diff options
44 files changed, 594 insertions, 151 deletions
@@ -97,6 +97,14 @@ valoq (https://github.com/valoq) | |||
97 | - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles | 97 | - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles |
98 | - added wget profile | 98 | - added wget profile |
99 | - disable gnupg and systemd directories under /run/user | 99 | - disable gnupg and systemd directories under /run/user |
100 | SYN-cook (https://github.com/SYN-cook) | ||
101 | - keepass/keepassx browser fixes | ||
102 | thewisenerd (https://github.com/thewisenerd) | ||
103 | - appimage: pass commandline arguments | ||
104 | KOLANICH (https://github.com/KOLANICH) | ||
105 | - added symlink fixer | ||
106 | Jesse Smith (https://github.com/slicer69) | ||
107 | - added QupZilla profile | ||
100 | Lari Rauno (https://github.com/tuutti) | 108 | Lari Rauno (https://github.com/tuutti) |
101 | - qutebrowser profile fixes | 109 | - qutebrowser profile fixes |
102 | SpotComms (https://github.com/SpotComms) | 110 | SpotComms (https://github.com/SpotComms) |
@@ -117,6 +125,8 @@ curiosity-seeker (https://github.com/curiosity-seeker) | |||
117 | - cherrytree profile fixes | 125 | - cherrytree profile fixes |
118 | - added quiterss profile | 126 | - added quiterss profile |
119 | - added guayadeque profile | 127 | - added guayadeque profile |
128 | - added VirtualBox.profile | ||
129 | - various other profile fixes | ||
120 | Simon Peter (https://github.com/probonopd) | 130 | Simon Peter (https://github.com/probonopd) |
121 | - set $APPIMAGE and $APPDIR environment variables | 131 | - set $APPIMAGE and $APPDIR environment variables |
122 | - AppImage version detection | 132 | - AppImage version detection |
@@ -313,6 +323,7 @@ Peter Millerchip (https://github.com/pmillerchip) | |||
313 | - support for files and directories starting with ~ in blacklist option | 323 | - support for files and directories starting with ~ in blacklist option |
314 | - support for files and directories with spaces in blacklist option | 324 | - support for files and directories with spaces in blacklist option |
315 | - lots of other fixes | 325 | - lots of other fixes |
326 | - implement the --allow-private-blacklist option | ||
316 | sarneaud (https://github.com/sarneaud) | 327 | sarneaud (https://github.com/sarneaud) |
317 | - rewrite globbing code to fix various minor issues | 328 | - rewrite globbing code to fix various minor issues |
318 | - added noblacklist command for profile files | 329 | - added noblacklist command for profile files |
@@ -18,7 +18,7 @@ prefix your command with “firejail”: | |||
18 | 18 | ||
19 | ````` | 19 | ````` |
20 | $ firejail firefox # starting Mozilla Firefox | 20 | $ firejail firefox # starting Mozilla Firefox |
21 | $ firejail transmission-gtk # starting Transmission BitTorrent | 21 | $ firejail transmission-gtk # starting Transmission BitTorrent |
22 | $ firejail vlc # starting VideoLAN Client | 22 | $ firejail vlc # starting VideoLAN Client |
23 | $ sudo firejail /etc/init.d/nginx start | 23 | $ sudo firejail /etc/init.d/nginx start |
24 | ````` | 24 | ````` |
@@ -81,6 +81,15 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is | |||
81 | 81 | ||
82 | Example: | 82 | Example: |
83 | $ firejail --machine-id | 83 | $ firejail --machine-id |
84 | |||
85 | --allow-private-blacklist | ||
86 | Allow blacklisting files in private home directory. By default | ||
87 | these blacklists are disabled. | ||
88 | |||
89 | Example: | ||
90 | $ firejail --allow-private-blacklist --private=~/priv-dir | ||
91 | --blacklist=~/.mozilla | ||
92 | |||
84 | ````` | 93 | ````` |
85 | ## New Profiles | 94 | ## New Profiles |
86 | xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom, Guayadeque, qemu, keypass2, | 95 | xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom, Guayadeque, qemu, keypass2, |
@@ -88,5 +97,6 @@ amarok, ark, atool, bleachbit, brasero, dolphin, dragon, elinks, enchant, exifto | |||
88 | gjs, gnome-books, gnome-clocks, gnome-documents, gnome-maps, gnome-music, gnome-photos, gnome-weather, | 97 | gjs, gnome-books, gnome-clocks, gnome-documents, gnome-maps, gnome-music, gnome-photos, gnome-weather, |
89 | goobox, gpa, gpg, gpg-agent, highlight, img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, | 98 | goobox, gpa, gpg, gpg-agent, highlight, img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, |
90 | simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, w3m, xfburn, xpra, wget, | 99 | simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, w3m, xfburn, xpra, wget, |
91 | xed, pluma, Cryptocat, Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5, | 100 | xed, pluma, Cryptocat, Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5, |
92 | PDFSam, Pithos, Xonotic, wireshark | 101 | PDFSam, Pithos, Xonotic, wireshark, keepassx2, QupZilla |
102 | |||
@@ -13,12 +13,14 @@ firejail (0.9.45) baseline; urgency=low | |||
13 | * feature: private /opt directory (--private-opt, profile support) | 13 | * feature: private /opt directory (--private-opt, profile support) |
14 | * feature: private /srv directory (--private-srv, profile support) | 14 | * feature: private /srv directory (--private-srv, profile support) |
15 | * feature: spoof machine-id | 15 | * feature: spoof machine-id |
16 | * feature: config support for firejail prompt in terminal | 16 | * feature: config support for firejail prompt in terminals |
17 | * feature: pass command line arguments to appimages | ||
18 | * feature: --allow-private-blacklist option | ||
