diff options
35 files changed, 157 insertions, 578 deletions
diff --git a/Makefile.in b/Makefile.in index abc86c2c3..31c2442ed 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -27,7 +27,7 @@ COMPLETIONDIRS = src/zsh_completion src/bash_completion | |||
27 | all: all_items mydirs $(MAN_TARGET) filters | 27 | all: all_items mydirs $(MAN_TARGET) filters |
28 | APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailcheck/jailcheck | 28 | APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailcheck/jailcheck |
29 | SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee src/fids/fids | 29 | SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee src/fids/fids |
30 | SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter | 30 | SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter src/profstats/profstats |
31 | MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS) | 31 | MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS) |
32 | MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so | 32 | MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so |
33 | COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion | 33 | COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion |
@@ -83,6 +83,7 @@ clean: | |||
83 | rm -f $(SECCOMP_FILTERS) | 83 | rm -f $(SECCOMP_FILTERS) |
84 | rm -f test/utils/index.html* | 84 | rm -f test/utils/index.html* |
85 | rm -f test/utils/wget-log | 85 | rm -f test/utils/wget-log |
86 | rm -f test/utils/firejail-test-file* | ||
86 | rm -f test/utils/lstesting | 87 | rm -f test/utils/lstesting |
87 | rm -f test/environment/index.html* | 88 | rm -f test/environment/index.html* |
88 | rm -f test/environment/wget-log* | 89 | rm -f test/environment/wget-log* |
@@ -138,8 +139,6 @@ endif | |||
138 | install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail src/firecfg/firecfg.config | 139 | install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail src/firecfg/firecfg.config |
139 | install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config etc/ids.config | 140 | install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config etc/ids.config |
140 | sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" | 141 | sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" |
141 | # program used track profile statistics during development - no manpage, this is not a user program | ||
142 | install -m 755 -t $(DESTDIR)$(sysconfdir)/firejail src/profstats/profstats | ||
143 | ifeq ($(BUSYBOX_WORKAROUND),yes) | 142 | ifeq ($(BUSYBOX_WORKAROUND),yes) |
144 | ./mketc.sh $(DESTDIR)$(sysconfdir)/firejail/disable-common.inc | 143 | ./mketc.sh $(DESTDIR)$(sysconfdir)/firejail/disable-common.inc |
145 | endif | 144 | endif |
@@ -562,6 +562,7 @@ Jose Riha (https://github.com/jose1711) | |||
562 | - fix warshow, jumpnbump, tremulous, blobwars profile fixes | 562 | - fix warshow, jumpnbump, tremulous, blobwars profile fixes |
563 | - drop noinput for games with gampad/joystick support | 563 | - drop noinput for games with gampad/joystick support |
564 | - goldendict profile fix | 564 | - goldendict profile fix |
565 | - whitelist /usr/share/nextcloud to allow access to translation files | ||
565 | jrabe (https://github.com/jrabe) | 566 | jrabe (https://github.com/jrabe) |
566 | - disallow access to kdbx files | 567 | - disallow access to kdbx files |
567 | - Epiphany profile | 568 | - Epiphany profile |
@@ -882,6 +883,8 @@ Sebastian Hafner (https://github.com/DropNib) | |||
882 | Senemu (https://github.com/Senemu) | 883 | Senemu (https://github.com/Senemu) |
883 | - protection for .pythonrc.py | 884 | - protection for .pythonrc.py |
884 | - fixed evince | 885 | - fixed evince |
886 | Seonwoo Lee (https://github.com/seonwoolee) | ||
887 | - fix teams ignoring input sources e.g. microphones | ||
885 | Sergey Alirzaev (https://github.com/l29ah) | 888 | Sergey Alirzaev (https://github.com/l29ah) |
886 | - firejail.h enum fix | 889 | - firejail.h enum fix |
887 | - firefox-common-addons.inc: + tridactyl | 890 | - firefox-common-addons.inc: + tridactyl |
@@ -1106,6 +1109,9 @@ Hugo Osvaldo Barrera (https://github.com/WhyNotHugo) | |||
1106 | - Skype profile tweaks | 1109 | - Skype profile tweaks |
1107 | xee5ch (https://github.com/xee5ch) | 1110 | xee5ch (https://github.com/xee5ch) |
1108 | - skypeforlinux profile | 1111 | - skypeforlinux profile |
1112 | York Zhao (https://github.com/YorkZ) | ||
1113 | - tor browser profile fix | ||
1114 | - allow telegram to open hyperlinks | ||
1109 | Ypnose (https://github.com/Ypnose) | 1115 | Ypnose (https://github.com/Ypnose) |
1110 | - disable-shell.inc: add mksh shell | 1116 | - disable-shell.inc: add mksh shell |
1111 | yumkam (https://github.com/yumkam) | 1117 | yumkam (https://github.com/yumkam) |
@@ -298,34 +298,37 @@ INTRUSION DETECTION SYSTEM (IDS) | |||
298 | 298 | ||
299 | ### Profile Statistics | 299 | ### Profile Statistics |
300 | 300 | ||
301 | A small tool to print profile statistics. Compile as usual and run in /etc/profiles: | 301 | A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. |
302 | Run it over the profiles in /etc/profiles: | ||
302 | ``` | 303 | ``` |
303 | $ sudo cp src/profstats/profstats /etc/firejail/. | 304 | $ /usr/lib/firejail/profstats /etc/firejail/*.profile |
304 | $ cd /etc/firejail | 305 | No include .local found in /etc/firejail/noprofile.profile |
305 | $ ./profstats *.profile | 306 | Warning: multiple caps in /etc/firejail/transmission-daemon.profile |
306 | profiles 1167 | 307 | |
307 | include local profile 1167 (include profile-name.local) | 308 | Stats: |
308 | include globals 1136 (include globals.local) | 309 | profiles 1176 |
309 | blacklist ~/.ssh 1042 (include disable-common.inc) | 310 | include local profile 1175 (include profile-name.local) |
310 | seccomp 1062 | 311 | include globals 1144 (include globals.local) |
311 | capabilities 1163 | 312 | blacklist ~/.ssh 1050 (include disable-common.inc) |
312 | noexec 1049 (include disable-exec.inc) | 313 | seccomp 1070 |
313 | noroot 971 | 314 | capabilities 1171 |
314 | memory-deny-write-execute 256 | 315 | noexec 1057 (include disable-exec.inc) |
315 | apparmor 693 | 316 | noroot 979 |
316 | private-bin 677 | 317 | memory-deny-write-execute 258 |
317 | private-dev 1027 | 318 | apparmor 700 |
318 | private-etc 532 | 319 | private-bin 681 |
319 | private-tmp 897 | 320 | private-dev 1033 |
320 | whitelist home directory 557 | 321 | private-etc 533 |
321 | whitelist var 836 (include whitelist-var-common.inc) | 322 | private-tmp 905 |
322 | whitelist run/user 1137 (include whitelist-runuser-common.inc | 323 | whitelist home directory 562 |
324 | whitelist var 842 (include whitelist-var-common.inc) | ||
325 | whitelist run/user 1145 (include whitelist-runuser-common.inc | ||
323 | or blacklist ${RUNUSER}) | 326 | or blacklist ${RUNUSER}) |
324 | whitelist usr/share 609 (include whitelist-usr-share-common.inc | 327 | whitelist usr/share 614 (include whitelist-usr-share-common.inc |
325 | net none 396 | 328 | net none 399 |
326 | dbus-user none 656 | 329 | dbus-user none 662 |
327 | dbus-user filter 108 | 330 | dbus-user filter 113 |
328 | dbus-system none 808 | 331 | dbus-system none 816 |
329 | dbus-system filter 10 | 332 | dbus-system filter 10 |
330 | ``` | 333 | ``` |
331 | 334 | ||
@@ -1,16 +1,17 @@ | |||
