9 files changed, 191 insertions, 5 deletions
diff --git a/README b/README
index 42a1f580a..5dc50c9bf 100644
--- a/README
+++ b/README
@@ -97,6 +97,10 @@ valoq (https://github.com/valoq)
        - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles
        - added wget profile
        - disable gnupg and systemd directories under /run/user
+thewisenerd (https://github.com/thewisenerd)
+        - appimage: pass commandline arguments
+KOLANICH (https://github.com/KOLANICH)
+        - added symlink fixer
 Jesse Smith (https://github.com/slicer69)
        - added QupZilla profile
 Lari Rauno (https://github.com/tuutti)
@@ -317,6 +321,7 @@ Peter Millerchip (https://github.com/pmillerchip)
        - support for files and directories starting with ~ in blacklist option
        - support for files and directories with spaces in blacklist option
        - lots of other fixes
+        - implement the --allow-private-blacklist option
 sarneaud (https://github.com/sarneaud)
        - rewrite globbing code to fix various minor issues
        - added noblacklist command for profile files
diff --git a/README.md b/README.md
index a8722f810..9057a9a88 100644
--- a/README.md
+++ b/README.md
@@ -81,6 +81,15 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is
              Example:
              $ firejail --machine-id
+       --allow-private-blacklist
+              Allow  blacklisting  files in private home directory. By default
+              these blacklists are disabled.
+              Example:
+              $   firejail    --allow-private-blacklist   --private=~/priv-dir
+              --blacklist=~/.mozilla
+             
 `````
 ## New Profiles
 xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom, Guayadeque, qemu, keypass2,
diff --git a/RELNOTES b/RELNOTES
index 7144b2bf3..2d57b1a88 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -13,7 +13,9 @@ firejail (0.9.45) baseline; urgency=low
  * feature: private /opt directory (--private-opt, profile support)
  * feature: private /srv directory (--private-srv, profile support)
  * feature: spoof machine-id
-  * feature: config support for firejail prompt in terminal
+  * feature: config support for firejail prompt in terminals
+  * feature: pass command line arguments to appimages
+  * feature: --allow-private-blacklist option
  * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire,
  * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
  * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator,
diff --git a/etc/fix_private-bin_for_symlinked_sh.py b/contrib/fix_private-bin_for_symlinked_sh.py
index 705e46e46..705e46e46 100644
--- a/etc/fix_private-bin_for_symlinked_sh.py
+++ b/contrib/fix_private-bin_for_symlinked_sh.py
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 1131abe5f..9f4dfd44c 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -30,8 +30,8 @@ void usage(void) {
        printf("Options:\n");
        printf("    -- - signal the end of options and disables further option processing.\n");
        printf("    --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n");
-        printf("    --allow-private-blacklist - allow blacklisting things in private\n");
+        printf("    --allow-private-blacklist - allow blacklisting files in private\n");
-        printf("\tdirectories.\n");
+        printf("\thome directories.\n");
        printf("    --allusers - all user home directories are visible inside the sandbox.\n");
        printf("    --apparmor - enable AppArmor confinement.\n");
        printf("    --appimage - sandbox an AppImage application.\n");
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 5b43b1ca5..60c21cbc1 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -84,6 +84,15 @@ Example:
 .br
 $ firejail  --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox
 .TP
+\fB\-\-allow-private-blacklist
+Allow blacklisting files in private home directory. By default these blacklists are disabled.
+.br
+.br
+Example:
+.br
+$ firejail  --allow-private-blacklist --private=~/priv-dir --blacklist=~/.mozilla
+.TP
 \fB\-\-allusers
 All directories under /home are visible inside the sandbox. By default, only current user home directory is visible.