17 | * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, | 19 | * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, |
18 | * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, | 20 | * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, |
19 | * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, | 21 | * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, |
20 | * new profiles: Gnome Contacts, JD-GUI, Lollypop, MultiMC5, PDFSam, Pithos, | 22 | * new profiles: Gnome Contacts, JD-GUI, Lollypop, MultiMC5, PDFSam, Pithos, |
21 | * new profies: Xonotic, wireshark | 23 | * new profies: Xonotic, wireshark, keepassx2, QupZilla |
22 | * bugfixes | 24 | * bugfixes |
23 | -- netblue30 <netblue30@yahoo.com> Sun, 23 Oct 2016 08:00:00 -0500 | 25 | -- netblue30 <netblue30@yahoo.com> Sun, 23 Oct 2016 08:00:00 -0500 |
24 | 26 | ||
@@ -32,7 +34,7 @@ firejail (0.9.44) baseline; urgency=low | |||
32 | * feature: support starting/joining sandbox is a single command | 34 | * feature: support starting/joining sandbox is a single command |
33 | (--join-or-start) | 35 | (--join-or-start) |
34 | * feature: X11 detection support for --audit | 36 | * feature: X11 detection support for --audit |
35 | * feature: assign a name to the interface connected to the bridge | 37 | * feature: assign a name to the interface connected to the bridge |
36 | (--veth-name) | 38 | (--veth-name) |
37 | * feature: all user home directories are visible (--allusers) | 39 | * feature: all user home directories are visible (--allusers) |
38 | * feature: add files to sandbox container (--put) | 40 | * feature: add files to sandbox container (--put) |
@@ -265,7 +267,7 @@ firejail (0.9.24) baseline; urgency=low | |||
265 | * two build patches from Reiner Herman (tickets 11, 12) | 267 | * two build patches from Reiner Herman (tickets 11, 12) |
266 | * man page patch from Reiner Herman (ticket 13) | 268 | * man page patch from Reiner Herman (ticket 13) |
267 | * output patch (ticket 15) from sshirokov | 269 | * output patch (ticket 15) from sshirokov |
268 | 270 | ||
269 | -- netblue30 <netblue30@yahoo.com> Sun, 5 Apr 2015 08:00:00 -0500 | 271 | -- netblue30 <netblue30@yahoo.com> Sun, 5 Apr 2015 08:00:00 -0500 |
270 | 272 | ||
271 | firejail (0.9.22) baseline; urgency=low | 273 | firejail (0.9.22) baseline; urgency=low |
@@ -330,7 +332,7 @@ firejail (0.9.16) baseline; urgency=low | |||
330 | -- netblue30 <netblue30@yahoo.com> Tue, 4 Nov 2014 10:00:00 -0500 | 332 | -- netblue30 <netblue30@yahoo.com> Tue, 4 Nov 2014 10:00:00 -0500 |
331 | 333 | ||
332 | firejail (0.9.14) baseline; urgency=low | 334 | firejail (0.9.14) baseline; urgency=low |
333 | * Linux capabilities and seccomp filters are automatically enabled in | 335 | * Linux capabilities and seccomp filters are automatically enabled in |
334 | chroot mode (--chroot option) if the sandbox is started as regular user | 336 | chroot mode (--chroot option) if the sandbox is started as regular user |
335 | * Added support for user defined seccomp blacklists | 337 | * Added support for user defined seccomp blacklists |
336 | * Added syscall trace support | 338 | * Added syscall trace support |
@@ -382,7 +384,7 @@ firejail (0.9.8.1) baseline; urgency=low | |||
382 | * FIxed a number of bugs introduced in 0.9.8 | 384 | * FIxed a number of bugs introduced in 0.9.8 |
383 | 385 | ||
384 | -- netblue30 <netblue30@yahoo.com> Fri, 25 Jul 2014 07:25:00 -0500 | 386 | -- netblue30 <netblue30@yahoo.com> Fri, 25 Jul 2014 07:25:00 -0500 |
385 | 387 | ||
386 | firejail (0.9.8) baseline; urgency=low | 388 | firejail (0.9.8) baseline; urgency=low |
387 | * Implemented nowrap mode for firejail --list command option | 389 | * Implemented nowrap mode for firejail --list command option |
388 | * Added --top option in both firejail and firemon | 390 | * Added --top option in both firejail and firemon |
@@ -391,7 +393,7 @@ firejail (0.9.8) baseline; urgency=low | |||
391 | * bugfixes | 393 | * bugfixes |
392 | 394 | ||
393 | -- netblue30 <netblue30@yahoo.com> Tue, 24 Jul 2014 08:51:00 -0500 | 395 | -- netblue30 <netblue30@yahoo.com> Tue, 24 Jul 2014 08:51:00 -0500 |
394 | 396 | ||
395 | firejail (0.9.6) baseline; urgency=low | 397 | firejail (0.9.6) baseline; urgency=low |
396 | 398 | ||
397 | * Mounting tmpfs on top of /var/log, required by several server programs | 399 | * Mounting tmpfs on top of /var/log, required by several server programs |
@@ -430,7 +432,7 @@ firejail (0.9.2) baseline; urgency=low | |||
430 | * Added an expect-based testing framework for the project | 432 | * Added an expect-based testing framework for the project |
431 | * Added bash completion support | 433 | * Added bash completion support |
432 | * Added support for multiple networks | 434 | * Added support for multiple networks |
433 | 435 | ||
434 | -- netblue30 <netblue30@yahoo.com> Fri, 25 Apr 2014 08:00:00 -0500 | 436 | -- netblue30 <netblue30@yahoo.com> Fri, 25 Apr 2014 08:00:00 -0500 |
435 | 437 | ||
436 | firejail (0.9) baseline; urgency=low | 438 | firejail (0.9) baseline; urgency=low |
diff --git a/contrib/fix_private-bin_for_symlinked_sh.py b/contrib/fix_private-bin_for_symlinked_sh.py new file mode 100644 index 000000000..705e46e46 --- /dev/null +++ b/contrib/fix_private-bin_for_symlinked_sh.py | |||
@@ -0,0 +1,68 @@ | |||
1 | #!/usr/bin/python3 | ||
2 | |||
3 | import sys, os, glob, re | ||
4 | |||
5 | privRx=re.compile("^(?:#\s*)?private-bin") | ||
6 | |||
7 | def fixSymlinkedBins(files, replMap): | ||
8 | rxs=dict() | ||
9 | for (old,new) in replMap.items(): | ||
10 | rxs[old]=re.compile("\\b"+old+"\\b") | ||