1 | firejail (0.9.67) baseline; urgency=low | 1 | firejail (0.9.67) baseline; urgency=low |
2 | * work in progress | 2 | * work in progress |
3 | * exit code: distinguish fatal signals by adding 128 | 3 | * exit code: distinguish fatal signals by adding 128 (#4533) |
4 | * intrusion detection system (--ids-init, --ids-check) | 4 | * intrusion detection system (--ids-init, --ids-check) |
5 | * deterministic shutdown (--deterministic-exit-code, | 5 | * deterministic shutdown (--deterministic-exit-code, |
6 | --deterministic-shutdown) | 6 | --deterministic-shutdown) (#4635) |
7 | * noprinters command (#4607) | ||
7 | * build: firecfg.config is now installed to /etc/firejail/ (#4669) | 8 | * build: firecfg.config is now installed to /etc/firejail/ (#4669) |
8 | * deprecated --disable-whitelist at compile time | 9 | * removed --disable-whitelist at compile time |
9 | * deprecated whitelist=yes/no in /etc/firejail/firejail.config | 10 | * removed whitelist=yes/no in /etc/firejail/firejail.config |
10 | * new condition: ALLOW_TRAY | 11 | * new condition: ALLOW_TRAY (#4510 #4599) |
11 | * remove (some) environment variables with auth-tokens | 12 | * remove (some) environment variables with auth-tokens (#4157) |
12 | * new includes: whitelist-run-common.inc, disable-X11.inc | 13 | * new includes: whitelist-run-common.inc (#4288), disable-X11.inc (#4462) |
13 | * removed includes: disable-passwordmgr.inc | 14 | * removed includes: disable-passwordmgr.inc (#4461) |
14 | * new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim | 15 | * new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim |
15 | * new profiles: io.github.lainsce.Notejot, rednotebook, gallery-dl | 16 | * new profiles: io.github.lainsce.Notejot, rednotebook, gallery-dl |
16 | * new profiles: yt-dlp, goldendict, goldendict, bundle, cmake | 17 | * new profiles: yt-dlp, goldendict, goldendict, bundle, cmake |
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index 3ec13e482..b1ec25987 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc | |||
@@ -630,3 +630,5 @@ blacklist ${RUNUSER}/inaccessible | |||
630 | blacklist ${RUNUSER}/pk-debconf-socket | 630 | blacklist ${RUNUSER}/pk-debconf-socket |
631 | blacklist ${RUNUSER}/update-notifier.pid | 631 | blacklist ${RUNUSER}/update-notifier.pid |
632 | 632 | ||
633 | # tor-browser | ||
634 | blacklist ${HOME}/.local/opt/tor-browser | ||
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile index 7bfb61688..2992a2d6f 100644 --- a/etc/profile-a-l/chromium-common.profile +++ b/etc/profile-a-l/chromium-common.profile | |||
@@ -53,6 +53,9 @@ private-cache | |||
53 | ?BROWSER_DISABLE_U2F: private-dev | 53 | ?BROWSER_DISABLE_U2F: private-dev |
54 | #private-tmp - issues when using multiple browser sessions | 54 | #private-tmp - issues when using multiple browser sessions |
55 | 55 | ||
56 | blacklist ${PATH}/curl | ||
57 | blacklist ${PATH}/wget | ||
58 | |||
56 | #dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector. | 59 | #dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector. |
57 | dbus-system none | 60 | dbus-system none |
58 | 61 | ||
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile index ef647b5a0..e7d438b46 100644 --- a/etc/profile-a-l/firefox-common.profile +++ b/etc/profile-a-l/firefox-common.profile | |||
@@ -59,6 +59,9 @@ disable-mnt | |||
59 | #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg | 59 | #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg |
60 | private-tmp | 60 | private-tmp |
61 | 61 | ||
62 | blacklist ${PATH}/curl | ||
63 | blacklist ${PATH}/wget | ||
64 | |||
62 | # 'dbus-user none' breaks various desktop integration features like global menus, native notifications, | 65 | # 'dbus-user none' breaks various desktop integration features like global menus, native notifications, |
63 | # Gnome connector, KDE connect and power management on KDE Plasma. | 66 | # Gnome connector, KDE connect and power management on KDE Plasma. |
64 | dbus-user none | 67 | dbus-user none |
diff --git a/etc/profile-a-l/highlight.profile b/etc/profile-a-l/highlight.profile index 0145f7ceb..97f190723 100644 --- a/etc/profile-a-l/highlight.profile +++ b/etc/profile-a-l/highlight.profile | |||
@@ -8,6 +8,9 @@ include globals.local | |||
8 | 8 | ||
9 | blacklist ${RUNUSER} | 9 | blacklist ${RUNUSER} |
10 | 10 | ||
11 | # Allow lua (blacklisted by disable-interpreters.inc) | ||
12 | include allow-lua.inc | ||
13 | |||
11 | include disable-common.inc | 14 | include disable-common.inc |
12 | include disable-devel.inc | 15 | include disable-devel.inc |
13 | include disable-interpreters.inc | 16 | include disable-interpreters.inc |
diff --git a/etc/profile-m-z/nextcloud.profile b/etc/profile-m-z/nextcloud.profile index 354d3351e..2e4a95125 100644 --- a/etc/profile-m-z/nextcloud.profile +++ b/etc/profile-m-z/nextcloud.profile | |||
@@ -29,6 +29,7 @@ mkdir ${HOME}/.local/share/Nextcloud | |||
29 | whitelist ${HOME}/Nextcloud | 29 | whitelist ${HOME}/Nextcloud |
30 | whitelist ${HOME}/.config/Nextcloud | 30 | whitelist ${HOME}/.config/Nextcloud |
31 | whitelist ${HOME}/.local/share/Nextcloud | 31 | whitelist ${HOME}/.local/share/Nextcloud |
32 | whitelist /usr/share/nextcloud | ||
32 | # Add the next lines to your nextcloud.local to allow sync in more directories. | 33 | # Add the next lines to your nextcloud.local to allow sync in more directories. |
33 | #whitelist ${DOCUMENTS} | 34 | #whitelist ${DOCUMENTS} |
34 | #whitelist ${MUSIC} | 35 | #whitelist ${MUSIC} |
diff --git a/etc/profile-m-z/teams-for-linux.profile b/etc/profile-m-z/teams-for-linux.profile index ee19bcd00..5711c1b36 100644 --- a/etc/profile-m-z/teams-for-linux.profile +++ b/etc/profile-m-z/teams-for-linux.profile | |||
@@ -11,6 +11,8 @@ ignore include disable-xdg.inc | |||
11 | ignore include whitelist-runuser-common.inc | 11 | ignore include whitelist-runuser-common.inc |
12 | ignore include whitelist-usr-share-common.inc | 12 | ignore include whitelist-usr-share-common.inc |
13 | 13 | ||
14 | ignore noinput | ||
15 | |||
14 | ignore dbus-user none | 16 | ignore dbus-user none |
15 | ignore dbus-system none | 17 | ignore dbus-system none |
16 | 18 | ||
diff --git a/etc/profile-m-z/teams.profile b/etc/profile-m-z/teams.profile index c8d98cbaa..ad52ca45f 100644 --- a/etc/profile-m-z/teams.profile +++ b/etc/profile-m-z/teams.profile | |||
@@ -13,6 +13,8 @@ ignore include whitelist-usr-share-common.inc | |||
13 | ignore novideo | 13 | ignore novideo |
14 | ignore private-tmp | 14 | ignore private-tmp |
15 | 15 | ||
16 | ignore novideo | ||
17 | |||
16 | # see #3404 | 18 | # see #3404 |
17 | ignore apparmor | 19 | ignore apparmor |
18 | ignore dbus-user none | 20 | ignore dbus-user none |
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile index dc1f77664..ce0119078 100644 --- a/etc/profile-m-z/telegram.profile +++ b/etc/profile-m-z/telegram.profile | |||
@@ -8,6 +8,9 @@ include globals.local | |||
8 | noblacklist ${HOME}/.TelegramDesktop | 8 | noblacklist ${HOME}/.TelegramDesktop |
9 | noblacklist ${HOME}/.local/share/TelegramDesktop | 9 | noblacklist ${HOME}/.local/share/TelegramDesktop |
10 | 10 | ||
11 | # Allow opening hyperlinks | ||
12 | include allow-bin-sh.inc | ||
13 | |||
11 | include disable-common.inc | 14 | include disable-common.inc |
12 | include disable-devel.inc | 15 | include disable-devel.inc |
13 | include disable-exec.inc | 16 | include disable-exec.inc |