 .br
diff --git a/test/appimage/appimage-args.exp b/test/appimage/appimage-args.exp
new file mode 100755
index 000000000..93dba69ad
--- /dev/null
+++ b/test/appimage/appimage-args.exp
@@ -0,0 +1,97 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=appimage-test --debug --appimage Leafpad-0.8.17-x86_64.AppImage testfile\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "execvp argument 2"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "AppRun"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "testfile"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "appimage Leafpad"
+}
+after 100
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        "appimage Leafpad"
+}
+expect {
+        timeout {puts "TESTING ERROR 9 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "appimage Leafpad"
+}
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 14\n";exit}
+        "name=blablabla"
+}
+after 100
+spawn $env(SHELL)
+send -- "firejail --shutdown=appimage-test\r"
+sleep 3
+puts "\nall done\n"
diff --git a/test/appimage/appimage.sh b/test/appimage/appimage.sh
index db221ec8a..bb646e189 100755
--- a/test/appimage/appimage.sh
+++ b/test/appimage/appimage.sh
@@ -13,4 +13,8 @@ echo "TESTING: AppImage v2 (test/appimage/appimage-v2.exp)"
 ./appimage-v2.exp
 echo "TESTING: AppImage file name (test/appimage/filename.exp)";
-./filename.exp
-\ No newline at end of file
+./filename.exp
+echo "TESTING: AppImage argsv1 (test/appimage/appimage-args.exp)"
+./appimage-args.exp
diff --git a/test/fs/private-home-dir.exp b/test/fs/private-home-dir.exp
index 5491be834..f85a939b1 100755
--- a/test/fs/private-home-dir.exp
+++ b/test/fs/private-home-dir.exp
@@ -21,6 +21,8 @@ if {[file exists ~/.Xauthority]} {
        send -- "touch ~/.Xauthority\r"
 }
 after 100
+send -- "rm -fr ~/_firejail_test_dir_\r"
+after 100
 send -- "mkdir ~/_firejail_test_dir_\r"
 sleep 1
@@ -65,6 +67,64 @@ expect {
        "private directory should be owned by the current user"
 }
 sleep 1
+send -- "mkdir ~/_firejail_test_dir_/test_dir_2\r"
+after 100
+send -- "touch ~/_firejail_test_dir_/test_dir_2/testfile\r"
+sleep 1
+send -- "firejail --debug --noprofile --blacklist=~/test_dir_2 --private=~/_firejail_test_dir_\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "Not blacklist"
+}
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "test_dir_2"
+}
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "find ~\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "testfile"
+}
+after 100
+send -- "exit\r"
+sleep 1
+send -- "firejail --debug --noprofile --allow-private-blacklist --blacklist=~/test_dir_2 --private=~/_firejail_test_dir_\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "Disable"
+}
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "test_dir_2"
+}
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ls ~/test_dir_2\r"
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "cannot open directory"
+}
+after 100
+send "exit\r"
+sleep 1
+send -- "rm -fr ~/_firejail_test_dir_\r"
+after 100
-puts "all done\n"
+puts "\nall done\n"

diff --git a/README b/README index 42a1f580a..5dc50c9bf 100644 --- a/README +++ b/README
@@ -97,6 +97,10 @@ valoq (https://github.com/valoq)
97	- added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles	97	- added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles
98	- added wget profile	98	- added wget profile
99	- disable gnupg and systemd directories under /run/user	99	- disable gnupg and systemd directories under /run/user
		100	thewisenerd (https://github.com/thewisenerd)
		101	- appimage: pass commandline arguments
		102	KOLANICH (https://github.com/KOLANICH)
		103	- added symlink fixer
100	Jesse Smith (https://github.com/slicer69)	104	Jesse Smith (https://github.com/slicer69)
101	- added QupZilla profile	105	- added QupZilla profile
102	Lari Rauno (https://github.com/tuutti)	106	Lari Rauno (https://github.com/tuutti)
@@ -317,6 +321,7 @@ Peter Millerchip (https://github.com/pmillerchip)
317	- support for files and directories starting with ~ in blacklist option	321	- support for files and directories starting with ~ in blacklist option
318	- support for files and directories with spaces in blacklist option	322	- support for files and directories with spaces in blacklist option
319	- lots of other fixes	323	- lots of other fixes
		324	- implement the --allow-private-blacklist option
320	sarneaud (https://github.com/sarneaud)	325	sarneaud (https://github.com/sarneaud)
321	- rewrite globbing code to fix various minor issues	326	- rewrite globbing code to fix various minor issues
322	- added noblacklist command for profile files	327	- added noblacklist command for profile files


diff --git a/README.md b/README.md index a8722f810..9057a9a88 100644 --- a/README.md +++ b/README.md
@@ -81,6 +81,15 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is
81		81
82	Example:	82	Example:
83	$ firejail --machine-id	83	$ firejail --machine-id
		84
		85	--allow-private-blacklist
		86	Allow blacklisting files in private home directory. By default
		87	these blacklists are disabled.