11 | rxs[new]=re.compile("\\b"+new+"\\b") | ||
12 | print(rxs) | ||
13 | |||
14 | for filename in files: | ||
15 | lines=None | ||
16 | with open(filename,"r") as file: | ||
17 | lines=file.readlines() | ||
18 | |||
19 | shouldUpdate=False | ||
20 | for (i,line) in enumerate(lines): | ||
21 | if privRx.search(line): | ||
22 | for (old,new) in replMap.items(): | ||
23 | if rxs[old].search(line) and not rxs[new].search(line): | ||
24 | lines[i]=rxs[old].sub(old+","+new, line) | ||
25 | shouldUpdate=True | ||
26 | print(lines[i]) | ||
27 | |||
28 | if shouldUpdate: | ||
29 | with open(filename,"w") as file: | ||
30 | file.writelines(lines) | ||
31 | pass | ||
32 | |||
33 | def createListOfBinaries(files): | ||
34 | s=set() | ||
35 | for filename in files: | ||
36 | lines=None | ||
37 | with open(filename,"r") as file: | ||
38 | for line in file: | ||
39 | if privRx.search(line): | ||
40 | bins=line.split(",") | ||
41 | bins[0]=bins[0].split(" ")[-1] | ||
42 | bins = [n.strip() for n in bins] | ||
43 | s=s|set(bins) | ||
44 | return s | ||
45 | |||
46 | def createSymlinkTable(binDirs, binariesSet): | ||
47 | m=dict() | ||
48 | for sh in binariesSet: | ||
49 | for bD in binDirs: | ||
50 | p=bD+os.path.sep+sh | ||
51 | if os.path.exists(p): | ||
52 | if os.path.islink(p): | ||
53 | m[sh]=os.readlink(p) | ||
54 | else: | ||
55 | pass | ||
56 | break | ||
57 | return m | ||
58 | |||
59 | |||
60 | sh="sh" | ||
61 | binDirs=["/bin","/usr/bin","/usr/sbin","/usr/local/bin","/usr/local/sbin"] | ||
62 | profilesPath="." | ||
63 | files=glob.glob(profilesPath+os.path.sep+"*.profile") | ||
64 | |||
65 | bins=createListOfBinaries(files) | ||
66 | stbl=createSymlinkTable(binDirs,bins) | ||
67 | print(stbl) | ||
68 | fixSymlinkedBins(files,{a[0]:a[1] for a in stbl.items() if a[0].find("/") < 0 and a[1].find("/")<0}) | ||
diff --git a/etc/VirtualBox.profile b/etc/VirtualBox.profile new file mode 100644 index 000000000..ff0a4b6ef --- /dev/null +++ b/etc/VirtualBox.profile | |||
@@ -0,0 +1 @@ | |||
include /etc/firejail/virtualbox.profile | |||
diff --git a/etc/abrowser.profile b/etc/abrowser.profile index 481301420..f25bbd94d 100644 --- a/etc/abrowser.profile +++ b/etc/abrowser.profile | |||
@@ -29,14 +29,14 @@ whitelist ~/.config/gnome-mplayer | |||
29 | whitelist ~/.cache/gnome-mplayer/plugin | 29 | whitelist ~/.cache/gnome-mplayer/plugin |
30 | whitelist ~/.pki | 30 | whitelist ~/.pki |
31 | 31 | ||
32 | # lastpass, keepassx | 32 | # lastpass, keepass |
33 | whitelist ~/.keepassx | 33 | # for keepass we additionally need to whitelist our .kdbx password database |
34 | whitelist ~/.config/keepassx | 34 | whitelist ~/.keepass |
35 | whitelist ~/keepassx.kdbx | 35 | whitelist ~/.config/keepass |
36 | whitelist ~/.config/KeePass | ||
36 | whitelist ~/.lastpass | 37 | whitelist ~/.lastpass |
37 | whitelist ~/.config/lastpass | 38 | whitelist ~/.config/lastpass |
38 | 39 | ||
39 | |||
40 | #silverlight | 40 | #silverlight |
41 | whitelist ~/.wine-pipelight | 41 | whitelist ~/.wine-pipelight |
42 | whitelist ~/.wine-pipelight64 | 42 | whitelist ~/.wine-pipelight64 |
diff --git a/etc/chromium.profile b/etc/chromium.profile index 4109af9a4..7610d9b26 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile | |||
@@ -18,10 +18,11 @@ whitelist ~/.cache/chromium | |||
18 | mkdir ~/.pki | 18 | mkdir ~/.pki |
19 | whitelist ~/.pki | 19 | whitelist ~/.pki |
20 | 20 | ||
21 | # lastpass, keepassx | 21 | # lastpass, keepass |
22 | whitelist ~/.keepassx | 22 | # for keepass we additionally need to whitelist our .kdbx password database |
23 | whitelist ~/.config/keepassx | 23 | whitelist ~/.keepass |
24 | whitelist ~/keepassx.kdbx | 24 | whitelist ~/.config/keepass |
25 | whitelist ~/.config/KeePass | ||
25 | whitelist ~/.lastpass | 26 | whitelist ~/.lastpass |
26 | whitelist ~/.config/lastpass | 27 | whitelist ~/.config/lastpass |
27 | 28 | ||
diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile index 84021dab3..f722915f0 100644 --- a/etc/cyberfox.profile +++ b/etc/cyberfox.profile | |||
@@ -29,14 +29,14 @@ whitelist ~/.config/gnome-mplayer | |||
29 | whitelist ~/.cache/gnome-mplayer/plugin | 29 | whitelist ~/.cache/gnome-mplayer/plugin |
30 | whitelist ~/.pki | 30 | whitelist ~/.pki |
31 | 31 | ||
32 | # lastpass, keepassx | 32 | # lastpass, keepass |
33 | whitelist ~/.keepassx | 33 | # for keepass we additionally need to whitelist our .kdbx password database |
34 | whitelist ~/.config/keepassx | 34 | whitelist ~/.keepass |
35 | whitelist ~/keepassx.kdbx | 35 | whitelist ~/.config/keepass |
36 | whitelist ~/.config/KeePass | ||
36 | whitelist ~/.lastpass | 37 | whitelist ~/.lastpass |
37 | whitelist ~/.config/lastpass | 38 | whitelist ~/.config/lastpass |
38 | 39 | ||
39 | |||
40 | #silverlight | 40 | #silverlight |
41 | whitelist ~/.wine-pipelight | 41 | whitelist ~/.wine-pipelight |
42 | whitelist ~/.wine-pipelight64 | 42 | whitelist ~/.wine-pipelight64 |
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index b86c6f998..efe5c850d 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc | |||
@@ -39,19 +39,19 @@ blacklist /usr/share/applications/veracrypt.* | |||
39 | blacklist /usr/share/pixmaps/veracrypt.* | 39 | blacklist /usr/share/pixmaps/veracrypt.* |
40 | blacklist ${HOME}/.VeraCrypt | 40 | blacklist ${HOME}/.VeraCrypt |
41 | 41 | ||
42 | # TrueCrypt | 42 | # TrueCrypt |
43 | blacklist ${PATH}/truecrypt | 43 | blacklist ${PATH}/truecrypt |
44 | blacklist ${PATH}/truecrypt-uninstall.sh | 44 | blacklist ${PATH}/truecrypt-uninstall.sh |
45 | blacklist /usr/share/truecrypt | 45 | blacklist /usr/share/truecrypt |