@@ -41,7 +44,7 @@ seccomp.block-secondary | |||
41 | shell none | 44 | shell none |
42 | 45 | ||
43 | disable-mnt | 46 | disable-mnt |
44 | private-bin telegram,Telegram,telegram-desktop | 47 | private-bin bash,sh,telegram,Telegram,telegram-desktop,xdg-open |
45 | private-cache | 48 | private-cache |
46 | private-dev | 49 | private-dev |
47 | private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,localtime,machine-id,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg | 50 | private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,localtime,machine-id,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg |
diff --git a/etc/profile-m-z/tor-browser.profile b/etc/profile-m-z/tor-browser.profile index 76a0e1fa5..13f422b0a 100644 --- a/etc/profile-m-z/tor-browser.profile +++ b/etc/profile-m-z/tor-browser.profile | |||
@@ -7,9 +7,12 @@ include tor-browser.local | |||
7 | #include globals.local | 7 | #include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.tor-browser | 9 | noblacklist ${HOME}/.tor-browser |
10 | noblacklist ${HOME}/.local/opt/tor-browser | ||
10 | 11 | ||
11 | mkdir ${HOME}/.tor-browser | 12 | mkdir ${HOME}/.tor-browser |
12 | whitelist ${HOME}/.tor-browser | 13 | whitelist ${HOME}/.tor-browser |
14 | mkdir ${HOME}/.local/opt/tor-browser | ||
15 | whitelist ${HOME}/.local/opt/tor-browser | ||
13 | 16 | ||
14 | # Redirect | 17 | # Redirect |
15 | include torbrowser-launcher.profile | 18 | include torbrowser-launcher.profile |
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 4558934da..b410ba68e 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -456,15 +456,20 @@ void fs_check_private_dir(void) { | |||
456 | void fs_check_private_cwd(const char *dir) { | 456 | void fs_check_private_cwd(const char *dir) { |
457 | EUID_ASSERT(); | 457 | EUID_ASSERT(); |
458 | invalid_filename(dir, 0); // no globbing | 458 | invalid_filename(dir, 0); // no globbing |
459 | if (strcmp(dir, ".") == 0 || *dir != '/') | ||
460 | goto errout; | ||
459 | 461 | ||
460 | // Expand the working directory | 462 | // Expand the working directory |
461 | cfg.cwd = expand_macros(dir); | 463 | cfg.cwd = expand_macros(dir); |
462 | 464 | ||
463 | // realpath/is_dir not used because path may not exist outside of jail | 465 | // realpath/is_dir not used because path may not exist outside of jail |
464 | if (strstr(cfg.cwd, "..")) { | 466 | if (strstr(cfg.cwd, "..")) |
465 | fprintf(stderr, "Error: invalid private working directory\n"); | 467 | goto errout; |
466 | exit(1); | 468 | |
467 | } | 469 | return; |
470 | errout: | ||
471 | fprintf(stderr, "Error: invalid private working directory\n"); | ||
472 | exit(1); | ||
468 | } | 473 | } |
469 | 474 | ||
470 | //*********************************************************************************** | 475 | //*********************************************************************************** |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 0262db608..58e374b8b 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -1574,7 +1574,6 @@ int main(int argc, char **argv, char **envp) { | |||
1574 | profile_add(line); | 1574 | profile_add(line); |
1575 | } | 1575 | } |
1576 | 1576 | ||
1577 | // blacklist/deny | ||
1578 | else if (strncmp(argv[i], "--blacklist=", 12) == 0) { | 1577 | else if (strncmp(argv[i], "--blacklist=", 12) == 0) { |
1579 | char *line; | 1578 | char *line; |
1580 | if (asprintf(&line, "blacklist %s", argv[i] + 12) == -1) | 1579 | if (asprintf(&line, "blacklist %s", argv[i] + 12) == -1) |
@@ -1583,14 +1582,6 @@ int main(int argc, char **argv, char **envp) { | |||
1583 | profile_check_line(line, 0, NULL); // will exit if something wrong | 1582 | profile_check_line(line, 0, NULL); // will exit if something wrong |
1584 | profile_add(line); | 1583 | profile_add(line); |
1585 | } | 1584 | } |
1586 | else if (strncmp(argv[i], "--deny=", 7) == 0) { | ||
1587 | char *line; | ||
1588 | if (asprintf(&line, "blacklist %s", argv[i] + 7) == -1) | ||
1589 | errExit("asprintf"); | ||
1590 | |||
1591 | profile_check_line(line, 0, NULL); // will exit if something wrong | ||
1592 | profile_add(line); | ||
1593 | } | ||
1594 | else if (strncmp(argv[i], "--noblacklist=", 14) == 0) { | 1585 | else if (strncmp(argv[i], "--noblacklist=", 14) == 0) { |
1595 | char *line; | 1586 | char *line; |
1596 | if (asprintf(&line, "noblacklist %s", argv[i] + 14) == -1) | 1587 | if (asprintf(&line, "noblacklist %s", argv[i] + 14) == -1) |
@@ -1599,16 +1590,6 @@ int main(int argc, char **argv, char **envp) { | |||
1599 | profile_check_line(line, 0, NULL); // will exit if something wrong | 1590 | profile_check_line(line, 0, NULL); // will exit if something wrong |
1600 | profile_add(line); | 1591 | profile_add(line); |
1601 | } | 1592 | } |
1602 | else if (strncmp(argv[i], "--nodeny=", 9) == 0) { | ||
1603 | char *line; | ||
1604 | if (asprintf(&line, "noblacklist %s", argv[i] + 9) == -1) | ||
1605 | errExit("asprintf"); | ||
1606 | |||
1607 | profile_check_line(line, 0, NULL); // will exit if something wrong | ||
1608 | profile_add(line); | ||
1609 | } | ||
1610 | |||
1611 | // whitelist | ||
1612 | else if (strncmp(argv[i], "--whitelist=", 12) == 0) { | 1593 | else if (strncmp(argv[i], "--whitelist=", 12) == 0) { |
1613 | char *line; | 1594 | char *line; |
1614 | if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1) | 1595 | if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1) |
@@ -1617,14 +1598,6 @@ int main(int argc, char **argv, char **envp) { | |||
1617 | profile_check_line(line, 0, NULL); // will exit if something wrong | 1598 | profile_check_line(line, 0, NULL); // will exit if something wrong |
1618 | profile_add(line); | 1599 | profile_add(line); |
1619 | } | 1600 | } |
1620 | else if (strncmp(argv[i], "--allow=", 8) == 0) { | ||
1621 | char *line; | ||
1622 | if (asprintf(&line, "whitelist %s", argv[i] + 8) == -1) | ||
1623 | errExit("asprintf"); | ||
1624 | |||
1625 | profile_check_line(line, 0, NULL); // will exit if something wrong | ||
1626 | profile_add(line); | ||
1627 | } | ||
1628 | else if (strncmp(argv[i], "--nowhitelist=", 14) == 0) { | 1601 | else if (strncmp(argv[i], "--nowhitelist=", 14) == 0) { |
1629 | char *line; | 1602 | char *line; |
1630 | if (asprintf(&line, "nowhitelist %s", argv[i] + 14) == -1) | 1603 | if (asprintf(&line, "nowhitelist %s", argv[i] + 14) == -1) |
@@ -1633,15 +1606,6 @@ int main(int argc, char **argv, char **envp) { | |||
1633 | profile_check_line(line, 0, NULL); // will exit if something wrong | 1606 | profile_check_line(line, 0, NULL); // will exit if something wrong |
1634 | profile_add(line); | 1607 | profile_add(line); |
1635 | } | 1608 | } |
1636 | else if (strncmp(argv[i], "--noallow=", 10) == 0) { | ||
1637 | char *line; | ||
1638 | if (asprintf(&line, "nowhitelist %s", argv[i] + 10) == -1) | ||
1639 | errExit("asprintf"); | ||
1640 | |||
1641 | profile_check_line(line, 0, NULL); // will exit if something wrong | ||
1642 | profile_add(line); | ||
1643 | } | ||
1644 | |||
1645 | 1609 | ||
1646 | else if (strncmp(argv[i], "--mkdir=", 8) == 0) { | 1610 | else if (strncmp(argv[i], "--mkdir=", 8) == 0) { |
1647 | char *line; | 1611 | char *line; |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 5e24591fa..9504b26de 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -1752,44 +1752,6 @@ void profile_read(const char *fname) { | |||
