1001 | option is enabled by default. | ||
1002 | |||
1003 | .TP | ||
1004 | \fB\-\-ip=dhcp | 987 | \fB\-\-ip=dhcp |
1005 | Acquire an IP address and default gateway for the last interface defined by a | 988 | Acquire an IP address and default gateway for the last interface defined by a |
1006 | \-\-net option, as well as set the DNS servers according to the DHCP response. | 989 | \-\-net option, as well as set the DNS servers according to the DHCP response. |
@@ -1026,6 +1009,23 @@ a DHCP client and releasing the lease manually in conjunction with the | |||
1026 | \-\-net=none option. | 1009 | \-\-net=none option. |
1027 | 1010 | ||
1028 | .TP | 1011 | .TP |
1012 | \fB\-\-ip=none | ||
1013 | No IP address and no default gateway are configured for the last interface | ||
1014 | defined by a \-\-net option. Use this option | ||
1015 | in case you intend to start an external DHCP client in the sandbox. | ||
1016 | .br | ||
1017 | |||
1018 | .br | ||
1019 | Example: | ||
1020 | .br | ||
1021 | $ firejail \-\-net=eth0 \-\-ip=none | ||
1022 | .br | ||
1023 | |||
1024 | .br | ||
1025 | If the corresponding interface doesn't have an IP address configured, this | ||
1026 | option is enabled by default. | ||
1027 | |||
1028 | .TP | ||
1029 | \fB\-\-ip6=address | 1029 | \fB\-\-ip6=address |
1030 | Assign IPv6 addresses to the last network interface defined by a \-\-net option. | 1030 | Assign IPv6 addresses to the last network interface defined by a \-\-net option. |
1031 | .br | 1031 | .br |
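Review bot: the relocated example on new line 1021 also quietly fixes the stray backslash from old line 996 (`\-\-\ip=none` became `\-\-ip=none`), and the same fix is applied to `\-\-iprange` at line 1073 in the next hunk; worth mentioning alongside the reorder so the rendering fix is not lost in the history. Placing `\-\-ip=none` after `\-\-ip=dhcp` is consistent with the same change made in firejail-profile(5) above, and the full text, including the "enabled by default" note, is preserved.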
@@ -1070,7 +1070,7 @@ default gateway is assigned by default. | |||
1070 | .br | 1070 | .br |
1071 | Example: | 1071 | Example: |
1072 | .br | 1072 | .br |
1073 | $ firejail \-\-net=eth0 \-\-\iprange=192.168.1.100,192.168.1.150 | 1073 | $ firejail \-\-net=eth0 \-\-iprange=192.168.1.100,192.168.1.150 |
1074 | 1074 | ||
1075 | .TP | 1075 | .TP |
1076 | \fB\-\-ipc-namespace | 1076 | \fB\-\-ipc-namespace |
@@ -1241,30 +1241,30 @@ $ firejail --keep-var-tmp | |||
1241 | 1241 | ||
1242 | #ifdef HAVE_LANDLOCK | 1242 | #ifdef HAVE_LANDLOCK |
1243 | .TP | 1243 | .TP |
1244 | \fB\-\-landlock.enforce (experimental) | 1244 | \fB\-\-landlock.enforce\fR (experimental) |
1245 | Enforce the Landlock ruleset. | 1245 | Enforce the Landlock ruleset. |
1246 | Without it, the other Landlock commands have no effect. | 1246 | Without it, the other Landlock commands have no effect. |
1247 | See the \fBLANDLOCK\fR section for more information. | 1247 | See the \fBLANDLOCK\fR section for more information. |
1248 | .TP | 1248 | .TP |
1249 | \fB\-\-landlock.fs.read=path (experimental) | 1249 | \fB\-\-landlock.fs.read=path\fR (experimental) |
1250 | Create a Landlock ruleset (if it doesn't already exist) and add a read access | 1250 | Create a Landlock ruleset (if it doesn't already exist) and add a read access |
1251 | rule for path. | 1251 | rule for path. |
1252 | .TP | 1252 | .TP |
1253 | \fB\-\-landlock.fs.write=path (experimental) | 1253 | \fB\-\-landlock.fs.write=path\fR (experimental) |
1254 | Create a Landlock ruleset (if it doesn't already exist) and add a write access | 1254 | Create a Landlock ruleset (if it doesn't already exist) and add a write access |
1255 | rule for path. | 1255 | rule for path. |
1256 | .TP | 1256 | .TP |
1257 | \fB\-\-landlock.fs.makeipc=path (experimental) | 1257 | \fB\-\-landlock.fs.makeipc=path\fR (experimental) |
1258 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that | 1258 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that |
1259 | allows the creation of named pipes (FIFOs) and Unix domain sockets beneath | 1259 | allows the creation of named pipes (FIFOs) and Unix domain sockets beneath |
1260 | the given path. | 1260 | the given path. |
1261 | .TP | 1261 | .TP |
1262 | \fB\-\-landlock.fs.makedev=path (experimental) | 1262 | \fB\-\-landlock.fs.makedev=path\fR (experimental) |
1263 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that | 1263 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that |
1264 | allows the creation of block devices and character devices beneath the given | 1264 | allows the creation of block devices and character devices beneath the given |
1265 | path. | 1265 | path. |
1266 | .TP | 1266 | .TP |
1267 | \fB\-\-landlock.fs.execute=path (experimental) | 1267 | \fB\-\-landlock.fs.execute=path\fR (experimental) |
1268 | Create a Landlock ruleset (if it doesn't already exist) and add an execution | 1268 | Create a Landlock ruleset (if it doesn't already exist) and add an execution |
1269 | permission rule for path. | 1269 | permission rule for path. |
1270 | .br | 1270 | .br |
@@ -1324,6 +1324,21 @@ Example: | |||
1324 | $ firejail \-\-machine-id | 1324 | $ firejail \-\-machine-id |
1325 | 1325 | ||
1326 | .TP | 1326 | .TP |
1327 | \fB\-\-memory-deny-write-execute | ||
1328 | Install a seccomp filter to block attempts to create memory mappings | ||
1329 | that are both writable and executable, to change mappings to be | ||
1330 | executable, or to create executable shared memory. The filter examines | ||
1331 | the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create | ||
1332 | and shmat system calls and returns error EPERM to the process (or | ||
1333 | kills it or log the attempt, see \-\-seccomp-error-action below) if necessary. | ||
1334 | .br | ||
1335 | |||
1336 | .br | ||
1337 | Note: shmat is not implemented | ||
1338 | as a system call on some platforms including i386, and it cannot be | ||
1339 | handled by seccomp-bpf. | ||
1340 | |||
1341 | .TP | ||
1327 | \fB\-\-mkdir=dirname | 1342 | \fB\-\-mkdir=dirname |
1328 | Create a directory in user home. Parent directories are created as needed. | 1343 | Create a directory in user home. Parent directories are created as needed. |
1329 | .br | 1344 | .br |
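Review bot: grammar in the moved text at lines 1332-1333: "returns error EPERM to the process (or kills it or log the attempt, see \-\-seccomp-error-action below)" should read "or kills it or logs the attempt"; since the block is being moved anyway, fix it at the destination. The "below" cross-reference still holds after the move, because `\-\-seccomp-error-action` sorts after `\-\-memory-deny-write-execute` in either position.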
@@ -1343,20 +1358,6 @@ Example: | |||
1343 | .br | 1358 | .br |
1344 | $ firejail --mkfile=~/work/project/readme | 1359 | $ firejail --mkfile=~/work/project/readme |
1345 | 1360 | ||
1346 | .TP | ||
1347 | \fB\-\-memory-deny-write-execute | ||
1348 | Install a seccomp filter to block attempts to create memory mappings | ||
1349 | that are both writable and executable, to change mappings to be | ||
1350 | executable, or to create executable shared memory. The filter examines | ||
1351 | the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create | ||
1352 | and shmat system calls and returns error EPERM to the process (or | ||
1353 | kills it or log the attempt, see \-\-seccomp-error-action below) if necessary. | ||
1354 | .br | ||
1355 | |||
1356 | .br | ||
1357 | Note: shmat is not implemented | ||
1358 | as a system call on some platforms including i386, and it cannot be | ||
1359 | handled by seccomp-bpf. | ||
1360 | #ifdef HAVE_NETWORK | 1361 | #ifdef HAVE_NETWORK |
1361 | .TP | 1362 | .TP |
1362 | \fB\-\-mtu=number | 1363 | \fB\-\-mtu=number |
@@ -1726,7 +1727,7 @@ Example: | |||
1726 | $ firejail --no3d firefox | 1727 | $ firejail --no3d firefox |
1727 | 1728 | ||
1728 | .TP | 1729 | .TP |
1729 | \fB\-\-noautopulse \fR(deprecated) | 1730 | \fB\-\-noautopulse\fR (deprecated) |
1730 | See --keep-config-pulse. | 1731 | See --keep-config-pulse. |
1731 | 1732 | ||
1732 | .TP | 1733 | .TP |
@@ -1772,7 +1773,7 @@ $ nc dict.org 2628 | |||
1772 | 220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64 | 1773 | 220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64 |
1773 | .br | 1774 | .br |
1774 | .TP | 1775 | .TP |
1775 | \fB\-\-nodbus \fR(deprecated) | 1776 | \fB\-\-nodbus\fR (deprecated) |
1776 | #ifdef HAVE_DBUSPROXY | 1777 | #ifdef HAVE_DBUSPROXY |
1777 | Disable D-Bus access (both system and session buses). Equivalent to --dbus-system=none --dbus-user=none. | 1778 | Disable D-Bus access (both system and session buses). Equivalent to --dbus-system=none --dbus-user=none. |
1778 | .br | 1779 | .br |
@@ -1792,15 +1793,6 @@ Example: | |||
1792 | .br | 1793 | .br |
1793 | $ firejail \-\-nodvd | 1794 | $ firejail \-\-nodvd |
1794 | .TP | 1795 | .TP |
1795 | \fB\-\-noinput | ||
1796 | Disable input devices. | ||
1797 | .br | ||
1798 | |||
1799 | .br | ||
1800 | Example: | ||
1801 | .br | ||
1802 | $ firejail \-\-noinput | ||
1803 | .TP | ||
1804 | \fB\-\-noexec=dirname_or_filename | 1796 | \fB\-\-noexec=dirname_or_filename |
1805 | Remount directory or file noexec, nodev and nosuid. File globbing is supported, see \fBFILE GLOBBING\fR section for more details. | 1797 | Remount directory or file noexec, nodev and nosuid. File globbing is supported, see \fBFILE GLOBBING\fR section for more details. |
1806 | .br | 1798 | .br |
@@ -1845,6 +1837,16 @@ uid=1000(netblue) gid=1000(netblue) groups=1000(netblue) | |||
1845 | $ | 1837 | $ |
1846 | 1838 | ||
1847 | .TP | 1839 | .TP |
1840 | \fB\-\-noinput | ||
1841 | Disable input devices. | ||
1842 | .br | ||
1843 | |||
1844 | .br | ||
1845 | Example: | ||
1846 | .br | ||
1847 | $ firejail \-\-noinput | ||
1848 | |||
1849 | .TP | ||
1848 | \fB\-\-nonewprivs | 1850 | \fB\-\-nonewprivs |
1849 | Sets the NO_NEW_PRIVS prctl. This ensures that child processes | 1851 | Sets the NO_NEW_PRIVS prctl. This ensures that child processes |
1850 | cannot acquire new privileges using execve(2); in particular, | 1852 | cannot acquire new privileges using execve(2); in particular, |
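Review bot: "Disable input devices." (line 1841) is terse next to the neighbouring entries; a reader cannot tell from it which device nodes are affected, so a short clause saying what is blocked would help. The move itself restores alphabetical order (noexec, nogroups, noinput, nonewprivs) and adds the blank line before `.TP` at 1848 that the old location at 1802-1803 lacked.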
@@ -3353,16 +3355,6 @@ $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 firefox | |||
3353 | .br | 3355 | .br |
3354 | #endif | 3356 | #endif |
3355 | .\" Note: Keep this in sync with invalid_name() in src/firejail/util.c. | 3357 | .\" Note: Keep this in sync with invalid_name() in src/firejail/util.c. |
3356 | .SH NAME VALIDATION | ||
3357 | For simplicity, the same name validation is used for multiple options. | ||
3358 | Rules: | ||
3359 | .PP | ||
3360 | The name must be 1-253 characters long. | ||
3361 | The name can only contain ASCII letters, digits and the special characters | ||
3362 | "-._" (that is, the name cannot contain spaces or control characters). | ||
3363 | The name cannot contain only digits. | ||
3364 | The first and last characters must be an ASCII letter or digit and the name | ||
3365 | may contain special characters in the middle. | ||
3366 | #ifdef HAVE_APPARMOR | 3358 | #ifdef HAVE_APPARMOR |
3367 | .SH APPARMOR | 3359 | .SH APPARMOR |
3368 | .TP | 3360 | .TP |
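Review bot: the comment on context line 3355/3357, `.\" Note: Keep this in sync with invalid_name() in src/firejail/util.c.`, refers to the NAME VALIDATION section that this hunk removes, but the comment itself stays behind and now sits directly above `#ifdef HAVE_APPARMOR` / `.SH APPARMOR`, where it is misleading. Move the comment together with the section; it is not re-added at the section's new location after MONITORING either.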
@@ -3408,64 +3400,6 @@ To enable AppArmor confinement on top of your current Firejail security features | |||
3408 | $ firejail --apparmor firefox | 3400 | $ firejail --apparmor firefox |
3409 | #endif | 3401 | #endif |
3410 | 3402 | ||
3411 | #ifdef HAVE_LANDLOCK | ||
3412 | .SH LANDLOCK | ||
3413 | Warning: Landlock support in firejail is considered experimental and unstable. | ||
3414 | The contents of landlock-common.inc are likely to change and the feature is | ||
3415 | still being expanded upon in the Linux kernel. | ||
3416 | Also, note that its functionality overlaps with existing firejail features, | ||
3417 | such as the \fBblacklist\fR, \fBread-only\fR and \fBread-write\fR commands. | ||
3418 | Its filesystem access rules can currently only restrict direct access to paths; | ||
3419 | it is not able to make only select paths appear in the sandbox such as with the | ||
3420 | \fBwhitelist\fR and \fBprivate-etc\fR commands (see also unveil(2) on OpenBSD). | ||
3421 | Lastly, note that depending on the Linux kernel version, Landlock may not | ||
3422 | protect all of the relevant syscalls (see the kernel's Landlock documentation | ||
3423 | for details). | ||
3424 | Therefore, it is recommended to treat Landlock as an extra layer of protection, | ||
3425 | to be used together with other firejail features (rather than as a bulletproof | ||
3426 | mechanism by itself). | ||
3427 | .PP | ||
3428 | Landlock is a Linux security module first introduced in version 5.13 of the | ||
3429 | Linux kernel. | ||
3430 | It allows unprivileged processes to restrict their access to the filesystem. | ||
3431 | Once imposed, these restrictions can never be removed, and all child processes | ||
3432 | created by a Landlock-restricted processes inherit these restrictions. | ||
3433 | Firejail supports Landlock as an additional sandboxing feature. | ||
3434 | It can be used to ensure that a sandboxed application can only access files and | ||
3435 | directories that it was explicitly allowed to access. | ||
3436 | Firejail supports populating the ruleset with both a basic set of rules (see | ||
3437 | landlock-common.inc) and with a custom set of rules. | ||
3438 | .TP | ||
3439 | Important notes: | ||
3440 | .PP | ||
3441 | .RS | ||
3442 | - Currently only Landlock ABI version 1 is supported. | ||
3443 | .PP | ||
3444 | - If "lsm=" is used in the kernel command line, it should contain "landlock" | ||
3445 | (such as "lsm=apparmor,landlock"), or else it will be disabled. | ||
3446 | .PP | ||
3447 | - A process can install a Landlock ruleset only if it has either | ||
3448 | \fBCAP_SYS_ADMIN\fR in its effective capability set, or the "No New | ||
3449 | Privileges" restriction enabled. | ||
3450 | Because of this, enabling the Landlock feature will also cause Firejail to | ||
3451 | enable the "No New Privileges" restriction, regardless of the profile or the | ||
3452 | \fB\-\-nonewprivs\fR command line option. | ||
3453 | .PP | ||
3454 | - Access to the /etc directory is automatically allowed. | ||
3455 | To override this, use the \fB\-\-writable\-etc\fR command line option. | ||
3456 | You can also use the \fB\-\-private\-etc\fR option to restrict access to the | ||
3457 | /etc directory. | ||
3458 | .RE | ||
3459 | .PP | ||
3460 | To enable Landlock self-restriction on top of your current Firejail security | ||
3461 | features, pass \fB\-\-landlock.enforce\fR flag to Firejail command line. | ||
3462 | Without it, the other Landlock commands have no effect. | ||
3463 | Example: | ||
3464 | .PP | ||
3465 | $ firejail \-\-landlock.enforce \-\-landlock.fs.read=/media mc | ||
3466 | .PP | ||
3467 | To disable Landlock self-restriction, use \fB\-\-ignore=landlock.enforce\fR. | ||
3468 | #endif | ||
3469 | .SH DESKTOP INTEGRATION | 3403 | .SH DESKTOP INTEGRATION |
3470 | A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox. | 3404 | A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox. |
3471 | The symbolic link should be placed in the first $PATH position. On most systems, a good place | 3405 | The symbolic link should be placed in the first $PATH position. On most systems, a good place |
@@ -3519,37 +3453,37 @@ $ firejail --tree | |||
3519 | 1221:netblue:/usr/lib/firefox/firefox | 3453 | 1221:netblue:/usr/lib/firefox/firefox |
3520 | .RE | 3454 | .RE |
3521 | 3455 | ||
3522 | We provide a tool that automates all this integration, please see \&\flfirecfg\fR\|(1) for more details. | 3456 | We provide a tool that automates all this integration, please see \fBfirecfg\fR(1) for more details. |
3523 | 3457 | ||
3524 | .SH EXAMPLES | 3458 | .SH EXAMPLES |
3525 | .TP | 3459 | .TP |
3526 | \f\firejail | 3460 | \fBfirejail |
3527 | Sandbox a regular shell session. | 3461 | Sandbox a regular shell session. |
3528 | .TP | 3462 | .TP |
3529 | \f\firejail firefox | 3463 | \fBfirejail firefox |
3530 | Start Mozilla Firefox. | 3464 | Start Mozilla Firefox. |
3531 | .TP | 3465 | .TP |
3532 | \f\firejail \-\-debug firefox | 3466 | \fBfirejail \-\-debug firefox |
3533 | Debug Firefox sandbox. | 3467 | Debug Firefox sandbox. |
3534 | .TP | 3468 | .TP |
3535 | \f\firejail \-\-private firefox | 3469 | \fBfirejail \-\-private firefox |
3536 | Start Firefox with a new, empty home directory. | 3470 | Start Firefox with a new, empty home directory. |
3537 | .TP | 3471 | .TP |
3538 | \f\firejail --net=none vlc | 3472 | \fBfirejail --net=none vlc |
3539 | Start VLC in an unconnected network namespace. | 3473 | Start VLC in an unconnected network namespace. |
3540 | #ifdef HAVE_NETWORK | 3474 | #ifdef HAVE_NETWORK |
3541 | .TP | 3475 | .TP |
3542 | \f\firejail \-\-net=eth0 firefox | 3476 | \fBfirejail \-\-net=eth0 firefox |
3543 | Start Firefox in a new network namespace. An IP address is | 3477 | Start Firefox in a new network namespace. An IP address is |
3544 | assigned automatically. | 3478 | assigned automatically. |
3545 | .TP | 3479 | .TP |
3546 | \f\firejail \-\-net=br0 \-\-ip=10.10.20.5 \-\-net=br1 \-\-net=br2 | 3480 | \fBfirejail \-\-net=br0 \-\-ip=10.10.20.5 \-\-net=br1 \-\-net=br2 |
3547 | Start a shell session in a new network namespace and connect it | 3481 | Start a shell session in a new network namespace and connect it |
3548 | to br0, br1, and br2 host bridge devices. IP addresses are assigned | 3482 | to br0, br1, and br2 host bridge devices. IP addresses are assigned |
3549 | automatically for the interfaces connected to br1 and b2 | 3483 | automatically for the interfaces connected to br1 and b2 |
3550 | #endif | 3484 | #endif |
3551 | .TP | 3485 | .TP |
3552 | \f\firejail \-\-list | 3486 | \fBfirejail \-\-list |
3553 | List all sandboxed processes. | 3487 | List all sandboxed processes. |
3554 | 3488 | ||
3555 | .SH FILE GLOBBING | 3489 | .SH FILE GLOBBING |
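Review bot: context line 3549/3483 has a typo, "br1 and b2" should be "br1 and br2" (the example lists br0, br1 and br2), and the sentence lacks a terminating period; since this hunk rewrites every tag line in the EXAMPLES section, fix it here. The `\f\firejail` to `\fBfirejail` change is correct: `\f\f` is a malformed font escape with no font selected. Likewise replacing `\&\flfirecfg\fR\|(1)` with `\fBfirecfg\fR(1)` fixes `\fl` (lowercase L), which selects a nonexistent font named "l", and matches the bold-name convention used for man-page cross-references.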
@@ -3713,6 +3647,65 @@ Currently while scanning the file system, symbolic links are not followed, and f | |||
3713 | The program can also be run as root (sudo firejail --ids-init/--ids-check). | 3647 | The program can also be run as root (sudo firejail --ids-init/--ids-check). |
3714 | #endif | 3648 | #endif |
3715 | 3649 | ||
3650 | #ifdef HAVE_LANDLOCK | ||
3651 | .SH LANDLOCK | ||
3652 | Warning: Landlock support in firejail is considered experimental and unstable. | ||
3653 | The contents of landlock-common.inc are likely to change and the feature is | ||
3654 | still being expanded upon in the Linux kernel. | ||
3655 | Also, note that its functionality overlaps with existing firejail features, | ||
3656 | such as the \fBblacklist\fR, \fBread-only\fR and \fBread-write\fR commands. | ||
3657 | Its filesystem access rules can currently only restrict direct access to paths; | ||
3658 | it is not able to make only select paths appear in the sandbox such as with the | ||
3659 | \fBwhitelist\fR and \fBprivate-etc\fR commands (see also unveil(2) on OpenBSD). | ||
3660 | Lastly, note that depending on the Linux kernel version, Landlock may not | ||
3661 | protect all of the relevant syscalls (see the kernel's Landlock documentation | ||
3662 | for details). | ||
3663 | Therefore, it is recommended to treat Landlock as an extra layer of protection, | ||
3664 | to be used together with other firejail features (rather than as a bulletproof | ||
3665 | mechanism by itself). | ||
3666 | .PP | ||
3667 | Landlock is a Linux security module first introduced in version 5.13 of the | ||
3668 | Linux kernel. | ||
3669 | It allows unprivileged processes to restrict their access to the filesystem. | ||
3670 | Once imposed, these restrictions can never be removed, and all child processes | ||
3671 | created by a Landlock-restricted processes inherit these restrictions. | ||
3672 | Firejail supports Landlock as an additional sandboxing feature. | ||
3673 | It can be used to ensure that a sandboxed application can only access files and | ||
3674 | directories that it was explicitly allowed to access. | ||
3675 | Firejail supports populating the ruleset with both a basic set of rules (see | ||
3676 | landlock-common.inc) and with a custom set of rules. | ||
3677 | .TP | ||
3678 | Important notes: | ||
3679 | .PP | ||
3680 | .RS | ||
3681 | - Currently only Landlock ABI version 1 is supported. | ||
3682 | .PP | ||
3683 | - If "lsm=" is used in the kernel command line, it should contain "landlock" | ||
3684 | (such as "lsm=apparmor,landlock"), or else it will be disabled. | ||
3685 | .PP | ||
3686 | - A process can install a Landlock ruleset only if it has either | ||
3687 | \fBCAP_SYS_ADMIN\fR in its effective capability set, or the "No New | ||
3688 | Privileges" restriction enabled. | ||
3689 | Because of this, enabling the Landlock feature will also cause Firejail to | ||
3690 | enable the "No New Privileges" restriction, regardless of the profile or the | ||
3691 | \fB\-\-nonewprivs\fR command line option. | ||
3692 | .PP | ||
3693 | - Access to the /etc directory is automatically allowed. | ||
3694 | To override this, use the \fB\-\-writable\-etc\fR command line option. | ||
3695 | You can also use the \fB\-\-private\-etc\fR option to restrict access to the | ||
3696 | /etc directory. | ||
3697 | .RE | ||
3698 | .PP | ||
3699 | To enable Landlock self-restriction on top of your current Firejail security | ||
3700 | features, pass \fB\-\-landlock.enforce\fR flag to Firejail command line. | ||
3701 | Without it, the other Landlock commands have no effect. | ||
3702 | Example: | ||
3703 | .PP | ||
3704 | $ firejail \-\-landlock.enforce \-\-landlock.fs.read=/media mc | ||
3705 | .PP | ||
3706 | To disable Landlock self-restriction, use \fB\-\-ignore=landlock.enforce\fR. | ||
3707 | #endif | ||
3708 | |||
3716 | .SH MONITORING | 3709 | .SH MONITORING |
3717 | Option \-\-list prints a list of all sandboxes. The format | 3710 | Option \-\-list prints a list of all sandboxes. The format |
3718 | for each process entry is as follows: | 3711 | for each process entry is as follows: |
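Review bot: grammar and markup nits in the relocated LANDLOCK section. Lines 3670-3671, "all child processes created by a Landlock-restricted processes inherit", should read "a Landlock-restricted process". Line 3700, "pass \fB\-\-landlock.enforce\fR flag to Firejail command line", reads better as "pass the \fB\-\-landlock.enforce\fR flag on the Firejail command line". Lines 3677-3679 use `.TP` with the tag "Important notes:" followed immediately by `.PP`, which abuses a tagged paragraph as a heading; a `.PP` with `\fBImportant notes:\fR`, or `.SS`, is the conventional form. The placement between the IDS text and MONITORING keeps the later sections in alphabetical order.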
@@ -3770,6 +3763,17 @@ Sandbox running time in hours:minutes:seconds format. | |||
3770 | USER | 3763 | USER |
3771 | The owner of the sandbox. | 3764 | The owner of the sandbox. |
3772 | 3765 | ||
3766 | .SH NAME VALIDATION | ||
3767 | For simplicity, the same name validation is used for multiple options. | ||
3768 | Rules: | ||
3769 | .PP | ||
3770 | The name must be 1-253 characters long. | ||
3771 | The name can only contain ASCII letters, digits and the special characters | ||
3772 | "-._" (that is, the name cannot contain spaces or control characters). | ||
3773 | The name cannot contain only digits. | ||
3774 | The first and last characters must be an ASCII letter or digit and the name | ||
3775 | may contain special characters in the middle. | ||
3776 | |||
3773 | .SH RESTRICTED SHELL | 3777 | .SH RESTRICTED SHELL |
3774 | To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in | 3778 | To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in |
3775 | /etc/passwd file for each user that needs to be restricted. Alternatively, | 3779 | /etc/passwd file for each user that needs to be restricted. Alternatively, |
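Review bot: the `.\" Note: Keep this in sync with invalid_name() in src/firejail/util.c.` comment that preceded this section at its old location (context line 3357 of the `@@ -3353` hunk) was not carried along; add it above `.SH NAME VALIDATION` at line 3766 so the sync reminder stays next to the rules it describes. Presentation nit: lines 3770-3775 run four rules together in one `.PP` paragraph after "Rules:"; giving each rule its own line (`.br` between them, or the `- ` list with `.PP` used in the LANDLOCK section) would make the 1-253 length limit, the allowed character set, the not-only-digits rule and the first/last-character rule easier to scan.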