46 | blacklist /usr/share/applications/truecrypt.* | 46 | blacklist /usr/share/applications/truecrypt.* |
47 | blacklist /usr/share/pixmaps/truecrypt.* | 47 | blacklist /usr/share/pixmaps/truecrypt.* |
48 | blacklist ${HOME}/.TrueCrypt | 48 | blacklist ${HOME}/.TrueCrypt |
49 | 49 | ||
50 | # zuluCrypt | 50 | # zuluCrypt |
51 | blacklist ${HOME}/.zuluCrypt | 51 | blacklist ${HOME}/.zuluCrypt |
52 | blacklist ${HOME}/.zuluCrypt-socket | 52 | blacklist ${HOME}/.zuluCrypt-socket |
53 | blacklist ${PATH}/zuluCrypt-cli | 53 | blacklist ${PATH}/zuluCrypt-cli |
54 | blacklist ${PATH}/zuluMount-cli | 54 | blacklist ${PATH}/zuluMount-cli |
55 | 55 | ||
56 | # var | 56 | # var |
57 | blacklist /var/spool/cron | 57 | blacklist /var/spool/cron |
@@ -154,7 +154,7 @@ blacklist /etc/ssh | |||
154 | blacklist /var/backup | 154 | blacklist /var/backup |
155 | blacklist /home/.ecryptfs | 155 | blacklist /home/.ecryptfs |
156 | 156 | ||
157 | # system directories | 157 | # system directories |
158 | blacklist /sbin | 158 | blacklist /sbin |
159 | blacklist /usr/sbin | 159 | blacklist /usr/sbin |
160 | blacklist /usr/local/sbin | 160 | blacklist /usr/local/sbin |
@@ -191,6 +191,7 @@ blacklist ${PATH}/mount.ecryptfs_private | |||
191 | 191 | ||
192 | # other SUID binaries | 192 | # other SUID binaries |
193 | blacklist /usr/lib/virtualbox | 193 | blacklist /usr/lib/virtualbox |
194 | blacklist /usr/lib64/virtualbox | ||
194 | 195 | ||
195 | # prevent lxterminal connecting to an existing lxterminal session | 196 | # prevent lxterminal connecting to an existing lxterminal session |
196 | blacklist /tmp/.lxterminal-socket* | 197 | blacklist /tmp/.lxterminal-socket* |
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index a9ca487c5..e5eb4f857 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
@@ -20,6 +20,7 @@ blacklist ${HOME}/.cache/INRIA | |||
20 | blacklist ${HOME}/.cache/QuiteRss | 20 | blacklist ${HOME}/.cache/QuiteRss |
21 | blacklist ${HOME}/.cache/champlain | 21 | blacklist ${HOME}/.cache/champlain |
22 | blacklist ${HOME}/.cache/chromium | 22 | blacklist ${HOME}/.cache/chromium |
23 | blacklist ${HOME}/.cache/qupzilla | ||
23 | blacklist ${HOME}/.cache/chromium-dev | 24 | blacklist ${HOME}/.cache/chromium-dev |
24 | blacklist ${HOME}/.cache/darktable | 25 | blacklist ${HOME}/.cache/darktable |
25 | blacklist ${HOME}/.cache/epiphany | 26 | blacklist ${HOME}/.cache/epiphany |
@@ -80,6 +81,7 @@ blacklist ${HOME}/.config/brasero | |||
80 | blacklist ${HOME}/.config/brave | 81 | blacklist ${HOME}/.config/brave |
81 | blacklist ${HOME}/.config/cherrytree | 82 | blacklist ${HOME}/.config/cherrytree |
82 | blacklist ${HOME}/.config/chromium | 83 | blacklist ${HOME}/.config/chromium |
84 | blacklist ${HOME}/.config/qupzilla | ||
83 | blacklist ${HOME}/.config/chromium-dev | 85 | blacklist ${HOME}/.config/chromium-dev |
84 | blacklist ${HOME}/.config/chromium-flags.conf | 86 | blacklist ${HOME}/.config/chromium-flags.conf |
85 | blacklist ${HOME}/.config/cmus | 87 | blacklist ${HOME}/.config/cmus |
@@ -148,7 +150,7 @@ blacklist ${HOME}/.config/xreader | |||
148 | blacklist ${HOME}/.config/xviewer | 150 | blacklist ${HOME}/.config/xviewer |
149 | blacklist ${HOME}/.config/zathura | 151 | blacklist ${HOME}/.config/zathura |
150 | blacklist ${HOME}/.config/zoomus.conf | 152 | blacklist ${HOME}/.config/zoomus.conf |
151 | blacklist ${HOME}/.conkeror.mozdev.org | 153 | blacklist ${HOME}/.conkeror.mozdev.org |
152 | blacklist ${HOME}/.dillo | 154 | blacklist ${HOME}/.dillo |
153 | blacklist ${HOME}/.dosbox | 155 | blacklist ${HOME}/.dosbox |
154 | blacklist ${HOME}/.dropbox-dist | 156 | blacklist ${HOME}/.dropbox-dist |
diff --git a/etc/firefox.profile b/etc/firefox.profile index 4f971f330..c3a9b2a62 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile | |||
@@ -35,14 +35,14 @@ whitelist ~/.config/qpdfview | |||
35 | whitelist ~/.local/share/qpdfview | 35 | whitelist ~/.local/share/qpdfview |
36 | whitelist ~/.kde/share/apps/okular | 36 | whitelist ~/.kde/share/apps/okular |
37 | 37 | ||
38 | # lastpass, keepassx | 38 | # lastpass, keepass |
39 | whitelist ~/.keepassx | 39 | # for keepass we additionally need to whitelist our .kdbx password database |
40 | whitelist ~/.config/keepassx | 40 | whitelist ~/.keepass |
41 | whitelist ~/keepassx.kdbx | 41 | whitelist ~/.config/keepass |
42 | whitelist ~/.config/KeePass | ||
42 | whitelist ~/.lastpass | 43 | whitelist ~/.lastpass |
43 | whitelist ~/.config/lastpass | 44 | whitelist ~/.config/lastpass |
44 | 45 | ||
45 | |||
46 | #silverlight | 46 | #silverlight |
47 | whitelist ~/.wine-pipelight | 47 | whitelist ~/.wine-pipelight |
48 | whitelist ~/.wine-pipelight64 | 48 | whitelist ~/.wine-pipelight64 |
diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile index 7e0eb486b..3c23ff6f6 100644 --- a/etc/flashpeak-slimjet.profile +++ b/etc/flashpeak-slimjet.profile | |||
@@ -29,10 +29,11 @@ whitelist ~/.cache/slimjet | |||
29 | mkdir ~/.pki | 29 | mkdir ~/.pki |
30 | whitelist ~/.pki | 30 | whitelist ~/.pki |
31 | 31 | ||
32 | # lastpass, keepassx | 32 | # lastpass, keepass |
33 | whitelist ~/.keepassx | 33 | # for keepass we additionally need to whitelist our .kdbx password database |
34 | whitelist ~/.config/keepassx | 34 | whitelist ~/.keepass |
35 | whitelist ~/keepassx.kdbx | 35 | whitelist ~/.config/keepass |
36 | whitelist ~/.config/KeePass | ||
36 | whitelist ~/.lastpass | 37 | whitelist ~/.lastpass |
37 | whitelist ~/.config/lastpass | 38 | whitelist ~/.config/lastpass |
38 | 39 | ||
diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile index fe870274f..3d483967c 100644 --- a/etc/google-chrome-beta.profile +++ b/etc/google-chrome-beta.profile | |||
@@ -19,9 +19,10 @@ mkdir ~/.pki | |||
19 | whitelist ~/.pki | 19 | whitelist ~/.pki |
20 | include /etc/firejail/whitelist-common.inc | 20 | include /etc/firejail/whitelist-common.inc |
21 | 21 | ||
22 | # lastpass, keepassx | 22 | # lastpass, keepass |
23 | whitelist ~/.keepassx | 23 | # for keepass we additionally need to whitelist our .kdbx password database |
24 | whitelist ~/.config/keepassx | 24 | whitelist ~/.keepass |
25 | whitelist ~/keepassx.kdbx | 25 | whitelist ~/.config/keepass |
26 | whitelist ~/.config/KeePass | ||
26 | whitelist ~/.lastpass | 27 | whitelist ~/.lastpass |
27 | whitelist ~/.config/lastpass | 28 | whitelist ~/.config/lastpass |
diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile index f6680ac2d..0189ce40b 100644 --- a/etc/google-chrome-unstable.profile +++ b/etc/google-chrome-unstable.profile | |||
@@ -19,9 +19,10 @@ mkdir ~/.pki | |||
19 | whitelist ~/.pki | 19 | whitelist ~/.pki |
20 | include /etc/firejail/whitelist-common.inc | 20 | include /etc/firejail/whitelist-common.inc |
21 | 21 | ||
22 | # lastpass, keepassx | 22 | # lastpass, keepass |
23 | whitelist ~/.keepassx | 23 | # for keepass we additionally need to whitelist our .kdbx password database |
24 | whitelist ~/.config/keepassx | 24 | whitelist ~/.keepass |
25 | whitelist ~/keepassx.kdbx | 25 | whitelist ~/.config/keepass |
26 | whitelist ~/.config/KeePass | ||
26 | whitelist ~/.lastpass | 27 | whitelist ~/.lastpass |
27 | whitelist ~/.config/lastpass | 28 | whitelist ~/.config/lastpass |
diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile index a9fcebe73..3083c2afd 100644 --- a/etc/google-chrome.profile +++ b/etc/google-chrome.profile | |||
@@ -19,10 +19,10 @@ mkdir ~/.pki | |||
19 | whitelist ~/.pki | 19 | whitelist ~/.pki |
20 | include /etc/firejail/whitelist-common.inc | 20 | include /etc/firejail/whitelist-common.inc |
21 | 21 | ||
22 | # lastpass, keepassx | 22 | # lastpass, keepass |
23 | whitelist ~/.keepassx | 23 | # for keepass we additionally need to whitelist our .kdbx password database |
24 | whitelist ~/.config/keepassx | 24 | whitelist ~/.keepass |
25 | whitelist ~/keepassx.kdbx | 25 | whitelist ~/.config/keepass |
26 | whitelist ~/.config/KeePass | ||
26 | whitelist ~/.lastpass | 27 | whitelist ~/.lastpass |
27 | whitelist ~/.config/lastpass | 28 | whitelist ~/.config/lastpass |
28 | |||
diff --git a/etc/icecat.profile b/etc/icecat.profile index 0348076da..038afc876 100644 --- a/etc/icecat.profile +++ b/etc/icecat.profile | |||
@@ -29,14 +29,14 @@ whitelist ~/.config/gnome-mplayer | |||
29 | whitelist ~/.cache/gnome-mplayer/plugin | 29 | whitelist ~/.cache/gnome-mplayer/plugin |
30 | whitelist ~/.pki | 30 | whitelist ~/.pki |
31 | 31 | ||
32 | # lastpass, keepassx | 32 | # lastpass, keepass |
33 | whitelist ~/.keepassx | 33 | # for keepass we additionally need to whitelist our .kdbx password database |
34 | whitelist ~/.config/keepassx | 34 | whitelist ~/.keepass |
35 | whitelist ~/keepassx.kdbx | 35 | whitelist ~/.config/keepass |
36 | whitelist ~/.config/KeePass | ||
36 | whitelist ~/.lastpass | 37 | whitelist ~/.lastpass |
37 | whitelist ~/.config/lastpass | 38 | whitelist ~/.config/lastpass |
38 | 39 | ||
39 | |||
40 | #silverlight | 40 | #silverlight |
41 | whitelist ~/.wine-pipelight | 41 | whitelist ~/.wine-pipelight |
42 | whitelist ~/.wine-pipelight64 | 42 | whitelist ~/.wine-pipelight64 |
diff --git a/etc/inox.profile b/etc/inox.profile index 49d2f2835..6f6d140e2 100644 --- a/etc/inox.profile +++ b/etc/inox.profile | |||
@@ -14,10 +14,11 @@ whitelist ~/.cache/inox | |||
14 | mkdir ~/.pki | 14 | mkdir ~/.pki |
15 | whitelist ~/.pki | 15 | whitelist ~/.pki |
16 | 16 | ||
17 | # lastpass, keepassx | 17 | # lastpass, keepass |
18 | whitelist ~/.keepassx | 18 | # for keepass we additionally need to whitelist our .kdbx password database |
19 | whitelist ~/.config/keepassx | 19 | whitelist ~/.keepass |
20 | whitelist ~/keepassx.kdbx | 20 | whitelist ~/.config/keepass |
21 | whitelist ~/.config/KeePass | ||
21 | whitelist ~/.lastpass | 22 | whitelist ~/.lastpass |
22 | whitelist ~/.config/lastpass | 23 | whitelist ~/.config/lastpass |
23 | 24 | ||
diff --git a/etc/keepassx2.profile b/etc/keepassx2.profile new file mode 100644 index 000000000..d8621773f --- /dev/null +++ b/etc/keepassx2.profile | |||
@@ -0,0 +1,22 @@ | |||
1 | # keepassx password manager profile | ||
2 | noblacklist ${HOME}/.config/keepassx | ||
3 | noblacklist ${HOME}/.keepassx | ||
4 | noblacklist ${HOME}/keepassx.kdbx | ||
5 | |||
6 | include /etc/firejail/disable-common.inc | ||
7 | include /etc/firejail/disable-programs.inc | ||
8 | include /etc/firejail/disable-devel.inc | ||
9 | include /etc/firejail/disable-passwdmgr.inc | ||
10 | |||
11 | caps.drop all | ||
12 | nogroups | ||
13 | nonewprivs | ||
14 | noroot | ||
15 | nosound | ||
16 | protocol unix | ||
17 | seccomp | ||
18 | netfilter | ||
19 | shell none | ||
20 | |||
21 | private-tmp | ||
22 | private-dev | ||
diff --git a/etc/netsurf.profile b/etc/netsurf.profile index 2071e5519..644a1605b 100644 --- a/etc/netsurf.profile +++ b/etc/netsurf.profile | |||
@@ -19,10 +19,11 @@ whitelist ~/.config/netsurf | |||
19 | mkdir ~/.cache/netsurf | 19 | mkdir ~/.cache/netsurf |
20 | whitelist ~/.cache/netsurf | 20 | whitelist ~/.cache/netsurf |
21 | 21 | ||
22 | # lastpass, keepassx | 22 | # lastpass, keepass |
