40 files changed, 338 insertions, 229 deletions
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index 53066013d..fc74640d4 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md | |||
@@ -22,7 +22,8 @@ _Describe the bug_ | |||
22 | 22 | ||
23 | _Steps to reproduce the behavior_ | 23 | _Steps to reproduce the behavior_ |
24 | 24 | ||
25 | 1. Run in bash `LC_ALL=C firejail PROGRAM` (`LC_ALL=C` to get a consistent output in English that can be understood by everybody) | 25 | 1. Run in bash `LC_ALL=C firejail PROGRAM` (`LC_ALL=C` to get a consistent |
26 | output in English that can be understood by everybody) | ||
26 | 2. Click on '....' | 27 | 2. Click on '....' |
27 | 3. Scroll down to '....' | 28 | 3. Scroll down to '....' |
28 | 4. See error `ERROR` | 29 | 4. See error `ERROR` |
@@ -37,7 +38,8 @@ _What actually happened_ | |||
37 | 38 | ||
38 | ### Behavior without a profile | 39 | ### Behavior without a profile |
39 | 40 | ||
40 | _What changed calling `LC_ALL=C firejail --noprofile /path/to/program` in a terminal?_ | 41 | _What changed calling `LC_ALL=C firejail --noprofile /path/to/program` in a |
42 | terminal?_ | ||
41 | 43 | ||
42 | ### Additional context | 44 | ### Additional context |
43 | 45 | ||
@@ -47,7 +49,8 @@ _Any other detail that may help to understand/debug the problem_ | |||
47 | 49 | ||
48 | - Linux distribution and version (e.g. "Ubuntu 20.04" or "Arch Linux") | 50 | - Linux distribution and version (e.g. "Ubuntu 20.04" or "Arch Linux") |
49 | - Firejail version (`firejail --version`). | 51 | - Firejail version (`firejail --version`). |
50 | - If you use a development version of firejail, also the commit from which it was compiled (`git rev-parse HEAD`). | 52 | - If you use a development version of firejail, also the commit from which it |
53 | was compiled (`git rev-parse HEAD`). | ||
51 | 54 | ||
52 | ### Checklist | 55 | ### Checklist |
53 | 56 | ||
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md index a723cdbde..ce1b70e39 100644 --- a/.github/ISSUE_TEMPLATE/feature_request.md +++ b/.github/ISSUE_TEMPLATE/feature_request.md | |||
@@ -4,6 +4,7 @@ about: Suggest an idea for this project | |||
4 | title: '' | 4 | title: '' |
5 | labels: '' | 5 | labels: '' |
6 | assignees: '' | 6 | assignees: '' |
7 | |||
7 | --- | 8 | --- |
8 | 9 | ||
9 | ### Is your feature request related to a problem? Please describe. | 10 | ### Is your feature request related to a problem? Please describe. |
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 3c256dd87..4a7998e87 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md | |||
@@ -1,17 +1,21 @@ | |||
1 | If your PR isn't about profiles or you have no idea how to do one of these, skip the following and go ahead with this PR. | 1 | If your PR isn't about profiles or you have no idea how to do one of these, |
2 | skip the following and go ahead with this PR. | ||
2 | 3 | ||
3 | If you submit a PR for new profiles or changing profiles, please do the following: | 4 | If you submit a PR for new profiles or changing profiles, please do the |
4 | - The ordering of options follow the rules described in [/usr/share/doc/firejail/profile.template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template). | 5 | following: |
5 | > Hint: The profile-template is very new. If you install firejail with your package manager, it may be missing. In order to follow the latest rules, it is recommended to use the template from the repository. | ||
6 | - Order the arguments of options alphabetically. You can easily do this with [sort.py](https://github.com/netblue30/firejail/tree/master/contrib/sort.py). | ||
7 | The path to it depends on your distro: | ||
8 | 6 | ||
9 | | Distro | Path | | 7 | - The ordering of options follow the rules described in |
10 | | ------ | ---- | | 8 | [etc/templates/profile.template](../blob/master/etc/templates/profile.template) |
11 | | Arch/Fedora | `/usr/lib64/firejail/sort.py` | | 9 | (/usr/share/doc/firejail/profile.template when installed). |
12 | | Debian/Ubuntu/Mint | `/usr/lib/x86_64-linux-gnu/firejail/sort.py` | | 10 | - Order the arguments of options alphabetically. You can easily do this with |
13 | | local git clone | `contrib/sort.py` | | 11 | [sort.py](../blob/master/contrib/sort.py). |
14 | 12 | ||
15 | Note also that the sort.py script exists only since firejail `0.9.61`. | 13 | The path to it depends on your distro: |
16 | 14 | ||
17 | See also [CONTRIBUTING.md](/CONTRIBUTING.md). | 15 | | Distro | Path | |
16 | | ------ | ---- | | ||
17 | | Arch/Fedora | `/usr/lib64/firejail/sort.py` | | ||
18 | | Debian/Ubuntu/Mint | `/usr/lib/x86_64-linux-gnu/firejail/sort.py` | | ||
19 | | local git clone | `contrib/sort.py` | | ||
20 | |||
21 | See also [CONTRIBUTING.md](../blob/master/CONTRIBUTING.md). | ||
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index d31aec004..8ee48310f 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml | |||
@@ -54,7 +54,7 @@ jobs: | |||
54 | runs-on: ubuntu-22.04 | 54 | runs-on: ubuntu-22.04 |
55 | steps: | 55 | steps: |
56 | - name: Harden Runner | 56 | - name: Harden Runner |
57 | uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 | 57 | uses: step-security/harden-runner@03bee3930647ebbf994244c21ddbc0d4933aab4f |
58 | with: | 58 | with: |
59 | egress-policy: block | 59 | egress-policy: block |
60 | allowed-endpoints: > | 60 | allowed-endpoints: > |
@@ -77,7 +77,7 @@ jobs: | |||
77 | runs-on: ubuntu-22.04 | 77 | runs-on: ubuntu-22.04 |
78 | steps: | 78 | steps: |
79 | - name: Harden Runner | 79 | - name: Harden Runner |
80 | uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 | 80 | uses: step-security/harden-runner@03bee3930647ebbf994244c21ddbc0d4933aab4f |
81 | with: | 81 | with: |
82 | egress-policy: block | 82 | egress-policy: block |
83 | allowed-endpoints: > | 83 | allowed-endpoints: > |
@@ -96,7 +96,7 @@ jobs: | |||
96 | runs-on: ubuntu-22.04 | 96 | runs-on: ubuntu-22.04 |
97 | steps: | 97 | steps: |
98 | - name: Harden Runner | 98 | - name: Harden Runner |
99 | uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 | 99 | uses: step-security/harden-runner@03bee3930647ebbf994244c21ddbc0d4933aab4f |
100 | with: | 100 | with: |
101 | egress-policy: block | 101 | egress-policy: block |
102 | allowed-endpoints: > | 102 | allowed-endpoints: > |
@@ -115,7 +115,7 @@ jobs: | |||
115 | runs-on: ubuntu-20.04 | 115 | runs-on: ubuntu-20.04 |
116 | steps: | 116 | steps: |
117 | - name: Harden Runner | 117 | - name: Harden Runner |
118 | uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 | 118 | uses: step-security/harden-runner@03bee3930647ebbf994244c21ddbc0d4933aab4f |
119 | with: | 119 | with: |
120 | egress-policy: block | 120 | egress-policy: block |
121 | allowed-endpoints: > | 121 | allowed-endpoints: > |
@@ -132,7 +132,7 @@ jobs: | |||
132 | runs-on: ubuntu-22.04 | 132 | runs-on: ubuntu-22.04 |
133 | steps: | 133 | steps: |
134 | - name: Harden Runner | 134 | - name: Harden Runner |
135 | uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 | 135 | uses: step-security/harden-runner@03bee3930647ebbf994244c21ddbc0d4933aab4f |
136 | with: | 136 | with: |
137 | egress-policy: block | 137 | egress-policy: block |
138 | allowed-endpoints: > | 138 | allowed-endpoints: > |
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9008408ae..7d2652b78 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml | |||
@@ -44,7 +44,7 @@ jobs: | |||
44 | runs-on: ubuntu-22.04 | 44 | runs-on: ubuntu-22.04 |
45 | steps: | 45 | steps: |
46 | - name: Harden Runner | 46 | - name: Harden Runner |
47 | uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 | 47 | uses: step-security/harden-runner@03bee3930647ebbf994244c21ddbc0d4933aab4f |
48 | with: | 48 | with: |
49 | egress-policy: block | 49 | egress-policy: block |
50 | allowed-endpoints: > | 50 | allowed-endpoints: > |
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index cdbf1f2bf..4f06a3f26 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml | |||
@@ -74,13 +74,14 @@ jobs: | |||
74 | 74 | ||
75 | steps: | 75 | steps: |
76 | - name: Harden Runner | 76 | - name: Harden Runner |
77 | uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 | 77 | uses: step-security/harden-runner@03bee3930647ebbf994244c21ddbc0d4933aab4f |
78 | with: | 78 | with: |
79 | disable-sudo: true | 79 | disable-sudo: true |
80 | egress-policy: block | 80 | egress-policy: block |
81 | allowed-endpoints: > | 81 | allowed-endpoints: > |
82 | api.github.com:443 | 82 | api.github.com:443 |
83 | github.com:443 | 83 | github.com:443 |
84 | objects.githubusercontent.com:443 | ||
84 | uploads.github.com:443 | 85 | uploads.github.com:443 |
85 | 86 | ||
86 | - name: Checkout repository | 87 | - name: Checkout repository |
@@ -88,7 +89,7 @@ jobs: | |||
88 | 89 | ||
89 | # Initializes the CodeQL tools for scanning. | 90 | # Initializes the CodeQL tools for scanning. |
90 | - name: Initialize CodeQL | 91 | - name: Initialize CodeQL |
91 | uses: github/codeql-action/init@04df1262e6247151b5ac09cd2c303ac36ad3f62b | 92 | uses: github/codeql-action/init@d186a2a36cc67bfa1b860e6170d37fb9634742c7 |
92 | with: | 93 | with: |
93 | languages: ${{ matrix.language }} | 94 | languages: ${{ matrix.language }} |
94 | # If you wish to specify custom queries, you can do so here or in a config file. | 95 | # If you wish to specify custom queries, you can do so here or in a config file. |
@@ -99,7 +100,7 @@ jobs: | |||
99 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). | 100 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). |
100 | # If this step fails, then you should remove it and run the build manually (see below) | 101 | # If this step fails, then you should remove it and run the build manually (see below) |
101 | - name: Autobuild | 102 | - name: Autobuild |
102 | uses: github/codeql-action/autobuild@04df1262e6247151b5ac09cd2c303ac36ad3f62b | 103 | uses: github/codeql-action/autobuild@d186a2a36cc67bfa1b860e6170d37fb9634742c7 |
103 | 104 | ||
104 | # ℹ️ Command-line programs to run using the OS shell. | 105 | # ℹ️ Command-line programs to run using the OS shell. |
105 | # 📚 https://git.io/JvXDl | 106 | # 📚 https://git.io/JvXDl |
@@ -113,4 +114,4 @@ jobs: | |||
113 | # make release | 114 | # make release |
114 | 115 | ||
115 | - name: Perform CodeQL Analysis | 116 | - name: Perform CodeQL Analysis |
116 | uses: github/codeql-action/analyze@04df1262e6247151b5ac09cd2c303ac36ad3f62b | 117 | uses: github/codeql-action/analyze@d186a2a36cc67bfa1b860e6170d37fb9634742c7 |
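Review bot: The new `objects.githubusercontent.com:443` entry in `allowed-endpoints` widens the egress allow-list of a job running with `egress-policy: block`, and nothing records which step needs it. A note such as `# objects.githubusercontent.com: required by <step that needs it>` would help, placed above the `allowed-endpoints: >` key because a `#` line inside the folded scalar becomes part of the value. The three `github/codeql-action` pins and the `harden-runner` pin are full commit SHAs, which is good, but a trailing `# <release tag>` on each `uses:` line would let a reviewer map the hash to a published release. The step list continues outside these hunks.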
diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml index 8212c646e..54188c787 100644 --- a/.github/workflows/profile-checks.yml +++ b/.github/workflows/profile-checks.yml | |||
@@ -26,7 +26,7 @@ jobs: | |||
26 | runs-on: ubuntu-latest | 26 | runs-on: ubuntu-latest |
27 | steps: | 27 | steps: |
28 | - name: Harden Runner | 28 | - name: Harden Runner |
29 | uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 | 29 | uses: step-security/harden-runner@03bee3930647ebbf994244c21ddbc0d4933aab4f |
30 | with: | 30 | with: |
31 | disable-sudo: true | 31 | disable-sudo: true |
32 | egress-policy: block | 32 | egress-policy: block |
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 6dcb40e67..b30dd9ee4 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml | |||
@@ -12,7 +12,7 @@ build_ubuntu_package: | |||
12 | - DEBIAN_FRONTEND=noninteractive apt-get install -y -qq build-essential lintian libapparmor-dev pkg-config python3 gawk | 12 | - DEBIAN_FRONTEND=noninteractive apt-get install -y -qq build-essential lintian libapparmor-dev pkg-config python3 gawk |
13 | - ./configure && make deb && dpkg -i firejail*.deb | 13 | - ./configure && make deb && dpkg -i firejail*.deb |
14 | - command -V firejail && firejail --version | 14 | - command -V firejail && firejail --version |
15 | - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc | 15 | # - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc |
16 | 16 | ||
17 | build_debian_package: | 17 | build_debian_package: |
18 | image: debian:stretch | 18 | image: debian:stretch |
@@ -37,7 +37,7 @@ build_fedora_package: | |||
37 | - dnf install -y rpm-build gcc make | 37 | - dnf install -y rpm-build gcc make |
38 | - ./configure --prefix=/usr && make rpms && rpm -i firejail*.rpm | 38 | - ./configure --prefix=/usr && make rpms && rpm -i firejail*.rpm |
39 | - command -V firejail && firejail --version | 39 | - command -V firejail && firejail --version |
40 | - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc | 40 | # - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc |
41 | 41 | ||
42 | build_src_package: | 42 | build_src_package: |
43 | image: alpine:latest | 43 | image: alpine:latest |
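Review bot: The `sort.py` step in `build_ubuntu_package` and `build_fedora_package` is commented out rather than removed, and the file does not say why or whether it should come back. The pull-request template changed in this same commit still asks contributors to sort with sort.py. If no other job runs that check (the profile-checks workflow may, but its steps are not visible here), these pipelines no longer enforce ordering. Either delete the lines or state the reason above them, e.g. `# sort.py check disabled here: <reason>; enforced by <job>`. Both job definitions start outside the hunks.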
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 76d3e709b..1ae293264 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md | |||
@@ -1,38 +1,58 @@ | |||
1 | # Contributing | ||
2 | |||
1 | Welcome to firejail, and thank you for your interest in contributing! | 3 | Welcome to firejail, and thank you for your interest in contributing! |
2 | 4 | ||
3 | # Opening an issue: | 5 | ## Opening an issue |
4 | We welcome issues, whether to ask a question, provide information, request a new profile or | 6 | |
5 | feature, or to report a suspected bug or problem. | 7 | We welcome issues, whether to ask a question, provide information, request a |
8 | new profile or feature, or to report a suspected bug or problem. | ||
9 | |||
10 | If you want to request a program profile that we don't already have, please add | ||
11 | a comment in our dedicated issue: | ||
6 | 12 | ||
7 | If you want to request a program profile that we don't already have, please add a comment in | 13 | - [Profile requests](https://github.com/netblue30/firejail/issues/1139) |
8 | our [dedicated issue](https://github.com/netblue30/firejail/issues/1139). | ||
9 | 14 | ||
10 | When submitting a bug report, please provide the following information so that | 15 | When submitting a bug report, please provide the following information so that |
11 | we can handle the report more easily: | 16 | we can handle the report more easily: |
12 | - firejail version. If you're not sure, open a terminal and type `firejail --version`. | 17 | |
18 | - firejail version. If you're not sure, open a terminal and type `firejail | ||
19 | --version`. | ||
13 | - Linux distribution (so that we can try to reproduce it, if necessary). | 20 | - Linux distribution (so that we can try to reproduce it, if necessary). |
14 | - If you know that the problem did not exist in an earlier version of firejail, please mention it. | 21 | - If you know that the problem did not exist in an earlier version of firejail, |
15 | - If you are reporting that a program does not work with firejail, please also run firejail with | 22 | please mention it. |
16 | the `--noprofile` argument. | 23 | - If you are reporting that a program does not work with firejail, please also |
17 | For example, if `firejail firefox` does not work, please also run `firejail --noprofile firefox` and | 24 | run firejail with the `--noprofile` argument. For example, if `firejail |
18 | let us know if it runs correctly or not. | 25 | firefox` does not work, please also run `firejail --noprofile firefox` and |
19 | - You may also try disabling various options provided in `/etc/firejail/<ProgramName.profile>` until you find out which one causes problems. It will significantly help to find solution for your issue. | 26 | let us know if it runs correctly or not. |
20 | 27 | - You may also try disabling various options provided in | |
21 | Please note: if you are running Debian, Ubuntu, Linux Mint, or another related | 28 | `/etc/firejail/<ProgramName.profile>` until you find out which one causes |
29 | problems. It will significantly help in finding a solution for your issue. | ||
30 | |||
31 | Please note: If you are running Debian, Ubuntu, Linux Mint, or another related | ||
22 | distribution and you installed firejail from your distro's repositories, please | 32 | distribution and you installed firejail from your distro's repositories, please |
23 | ensure that **both** of the following were installed: | 33 | ensure that **all** of the following packages were installed: |
24 | `firejail` and `firejail-profiles`. A common source of issues is that | 34 | |
25 | firejail-profiles was not installed when installing firejail. | 35 | - firejail |
36 | - firejail-profiles | ||
26 | 37 | ||
27 | We take security bugs very seriously. If you believe you have found one, please report it by | 38 | A common source of issues is that firejail-profiles was not installed when |
28 | emailing us at netblue30@protonmail.com | 39 | installing firejail. |
40 | |||
41 | ## Security vulnerabilities | ||
42 | |||
43 | See [SECURITY.md](SECURITY.md). | ||
44 | |||
45 | ## Opening a pull request | ||
29 | 46 | ||
30 | # Opening an pull request: | ||
31 | Pull requests with enhancements, bugfixes or new profiles are very welcome. | 47 | Pull requests with enhancements, bugfixes or new profiles are very welcome. |
32 | 48 | ||
33 | If you want to write a new profile, the easiest way to do this is to use the | 49 | If you want to write a new profile, the easiest way to do this is to use the |
34 | [profile template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template). | 50 | profile template: |
35 | If you have already written a profile, please make sure it follows the rules described in the template. | 51 | |
52 | - [etc/templates/profile.template](etc/templates/profile.template) | ||
53 | |||
54 | If you have already written a profile, please make sure it follows the rules | ||
55 | described in the template. | ||
36 | 56 | ||
37 | If you add a new command, here's the checklist: | 57 | If you add a new command, here's the checklist: |
38 | 58 | ||
@@ -41,6 +61,7 @@ If you add a new command, here's the checklist: | |||
41 | - [ ] Update syntax files (run `make syntax` or just `make`) | 61 | - [ ] Update syntax files (run `make syntax` or just `make`) |
42 | - [ ] Update --help | 62 | - [ ] Update --help |
43 | 63 | ||
44 | # Editing the wiki | 64 | ## Editing the wiki |
45 | 65 | ||
46 | You are highly encouraged to add your own tips and tricks to the [wiki](https://github.com/netblue30/firejail/wiki). | 66 | You are highly encouraged to add your own tips and tricks to the |
67 | [wiki](https://github.com/netblue30/firejail/wiki). | ||
@@ -1,13 +1,14 @@ | |||
1 | Firejail is a SUID sandbox program that reduces the risk of security | 1 | Firejail is a SUID sandbox program that reduces the risk of security breaches |
2 | breaches by restricting the running environment of untrusted applications | 2 | by restricting the running environment of untrusted applications using Linux |
3 | using Linux namespaces and seccomp-bpf. It includes sandbox profiles for | 3 | namespaces and seccomp-bpf. |
4 | Iceweasel/Mozilla Firefox, Chromium, Midori, Opera, Evince, Transmission, | 4 | |
5 | VLC, Audacious, Clementine, Rhythmbox, Totem, Deluge, qBittorrent. | 5 | It includes sandbox profiles for many programs, including Iceweasel/Mozilla |
6 | DeaDBeeF, Dropbox, Empathy, FileZilla, IceCat, Thunderbird/Icedove, | 6 | Firefox, Chromium, Midori, Opera, Evince, Transmission, VLC, Audacious, |
7 | Pidgin, Quassel, and XChat. | 7 | Clementine, Rhythmbox, Totem, Deluge, qBittorrent, DeaDBeeF, Dropbox, Empathy, |
8 | FileZilla, IceCat, Thunderbird/Icedove, Pidgin, Quassel, and XChat. | ||
8 | 9 | ||
9 | Firejail also expands the restricted shell facility found in bash by adding | 10 | Firejail also expands the restricted shell facility found in bash by adding |
10 | Linux namespace support. It supports sandboxing specific users upon login. | 11 | Linux namespace support. It supports sandboxing specific users upon login. |
11 | 12 | ||
12 | Download: https://sourceforge.net/projects/firejail/files/ | 13 | Download: https://sourceforge.net/projects/firejail/files/ |
13 | Build and install: ./configure && make && sudo make install | 14 | Build and install: ./configure && make && sudo make install |
@@ -17,30 +18,33 @@ Backup Video Channel: https://www.bitchute.com/profile/JSBsA1aoQVfW/ | |||
17 | Development: https://github.com/netblue30/firejail | 18 | Development: https://github.com/netblue30/firejail |
18 | License: GPL v2 | 19 | License: GPL v2 |
19 | 20 | ||
20 | Please report all security vulnerabilities at netblue30@protonmail.com | 21 | Please report all security vulnerabilities to: |
22 | |||
23 | * <netblue30@protonmail.com> | ||
21 | 24 | ||
22 | Compile and install mainline version from GitHub: | 25 | Compile and install the mainline version from GitHub: |
23 | 26 | ||
24 | $ git clone https://github.com/netblue30/firejail.git | 27 | git clone https://github.com/netblue30/firejail.git |
25 | $ cd firejail | 28 | cd firejail |
26 | $ ./configure && make && sudo make install-strip | 29 | ./configure && make && sudo make install-strip |
27 | 30 | ||
28 | On Debian/Ubuntu you will need to install git and gcc compiler. AppArmor | 31 | On Debian/Ubuntu you will need to install git and gcc. AppArmor development |
29 | development libraries and pkg-config are required when using --enable-apparmor | 32 | libraries and pkg-config are required when using the --enable-apparmor |
30 | ./configure option: | 33 | ./configure option: |
31 | 34 | ||
32 | $ sudo apt-get install git build-essential libapparmor-dev pkg-config gawk | 35 | sudo apt-get install git build-essential libapparmor-dev pkg-config gawk |
33 | 36 | ||
34 | For --selinux option, add libselinux1-dev (libselinux-devel for Fedora). | 37 | For --selinux option, add libselinux1-dev (libselinux-devel for Fedora). |
35 | 38 | ||
36 | We build our release firejail.tar.xz and firejail.deb packages using the following command: | 39 | We build our release firejail.tar.xz and firejail.deb packages using the |
37 | $ make distclean && ./configure && make deb | 40 | following commands: |
38 | 41 | ||
42 | make distclean && ./configure && make deb | ||
39 | 43 | ||
40 | Maintainer: | 44 | Maintainer: |
41 | - netblue30 (netblue30@protonmail.com) | 45 | - netblue30 (netblue30@protonmail.com) |
42 | 46 | ||
43 | Committers | 47 | Committers: |
44 | - chiraag-nataraj (https://github.com/chiraag-nataraj) | 48 | - chiraag-nataraj (https://github.com/chiraag-nataraj) |
45 | - crass (https://github.com/crass) | 49 | - crass (https://github.com/crass) |
46 | - ChrysoliteAzalea (https://github.com/ChrysoliteAzalea) | 50 | - ChrysoliteAzalea (https://github.com/ChrysoliteAzalea) |
@@ -55,15 +59,16 @@ Committers | |||
55 | - rusty-snake (https://github.com/rusty-snake) | 59 | - rusty-snake (https://github.com/rusty-snake) |
56 | - smitsohu (https://github.com/smitsohu) | 60 | - smitsohu (https://github.com/smitsohu) |
57 | - SkewedZeppelin (https://github.com/SkewedZeppelin) | 61 | - SkewedZeppelin (https://github.com/SkewedZeppelin) |
58 | - startx2017 (https://github.com/startx2017) - LTS and *bugfixes branches maintainer) | 62 | - startx2017 (https://github.com/startx2017) - LTS and *bugfixes branches |
63 | maintainer) | ||
59 | - Topi Miettinen (https://github.com/topimiettinen) | 64 | - Topi Miettinen (https://github.com/topimiettinen) |
60 | - veloute (https://github.com/veloute) | 65 | - veloute (https://github.com/veloute) |
61 | - Vincent43 (https://github.com/Vincent43) | 66 | - Vincent43 (https://github.com/Vincent43) |
62 | - netblue30 (netblue30@protonmail.com) | 67 | - netblue30 (netblue30@protonmail.com) |
63 | 68 | ||
69 | --- | ||
64 | 70 | ||
65 | 71 | Firejail Authors (alphabetical order): | |
66 | Firejail Authors (alphabetical order) | ||
67 | 72 | ||
68 | 0x7969 (https://github.com/0x7969) | 73 | 0x7969 (https://github.com/0x7969) |
69 | - fix wire-desktop.profile | 74 | - fix wire-desktop.profile |
@@ -313,7 +318,8 @@ curiosityseeker (https://github.com/curiosityseeker - new) | |||
313 | - updated keypassxc profile | 318 | - updated keypassxc profile |
314 | - added syscalls.sh, which determine the necessary syscalls for a program | 319 | - added syscalls.sh, which determine the necessary syscalls for a program |
315 | - fixed conky profile | 320 | - fixed conky profile |
316 | - thunderbird.profile: harden and enable the rules necessary to make Firefox open links | 321 | - thunderbird.profile: harden and enable the rules necessary to make |
322 | Firefox open links | ||
317 | da2x (https://github.com/da2x) | 323 | da2x (https://github.com/da2x) |
318 | - matched RPM license tag | 324 | - matched RPM license tag |
319 | Daan Bakker (https://github.com/dbakker) | 325 | Daan Bakker (https://github.com/dbakker) |
@@ -358,7 +364,8 @@ Disconnect3d (https://github.com/disconnect3d) | |||
358 | dm9pZCAq (https://github.com/dm9pZCAq) | 364 | dm9pZCAq (https://github.com/dm9pZCAq) |
359 | - fix for compilation under musl | 365 | - fix for compilation under musl |
360 | dmfreemon (https://github.com/dmfreemon) | 366 | dmfreemon (https://github.com/dmfreemon) |
361 | - add sandbox name or name of private directory to the window title when xpra is used | 367 | - add sandbox name or name of private directory to the window title |
368 | when xpra is used | ||
362 | - handle malloc() failures; use gnu_basename() instead of basenaem() | 369 | - handle malloc() failures; use gnu_basename() instead of basenaem() |
363 | Dmitriy Chestnykh (https://github.com/chestnykh) | 370 | Dmitriy Chestnykh (https://github.com/chestnykh) |
364 | - add ability to disable user profiles at compile time | 371 | - add ability to disable user profiles at compile time |
@@ -1030,7 +1037,8 @@ soredake (https://github.com/soredake) | |||
1030 | - add localtime to private-etc to make qtox show correct time | 1037 | - add localtime to private-etc to make qtox show correct time |
1031 | - fixes for the keepassxc 2.2.5 version | 1038 | - fixes for the keepassxc 2.2.5 version |
1032 | SkewedZeppelin (https://github.com/SkewedZeppelin) | 1039 | SkewedZeppelin (https://github.com/SkewedZeppelin) |
1033 | - added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5 profiles | 1040 | - added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, |
1041 | Lollypop, MultiMC5 profiles | ||
1034 | - added PDFSam, Pithos, and Xonotic profiles | 1042 | - added PDFSam, Pithos, and Xonotic profiles |
1035 | - disabled Go, Rust, and OpenSSL in disable-devel.conf | 1043 | - disabled Go, Rust, and OpenSSL in disable-devel.conf |
1036 | - added dino profile | 1044 | - added dino profile |
@@ -1048,7 +1056,8 @@ SkewedZeppelin (https://github.com/SkewedZeppelin) | |||
1048 | - added IntelliJ IDEA and Android Studio profiles | 1056 | - added IntelliJ IDEA and Android Studio profiles |
1049 | - added arm profile | 1057 | - added arm profile |
1050 | - lots of profile improvements/tightening | 1058 | - lots of profile improvements/tightening |
1051 | - added apktool, baobab, dex2jar, gitg, hashcat, obs, picard, remmina, sdat2img, | 1059 | - added apktool, baobab, dex2jar, gitg, hashcat, obs, picard, remmina, |
1060 | sdat2img, | ||
1052 | soundconverter, sqlitebrowser, and truecraft profiles | 1061 | soundconverter, sqlitebrowser, and truecraft profiles |
1053 | - added gnome-twitch profile | 1062 | - added gnome-twitch profile |
1054 | - Unified all 341 profiles | 1063 | - Unified all 341 profiles |
@@ -1085,10 +1094,12 @@ SYN-cook (https://github.com/SYN-cook) | |||
1085 | - gnome-calculator changes | 1094 | - gnome-calculator changes |
1086 | startx2017 (https://github.com/startx2017) | 1095 | startx2017 (https://github.com/startx2017) |
1087 | - syscall list update | 1096 | - syscall list update |
1088 | - updated default seccomp filters - added bpf, clock_settime, personality, process_vm_writev, query_module, | 1097 | - updated default seccomp filters - added bpf, clock_settime, |
1089 | settimeofday, stime, umount, userfaultfd, ustat, vm86, and vm86old | 1098 | personality, process_vm_writev, query_module, settimeofday, stime, |
1099 | umount, userfaultfd, ustat, vm86, and vm86old | ||
1090 | - enable/disable join support in /etc/firejail/firejail.config | 1100 | - enable/disable join support in /etc/firejail/firejail.config |
1091 | - firecfg fix: create ~/.local/share/applications directory if it doesn't exist | 1101 | - firecfg fix: create ~/.local/share/applications directory if it |
1102 | doesn't exist | ||
1092 | - firejail.config cleanup | 1103 | - firejail.config cleanup |
1093 | - --quiet fixes | 1104 | - --quiet fixes |
1094 | - bugfixes branches maintainer | 1105 | - bugfixes branches maintainer |
@@ -1250,10 +1261,9 @@ Zack Weinberg (https://github.com/zackw) | |||
1250 | - wait_for_other function rewrite | 1261 | - wait_for_other function rewrite |
1251 | - Xvfb X11 server support | 1262 | - Xvfb X11 server support |
1252 | - Xvfb and Xephyr profiles, modified Xpra profile | 1263 | - Xvfb and Xephyr profiles, modified Xpra profile |
1253 | - support for sandboxing Xpra, Xvfb and Xephyr in independent sandboxes when started | 1264 | - support for sandboxing Xpra, Xvfb and Xephyr in independent sandboxes |
1254 | with firejail --x11 | 1265 | when started with firejail --x11 |
1255 | - support for xpra-extra-params in firejail.config | 1266 | - support for xpra-extra-params in firejail.config |
1256 | |||
1257 | zupatisc (https://github.com/zupatisc) | 1267 | zupatisc (https://github.com/zupatisc) |
1258 | - patch-util fix | 1268 | - patch-util fix |
1259 | 1269 | ||
@@ -1,79 +1,91 @@ | |||
1 | # Firejail | 1 | # Firejail |
2 | [![Build Status](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines/) | 2 | |
3 | [![CodeQL](https://github.com/netblue30/firejail/workflows/CodeQL/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACodeQL) | 3 | [![Build CI (GitLab)](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines) |
4 | [![Build CI](https://github.com/netblue30/firejail/workflows/Build%20CI/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3A%22Build+CI%22) | 4 | [![Build CI (GitHub)](https://github.com/netblue30/firejail/workflows/Build%20CI/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3A%22Build+CI%22) |
5 | [![Packaging status](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions) | 5 | [![CodeQL CI](https://github.com/netblue30/firejail/workflows/CodeQL/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACodeQL) |
6 | 6 | [![Packaging status (Repology)](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions) | |
7 | Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting | 7 | |
8 | the running environment of untrusted applications using Linux namespaces, seccomp-bpf | 8 | Firejail is a SUID sandbox program that reduces the risk of security breaches |
9 | and Linux capabilities. It allows a process and all its descendants to have their own private | 9 | by restricting the running environment of untrusted applications using Linux |
10 | view of the globally shared kernel resources, such as the network stack, process table, mount table. | 10 | namespaces, seccomp-bpf and Linux capabilities. It allows a process and all |
11 | Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux Control Groups. | 11 | its descendants to have their own private view of the globally shared kernel |
12 | 12 | resources, such as the network stack, process table, mount table. Firejail can | |
13 | Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel | 13 | work in a SELinux or AppArmor environment, and it is integrated with Linux |
14 | version or newer. It can sandbox any type of processes: servers, graphical applications, and even | 14 | Control Groups. |
15 | user login sessions. The software includes sandbox profiles for a number of more common Linux programs, | 15 | |
16 | Written in C with virtually no dependencies, the software runs on any Linux | ||
17 | computer with a 3.x kernel version or newer. It can sandbox any type of | ||
18 | processes: servers, graphical applications, and even user login sessions. The | ||
19 | software includes sandbox profiles for a number of more common Linux programs, | ||
16 | such as Mozilla Firefox, Chromium, VLC, Transmission etc. | 20 | such as Mozilla Firefox, Chromium, VLC, Transmission etc. |
17 | 21 | ||
18 | The sandbox is lightweight, the overhead is low. There are no complicated configuration files to edit, | 22 | The sandbox is lightweight, the overhead is low. There are no complicated |
19 | no socket connections open, no daemons running in the background. All security features are | 23 | configuration files to edit, no socket connections open, no daemons running in |
20 | implemented directly in Linux kernel and available on any Linux computer. | 24 | the background. All security features are implemented directly in Linux kernel |
25 | and available on any Linux computer. | ||
26 | |||
27 | ## Videos | ||
21 | 28 | ||
22 | <table><tr> | 29 | <table> |
30 | <tr> | ||
23 | 31 | ||
24 | <td> | 32 | <td> |
25 | <a href="https://odysee.com/@netblue30:9/firefox:c" target="_blank"> | 33 | <a href="https://odysee.com/@netblue30:9/firefox:c" target="_blank"> |
26 | <img src="https://thumbs.odycdn.com/acf4b1c66737feb97640fb1d28a7daa6.png" | 34 | <img src="https://thumbs.odycdn.com/acf4b1c66737feb97640fb1d28a7daa6.png" |
27 | alt="Advanced Browser Security" width="240" height="142" border="10" /><br/>Advanced Browser Security</a> | 35 | alt="Advanced Browser Security" width="240" height="142" border="10" /> |
36 | <br/>Advanced Browser Security | ||
37 | </a> | ||
28 | </td> | 38 | </td> |
29 | 39 | ||
30 | <td> | 40 | <td> |
31 | <a href="https://odysee.com/@netblue30:9/nonet:7" target="_blank"> | 41 | <a href="https://odysee.com/@netblue30:9/nonet:7" target="_blank"> |
32 | <img src="https://thumbs.odycdn.com/5be2964201c31689ee8f78cb9f35e89a.png" | 42 | <img src="https://thumbs.odycdn.com/5be2964201c31689ee8f78cb9f35e89a.png" |
33 | alt="How To Disable Network Access" width="240" height="142" border="10" /><br/>How To Disable Network Access</a> | 43 | alt="How To Disable Network Access" width="240" height="142" border="10" /> |
44 | <br/>How To Disable Network Access | ||
45 | </a> | ||
34 | </td> | 46 | </td> |
35 | 47 | ||
36 | <td> | 48 | <td> |
37 | <a href="https://odysee.com/@netblue30:9/divested:2" target="_blank"> | 49 | <a href="https://odysee.com/@netblue30:9/divested:2" target="_blank"> |
38 | <img src="https://thumbs.odycdn.com/f30ece33a6547af9ae48244f4ba73028.png" | 50 | <img src="https://thumbs.odycdn.com/f30ece33a6547af9ae48244f4ba73028.png" |
39 | alt="Deep Dive" width="240" height="142" border="10" /><br/>Deep Dive</a> | 51 | alt="Deep Dive" width="240" height="142" border="10" /> |
52 | <br/>Deep Dive | ||
53 | </a> | ||
40 | </td> | 54 | </td> |
41 | 55 | ||
42 | </tr></table> | 56 | </tr> |
43 | 57 | </table> | |
44 | Project webpage: https://firejail.wordpress.com/ | ||
45 | |||
46 | IRC: https://web.libera.chat/#firejail | ||
47 | |||
48 | Download and Installation: https://firejail.wordpress.com/download-2/ | ||
49 | |||
50 | Features: https://firejail.wordpress.com/features-3/ | ||
51 | 58 | ||
52 | Documentation: https://firejail.wordpress.com/documentation-2/ | 59 | ## Links |
53 | 60 | ||
54 | FAQ: https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions | 61 | * Project webpage: <https://firejail.wordpress.com/> |
55 | 62 | * IRC: <https://web.libera.chat/#firejail> | |
56 | Wiki: https://github.com/netblue30/firejail/wiki | 63 | * Download and Installation: <https://firejail.wordpress.com/download-2/> |
57 | 64 | * Features: <https://firejail.wordpress.com/features-3/> | |
58 | GitLab-CI status: https://gitlab.com/Firejail/firejail_ci/pipelines/ | 65 | * Documentation: <https://firejail.wordpress.com/documentation-2/> |
59 | 66 | * FAQ: <https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions> | |
60 | Video Channel: https://odysee.com/@netblue30:9?order=new | 67 | * Wiki: <https://github.com/netblue30/firejail/wiki> |
61 | 68 | * GitHub Actions: <https://github.com/netblue30/firejail/actions> | |
62 | Backup Video Channel: https://www.bitchute.com/profile/JSBsA1aoQVfW/ | 69 | * GitLab CI: <https://gitlab.com/Firejail/firejail_ci/pipelines> |
70 | * Video Channel: <https://odysee.com/@netblue30:9?order=new> | ||
71 | * Backup Video Channel: <https://www.bitchute.com/profile/JSBsA1aoQVfW/> | ||
63 | 72 | ||
64 | ## Security vulnerabilities | 73 | ## Security vulnerabilities |
65 | 74 | ||
66 | We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@protonmail.com | 75 | See [SECURITY.md](SECURITY.md). |
67 | 76 | ||
68 | ## Installing | 77 | ## Installing |
69 | 78 | ||
70 | ### Debian | 79 | ### Debian |
71 | 80 | ||
72 | Debian stable (bullseye): We recommend to use the [backports](https://packages.debian.org/bullseye-backports/firejail) package. | 81 | Debian stable (bullseye): We recommend to use the |
82 | [backports](https://packages.debian.org/bullseye-backports/firejail) package. | ||
73 | 83 | ||
74 | ### Ubuntu | 84 | ### Ubuntu |
75 | 85 | ||
76 | For Ubuntu 18.04+ and derivatives (such as Linux Mint), users are **strongly advised** to use the [PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail). | 86 | For Ubuntu 18.04+ and derivatives (such as Linux Mint), users are **strongly |
87 | advised** to use the | ||
88 | [PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail). | ||
77 | 89 | ||
78 | How to add and install from the PPA: | 90 | How to add and install from the PPA: |
79 | 91 | ||
@@ -83,140 +95,186 @@ sudo apt-get update | |||
83 | sudo apt-get install firejail firejail-profiles | 95 | sudo apt-get install firejail firejail-profiles |
84 | ``` | 96 | ``` |
85 | 97 | ||
86 | Reason: The firejail package for Ubuntu 20.04 has been left vulnerable to CVE-2021-26910 for months after a patch for it was posted on Launchpad: | 98 | Reason: The firejail package for Ubuntu 20.04 has been left vulnerable to |
99 | CVE-2021-26910 for months after a patch for it was posted on Launchpad: | ||
87 | 100 | ||
88 | * [firejail version in Ubuntu 20.04 LTS is vulnerable to CVE-2021-26910](https://bugs.launchpad.net/ubuntu/+source/firejail/+bug/1916767) | 101 | * [CVE-2021-26910](https://github.com/advisories/GHSA-2q4h-h5jp-942w) |
102 | * [firejail version in Ubuntu 20.04 LTS is vulnerable to | ||
103 | CVE-2021-26910](https://bugs.launchpad.net/ubuntu/+source/firejail/+bug/1916767) | ||
89 | 104 | ||
90 | See also <https://wiki.ubuntu.com/SecurityTeam/FAQ>: | 105 | See also <https://wiki.ubuntu.com/SecurityTeam/FAQ>: |
91 | 106 | ||
92 | > What software is supported by the Ubuntu Security team? | 107 | > What software is supported by the Ubuntu Security team? |
93 | > | 108 | > |
94 | > Ubuntu is currently divided into four components: main, restricted, universe | 109 | > Ubuntu is currently divided into four components: main, restricted, universe |
95 | > and multiverse. All binary packages in main and restricted are supported by | 110 | > and multiverse. All binary packages in main and restricted are supported by |
96 | > the Ubuntu Security team for the life of an Ubuntu release, while binary | 111 | > the Ubuntu Security team for the life of an Ubuntu release, while binary |
97 | > packages in universe and multiverse are supported by the Ubuntu community. | 112 | > packages in universe and multiverse are supported by the Ubuntu community. |
98 | 113 | ||
99 | Additionally, the PPA version is likely to be more recent and to contain more profile fixes. | 114 | Additionally, the PPA version is likely to be more recent and to contain more |
115 | profile fixes. | ||
100 | 116 | ||
101 | See the following discussions for details: | 117 | See the following discussions for details: |
102 | 118 | ||
103 | * [Should I keep using the version of firejail available in my distro repos?](https://github.com/netblue30/firejail/discussions/4666) | 119 | * [Should I keep using the version of firejail available in my distro |
104 | * [How to install the latest version on Ubuntu and derivatives](https://github.com/netblue30/firejail/discussions/4663) | 120 | repos?](https://github.com/netblue30/firejail/discussions/4666) |
121 | * [How to install the latest version on Ubuntu and | ||
122 | derivatives](https://github.com/netblue30/firejail/discussions/4663) | ||
105 | 123 | ||
106 | ### Other | 124 | ### Other |
107 | 125 | ||
108 | Firejail is included in a large number of Linux distributions. | 126 | Firejail is available in multiple Linux distributions: |
127 | |||
128 | <details> | ||
129 | <summary>Repology</summary> | ||
130 | <p> | ||
131 | |||
132 | [![Packaging status (Repology)](https://repology.org/badge/vertical-allrepos/firejail.svg)](https://repology.org/project/firejail/versions) | ||
109 | 133 | ||
110 | You can also install one of the [released packages](http://sourceforge.net/projects/firejail/files/firejail), or clone Firejail’s source code from our Git repository and compile manually: | 134 | </p> |
135 | </details> | ||
111 | 136 | ||
112 | ````` | 137 | Other than the [aforementioned exceptions](#installing), as long as your |
113 | $ git clone https://github.com/netblue30/firejail.git | 138 | distribution provides a [supported version](SECURITY.md) of firejail, it's |
114 | $ cd firejail | 139 | generally a good idea to install it from the distribution. |
115 | $ ./configure && make && sudo make install-strip | 140 | |
116 | ````` | 141 | The version can be checked with `firejail --version` after installing. |
117 | On Debian/Ubuntu you will need to install git and gcc compiler. AppArmor | 142 | |
118 | development libraries and pkg-config are required when using `--enable-apparmor` | 143 | You can also install one of the [released |
144 | packages](https://github.com/netblue30/firejail/releases). | ||
145 | |||
146 | Or clone the source code from our git repository and build manually: | ||
147 | |||
148 | ```sh | ||
149 | git clone https://github.com/netblue30/firejail.git | ||
150 | cd firejail | ||
151 | ./configure && make && sudo make install-strip | ||
152 | ``` | ||
153 | |||
154 | On Debian/Ubuntu you will need to install git and gcc. AppArmor development | ||
155 | libraries and pkg-config are required when using the `--enable-apparmor` | ||
119 | ./configure option: | 156 | ./configure option: |
120 | ````` | 157 | |
121 | $ sudo apt-get install git build-essential libapparmor-dev pkg-config gawk | 158 | ```sh |
122 | ````` | 159 | sudo apt-get install git build-essential libapparmor-dev pkg-config gawk |
160 | ``` | ||
161 | |||
123 | For `--selinux` option, add libselinux1-dev (libselinux-devel for Fedora). | 162 | For `--selinux` option, add libselinux1-dev (libselinux-devel for Fedora). |
124 | 163 | ||
125 | Detailed information on using firejail from git is available on the [wiki](https://github.com/netblue30/firejail/wiki/Using-firejail-from-git). | 164 | Detailed information on using firejail from git is available on the |
165 | [wiki](https://github.com/netblue30/firejail/wiki/Using-firejail-from-git). | ||
126 | 166 | ||
127 | ## Running the sandbox | 167 | ## Running the sandbox |
128 | 168 | ||
129 | To start the sandbox, prefix your command with `firejail`: | 169 | To start the sandbox, prefix your command with `firejail`: |
130 | 170 | ||
131 | ````` | 171 | ```sh |
132 | $ firejail firefox # starting Mozilla Firefox | 172 | firejail firefox # starting Mozilla Firefox |
133 | $ firejail transmission-gtk # starting Transmission BitTorrent | 173 | firejail transmission-gtk # starting Transmission BitTorrent |
134 | $ firejail vlc # starting VideoLAN Client | 174 | firejail vlc # starting VideoLAN Client |
135 | $ sudo firejail /etc/init.d/nginx start | 175 | sudo firejail /etc/init.d/nginx start |
136 | ````` | 176 | ``` |
137 | Run `firejail --list` in a terminal to list all active sandboxes. Example: | 177 | |
138 | ````` | 178 | Run `firejail --list` in a terminal to list all active sandboxes. Example: |
179 | |||
180 | ```console | ||
139 | $ firejail --list | 181 | $ firejail --list |
140 | 1617:netblue:/usr/bin/firejail /usr/bin/firefox-esr | 182 | 1617:netblue:/usr/bin/firejail /usr/bin/firefox-esr |
141 | 7719:netblue:/usr/bin/firejail /usr/bin/transmission-qt | 183 | 7719:netblue:/usr/bin/firejail /usr/bin/transmission-qt |
142 | 7779:netblue:/usr/bin/firejail /usr/bin/galculator | 184 | 7779:netblue:/usr/bin/firejail /usr/bin/galculator |
143 | 7874:netblue:/usr/bin/firejail /usr/bin/vlc --started-from-file file:///home/netblue/firejail-whitelist.mp4 | 185 | 7874:netblue:/usr/bin/firejail /usr/bin/vlc --started-from-file file:///home/netblue/firejail-whitelist.mp4 |
144 | 7916:netblue:firejail --list | 186 | 7916:netblue:firejail --list |
145 | ````` | 187 | ``` |
146 | 188 | ||
147 | ## Desktop integration | 189 | ## Desktop integration |
148 | 190 | ||
149 | Integrate your sandbox into your desktop by running the following two commands: | 191 | Integrate your sandbox into your desktop by running the following two commands: |
150 | ````` | ||
151 | $ firecfg --fix-sound | ||
152 | $ sudo firecfg | ||
153 | ````` | ||
154 | 192 | ||
155 | The first command solves some shared memory/PID namespace bugs in PulseAudio software prior to version 9. | 193 | ```sh |
156 | The second command integrates Firejail into your desktop. You would need to logout and login back to apply | 194 | firecfg --fix-sound |
157 | PulseAudio changes. | 195 | sudo firecfg |
196 | ``` | ||
197 | |||
198 | The first command solves some shared memory/PID namespace bugs in PulseAudio | ||
199 | software prior to version 9. The second command integrates Firejail into your | ||
200 | desktop. You would need to logout and login back to apply PulseAudio changes. | ||
201 | |||
202 | Start your programs the way you are used to: desktop manager menus, file | ||
203 | manager, desktop launchers. | ||
158 | 204 | ||
159 | Start your programs the way you are used to: desktop manager menus, file manager, desktop launchers. | 205 | The integration applies to any program supported by default by Firejail. There |
160 | The integration applies to any program supported by default by Firejail. There are about 250 default applications | 206 | are over 900 default applications in the current Firejail version, and the |
161 | in current Firejail version, and the number goes up with every new release. | 207 | number goes up with every new release. |
162 | We keep the application list in [/etc/firejail/firecfg.config](https://github.com/netblue30/firejail/blob/master/src/firecfg/firecfg.config) file. | 208 | |
209 | We keep the application list in | ||
210 | [src/firecfg/firecfg.config](src/firecfg/firecfg.config) | ||
211 | (/etc/firejail/firecfg.config when installed). | ||
163 | 212 | ||
164 | ## Security profiles | 213 | ## Security profiles |
165 | 214 | ||
166 | Most Firejail command line options can be passed to the sandbox using profile files. | 215 | Most Firejail command line options can be passed to the sandbox using profile |
167 | You can find the profiles for all supported applications in [/etc/firejail](https://github.com/netblue30/firejail/tree/master/etc) directory. | 216 | files. |
217 | |||
218 | You can find the profiles for all supported applications in [etc/](etc/) | ||
219 | (/etc/firejail/ when installed). | ||
220 | |||
221 | We also keep a list of profile fixes for previous released versions in | ||
222 | [etc-fixes/](etc-fixes/). | ||
168 | 223 | ||
169 | If you keep additional Firejail security profiles in a public repository, please give us a link: | 224 | If you keep additional Firejail security profiles in a public repository, |
225 | please give us a link: | ||
170 | 226 | ||
171 | * https://github.com/chiraag-nataraj/firejail-profiles | 227 | * <https://github.com/chiraag-nataraj/firejail-profiles> |
228 | * <https://github.com/triceratops1/fe> | ||
172 | 229 | ||
173 | * https://github.com/triceratops1/fe | 230 | Use this issue to request new profiles: |
174 | 231 | ||
175 | Use this issue to request new profiles: [#1139](https://github.com/netblue30/firejail/issues/1139) | 232 | * [Profile requests](https://github.com/netblue30/firejail/issues/1139) |
176 | 233 | ||
177 | You can also use this tool to get a list of syscalls needed by a program: [contrib/syscalls.sh](contrib/syscalls.sh). | 234 | You can also use this tool to get a list of syscalls needed by a program: |
178 | 235 | ||
179 | We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory. | 236 | * [contrib/syscalls.sh](contrib/syscalls.sh) |
180 | 237 | ||
181 | ## Latest released version: 0.9.72 | 238 | ## Latest released version: 0.9.72 |
182 | 239 | ||
183 | ## Current development version: 0.9.73 | 240 | ## Current development version: 0.9.73 |
184 | 241 | ||
185 | ### --keep-shell-rc | 242 | ### --keep-shell-rc |
186 | ````` | 243 | |
244 | ```text | ||
187 | --keep-shell-rc | 245 | --keep-shell-rc |
188 | By default, when using a private home directory, firejail copies | 246 | By default, when using a private home directory, firejail copies |
189 | files from the system's user home template (/etc/skel) into it, | 247 | files from the system's user home template (/etc/skel) into it, |
190 | which overrides attempts to whitelist the original files (such | 248 | which overrides attempts to whitelist the original files (such |
191 | as ~/.bashrc and ~/.zshrc). This option disables this feature, | 249 | as ~/.bashrc and ~/.zshrc). This option disables this feature, |
192 | and enables the user to whitelist the original files. | 250 | and enables the user to whitelist the original files. |
193 | 251 | ``` | |
194 | ````` | ||
195 | 252 | ||
196 | ### private-etc rework | 253 | ### private-etc rework |
197 | ````` | 254 | |
255 | ```text | ||
198 | --private-etc, --private-etc=file,directory,@group | 256 | --private-etc, --private-etc=file,directory,@group |
199 | The files installed by --private-etc are copies of the original | 257 | The files installed by --private-etc are copies of the original |
200 | system files from /etc directory. By default, the command | 258 | system files from /etc directory. By default, the command |
201 | brings in a skeleton of files and directories used by most con‐ | 259 | brings in a skeleton of files and directories used by most |
202 | sole tools: | 260 | console tools: |
203 | 261 | ||
204 | $ firejail --private-etc dig debian.org | 262 | $ firejail --private-etc dig debian.org |
205 | 263 | ||
206 | For X11/GTK/QT/Gnome/KDE programs add @x11 group as a parame‐ | 264 | For X11/GTK/QT/Gnome/KDE programs add @x11 group as a |
207 | ter. Example: | 265 | parameter. Example: |
208 | 266 | ||
209 | $ firejail --private-etc=@x11,gcrypt,python* gimp | 267 | $ firejail --private-etc=@x11,gcrypt,python* gimp |
210 | 268 | ||
211 | gcrypt and /etc/python* directories are not part of the generic | 269 | gcrypt and /etc/python* directories are not part of the generic |
212 | @x11 group. File globbing is supported. | 270 | @x11 group. File globbing is supported. |
213 | 271 | ||
214 | For games, add @games group: | 272 | For games, add @games group: |
215 | 273 | ||
216 | $ firejail --private-etc=@games,@x11 warzone2100 | 274 | $ firejail --private-etc=@games,@x11 warzone2100 |
217 | 275 | ||
218 | Sound and networking files are included automatically, unless | 276 | Sound and networking files are included automatically, unless |
219 | --nosound or --net=none are specified. Files for encrypted | 277 | --nosound or --net=none are specified. Files for encrypted |
220 | TLS/SSL protocol are in @tls-ca group. | 278 | TLS/SSL protocol are in @tls-ca group. |
221 | 279 | ||
222 | $ firejail --private-etc=@tls-ca,wgetrc wget https://debian.org | 280 | $ firejail --private-etc=@tls-ca,wgetrc wget https://debian.org |
@@ -225,22 +283,29 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
225 | by your program is using strace utility: | 283 | by your program is using strace utility: |
226 | 284 | ||
227 | $ strace /usr/bin/transmission-qt 2>&1 | grep open | grep etc | 285 | $ strace /usr/bin/transmission-qt 2>&1 | grep open | grep etc |
286 | ``` | ||
287 | |||
288 | We keep the list of groups in | ||
289 | [src/include/etc_groups.h](src/include/etc_groups.h). | ||
228 | 290 | ||
229 | ````` | 291 | Discussion: |
230 | We keep the list of groups in [src/include/etc_groups.h](https://github.com/netblue30/firejail/blob/master/src/include/etc_groups.h) | 292 | |
231 | Discussion: https://github.com/netblue30/firejail/discussions/5610 | 293 | * [private-etc rework](https://github.com/netblue30/firejail/discussions/5610) |
232 | 294 | ||
233 | ### Profile Statistics | 295 | ### Profile Statistics |
234 | 296 | ||
235 | A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. | 297 | A small tool to print profile statistics. Compile and install as usual. The |
298 | tool is installed in the /usr/lib/firejail directory. | ||
299 | |||
236 | Run it over the profiles in /etc/profiles: | 300 | Run it over the profiles in /etc/profiles: |
237 | ``` | 301 | |
302 | ```console | ||
238 | $ /usr/lib/firejail/profstats /etc/firejail/*.profile | 303 | $ /usr/lib/firejail/profstats /etc/firejail/*.profile |
239 | No include .local found in /etc/firejail/noprofile.profile | 304 | No include .local found in /etc/firejail/noprofile.profile |
240 | Warning: multiple caps in /etc/firejail/transmission-daemon.profile | 305 | Warning: multiple caps in /etc/firejail/transmission-daemon.profile |
241 | 306 | ||
242 | Stats: | 307 | Stats: |
243 | profiles 1209 | 308 | profiles 1209 |
244 | include local profile 1208 (include profile-name.local) | 309 | include local profile 1208 (include profile-name.local) |
245 | include globals 1181 (include globals.local) | 310 | include globals 1181 (include globals.local) |
246 | blacklist ~/.ssh 1079 (include disable-common.inc) | 311 | blacklist ~/.ssh 1079 (include disable-common.inc) |
@@ -266,5 +331,4 @@ Stats: | |||
266 | dbus-user filter 141 | 331 | dbus-user filter 141 |
267 | dbus-system none 851 | 332 | dbus-system none 851 |
268 | dbus-system filter 12 | 333 | dbus-system filter 12 |
269 | |||
270 | ``` | 334 | ``` |
@@ -21,14 +21,16 @@ firejail (0.9.73) baseline; urgency=low | |||
21 | * build: deb: enable apparmor by default & remove deb-apparmor (#5668) | 21 | * build: deb: enable apparmor by default & remove deb-apparmor (#5668) |
22 | * build: Fix whitespace and add .editorconfig (#5674) | 22 | * build: Fix whitespace and add .editorconfig (#5674) |
23 | * ci: always update the package db before installing packages (#5742) | 23 | * ci: always update the package db before installing packages (#5742) |
24 | * ci: fix codeql unable to download its own bundle (#5783) | ||
24 | * test: split individual test groups in github workflows | 25 | * test: split individual test groups in github workflows |
25 | * test: add chroot, appimage and network tests in github workflows | 26 | * test: add chroot, appimage and network tests in github workflows |
26 | * docs: remove apparmor options in --help when building without apparmor | 27 | * docs: remove apparmor options in --help when building without apparmor |
27 | support (#5589) | 28 | support (#5589) |
28 | * docs: selinux.c: Split Copyright notice & use same license as upstream | 29 | * docs: markdown formatting and misc improvements (#5757) |
30 | * legal: selinux.c: Split Copyright notice & use same license as upstream | ||
29 | (#5667) | 31 | (#5667) |
30 | * new profiles: fix-qdf, qpdf, zlib-flate, standard-notes | 32 | * new profiles: fix-qdf, qpdf, zlib-flate, standard-notes |
31 | -- netblue30 <netblue30@yahoo.com> Mon, 16 Jan 2023 09:00:00 -0500 | 33 | -- netblue30 <netblue30@yahoo.com> Mon, 17 Jan 2023 09:00:00 -0500 |
32 | 34 | ||
33 | firejail (0.9.72) baseline; urgency=low | 35 | firejail (0.9.72) baseline; urgency=low |
34 | * feature: On failing to remount a fuse filesystem, give warning instead of | 36 | * feature: On failing to remount a fuse filesystem, give warning instead of |
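--- a/SECURITY.md
+++ b/SECURITY.md
@@ -26,4 +26,8 @@
 
 ## Security vulnerabilities
 
-We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@@protonmail.com
+We take security bugs very seriously.
+
+If you believe you have found one, please report it to:
+
+* <netblue30@protonmail.com>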
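--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -69,6 +69,9 @@ blacklist ${HOME}/.xsessionrc
 blacklist /etc/X11/Xsession.d
 blacklist /etc/xdg/autostart
 read-only ${HOME}/.Xauthority
+read-only ${HOME}/.config/awesome/autorun.sh
+read-only ${HOME}/.config/openbox/autostart
+read-only ${HOME}/.config/openbox/environment
 
 # Session manager
 # see #3358
@@ -123,6 +126,7 @@ read-only ${HOME}/.config/kio_httprc
 read-only ${HOME}/.config/kiorc
 read-only ${HOME}/.config/kioslaverc
 read-only ${HOME}/.config/ksslcablacklist
+read-only ${HOME}/.config/lxqt
 read-only ${HOME}/.kde/share/apps/konsole
 read-only ${HOME}/.kde/share/apps/kssl
 read-only ${HOME}/.kde/share/config/*notifyrc
@@ -329,6 +333,7 @@ read-only ${HOME}/.ssh/config.d
 # Initialization files that allow arbitrary command execution
 read-only ${HOME}/.caffrc
 read-only ${HOME}/.cargo/env
+read-only ${HOME}/.config/mpv
 read-only ${HOME}/.config/nano
 read-only ${HOME}/.config/nvim
 read-only ${HOME}/.config/pkcs11
@@ -337,6 +342,7 @@ read-only ${HOME}/.elinks
 read-only ${HOME}/.emacs
 read-only ${HOME}/.emacs.d
 read-only ${HOME}/.exrc
+read-only ${HOME}/.gnupg/gpg.conf
 read-only ${HOME}/.gvimrc
 read-only ${HOME}/.homesick
 read-only ${HOME}/.iscreenrc
@@ -345,6 +351,7 @@ read-only ${HOME}/.local/share/cool-retro-term
 read-only ${HOME}/.local/share/nvim
 read-only ${HOME}/.local/state/nvim
 read-only ${HOME}/.mailcap
+read-only ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.msmtprc
 read-only ${HOME}/.mutt/muttrc
 read-only ${HOME}/.muttrc
@@ -366,6 +373,10 @@ read-only ${HOME}/_gvimrc
 read-only ${HOME}/_vimrc
 read-only ${HOME}/dotfiles
 
+# System package managers and AUR helpers
+blacklist ${HOME}/.config/cower
+read-only ${HOME}/.config/cower/config
+
 # Make directories commonly found in $PATH read-only
 read-only ${HOME}/.bin
 read-only ${HOME}/.cargo/bin
@@ -391,6 +402,11 @@ read-only ${HOME}/.config/user-dirs.dirs
 read-only ${HOME}/.config/user-dirs.locale
 read-only ${HOME}/.local/share/mime
 
+# Configuration files that do not allow arbitrary command execution but that
+# are intended to be modified manually (in a text editor and/or by a program
+# dedicated to managing them)
+read-only ${HOME}/.config/MangoHud
+
 # Write-protection for thumbnailer dir
 read-only ${HOME}/.local/share/thumbnailers
 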
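Review bot: The entry added at new line 345 write-protects only `${HOME}/.gnupg/gpg.conf`, while `gpg-agent.conf` in the same directory selects the pinentry program that gpg-agent launches, so it fits the "Initialization files that allow arbitrary command execution" group just as well. I would add `read-only ${HOME}/.gnupg/gpg-agent.conf` directly after it, unless that path is already listed in a part of the file these hunks do not show. The group heading is visible only in the hunk at new line 333, so I am assuming the gpg.conf hunk still belongs to that group. As far as I know a `read-only` entry is skipped when the path does not exist at sandbox start, which is a second reason to check whether protecting single files under `.gnupg` is enough for profiles that lift the blacklist on that directory.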
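--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -402,7 +402,6 @@ blacklist ${HOME}/.config/cmus
 blacklist ${HOME}/.config/cointop
 blacklist ${HOME}/.config/com.github.bleakgrey.tootle
 blacklist ${HOME}/.config/corebird
-blacklist ${HOME}/.config/cower
 blacklist ${HOME}/.config/coyim
 blacklist ${HOME}/.config/d-feet
 blacklist ${HOME}/.config/darktable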
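--- a/etc/inc/whitelist-common.inc
+++ b/etc/inc/whitelist-common.inc
@@ -10,16 +10,12 @@ whitelist ${HOME}/.asoundrc
 whitelist ${HOME}/.config/ibus
 whitelist ${HOME}/.config/mimeapps.list
 whitelist ${HOME}/.config/pkcs11
-read-only ${HOME}/.config/pkcs11
 whitelist ${HOME}/.config/user-dirs.dirs
-read-only ${HOME}/.config/user-dirs.dirs
 whitelist ${HOME}/.config/user-dirs.locale
-read-only ${HOME}/.config/user-dirs.locale
 whitelist ${HOME}/.drirc
 whitelist ${HOME}/.icons
 ?HAS_APPIMAGE: whitelist ${HOME}/.local/share/appimagekit
 whitelist ${HOME}/.local/share/applications
-read-only ${HOME}/.local/share/applications
 whitelist ${HOME}/.local/share/icons
 whitelist ${HOME}/.local/share/mime
 whitelist ${HOME}/.mime.types
@@ -68,6 +64,7 @@ whitelist ${HOME}/.config/kdeglobals
 whitelist ${HOME}/.config/kio_httprc
 whitelist ${HOME}/.config/kioslaverc
 whitelist ${HOME}/.config/ksslcablacklist
+whitelist ${HOME}/.config/lxqt
 whitelist ${HOME}/.config/qt5ct
 whitelist ${HOME}/.config/qt6ct
 whitelist ${HOME}/.config/qtcurve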
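Review bot: The four `read-only` lines dropped in the first hunk (`.config/pkcs11`, `.config/user-dirs.dirs`, `.config/user-dirs.locale`, `.local/share/applications`) were the only write protection this include applied itself, so a profile that pulls in whitelist-common.inc without disable-common.inc now leaves those paths writable inside the sandbox. `.local/share/applications` matters most, because a sandboxed program that can write .desktop entries there can influence what the desktop launches outside the sandbox. The disable-common.inc entries for the two user-dirs files are visible on this page, but those for pkcs11 and applications are not and should be confirmed; a header comment such as `# read-only rules for these paths live in disable-common.inc; include it as well` would record the dependency. The same reliance applies to the per-profile removals in makepkg.profile (`gpg.conf`), awesome.profile and openbox.profile, and the `whitelist ${HOME}/.config/lxqt` added in the second hunk has no visible `read-only` counterpart either.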
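--- a/etc/profile-a-l/ani-cli.profile
+++ b/etc/profile-a-l/ani-cli.profile
@@ -35,7 +35,5 @@ private-bin ani-cli,aria2c,cat,cp,curl,cut,ffmpeg,fzf,grep,head,mkdir,mv,nl,nohu
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
 private-tmp
 
-read-only ${HOME}/.config/mpv
-
 # Redirect
 include mpv.profile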
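--- a/etc/profile-a-l/awesome.profile
+++ b/etc/profile-a-l/awesome.profile
@@ -16,5 +16,4 @@ noroot
 protocol unix,inet,inet6
 seccomp !chroot
 
-read-only ${HOME}/.config/awesome/autorun.sh
 #restrict-namespaces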
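--- a/etc/profile-a-l/cower.profile
+++ b/etc/profile-a-l/cower.profile
@@ -45,5 +45,4 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
-read-only ${HOME}/.config/cower/config
 restrict-namespaces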
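--- a/etc/profile-a-l/electron-mail.profile
+++ b/etc/profile-a-l/electron-mail.profile
@@ -24,7 +24,6 @@ whitelist ${HOME}/.config/electron-mail
 # there isn't a Firefox instance running with the default profile; see #5352)
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 machine-id
 nosound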
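--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -85,6 +85,5 @@ dbus-user.talk org.gnome.seahorse.*
 dbus-user.talk org.mozilla.*
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.signature
 restrict-namespaces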
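--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -14,6 +14,9 @@ include globals.local
 # https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-run-two-instances-of-firefox
 # https://github.com/netblue30/firejail/issues/4206#issuecomment-824806968
 
+# (Ignore entry from disable-common.inc)
+ignore read-only ${HOME}/.mozilla/firefox/profiles.ini
+
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.mozilla
 noblacklist ${RUNUSER}/*firefox*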
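Review bot: The new `ignore read-only ${HOME}/.mozilla/firefox/profiles.ini` is coupled to the exact wording of the entry in disable-common.inc, and the comment above it does not say why Firefox needs the exemption. As far as I know `ignore` is compared against the profile line as written, so if the disable-common.inc entry is later respelled (a different variable or path form) the exemption would stop applying without an error and Firefox would lose write access to its own profiles.ini. A fuller comment would help, for example `# Firefox must be able to update its own profiles.ini; keep in sync with the read-only entry in disable-common.inc`. The other profiles in this commit that whitelist the file keep it read-only through the shared entry, which looks like the intent.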
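--- a/etc/profile-a-l/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -91,5 +91,4 @@ dbus-user.talk org.gnome.evolution.dataserver.Sources5
 dbus-user.talk org.mozilla.*
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 restrict-namespaces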
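--- a/etc/profile-a-l/kube.profile
+++ b/etc/profile-a-l/kube.profile
@@ -77,5 +77,4 @@ dbus-user.talk org.freedesktop.secrets
 dbus-user.talk org.freedesktop.Notifications
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 restrict-namespaces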
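--- a/etc/profile-a-l/linuxqq.profile
+++ b/etc/profile-a-l/linuxqq.profile
@@ -37,7 +37,5 @@ dbus-user.talk org.gnome.Mutter.IdleMonitor
 dbus-user.talk org.mozilla.*
 ignore dbus-user none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
-
 # Redirect
 include electron-common.profile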
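--- a/etc/profile-a-l/lobster.profile
+++ b/etc/profile-a-l/lobster.profile
@@ -35,7 +35,5 @@ private-bin curl,cut,fzf,grep,head,lobster,mv,patch,rm,sed,sh,tail,tput,tr,uname
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
 private-tmp
 
-read-only ${HOME}/.config/mpv
-
 # Redirect
 include mpv.profile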
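--- a/etc/profile-m-z/makepkg.profile
+++ b/etc/profile-m-z/makepkg.profile
@@ -19,7 +19,6 @@ blacklist ${RUNUSER}/wayland-*
 
 # Enable severely restricted access to ${HOME}/.gnupg
 noblacklist ${HOME}/.gnupg
-read-only ${HOME}/.gnupg/gpg.conf
 read-only ${HOME}/.gnupg/trustdb.gpg
 read-only ${HOME}/.gnupg/pubring.kbx
 blacklist ${HOME}/.gnupg/random_seed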
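--- a/etc/profile-m-z/mov-cli.profile
+++ b/etc/profile-m-z/mov-cli.profile
@@ -25,7 +25,5 @@ private-bin ffmpeg,fzf,mov-cli
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
 private-tmp
 
-read-only ${HOME}/.config/mpv
-
 # Redirect
 include mpv.profile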
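--- a/etc/profile-m-z/openbox.profile
+++ b/etc/profile-m-z/openbox.profile
@@ -16,6 +16,4 @@ noroot
 protocol unix,inet,inet6
 seccomp !chroot
 
-read-only ${HOME}/.config/openbox/autostart
-read-only ${HOME}/.config/openbox/environment
 #restrict-namespaces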
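--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -14,7 +14,6 @@ noblacklist ${HOME}/.config/Signal
 # These lines are needed to allow Firefox to open links
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 mkdir ${HOME}/.config/Signal
 whitelist ${HOME}/.config/Signal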
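--- a/etc/profile-m-z/standardnotes-desktop.profile
+++ b/etc/profile-m-z/standardnotes-desktop.profile
@@ -18,6 +18,10 @@ mkdir ${HOME}/Standard Notes Backups
 mkdir ${HOME}/.config/Standard Notes
 whitelist ${HOME}/Standard Notes Backups
 whitelist ${HOME}/.config/Standard Notes
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor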
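--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -181,5 +181,4 @@ private-tmp
 #dbus-user none
 #dbus-system none
 
-read-only ${HOME}/.config/MangoHud
 #restrict-namespaces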
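--- a/etc/profile-m-z/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -24,7 +24,6 @@ writable-run-user
 # These lines are needed to allow Firefox to load your profile when clicking a link in an email
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 noblacklist ${HOME}/.cache/thunderbird
 noblacklist ${HOME}/.gnupg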
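--- a/etc/profile-m-z/trojita.profile
+++ b/etc/profile-m-z/trojita.profile
@@ -60,5 +60,4 @@ dbus-user filter
 dbus-user.talk org.freedesktop.secrets
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 restrict-namespaces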
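--- a/etc/profile-m-z/tutanota-desktop.profile
+++ b/etc/profile-m-z/tutanota-desktop.profile
@@ -28,7 +28,6 @@ whitelist ${HOME}/.config/tutanota-desktop
 # there isn't a Firefox instance running with the default profile; see #5352)
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 machine-id
 nosound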
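--- a/etc/profile-m-z/youtube-viewers-common.profile
+++ b/etc/profile-m-z/youtube-viewers-common.profile
@@ -24,7 +24,6 @@ include allow-python3.inc
 # there isn't a Firefox instance running with the default profile; see #5352)
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 include disable-common.inc
 include disable-devel.inc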
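--- a/etc/profile-m-z/zeal.profile
+++ b/etc/profile-m-z/zeal.profile
@@ -23,7 +23,6 @@ include disable-xdg.inc
 # This also requires dbus-user filtering (see below).
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 mkdir ${HOME}/.cache/Zeal
 mkdir ${HOME}/.config/Zeal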
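--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -221,6 +221,8 @@ include globals.local
 #dbus-user.talk org.freedesktop.Notifications
 #dbus-system none
 
+# Note: read-only entries should usually go in disable-common.inc (especially
+# entries for configuration files that allow arbitrary command execution).
 ##deterministic-shutdown
 ##env VAR=VALUE
 ##join-or-start NAME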
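--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -279,7 +279,8 @@ static void env_apply_list(const char * const *list, unsigned int num_items) {
 
 while (env) {
 if (env->op == SETENV) {
-for (unsigned int i = 0; i < num_items; i++)
+unsigned int i;
+for (i = 0; i < num_items; i++)
 if (strcmp(env->name, list[i]) == 0) {
 // sanity check for whitelisted environment variables
 if (strlen(env->name) + strlen(env->value) >= MAX_ENV_LEN) {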
diff --git a/src/firejail/util.c b/src/firejail/util.c index b2a0c85f1..a0af3d4bf 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -56,7 +56,8 @@ long long unsigned parse_arg_size(char *str) { | |||
56 | } | 56 | } |
57 | 57 | ||
58 | /* checks for is value valid positive number */ | 58 | /* checks for is value valid positive number */ |
59 | for (int i = 0; i < len; i++) { | 59 | int i; |
60 | for (i = 0; i < len; i++) { | ||
60 | if (!isdigit(*(str+i))) { | 61 | if (!isdigit(*(str+i))) { |
61 | return 0; | 62 | return 0; |
62 | } | 63 | } |
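Review bot: The context line `if (!isdigit(*(str+i)))` passes a plain `char` to isdigit(), which is undefined behaviour for bytes with the high bit set on platforms where `char` is signed. Since this loop appears to validate a caller-supplied size string, it should read `if (!isdigit((unsigned char)str[i]))`. The commit only hoists the declaration of `i`, so this is not a regression, but the hunk already touches the loop and the fix is one line. `len` is declared outside the hunk, so whether comparing it with `int i` mixes signedness cannot be checked from here; parse_arg_size starts and ends outside the hunk.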