		88
		89	Example:
		90	$ firejail --allow-private-blacklist --private=~/priv-dir
		91	--blacklist=~/.mozilla
		92
84	`````	93	`````
85	## New Profiles	94	## New Profiles
86	xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom, Guayadeque, qemu, keypass2,	95	xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom, Guayadeque, qemu, keypass2,


diff --git a/RELNOTES b/RELNOTES index 7144b2bf3..2d57b1a88 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -13,7 +13,9 @@ firejail (0.9.45) baseline; urgency=low
13	* feature: private /opt directory (--private-opt, profile support)	13	* feature: private /opt directory (--private-opt, profile support)
14	* feature: private /srv directory (--private-srv, profile support)	14	* feature: private /srv directory (--private-srv, profile support)
15	* feature: spoof machine-id	15	* feature: spoof machine-id
16	* feature: config support for firejail prompt in terminal	16	* feature: config support for firejail prompt in terminals
		17	* feature: pass command line arguments to appimages
		18	* feature: --allow-private-blacklist option
17	* new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire,	19	* new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire,
18	* new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,	20	* new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
19	* new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator,	21	* new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator,


diff --git a/etc/fix_private-bin_for_symlinked_sh.py b/contrib/fix_private-bin_for_symlinked_sh.py index 705e46e46..705e46e46 100644 --- a/etc/fix_private-bin_for_symlinked_sh.py +++ b/contrib/fix_private-bin_for_symlinked_sh.py


diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 1131abe5f..9f4dfd44c 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c
@@ -30,8 +30,8 @@ void usage(void) {
30	printf("Options:\n");	30	printf("Options:\n");
31	printf(" -- - signal the end of options and disables further option processing.\n");	31	printf(" -- - signal the end of options and disables further option processing.\n");
32	printf(" --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n");	32	printf(" --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n");
33	printf(" --allow-private-blacklist - allow blacklisting things in private\n");	33	printf(" --allow-private-blacklist - allow blacklisting files in private\n");
34	printf("\tdirectories.\n");	34	printf("\thome directories.\n");
35	printf(" --allusers - all user home directories are visible inside the sandbox.\n");	35	printf(" --allusers - all user home directories are visible inside the sandbox.\n");
36	printf(" --apparmor - enable AppArmor confinement.\n");	36	printf(" --apparmor - enable AppArmor confinement.\n");
37	printf(" --appimage - sandbox an AppImage application.\n");	37	printf(" --appimage - sandbox an AppImage application.\n");


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 5b43b1ca5..60c21cbc1 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -84,6 +84,15 @@ Example:
84	.br	84	.br
85	$ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox	85	$ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox
86	.TP	86	.TP
		87	\fB\-\-allow-private-blacklist
		88	Allow blacklisting files in private home directory. By default these blacklists are disabled.
		89	.br
		90
		91	.br
		92	Example:
		93	.br
		94	$ firejail --allow-private-blacklist --private=~/priv-dir --blacklist=~/.mozilla
		95	.TP
87	\fB\-\-allusers	96	\fB\-\-allusers
88	All directories under /home are visible inside the sandbox. By default, only current user home directory is visible.	97	All directories under /home are visible inside the sandbox. By default, only current user home directory is visible.
89	.br	98	.br


diff --git a/test/appimage/appimage-args.exp b/test/appimage/appimage-args.exp new file mode 100755 index 000000000..93dba69ad --- /dev/null +++ b/test/appimage/appimage-args.exp
@@ -0,0 +1,97 @@
		1	#!/usr/bin/expect -f
		2	# This file is part of Firejail project
		3	# Copyright (C) 2014-2016 Firejail Authors
		4	# License GPL v2
		5
		6	set timeout 10
		7	spawn $env(SHELL)
		8	match_max 100000
		9
		10	send -- "firejail --name=appimage-test --debug --appimage Leafpad-0.8.17-x86_64.AppImage testfile\r"
		11	expect {
		12	timeout {puts "TESTING ERROR 1\n";exit}
		13	"execvp argument 2"
		14	}
		15	expect {
		16	timeout {puts "TESTING ERROR 2\n";exit}
		17	"AppRun"
		18	}
		19	expect {
		20	timeout {puts "TESTING ERROR 3\n";exit}