23 | whitelist ~/.keepassx | 23 | # for keepass we additionally need to whitelist our .kdbx password database |
24 | whitelist ~/.config/keepassx | 24 | whitelist ~/.keepass |
25 | whitelist ~/keepassx.kdbx | 25 | whitelist ~/.config/keepass |
26 | whitelist ~/.config/KeePass | ||
26 | whitelist ~/.lastpass | 27 | whitelist ~/.lastpass |
27 | whitelist ~/.config/lastpass | 28 | whitelist ~/.config/lastpass |
28 | 29 | ||
diff --git a/etc/opera-beta.profile b/etc/opera-beta.profile index 12c91c744..4cdb0a9eb 100644 --- a/etc/opera-beta.profile +++ b/etc/opera-beta.profile | |||
@@ -16,10 +16,10 @@ mkdir ~/.pki | |||
16 | whitelist ~/.pki | 16 | whitelist ~/.pki |
17 | include /etc/firejail/whitelist-common.inc | 17 | include /etc/firejail/whitelist-common.inc |
18 | 18 | ||
19 | # lastpass, keepassx | 19 | # lastpass, keepass |
20 | whitelist ~/.keepassx | 20 | # for keepass we additionally need to whitelist our .kdbx password database |
21 | whitelist ~/.config/keepassx | 21 | whitelist ~/.keepass |
22 | whitelist ~/keepassx.kdbx | 22 | whitelist ~/.config/keepass |
23 | whitelist ~/.config/KeePass | ||
23 | whitelist ~/.lastpass | 24 | whitelist ~/.lastpass |
24 | whitelist ~/.config/lastpass | 25 | whitelist ~/.config/lastpass |
25 | |||
diff --git a/etc/opera.profile b/etc/opera.profile index e0c89a195..a337ccc5b 100644 --- a/etc/opera.profile +++ b/etc/opera.profile | |||
@@ -19,10 +19,10 @@ mkdir ~/.pki | |||
19 | whitelist ~/.pki | 19 | whitelist ~/.pki |
20 | include /etc/firejail/whitelist-common.inc | 20 | include /etc/firejail/whitelist-common.inc |
21 | 21 | ||
22 | # lastpass, keepassx | 22 | # lastpass, keepass |
23 | whitelist ~/.keepassx | 23 | # for keepass we additionally need to whitelist our .kdbx password database |
24 | whitelist ~/.config/keepassx | 24 | whitelist ~/.keepass |
25 | whitelist ~/keepassx.kdbx | 25 | whitelist ~/.config/keepass |
26 | whitelist ~/.config/KeePass | ||
26 | whitelist ~/.lastpass | 27 | whitelist ~/.lastpass |
27 | whitelist ~/.config/lastpass | 28 | whitelist ~/.config/lastpass |
28 | |||
diff --git a/etc/palemoon.profile b/etc/palemoon.profile index 71deec6bc..1476369a1 100644 --- a/etc/palemoon.profile +++ b/etc/palemoon.profile | |||
@@ -44,11 +44,11 @@ private-tmp | |||
44 | #whitelist ~/.config/pipelight-widevine | 44 | #whitelist ~/.config/pipelight-widevine |
45 | #whitelist ~/.config/pipelight-silverlight5.1 | 45 | #whitelist ~/.config/pipelight-silverlight5.1 |
46 | 46 | ||
47 | 47 | # lastpass, keepass | |
48 | # lastpass, keepassx | 48 | # for keepass we additionally need to whitelist our .kdbx password database |
49 | whitelist ~/.keepassx | 49 | whitelist ~/.keepass |
50 | whitelist ~/.config/keepassx | 50 | whitelist ~/.config/keepass |
51 | whitelist ~/keepassx.kdbx | 51 | whitelist ~/.config/KeePass |
52 | whitelist ~/.lastpass | 52 | whitelist ~/.lastpass |
53 | whitelist ~/.config/lastpass | 53 | whitelist ~/.config/lastpass |
54 | 54 | ||
diff --git a/etc/qupzilla.profile b/etc/qupzilla.profile new file mode 100644 index 000000000..387ddeffa --- /dev/null +++ b/etc/qupzilla.profile | |||
@@ -0,0 +1,22 @@ | |||
1 | # Firejail profile for Qupzilla web browser | ||
2 | noblacklist ${HOME}/.config/qupzilla | ||
3 | noblacklist ${HOME}/.cache/qupzilla | ||
4 | include /etc/firejail/disable-mgmt.inc | ||
5 | include /etc/firejail/disable-secret.inc | ||
6 | include /etc/firejail/disable-common.inc | ||
7 | include /etc/firejail/disable-devel.inc | ||
8 | caps.drop all | ||
9 | seccomp | ||
10 | protocol unix,inet,inet6,netlink | ||
11 | netfilter | ||
12 | tracelog | ||
13 | noroot | ||
14 | whitelist ${DOWNLOADS} | ||
15 | whitelist ~/.config/qupzilla | ||
16 | whitelist ~/.cache/qupzilla | ||
17 | include /etc/firejail/whitelist-common.inc | ||
18 | |||
19 | # experimental features | ||
20 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | ||
21 | |||
22 | |||
diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile index b981d9516..5d817acce 100644 --- a/etc/seamonkey.profile +++ b/etc/seamonkey.profile | |||
@@ -31,10 +31,11 @@ whitelist ~/.cache/gnome-mplayer/plugin | |||
31 | whitelist ~/.pki | 31 | whitelist ~/.pki |
32 | include /etc/firejail/whitelist-common.inc | 32 | include /etc/firejail/whitelist-common.inc |
33 | 33 | ||
34 | # lastpass, keepassx | 34 | # lastpass, keepass |
35 | whitelist ~/.keepassx | 35 | # for keepass we additionally need to whitelist our .kdbx password database |
36 | whitelist ~/.config/keepassx | 36 | whitelist ~/.keepass |
37 | whitelist ~/keepassx.kdbx | 37 | whitelist ~/.config/keepass |
38 | whitelist ~/.config/KeePass | ||
38 | whitelist ~/.lastpass | 39 | whitelist ~/.lastpass |
39 | whitelist ~/.config/lastpass | 40 | whitelist ~/.config/lastpass |
40 | 41 | ||
diff --git a/etc/skanlite.profile b/etc/skanlite.profile index 4dcfa64d9..667b775c8 100644 --- a/etc/skanlite.profile +++ b/etc/skanlite.profile | |||
@@ -11,10 +11,10 @@ nonewprivs | |||
11 | noroot | 11 | noroot |
12 | nosound | 12 | nosound |
13 | shell none | 13 | shell none |
14 | #seccomp | 14 | seccomp |
15 | protocol unix,inet,inet6 | 15 | # protocol unix,inet,inet6 |
16 | 16 | ||
17 | private-bin skanlite | 17 | # private-bin skanlite |
18 | # private-dev | 18 | # private-dev |
19 | # private-tmp | 19 | # private-tmp |
20 | # private-etc | 20 | # private-etc |
diff --git a/etc/virtualbox.profile b/etc/virtualbox.profile index 36a1e0704..1e765b89b 100644 --- a/etc/virtualbox.profile +++ b/etc/virtualbox.profile | |||
@@ -1,12 +1,22 @@ | |||
1 | # VirtualBox profile | 1 | # virtualbox profile |