1752 | continue; | 1752 | continue; |
1753 | } | 1753 | } |
1754 | 1754 | ||
1755 | // translate allow/deny to whitelist/blacklist | ||
1756 | if (strncmp(ptr, "allow ", 6) == 0) { | ||
1757 | char *tmp; | ||
1758 | if (asprintf(&tmp, "whitelist %s", ptr + 6) == -1) | ||
1759 | errExit("asprintf"); | ||
1760 | free(ptr); | ||
1761 | ptr = tmp; | ||
1762 | } | ||
1763 | else if (strncmp(ptr, "deny ", 5) == 0) { | ||
1764 | char *tmp; | ||
1765 | if (asprintf(&tmp, "blacklist %s", ptr + 5) == -1) | ||
1766 | errExit("asprintf"); | ||
1767 | free(ptr); | ||
1768 | ptr = tmp; | ||
1769 | } | ||
1770 | else if (strncmp(ptr, "deny-nolog ", 11) == 0) { | ||
1771 | char *tmp; | ||
1772 | if (asprintf(&tmp, "blacklist-nolog %s", ptr + 11) == -1) | ||
1773 | errExit("asprintf"); | ||
1774 | free(ptr); | ||
1775 | ptr = tmp; | ||
1776 | } | ||
1777 | // translate noallow/nodeny to nowhitelist/noblacklist | ||
1778 | else if (strncmp(ptr, "noallow ", 8) == 0) { | ||
1779 | char *tmp; | ||
1780 | if (asprintf(&tmp, "nowhitelist %s", ptr + 8) == -1) | ||
1781 | errExit("asprintf"); | ||
1782 | free(ptr); | ||
1783 | ptr = tmp; | ||
1784 | } | ||
1785 | else if (strncmp(ptr, "nodeny ", 7) == 0) { | ||
1786 | char *tmp; | ||
1787 | if (asprintf(&tmp, "noblacklist %s", ptr + 7) == -1) | ||
1788 | errExit("asprintf"); | ||
1789 | free(ptr); | ||
1790 | ptr = tmp; | ||
1791 | } | ||
1792 | |||
1793 | // process quiet | 1755 | // process quiet |
1794 | // todo: a quiet in the profile file cannot be disabled by --ignore on command line | 1756 | // todo: a quiet in the profile file cannot be disabled by --ignore on command line |
1795 | if (strcmp(ptr, "quiet") == 0) { | 1757 | if (strcmp(ptr, "quiet") == 0) { |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 96fa4c81a..53b1e6914 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -1058,6 +1058,11 @@ int sandbox(void* sandbox_arg) { | |||
1058 | EUID_USER(); | 1058 | EUID_USER(); |
1059 | int cwd = 0; | 1059 | int cwd = 0; |
1060 | if (cfg.cwd) { | 1060 | if (cfg.cwd) { |
1061 | if (is_link(cfg.cwd)) { | ||
1062 | fprintf(stderr, "Error: unable to enter private working directory: %s\n", cfg.cwd); | ||
1063 | exit(1); | ||
1064 | } | ||
1065 | |||
1061 | if (chdir(cfg.cwd) == 0) | 1066 | if (chdir(cfg.cwd) == 0) |
1062 | cwd = 1; | 1067 | cwd = 1; |
1063 | else if (arg_private_cwd) { | 1068 | else if (arg_private_cwd) { |
diff --git a/src/profstats/Makefile.in b/src/profstats/Makefile.in index e025f5939..fa1b4f200 100644 --- a/src/profstats/Makefile.in +++ b/src/profstats/Makefile.in | |||
@@ -3,7 +3,7 @@ all: profstats | |||
3 | 3 | ||
4 | include ../common.mk | 4 | include ../common.mk |
5 | 5 | ||
6 | %.o : %.c $(H_FILE_LIST) | 6 | %.o : %.c $(H_FILE_LIST) ../include/common.h |
7 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | 7 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ |
8 | 8 | ||
9 | profstats: $(OBJS) | 9 | profstats: $(OBJS) |
diff --git a/src/profstats/main.c b/src/profstats/main.c index a472ce259..bc5047bfe 100644 --- a/src/profstats/main.c +++ b/src/profstats/main.c | |||
@@ -17,10 +17,8 @@ | |||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | 17 | * with this program; if not, write to the Free Software Foundation, Inc., |
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | 18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
19 | */ | 19 | */ |
20 | #include <stdio.h> | 20 | |
21 | #include <stdlib.h> | 21 | #include "../include/common.h" |
22 | #include <string.h> | ||
23 | #include <assert.h> | ||
24 | 22 | ||
25 | #define MAXBUF 2048 | 23 | #define MAXBUF 2048 |
26 | // stats | 24 | // stats |
@@ -99,8 +97,9 @@ static void usage(void) { | |||
99 | printf("\n"); | 97 | printf("\n"); |
100 | } | 98 | } |
101 | 99 | ||
102 | void process_file(const char *fname) { | 100 | static void process_file(char *fname) { |
103 | assert(fname); | 101 | assert(fname); |
102 | char *tmpfname = NULL; | ||
104 | 103 | ||
105 | if (arg_debug) | 104 | if (arg_debug) |
106 | printf("processing #%s#\n", fname); | 105 | printf("processing #%s#\n", fname); |
@@ -109,9 +108,19 @@ void process_file(const char *fname) { | |||
109 | 108 | ||
110 | FILE *fp = fopen(fname, "r"); | 109 | FILE *fp = fopen(fname, "r"); |
111 | if (!fp) { | 110 | if (!fp) { |
112 | fprintf(stderr, "Warning: cannot open %s, while processing %s\n", fname, profile); | 111 | // the file was not found in the current directory |
113 | level--; | 112 | // look for it in /etc/firejail directory |
114 | return; | 113 | if (asprintf(&tmpfname, "%s/%s", SYSCONFDIR, fname) == -1) |
114 | errExit("asprintf"); | ||
115 | |||
116 | fp = fopen(tmpfname, "r"); | ||
117 | if (!fp) { | ||
118 | fprintf(stderr, "Warning: cannot open %s or %s, while processing %s\n", fname, tmpfname, profile); | ||
119 | free(tmpfname); | ||
120 | level--; | ||
121 | return; | ||
122 | } | ||
123 | fname = tmpfname; | ||
115 | } | 124 | } |
116 | 125 | ||
117 | int have_include_local = 0; | 126 | int have_include_local = 0; |
@@ -204,6 +213,8 @@ void process_file(const char *fname) { | |||
204 | if (!have_include_local) | 213 | if (!have_include_local) |
205 | printf("No include .local found in %s\n", fname); | 214 | printf("No include .local found in %s\n", fname); |
206 | level--; | 215 | level--; |
216 | if (tmpfname) | ||
217 | free(tmpfname); | ||
207 | } | 218 | } |
208 | 219 | ||
209 | int main(int argc, char **argv) { | 220 | int main(int argc, char **argv) { |
diff --git a/src/tools/profcleaner.c b/src/tools/profcleaner.c deleted file mode 100644 index beff93199..000000000 --- a/src/tools/profcleaner.c +++ /dev/null | |||
@@ -1,75 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | |||
21 | //************************************************************* | ||
22 | // Small utility program to convert profiles from blacklist/whitelist to deny/allow | ||
23 | // Compile: | ||
24 | // gcc -o profcleaner profcleaner.c | ||
25 | // Usage: | ||
26 | // profcleaner *.profile | ||
27 | //************************************************************* | ||
28 | |||
29 | #include <stdio.h> | ||
30 | #include <stdlib.h> | ||
31 | #include <string.h> | ||
32 | #include <unistd.h> | ||
33 | #define MAXBUF 4096 | ||
34 | |||
35 | int main(int argc, char **argv) { | ||
36 | printf("Usage: profcleaner files\n"); | ||
37 | int i; | ||
38 | |||
39 | for (i = 1; i < argc; i++) { | ||
40 | FILE *fp = fopen(argv[i], "r"); | ||
41 | if (!fp) { | ||
42 | fprintf(stderr, "Error: cannot open %s\n", argv[i]); | ||
43 | return 1; | ||
44 | } | ||
45 | |||
46 | FILE *fpout = fopen("profcleaner-tmp", "w"); | ||
47 | if (!fpout) { | ||
48 | fprintf(stderr, "Error: cannot open output file\n"); | ||
49 | return 1; | ||
50 | } | ||
51 | |||
52 | char buf[MAXBUF]; | ||
53 | while (fgets(buf, MAXBUF, fp)) { | ||
54 | if (strncmp(buf, "blacklist-nolog", 15) == 0) | ||
55 | fprintf(fpout, "deny-nolog %s", buf + 15); | ||
56 | else if (strncmp(buf, "blacklist", 9) == 0) | ||
57 | fprintf(fpout, "deny %s", buf + 9); | ||
58 | else if (strncmp(buf, "noblacklist", 11) == 0) | ||
59 | fprintf(fpout, "nodeny %s", buf + 11); | ||
60 | else if (strncmp(buf, "whitelist", 9) == 0) | ||
61 | fprintf(fpout, "allow %s", buf + 9); | ||
62 | else if (strncmp(buf, "nowhitelist", 11) == 0) | ||
63 | fprintf(fpout, "noallow %s", buf + 11); | ||