		21	"testfile"
		22	}
		23	expect {
		24	timeout {puts "TESTING ERROR 4\n";exit}
		25	"Child process initialized"
		26	}
		27	sleep 2
		28
		29	spawn $env(SHELL)
		30	send -- "firejail --list\r"
		31	expect {
		32	timeout {puts "TESTING ERROR 5\n";exit}
		33	":firejail"
		34	}
		35	expect {
		36	timeout {puts "TESTING ERROR 6\n";exit}
		37	"appimage Leafpad"
		38	}
		39	after 100
		40
		41	# grsecurity exit
		42	send -- "file /proc/sys/kernel/grsecurity\r"
		43	expect {
		44	timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
		45	"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
		46	"cannot open" {puts "grsecurity not present\n"}
		47	}
		48
		49
		50	send -- "firejail --name=blablabla\r"
		51	expect {
		52	timeout {puts "TESTING ERROR 7\n";exit}
		53	"Child process initialized"
		54	}
		55	sleep 2
		56
		57	spawn $env(SHELL)
		58	send -- "firemon --seccomp\r"
		59	expect {
		60	timeout {puts "TESTING ERROR 8\n";exit}
		61	"need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
		62	"appimage Leafpad"
		63	}
		64	expect {
		65	timeout {puts "TESTING ERROR 9 (seccomp)\n";exit}
		66	"Seccomp: 2"
		67	}
		68	expect {
		69	timeout {puts "TESTING ERROR 10\n";exit}
		70	"name=blablabla"
		71	}
		72	after 100
		73	send -- "firemon --caps\r"
		74	expect {
		75	timeout {puts "TESTING ERROR 11\n";exit}
		76	"appimage Leafpad"
		77	}
		78	expect {
		79	timeout {puts "TESTING ERROR 12\n";exit}
		80	"CapBnd:"
		81	}
		82	expect {
		83	timeout {puts "TESTING ERROR 13\n";exit}
		84	"0000000000000000"
		85	}
		86	expect {
		87	timeout {puts "TESTING ERROR 14\n";exit}
		88	"name=blablabla"
		89	}
		90	after 100
		91
		92	spawn $env(SHELL)
		93	send -- "firejail --shutdown=appimage-test\r"
		94	sleep 3
		95
		96	puts "\nall done\n"
		97


diff --git a/test/appimage/appimage.sh b/test/appimage/appimage.sh index db221ec8a..bb646e189 100755 --- a/test/appimage/appimage.sh +++ b/test/appimage/appimage.sh
@@ -13,4 +13,8 @@ echo "TESTING: AppImage v2 (test/appimage/appimage-v2.exp)"
13	./appimage-v2.exp	13	./appimage-v2.exp
14		14
15	echo "TESTING: AppImage file name (test/appimage/filename.exp)";	15	echo "TESTING: AppImage file name (test/appimage/filename.exp)";
16	./filename.exp \ No newline at end of file	16	./filename.exp
		17
		18	echo "TESTING: AppImage argsv1 (test/appimage/appimage-args.exp)"
		19	./appimage-args.exp
		20


diff --git a/test/fs/private-home-dir.exp b/test/fs/private-home-dir.exp index 5491be834..f85a939b1 100755 --- a/test/fs/private-home-dir.exp +++ b/test/fs/private-home-dir.exp
@@ -21,6 +21,8 @@ if {[file exists ~/.Xauthority]} {
21	send -- "touch ~/.Xauthority\r"	21	send -- "touch ~/.Xauthority\r"
22	}	22	}
23	after 100	23	after 100
		24	send -- "rm -fr ~/_firejail_test_dir_\r"
		25	after 100
24	send -- "mkdir ~/_firejail_test_dir_\r"	26	send -- "mkdir ~/_firejail_test_dir_\r"
25	sleep 1	27	sleep 1
26		28
@@ -65,6 +67,64 @@ expect {
65	"private directory should be owned by the current user"	67	"private directory should be owned by the current user"
66	}	68	}
67	sleep 1	69	sleep 1
		70	send -- "mkdir ~/_firejail_test_dir_/test_dir_2\r"
		71	after 100
		72	send -- "touch ~/_firejail_test_dir_/test_dir_2/testfile\r"
		73	sleep 1
68		74
		75	send -- "firejail --debug --noprofile --blacklist=~/test_dir_2 --private=~/_firejail_test_dir_\r"
		76	expect {
		77	timeout {puts "TESTING ERROR 6\n";exit}
		78	"Not blacklist"
		79	}
		80	expect {
		81	timeout {puts "TESTING ERROR 7\n";exit}
		82	"test_dir_2"
		83	}
		84	expect {
		85	timeout {puts "TESTING ERROR 8\n";exit}
		86	"Child process initialized"
		87	}
		88
		89	sleep 1
		90
		91	send -- "find ~\r"
		92	expect {
		93	timeout {puts "TESTING ERROR 9\n";exit}
		94	"testfile"
		95	}
		96	after 100
		97
		98	send -- "exit\r"
		99	sleep 1
		100
		101	send -- "firejail --debug --noprofile --allow-private-blacklist --blacklist=~/test_dir_2 --private=~/_firejail_test_dir_\r"
		102	expect {
		103	timeout {puts "TESTING ERROR 10\n";exit}
		104	"Disable"
		105	}
		106	expect {
		107	timeout {puts "TESTING ERROR 11\n";exit}
		108	"test_dir_2"
		109	}
		110	expect {
		111	timeout {puts "TESTING ERROR 12\n";exit}
		112	"Child process initialized"
		113	}
		114
		115	sleep 1
		116
		117	send -- "ls ~/test_dir_2\r"
		118	expect {
		119	timeout {puts "TESTING ERROR 13\n";exit}
		120	"cannot open directory"
		121	}
		122	after 100
		123
		124	send "exit\r"
		125	sleep 1
		126
		127	send -- "rm -fr ~/_firejail_test_dir_\r"
		128	after 100
69		129
70	puts "all done\n"	130	puts "\nall done\n"