2 | noblacklist ${HOME}/.VirtualBox | 2 | noblacklist ${HOME}/.VirtualBox |
3 | noblacklist ${HOME}/VirtualBox VMs | 3 | noblacklist ${HOME}/VirtualBox VMs |
4 | noblacklist ${HOME}/.config/VirtualBox | 4 | noblacklist ${HOME}/.config/VirtualBox |
5 | noblacklist /usr/bin/virtualbox | 5 | |
6 | mkdir ~/VirtualBox VMs | ||
7 | whitelist ~/VirtualBox VMs | ||
8 | mkdir ~/.config/VirtualBox | ||
9 | whitelist ~/.config/VirtualBox | ||
10 | |||
11 | # noblacklist /usr/bin/virtualbox | ||
12 | noblacklist /usr/lib/virtualbox | ||
13 | noblacklist /usr/lib64/virtualbox | ||
6 | include /etc/firejail/disable-common.inc | 14 | include /etc/firejail/disable-common.inc |
7 | include /etc/firejail/disable-programs.inc | 15 | include /etc/firejail/disable-programs.inc |
8 | include /etc/firejail/disable-passwdmgr.inc | 16 | include /etc/firejail/disable-passwdmgr.inc |
17 | include /etc/firejail/whitelist-common.inc | ||
9 | 18 | ||
10 | caps.drop all | 19 | caps.drop all |
20 | netfilter | ||
11 | 21 | ||
12 | 22 | ||
diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile index 08b046847..b3a096069 100644 --- a/etc/vivaldi.profile +++ b/etc/vivaldi.profile | |||
@@ -14,10 +14,10 @@ mkdir ~/.cache/vivaldi | |||
14 | whitelist ~/.cache/vivaldi | 14 | whitelist ~/.cache/vivaldi |
15 | include /etc/firejail/whitelist-common.inc | 15 | include /etc/firejail/whitelist-common.inc |
16 | 16 | ||
17 | # lastpass, keepassx | 17 | # lastpass, keepass |
18 | whitelist ~/.keepassx | 18 | # for keepass we additionally need to whitelist our .kdbx password database |
19 | whitelist ~/.config/keepassx | 19 | whitelist ~/.keepass |
20 | whitelist ~/keepassx.kdbx | 20 | whitelist ~/.config/keepass |
21 | whitelist ~/.config/KeePass | ||
21 | whitelist ~/.lastpass | 22 | whitelist ~/.lastpass |
22 | whitelist ~/.config/lastpass | 23 | whitelist ~/.config/lastpass |
23 | |||
diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 97e7cf884..9afe42be8 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles | |||
@@ -111,6 +111,7 @@ | |||
111 | /etc/firejail/keepass.profile | 111 | /etc/firejail/keepass.profile |
112 | /etc/firejail/keepass2.profile | 112 | /etc/firejail/keepass2.profile |
113 | /etc/firejail/keepassx.profile | 113 | /etc/firejail/keepassx.profile |
114 | /etc/firejail/keepassx2.profile | ||
114 | /etc/firejail/kmail.profile | 115 | /etc/firejail/kmail.profile |
115 | /etc/firejail/konversation.profile | 116 | /etc/firejail/konversation.profile |
116 | /etc/firejail/less.profile | 117 | /etc/firejail/less.profile |
@@ -237,3 +238,5 @@ | |||
237 | /etc/firejail/xonotic-glx.profile | 238 | /etc/firejail/xonotic-glx.profile |
238 | /etc/firejail/xonotic-sdl.profile | 239 | /etc/firejail/xonotic-sdl.profile |
239 | /etc/firejail/xonotic.profile | 240 | /etc/firejail/xonotic.profile |
241 | /etc/firejail/VirtualBox.profile | ||
242 | /etc/firejail/qupzilla.profile | ||
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index c4f52e256..fe65a5077 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -190,6 +190,7 @@ ranger | |||
190 | keepass | 190 | keepass |
191 | keepass2 | 191 | keepass2 |
192 | keepassx | 192 | keepassx |
193 | keepassx2 | ||
193 | pluma | 194 | pluma |
194 | tracker | 195 | tracker |
195 | wireshark | 196 | wireshark |
@@ -204,4 +205,3 @@ gnome-weather | |||
204 | ark | 205 | ark |
205 | atool | 206 | atool |
206 | file-roller | 207 | file-roller |
207 | |||
diff --git a/src/firejail/cmdline.c b/src/firejail/cmdline.c index cadf4795d..dcb0a5424 100644 --- a/src/firejail/cmdline.c +++ b/src/firejail/cmdline.c | |||
@@ -157,3 +157,47 @@ void build_cmdline(char **command_line, char **window_title, int argc, char **ar | |||
157 | assert(*command_line); | 157 | assert(*command_line); |
158 | assert(*window_title); | 158 | assert(*window_title); |
159 | } | 159 | } |
160 | |||
161 | void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, char *apprun_path) { | ||
162 | // index == -1 could happen if we have --shell=none and no program was specified | ||
163 | // the program should exit with an error before entering this function | ||
164 | assert(index != -1); | ||
165 | |||
166 | unsigned argcount = argc - index; | ||
167 | |||
168 | int len1 = cmdline_length(argc, argv, index); // length of argv w/o changes | ||
169 | int len2 = cmdline_length(1, &argv[index], 0); // apptest.AppImage | ||
170 | int len3 = cmdline_length(1, &apprun_path, 0); // /run/firejail/appimage/.appimage-23304/AppRun | ||
171 | int len4 = (len1 - len2 + len3) + 1; // apptest.AppImage is replaced by /path/to/AppRun | ||
172 | |||
173 | if (len4 > ARG_MAX) { | ||
174 | errno = E2BIG; | ||
175 | errExit("cmdline_length"); | ||
176 | } | ||
177 | |||
178 | // save created apprun in cfg.command_line | ||
179 | char *tmp1 = strdup(*command_line); | ||
180 | if (!tmp1) | ||
181 | errExit("strdup"); | ||
182 | |||
183 | // TODO: deal with extra allocated memory. | ||
184 | char *command_line_tmp = malloc(len1 + len3 + 1); | ||
185 | if (!command_line_tmp) | ||
186 | errExit("malloc"); | ||
187 | *window_title = malloc(len1 + len3 + 1); | ||
188 | if (!*window_title) | ||
189 | errExit("malloc"); | ||
190 | |||
191 | // run default quote_cmdline | ||
192 | quote_cmdline(command_line_tmp, *window_title, len1, argc, argv, index); | ||
193 | |||
194 | assert(command_line_tmp); | ||
195 | assert(*window_title); | ||
196 | |||
197 | // 'fix' command_line now | ||
198 | if (asprintf(command_line, "'%s' %s", tmp1, command_line_tmp + len2) == -1) | ||
199 | errExit("asprintf"); | ||
200 | |||
201 | // free strdup | ||
202 | free(tmp1); | ||