64 | else | ||
65 | fprintf(fpout, "%s", buf); | ||
66 | } | ||
67 | |||
68 | fclose(fp); | ||
69 | fclose(fpout); | ||
70 | unlink(argv[i]); | ||
71 | rename("profcleaner-tmp", argv[i]); | ||
72 | } | ||
73 | |||
74 | return 0; | ||
75 | } | ||
diff --git a/src/tools/profcleaner.sh b/src/tools/profcleaner.sh deleted file mode 100755 index 96402aed6..000000000 --- a/src/tools/profcleaner.sh +++ /dev/null | |||
@@ -1,45 +0,0 @@ | |||
1 | #!/bin/bash | ||
2 | |||
3 | # Copyright (C) 2021 Firejail Authors | ||
4 | # | ||
5 | # This file is part of firejail project | ||
6 | # | ||
7 | # This program is free software; you can redistribute it and/or modify | ||
8 | # it under the terms of the GNU General Public License as published by | ||
9 | # the Free Software Foundation; either version 2 of the License, or | ||
10 | # (at your option) any later version. | ||
11 | # | ||
12 | # This program is distributed in the hope that it will be useful, | ||
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
15 | # GNU General Public License for more details. | ||
16 | # | ||
17 | # You should have received a copy of the GNU General Public License along | ||
18 | # with this program; if not, write to the Free Software Foundation, Inc., | ||
19 | # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
20 | |||
21 | if [[ $1 == --help ]]; then | ||
22 | cat <<-EOM | ||
23 | USAGE: | ||
24 | profcleaner.sh --help Show this help message and exit | ||
25 | profcleaner.sh --system Clean all profiles in /etc/firejail | ||
26 | profcleaner.sh --user Clean all profiles in ~/.config/firejail | ||
27 | profcleaner.sh /path/to/profile1 /path/to/profile2 ... | ||
28 | EOM | ||
29 | exit 0 | ||
30 | fi | ||
31 | |||
32 | if [[ $1 == --system ]]; then | ||
33 | profiles=(/etc/firejail/*.{inc,local,profile}) | ||
34 | elif [[ $1 == --user ]]; then | ||
35 | profiles=("$HOME"/.config/firejail/*.{inc,local,profile}) | ||
36 | else | ||
37 | profiles=("$@") | ||
38 | fi | ||
39 | |||
40 | sed -i -E \ | ||
41 | -e "s/^(# |#)?(ignore )?blacklist/\1\2deny/" \ | ||
42 | -e "s/^(# |#)?(ignore )?noblacklist/\1\2nodeny/" \ | ||
43 | -e "s/^(# |#)?(ignore )?whitelist/\1\2allow/" \ | ||
44 | -e "s/^(# |#)?(ignore )?nowhitelist/\1\2noallow/" \ | ||
45 | "${profiles[@]}" | ||
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in index 6ce71aed8..8c1d758cc 100644 --- a/src/zsh_completion/_firejail.in +++ b/src/zsh_completion/_firejail.in | |||
@@ -48,8 +48,8 @@ _firejail_args=( | |||
48 | '*::arguments:_normal' | 48 | '*::arguments:_normal' |
49 | 49 | ||
50 | '--appimage[sandbox an AppImage application]' | 50 | '--appimage[sandbox an AppImage application]' |
51 | '--build[build a profile for the application and print it on stdout]' | 51 | '--build[build a whitelisted profile for the application and print it on stdout]' |
52 | '--build=-[build a profile for the application and save it]: :_files' | 52 | '--build=-[build a whitelisted profile for the application and save it]: :_files' |
53 | # Ignore that you can do -? too as it's the only short option | 53 | # Ignore that you can do -? too as it's the only short option |
54 | '--help[this help screen]' | 54 | '--help[this help screen]' |
55 | '--join=-[join the sandbox name|pid]: :_all_firejails' | 55 | '--join=-[join the sandbox name|pid]: :_all_firejails' |
@@ -66,14 +66,14 @@ _firejail_args=( | |||
66 | '--ids-init[initialize IDS database]' | 66 | '--ids-init[initialize IDS database]' |
67 | 67 | ||
68 | '--debug[print sandbox debug messages]' | 68 | '--debug[print sandbox debug messages]' |
69 | '--debug-allow[debug file system access]' | 69 | '--debug-blacklists[debug blacklisting]' |
70 | '--debug-caps[print all recognized capabilities]' | 70 | '--debug-caps[print all recognized capabilities]' |
71 | '--debug-deny[debug file system access]' | ||
72 | '--debug-errnos[print all recognized error numbers]' | 71 | '--debug-errnos[print all recognized error numbers]' |
73 | '--debug-private-lib[debug for --private-lib option]' | 72 | '--debug-private-lib[debug for --private-lib option]' |
74 | '--debug-protocols[print all recognized protocols]' | 73 | '--debug-protocols[print all recognized protocols]' |
75 | '--debug-syscalls[print all recognized system calls]' | 74 | '--debug-syscalls[print all recognized system calls]' |
76 | '--debug-syscalls32[print all recognized 32 bit system calls]' | 75 | '--debug-syscalls32[print all recognized 32 bit system calls]' |
76 | '--debug-whitelists[debug whitelisting]' | ||
77 | 77 | ||
78 | '--caps.print=-[print the caps filter name|pid]:firejail:_all_firejails' | 78 | '--caps.print=-[print the caps filter name|pid]:firejail:_all_firejails' |
79 | '--cpu.print=-[print the cpus in use name|pid]: :_all_firejails' | 79 | '--cpu.print=-[print the cpus in use name|pid]: :_all_firejails' |
@@ -86,13 +86,13 @@ _firejail_args=( | |||
86 | '--allusers[all user home directories are visible inside the sandbox]' | 86 | '--allusers[all user home directories are visible inside the sandbox]' |
87 | # Should be _files, a comma and files or files -/ | 87 | # Should be _files, a comma and files or files -/ |
88 | '*--bind=-[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)' | 88 | '*--bind=-[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)' |
89 | '*--blacklist=-[blacklist directory or file]: :_files' | ||
89 | '--caps[enable default Linux capabilities filter]' | 90 | '--caps[enable default Linux capabilities filter]' |
90 | '--caps.drop=all[drop all capabilities]' | 91 | '--caps.drop=all[drop all capabilities]' |
91 | '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :_caps' | 92 | '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :_caps' |
92 | '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :_caps' | 93 | '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :_caps' |
93 | '--cgroup=-[place the sandbox in the specified control group]: :' | 94 | '--cgroup=-[place the sandbox in the specified control group]: :' |
94 | '--cpu=-[set cpu affinity]: :->cpus' | 95 | '--cpu=-[set cpu affinity]: :->cpus' |
95 | '*--deny=-[deny access to directory or file]: :_files' | ||
96 | "--deterministic-exit-code[always exit with first child's status code]" | 96 | "--deterministic-exit-code[always exit with first child's status code]" |
97 | '--deterministic-shutdown[terminate orphan processes]' | 97 | '--deterministic-shutdown[terminate orphan processes]' |
98 | '*--dns=-[set DNS server]: :' | 98 | '*--dns=-[set DNS server]: :' |
@@ -116,7 +116,7 @@ _firejail_args=( | |||
116 | '--nice=-[set nice value]: :(1 10 15 20)' | 116 | '--nice=-[set nice value]: :(1 10 15 20)' |
117 | '--no3d[disable 3D hardware acceleration]' | 117 | '--no3d[disable 3D hardware acceleration]' |
118 | '--noautopulse[disable automatic ~/.config/pulse init]' | 118 | '--noautopulse[disable automatic ~/.config/pulse init]' |
119 | '--nodeny=-[disable deny command for file or directory]: :_files' | 119 | '--noblacklist=-[disable blacklist for file or directory]: :_files' |
120 | '--nodbus[disable D-Bus access]' | 120 | '--nodbus[disable D-Bus access]' |
121 | '--nodvd[disable DVD and audio CD devices]' | 121 | '--nodvd[disable DVD and audio CD devices]' |
122 | '*--noexec=-[remount the file or directory noexec nosuid and nodev]: :_files' | 122 | '*--noexec=-[remount the file or directory noexec nosuid and nodev]: :_files' |
@@ -147,13 +147,13 @@ _firejail_args=( | |||
147 | '--rlimit-nproc=-[set the maximum number of processes that can be created for the real user ID of the calling process]: :' | 147 | '--rlimit-nproc=-[set the maximum number of processes that can be created for the real user ID of the calling process]: :' |
148 | '--rlimit-sigpending=-[set the maximum number of pending signals for a process]: :' | 148 | '--rlimit-sigpending=-[set the maximum number of pending signals for a process]: :' |
149 | '*--rmenv=-[remove environment variable in the new sandbox]: :_values environment-variables $(env | cut -d= -f1)' | 149 | '*--rmenv=-[remove environment variable in the new sandbox]: :_values environment-variables $(env | cut -d= -f1)' |
150 | '--seccomp[enable seccomp filter and drop the default syscalls]: :' | 150 | '--seccomp[enable seccomp filter and apply the default blacklist]: :' |
151 | '--seccomp=-[enable seccomp filter, drop the default syscall list and the syscalls specified by the command]: :->seccomp' | 151 | '--seccomp=-[enable seccomp filter, blacklist the default syscall list and the syscalls specified by the command]: :->seccomp' |
152 | '--seccomp.block-secondary[build only the native architecture filters]' | 152 | '--seccomp.block-secondary[build only the native architecture filters]' |
153 | '*--seccomp.drop=-[enable seccomp filter, and drop the syscalls specified by the command]: :->seccomp' | 153 | '*--seccomp.drop=-[enable seccomp filter, and blacklist the syscalls specified by the command]: :->seccomp' |
154 | '*--seccomp.keep=-[enable seccomp filter, and allow the syscalls specified by the command]: :->seccomp' | 154 | '*--seccomp.keep=-[enable seccomp filter, and whitelist the syscalls specified by the command]: :->seccomp' |
155 | '*--seccomp.32.drop=-[enable seccomp filter, and drop the 32 bit syscalls specified by the command]: :' | 155 | '*--seccomp.32.drop=-[enable seccomp filter, and blacklist the 32 bit syscalls specified by the command]: :' |
156 | '*--seccomp.32.keep=-[enable seccomp filter, and drop the 32 bit syscalls specified by the command]: :' | 156 | '*--seccomp.32.keep=-[enable seccomp filter, and whitelist the 32 bit syscalls specified by the command]: :' |
157 | # FIXME: Add errnos | 157 | # FIXME: Add errnos |
158 | '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(kill log)' | 158 | '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(kill log)' |
159 | '--shell=none[run the program directly without a user shell]' | 159 | '--shell=none[run the program directly without a user shell]' |
@@ -161,7 +161,7 @@ _firejail_args=( | |||
161 | '--timeout=-[kill the sandbox automatically after the time has elapsed]: :' | 161 | '--timeout=-[kill the sandbox automatically after the time has elapsed]: :' |
162 | #'(--tracelog)--trace[trace open, access and connect system calls]' | 162 | #'(--tracelog)--trace[trace open, access and connect system calls]' |
163 | '(--tracelog)--trace=-[trace open, access and connect system calls]: :_files' | 163 | '(--tracelog)--trace=-[trace open, access and connect system calls]: :_files' |
164 | '(--trace)--tracelog[add a syslog message for every access to files or directories dropped by the security profile]' | 164 | '(--trace)--tracelog[add a syslog message for every access to files or directories blacklisted by the security profile]' |
165 | '(--private-etc)--writable-etc[/etc directory is mounted read-write]' | 165 | '(--private-etc)--writable-etc[/etc directory is mounted read-write]' |
166 | '--writable-run-user[allow access to /run/user/$UID/systemd and /run/user/$UID/gnupg]' | 166 | '--writable-run-user[allow access to /run/user/$UID/systemd and /run/user/$UID/gnupg]' |
167 | '--writable-var[/var directory is mounted read-write]' | 167 | '--writable-var[/var directory is mounted read-write]' |
@@ -255,8 +255,8 @@ _firejail_args=( | |||
255 | '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/' | 255 | '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/' |
256 | #endif | 256 | #endif |
257 | 257 | ||
258 | '*--noallow=-[disable allow command for file or directory]: :_files' | 258 | '*--nowhitelist=-[disable whitelist for file or directory]: :_files' |
259 | '*--allow=-[allow file system access]: :_files' | 259 | '*--whitelist=-[whitelist directory or file]: :_files' |
260 | 260 | ||
261 | #ifdef HAVE_X11 | 261 | #ifdef HAVE_X11 |
262 | '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]' | 262 | '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]' |
diff --git a/test/filters/filters.sh b/test/filters/filters.sh index a9f06b60a..eb4e4702c 100755 --- a/test/filters/filters.sh +++ b/test/filters/filters.sh | |||
@@ -115,13 +115,6 @@ echo "TESTING: seccomp numeric (test/filters/seccomp-numeric.exp)" | |||
115 | ./seccomp-numeric.exp | 115 | ./seccomp-numeric.exp |
116 | 116 | ||
117 | if [ "$(uname -m)" = "x86_64" ]; then | 117 | if [ "$(uname -m)" = "x86_64" ]; then |
118 | echo "TESTING: seccomp dual filter (test/filters/seccomp-dualfilter.exp)" | ||
119 | ./seccomp-dualfilter.exp | ||
120 | else | ||
121 | echo "TESTING SKIP: seccomp dual, not running on x86_64" | ||
122 | fi | ||
123 | |||
124 | if [ "$(uname -m)" = "x86_64" ]; then | ||
125 | echo "TESTING: seccomp join (test/filters/seccomp-join.exp)" | 118 | echo "TESTING: seccomp join (test/filters/seccomp-join.exp)" |
126 | ./seccomp-join.exp | 119 | ./seccomp-join.exp |
127 | else | 120 | else |
diff --git a/test/filters/fseccomp.exp b/test/filters/fseccomp.exp index 59f812d6d..6becbff22 100755 --- a/test/filters/fseccomp.exp +++ b/test/filters/fseccomp.exp | |||
@@ -111,7 +111,7 @@ expect { | |||
111 | } | 111 | } |
112 | expect { | 112 | expect { |
113 | timeout {puts "TESTING ERROR 9.3\n";exit} | 113 | timeout {puts "TESTING ERROR 9.3\n";exit} |
114 | "ret KILL" | 114 | "ret ERRNO" |
115 | } | 115 | } |
116 | 116 | ||
117 | 117 | ||
diff --git a/test/filters/memwrexe b/test/filters/memwrexe index 669f0d320..1173cdc07 100755 --- a/test/filters/memwrexe +++ b/test/filters/memwrexe | |||
Binary files differ | |||
diff --git a/test/filters/memwrexe-32 b/test/filters/memwrexe-32 index 70c98b796..bdf71dcb4 100755 --- a/test/filters/memwrexe-32 +++ b/test/filters/memwrexe-32 | |||
Binary files differ | |||
diff --git a/test/filters/memwrexe.c b/test/filters/memwrexe.c index 4fbf05f78..d8bf4edaa 100644 --- a/test/filters/memwrexe.c +++ b/test/filters/memwrexe.c | |||
@@ -42,6 +42,11 @@ int main(int argc, char **argv) { | |||
42 | } | 42 | } |
43 | 43 | ||
44 | void *p = mmap (0, size, PROT_WRITE|PROT_READ|PROT_EXEC, MAP_SHARED, fd, 0); | 44 | void *p = mmap (0, size, PROT_WRITE|PROT_READ|PROT_EXEC, MAP_SHARED, fd, 0); |
45 | if (p == MAP_FAILED) { | ||
46 | printf("mmap failed\n"); | ||
47 | return 0; | ||
48 | } | ||
49 | |||
45 | printf("mmap successful\n"); | 50 | printf("mmap successful\n"); |
46 | 51 | ||
47 | // wait for expect to timeout | 52 | // wait for expect to timeout |
@@ -70,7 +75,12 @@ int main(int argc, char **argv) { | |||
70 | return 1; | 75 | return 1; |
71 | } | 76 | } |
72 | 77 | ||
73 | mprotect(p, size, PROT_READ|PROT_WRITE|PROT_EXEC); | 78 | int rv = mprotect(p, size, PROT_READ|PROT_WRITE|PROT_EXEC); |
79 | if (rv) { | ||
80 | printf("mprotect failed\n"); | ||
81 | return 1; | ||
82 | } | ||
83 | |||
74 | printf("mprotect successful\n"); | 84 | printf("mprotect successful\n"); |
75 | 85 | ||
76 | // wait for expect to timeout | 86 | // wait for expect to timeout |
@@ -82,7 +92,7 @@ int main(int argc, char **argv) { | |||
82 | else if (strcmp(argv[1], "memfd_create") == 0) { | 92 | else if (strcmp(argv[1], "memfd_create") == 0) { |
83 | int fd = syscall(SYS_memfd_create, "memfd_create", 0); | 93 | int fd = syscall(SYS_memfd_create, "memfd_create", 0); |
84 | if (fd == -1) { | 94 | if (fd == -1) { |
85 | fprintf(stderr, "TESTING ERROR: cannot run memfd_create test\n"); | 95 | printf("memfd_create failed\n"); |
86 | return 1; | 96 | return 1; |
87 | } | 97 | } |
88 | printf("memfd_create successful\n"); | 98 | printf("memfd_create successful\n"); |
diff --git a/test/filters/noroot.exp b/test/filters/noroot.exp index 64f72f610..5fc16c47f 100755 --- a/test/filters/noroot.exp +++ b/test/filters/noroot.exp | |||
@@ -72,7 +72,7 @@ expect { | |||
72 | send -- "cat /proc/self/gid_map | wc -l\r" | 72 | send -- "cat /proc/self/gid_map | wc -l\r" |
73 | expect { | 73 | expect { |
74 | timeout {puts "TESTING ERROR 12\n";exit} | 74 | timeout {puts "TESTING ERROR 12\n";exit} |
75 | "5" | 75 | "9" |
76 | } | 76 | } |
77 | 77 | ||
78 | 78 | ||
@@ -104,7 +104,7 @@ expect { | |||
104 | send -- "cat /proc/self/gid_map | wc -l\r" | 104 | send -- "cat /proc/self/gid_map | wc -l\r" |
105 | expect { | 105 | expect { |
106 | timeout {puts "TESTING ERROR 17\n";exit} | 106 | timeout {puts "TESTING ERROR 17\n";exit} |
107 | "5" | 107 | "9" |
108 | } | 108 | } |
109 | 109 | ||
110 | # check seccomp disabled and all caps enabled | 110 | # check seccomp disabled and all caps enabled |
diff --git a/test/filters/protocol.exp b/test/filters/protocol.exp index 071460e4c..09c742378 100755 --- a/test/filters/protocol.exp +++ b/test/filters/protocol.exp | |||
@@ -7,179 +7,38 @@ set timeout 10 | |||
7 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
8 | match_max 100000 | 8 | match_max 100000 |
9 | 9 | ||
10 | send -- "firejail --noprofile --protocol=unix ./syscall_test socket\r" | 10 | send -- "firejail --noprofile --protocol=unix --debug\r" |
11 | expect { | 11 | expect { |
12 | timeout {puts "TESTING ERROR 1\n";exit} | 12 | timeout {puts "TESTING ERROR 1\n";exit} |
13 | "Permission denied" {puts "TESTING SKIP: permission denied\n"; exit} | 13 | "0009: 20 00 00 00000000 ld data.syscall-number" |
14 | "Child process initialized" | ||
15 | } | 14 | } |
16 | expect { | 15 | expect { |
17 | timeout {puts "TESTING ERROR 1.1\n";exit} | ||
18 | "Permission denied" {puts "TESTING SKIP: permission denied\n"; exit} | ||
19 | "socket AF_INET" | ||
20 | } | ||
21 | expect { | ||
22 | timeout {puts "TESTING ERROR 1.2\n";exit} | ||
23 | "Operation not supported" | ||
24 | } | ||
25 | expect { | ||
26 | timeout {puts "TESTING ERROR 1.3\n";exit} | ||
27 | "socket AF_INET6" | ||
28 | } | ||
29 | expect { | ||
30 | timeout {puts "TESTING ERROR 1.4\n";exit} | ||
31 | "Operation not supported" | ||
32 | } | ||
33 | expect { | ||
34 | timeout {puts "TESTING ERROR 1.5\n";exit} | ||
35 | "socket AF_NETLINK" | ||
36 | } | ||
37 | expect { | ||
38 | timeout {puts "TESTING ERROR 1.6\n";exit} | ||
39 | "Operation not supported" | ||
40 | } | ||
41 | expect { | ||
42 | timeout {puts "TESTING ERROR 1.7\n";exit} | ||
43 | "socket AF_UNIX" | ||
44 | } | ||
45 | expect { | ||
46 | timeout {puts "TESTING ERROR 1.8\n";exit} | ||
47 | "socket AF_PACKETX" | ||
48 | } | ||
49 | expect { | ||
50 | timeout {puts "TESTING ERROR 1.9\n";exit} | ||
51 | "Operation not supported" | ||
52 | } | ||
53 | sleep 1 | ||
54 | |||
55 | send -- "firejail --noprofile --protocol=inet6,packet ./syscall_test socket\r" | ||
56 | expect { | ||
57 | timeout {puts "TESTING ERROR 2\n";exit} | 16 | timeout {puts "TESTING ERROR 2\n";exit} |
58 | "Child process initialized" | 17 | "000a: 15 01 00 00000029 jeq socket 000c (false 000b)" |
59 | } | ||
60 | expect { | ||
61 | timeout {puts "TESTING ERROR 2.1\n";exit} | ||
62 | "socket AF_INET" | ||
63 | } | ||
64 | expect { | ||
65 | timeout {puts "TESTING ERROR 2.2\n";exit} | ||
66 | "Operation not supported" | ||
67 | } | ||
68 | expect { | ||
69 | timeout {puts "TESTING ERROR 2.3\n";exit} | ||
70 | "socket AF_INET6" | ||
71 | } | ||
72 | expect { | ||
73 | timeout {puts "TESTING ERROR 2.4\n";exit} | ||
74 | "socket AF_NETLINK" | ||
75 | } | ||
76 | expect { | ||
77 | timeout {puts "TESTING ERROR 2.5\n";exit} | ||
78 | "Operation not supported" | ||
79 | } | ||
80 | expect { | ||
81 | timeout {puts "TESTING ERROR 2.6\n";exit} | ||
82 | "socket AF_UNIX" | ||
83 | } | ||
84 | expect { | ||
85 | timeout {puts "TESTING ERROR 2.7\n";exit} | ||
86 | "Operation not supported" | ||
87 | } | ||
88 | expect { | ||
89 | timeout {puts "TESTING ERROR 2.8\n";exit} | ||
90 | "socket AF_PACKETX" | ||
91 | } | ||
92 | expect { | ||
93 | timeout {puts "TESTING ERROR 2.9\n";exit} | ||
94 | "after socket" | ||
95 | } | 18 | } |
96 | sleep 1 | ||
97 | |||
98 | # profile testing | ||
99 | send -- "firejail --profile=protocol1.profile ./syscall_test socket\r" | ||
100 | expect { | 19 | expect { |
101 | timeout {puts "TESTING ERROR 3\n";exit} | 20 | timeout {puts "TESTING ERROR 3\n";exit} |
102 | "Child process initialized" | 21 | "000b: 06 00 00 7fff0000 ret ALLOW" |
103 | } | ||
104 | expect { | ||
105 | timeout {puts "TESTING ERROR 3.1\n";exit} | ||
106 | "socket AF_INET" | ||
107 | } | ||
108 | expect { | ||
109 | timeout {puts "TESTING ERROR 3.2\n";exit} | ||
110 | "Operation not supported" | ||
111 | } | ||
112 | expect { | ||
113 | timeout {puts "TESTING ERROR 3.3\n";exit} | ||
114 | "socket AF_INET6" | ||
115 | } | ||
116 | expect { | ||
117 | timeout {puts "TESTING ERROR 3.4\n";exit} | ||
118 | "Operation not supported" | ||
119 | } | ||
120 | expect { | ||
121 | timeout {puts "TESTING ERROR 3.5\n";exit} | ||
122 | "socket AF_NETLINK" | ||
123 | } | ||
124 | expect { | ||
125 | timeout {puts "TESTING ERROR 3.6\n";exit} | ||
126 | "Operation not supported" | ||
127 | } | ||
128 | expect { | ||
129 | timeout {puts "TESTING ERROR 3.7\n";exit} | ||
130 | "socket AF_UNIX" | ||
131 | } | ||
132 | expect { | ||
133 | timeout {puts "TESTING ERROR 3.8\n";exit} | ||
134 | "socket AF_PACKETX" | ||
135 | } | 22 | } |
136 | expect { | 23 | expect { |
137 | timeout {puts "TESTING ERROR 3.9\n";exit} | ||
138 | "Operation not supported" | ||
139 | } | ||
140 | sleep 1 | ||
141 | |||
142 | send -- "firejail --profile=protocol2.profile ./syscall_test socket\r" | ||
143 | expect { | ||
144 | timeout {puts "TESTING ERROR 4\n";exit} | 24 | timeout {puts "TESTING ERROR 4\n";exit} |
145 | "Child process initialized" | 25 | "000c: 20 00 00 00000010 ld data.args" |
146 | } | ||
147 | expect { | ||
148 | timeout {puts "TESTING ERROR 4.1\n";exit} | ||
149 | "socket AF_INET" | ||
150 | } | ||
151 | expect { | ||
152 | timeout {puts "TESTING ERROR 4.2\n";exit} | ||
153 | "Operation not supported" | ||
154 | } | ||
155 | expect { | ||
156 | timeout {puts "TESTING ERROR 4.3\n";exit} | ||
157 | "socket AF_INET6" | ||
158 | } | 26 | } |
159 | expect { | 27 | expect { |
160 | timeout {puts "TESTING ERROR 4.4\n";exit} | 28 | timeout {puts "TESTING ERROR 5\n";exit} |
161 | "socket AF_NETLINK" | 29 | "000d: 15 00 01 00000001 jeq 1 000e (false 000f)" |
162 | } | 30 | } |
163 | expect { | 31 | expect { |
164 | timeout {puts "TESTING ERROR 4.5\n";exit} | 32 | timeout {puts "TESTING ERROR 6\n";exit} |
165 | "Operation not supported" | 33 | "000e: 06 00 00 7fff0000 ret ALLOW" |
34 | "" | ||
166 | } | 35 | } |
167 | expect { | 36 | expect { |
168 | timeout {puts "TESTING ERROR 4.6\n";exit} | 37 | timeout {puts "TESTING ERROR 7\n";exit} |
169 | "socket AF_UNIX" | 38 | "000f: 06 00 00 0005005f ret ERRNO(95)" |
170 | } | 39 | } |
171 | expect { | ||
172 | timeout {puts "TESTING ERROR 4.7\n";exit} | ||
173 | "Operation not supported" | ||
174 | } | ||
175 | expect { | ||
176 | timeout {puts "TESTING ERROR 4.8\n";exit} | ||
177 | "socket AF_PACKETX" | ||
178 | } | ||
179 | expect { | ||
180 | timeout {puts "TESTING ERROR 4.9\n";exit} | ||
181 | "after socket" | ||
182 | } | ||
183 | after 100 | ||
184 | 40 | ||
41 | after 100 | ||
42 | send -- "exit\r" | ||
43 | after 100 | ||
185 | puts "\nall done\n" | 44 | puts "\nall done\n" |
diff --git a/test/filters/seccomp-dualfilter.exp b/test/filters/seccomp-dualfilter.exp deleted file mode 100755 index e655be848..000000000 --- a/test/filters/seccomp-dualfilter.exp +++ /dev/null | |||
@@ -1,55 +0,0 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2021 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 1 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "./syscall_test\r" | ||
11 | expect { | ||
12 | timeout {puts "\nTESTING SKIP: 64-bit support missing\n";exit} | ||
13 | "Usage" | ||
14 | } | ||
15 | |||
16 | send -- "./syscall_test32\r" | ||
17 | expect { | ||
18 | timeout {puts "\nTESTING SKIP: 32-bit support missing\n";exit} | ||
19 | "Usage" | ||
20 | } | ||
21 | |||
22 | set timeout 10 | ||
23 | send -- "firejail ./syscall_test mount\r" | ||
24 | expect { | ||
25 | timeout {puts "TESTING ERROR 0\n";exit} | ||
26 | "Child process initialized" | ||
27 | } | ||
28 | expect { | ||
29 | timeout {puts "TESTING ERROR 1\n";exit} | ||
30 | "before mount" | ||
31 | } | ||
32 | expect { | ||
33 | timeout {puts "TESTING ERROR 2\n";exit} | ||
34 | "after mount" {puts "TESTING ERROR 3\n";exit} | ||
35 | "Parent is shutting down" | ||
36 | } | ||
37 | sleep 1 | ||
38 | |||
39 | send -- "firejail ./syscall_test32 mount\r" | ||
40 | expect { | ||
41 | timeout {puts "TESTING ERROR 4\n";exit} | ||
42 | "Child process initialized" | ||
43 | } | ||
44 | expect { | ||
45 | timeout {puts "TESTING ERROR 5\n";exit} | ||
46 | "before mount" | ||
47 | } | ||
48 | expect { | ||
49 | timeout {puts "TESTING ERROR 6\n";exit} | ||
50 | "after mount" {puts "TESTING ERROR 7\n";exit} | ||
51 | "Parent is shutting down" | ||
52 | } | ||
53 | |||
54 | after 100 | ||
55 | puts "\nall done\n" | ||
diff --git a/test/filters/seccomp-postexec.exp b/test/filters/seccomp-postexec.exp index 18263520a..fe0e40e60 100755 --- a/test/filters/seccomp-postexec.exp +++ b/test/filters/seccomp-postexec.exp | |||
@@ -14,20 +14,17 @@ expect { | |||
14 | } | 14 | } |
15 | expect { | 15 | expect { |
16 | timeout {puts "TESTING ERROR 1\n";exit} | 16 | timeout {puts "TESTING ERROR 1\n";exit} |
17 | "data.architecture" | ||
18 | } | ||
19 | expect { | ||
20 | timeout {puts "TESTING ERROR 2\n";exit} | ||
21 | "monitoring pid" | 17 | "monitoring pid" |
22 | } | 18 | } |
19 | sleep 1 | ||
20 | |||
21 | send -- "ls\r" | ||
23 | expect { | 22 | expect { |
24 | timeout {puts "TESTING ERROR 3\n";exit} | 23 | timeout {puts "TESTING ERROR 2\n";exit} |
25 | "Sandbox monitor: waitpid" | 24 | "not permitted" |
26 | } | ||
27 | expect { | ||
28 | timeout {puts "TESTING ERROR 4\n";exit} | ||
29 | "Parent is shutting down" | ||
30 | } | 25 | } |
31 | sleep 1 | ||
32 | 26 | ||
27 | |||
28 | send -- "exit\r" | ||
29 | after 100 | ||
33 | puts "all done\n" | 30 | puts "all done\n" |
diff --git a/test/filters/seccomp-ptrace.exp b/test/filters/seccomp-ptrace.exp index ec8ab615c..05fd6eabb 100755 --- a/test/filters/seccomp-ptrace.exp +++ b/test/filters/seccomp-ptrace.exp | |||
@@ -17,8 +17,7 @@ sleep 2 | |||
17 | send -- "strace ls\r" | 17 | send -- "strace ls\r" |
18 | expect { | 18 | expect { |
19 | timeout {puts "TESTING ERROR 1\n";exit} | 19 | timeout {puts "TESTING ERROR 1\n";exit} |
20 | "Bad system call" {puts "version 1\n";} | 20 | "not permitted" |
21 | " unexpected signal 31" {puts "version 2\n"} | ||
22 | } | 21 | } |
23 | 22 | ||
24 | send -- "exit\r" | 23 | send -- "exit\r" |
diff --git a/test/filters/syscall_test b/test/filters/syscall_test deleted file mode 100755 index bf29c5b99..000000000 --- a/test/filters/syscall_test +++ /dev/null | |||
Binary files differ | |||
diff --git a/test/filters/syscall_test.c b/test/filters/syscall_test.c deleted file mode 100644 index 55ee31afb..000000000 --- a/test/filters/syscall_test.c +++ /dev/null | |||
@@ -1,82 +0,0 @@ | |||
1 | // This file is part of Firejail project | ||
2 | // Copyright (C) 2014-2021 Firejail Authors | ||
3 | // License GPL v2 | ||
4 | |||
5 | #include <stdlib.h> | ||
6 | #include <stdio.h> | ||
7 | #include <unistd.h> | ||
8 | #include <sys/types.h> | ||
9 | #include <sys/socket.h> | ||
10 | #include <linux/netlink.h> | ||
11 | #include <net/ethernet.h> | ||
12 | #include <sys/mount.h> | ||
13 | |||
14 | int main(int argc, char **argv) { | ||
15 | if (argc != 2) { | ||
16 | printf("Usage: test [sleep|socket|mkdir|mount]\n"); | ||
17 | return 1; | ||
18 | } | ||
19 | |||
20 | if (strcmp(argv[1], "sleep") == 0) { | ||
21 | printf("before sleep\n"); | ||
22 | sleep(1); | ||
23 | printf("after sleep\n"); | ||
24 | } | ||
25 | else if (strcmp(argv[1], "socket") == 0) { | ||
26 | int sock; | ||
27 | |||
28 | printf("testing socket AF_INET\n"); | ||
29 | if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) { | ||
30 | perror("socket"); | ||
31 | } | ||
32 | else | ||
33 | close(sock); | ||
34 | |||
35 | printf("testing socket AF_INET6\n"); | ||
36 | if ((sock = socket(AF_INET6, SOCK_STREAM, 0)) < 0) { | ||
37 | perror("socket"); | ||
38 | } | ||
39 | else | ||
40 | close(sock); | ||
41 | |||
42 | printf("testing socket AF_NETLINK\n"); | ||
43 | if ((sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE)) < 0) { | ||
44 | perror("socket"); | ||
45 | } | ||
46 | else | ||
47 | close(sock); | ||
48 | |||
49 | printf("testing socket AF_UNIX\n"); | ||
50 | if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) { | ||
51 | perror("socket"); | ||
52 | } | ||
53 | else | ||
54 | close(sock); | ||
55 | |||
56 | // root needed to be able to handle this | ||
57 | printf("testing socket AF_PACKETX\n"); | ||
58 | if ((sock = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP))) < 0) { | ||
59 | perror("socket"); | ||
60 | } | ||
61 | else | ||
62 | close(sock); | ||
63 | printf("after socket\n"); | ||
64 | } | ||
65 | else if (strcmp(argv[1], "mkdir") == 0) { | ||
66 | printf("before mkdir\n"); | ||
67 | mkdir("tmp", 0777); | ||
68 | printf("after mkdir\n"); | ||
69 | } | ||
70 | else if (strcmp(argv[1], "mount") == 0) { | ||
71 | printf("before mount\n"); | ||
72 | if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) { | ||
73 | perror("mount"); | ||
74 | } | ||
75 | printf("after mount\n"); | ||
76 | } | ||
77 | else { | ||
78 | fprintf(stderr, "Error: invalid argument\n"); | ||
79 | return 1; | ||
80 | } | ||
81 | return 0; | ||
82 | } | ||
diff --git a/test/filters/syscall_test32 b/test/filters/syscall_test32 deleted file mode 100755 index 8d72f58c4..000000000 --- a/test/filters/syscall_test32 +++ /dev/null | |||
Binary files differ | |||