203 | } | ||
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 8fede5a69..36cf47435 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -208,7 +208,7 @@ typedef struct config_t { | |||
208 | char *bin_private_keep; // keep list for private bin directory | 208 | char *bin_private_keep; // keep list for private bin directory |
209 | char *cwd; // current working directory | 209 | char *cwd; // current working directory |
210 | char *overlay_dir; | 210 | char *overlay_dir; |
211 | char *private_template; // template dir for tmpfs home | 211 | char *private_template; // template dir for tmpfs home |
212 | 212 | ||
213 | // networking | 213 | // networking |
214 | char *name; // sandbox name | 214 | char *name; // sandbox name |
@@ -285,6 +285,7 @@ void clear_run_files(pid_t pid); | |||
285 | 285 | ||
286 | extern int arg_private; // mount private /home | 286 | extern int arg_private; // mount private /home |
287 | extern int arg_private_template; // private /home template | 287 | extern int arg_private_template; // private /home template |
288 | extern int arg_allow_private_blacklist; // blacklist things in private directories | ||
288 | extern int arg_debug; // print debug messages | 289 | extern int arg_debug; // print debug messages |
289 | extern int arg_debug_check_filename; // print debug messages for filename checking | 290 | extern int arg_debug_check_filename; // print debug messages for filename checking |
290 | extern int arg_debug_blacklists; // print debug messages for blacklists | 291 | extern int arg_debug_blacklists; // print debug messages for blacklists |
@@ -564,6 +565,7 @@ void network_del_run_file(pid_t pid); | |||
564 | void network_set_run_file(pid_t pid); | 565 | void network_set_run_file(pid_t pid); |
565 | 566 | ||
566 | // fs_etc.c | 567 | // fs_etc.c |
568 | void fs_machineid(void); | ||
567 | void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list); | 569 | void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list); |
568 | 570 | ||
569 | // no_sandbox.c | 571 | // no_sandbox.c |
@@ -681,6 +683,7 @@ long unsigned int appimage2_size(const char *fname); | |||
681 | 683 | ||
682 | // cmdline.c | 684 | // cmdline.c |
683 | void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index); | 685 | void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index); |
686 | void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, char *apprun_path); | ||
684 | 687 | ||
685 | // sbox.c | 688 | // sbox.c |
686 | // programs | 689 | // programs |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index adddf626b..e2fc09533 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -216,6 +216,15 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[ | |||
216 | exit(1); | 216 | exit(1); |
217 | } | 217 | } |
218 | } | 218 | } |
219 | |||
220 | // We don't usually need to blacklist things in private home directories | ||
221 | if (okay_to_blacklist | ||
222 | && cfg.homedir | ||
223 | && arg_private | ||
224 | && (!arg_allow_private_blacklist) | ||
225 | && (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0)) | ||
226 | okay_to_blacklist = false; | ||
227 | |||
219 | if (okay_to_blacklist) | 228 | if (okay_to_blacklist) |
220 | disable_file(op, path); | 229 | disable_file(op, path); |
221 | else if (arg_debug) | 230 | else if (arg_debug) |
@@ -532,29 +541,35 @@ void fs_proc_sys_dev_boot(void) { | |||
532 | disable_file(BLACKLIST_FILE, "/dev/port"); | 541 | disable_file(BLACKLIST_FILE, "/dev/port"); |
533 | 542 | ||
534 | 543 | ||
535 | // disable various ipc sockets | ||
536 | struct stat s; | ||
537 | 544 | ||
538 | // disable /run/user/{uid}/gnupg | 545 | // disable various ipc sockets in /run/user |
539 | char *fnamegpg; | 546 | struct stat s; |
540 | if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1) | 547 | |
541 | errExit("asprintf"); | 548 | char *fname; |
542 | if (stat(fnamegpg, &s) == -1) | 549 | if (asprintf(&fname, "/run/usr/%d", getuid()) == -1) |
543 | mkdir_attr(fnamegpg, 0700, getuid(), getgid()); | ||
544 | if (stat(fnamegpg, &s) == 0) | ||
545 | disable_file(BLACKLIST_FILE, fnamegpg); | ||
546 | free(fnamegpg); | ||
547 | |||
548 | // disable /run/user/{uid}/systemd | ||
549 | char *fnamesysd; | ||
550 | if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1) | ||
551 | errExit("asprintf"); | 550 | errExit("asprintf"); |
552 | if (stat(fnamesysd, &s) == -1) | 551 | if (is_dir(fname)) { // older distros don't have this directory |
553 | mkdir_attr(fnamesysd, 0755, getuid(), getgid()); | 552 | // disable /run/user/{uid}/gnupg |
554 | if (stat(fnamesysd, &s) == 0) | 553 | char *fnamegpg; |
555 | disable_file(BLACKLIST_FILE, fnamesysd); | 554 | if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1) |
556 | free(fnamesysd); | 555 | errExit("asprintf"); |
557 | 556 | if (stat(fnamegpg, &s) == -1) | |
557 | mkdir_attr(fnamegpg, 0700, getuid(), getgid()); | ||
558 | if (stat(fnamegpg, &s) == 0) | ||
559 | disable_file(BLACKLIST_FILE, fnamegpg); | ||
560 | free(fnamegpg); | ||
561 | |||
562 | // disable /run/user/{uid}/systemd | ||
563 | char *fnamesysd; | ||
564 | if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1) | ||
565 | errExit("asprintf"); | ||
566 | if (stat(fnamesysd, &s) == -1) | ||
567 | mkdir_attr(fnamesysd, 0755, getuid(), getgid()); | ||
568 | if (stat(fnamesysd, &s) == 0) | ||
569 | disable_file(BLACKLIST_FILE, fnamesysd); | ||
570 | free(fnamesysd); | ||
571 | } | ||
572 | free(fname); | ||
558 | 573 | ||
559 | // todo: investigate | 574 | // todo: investigate |
560 | #if 0 | 575 | #if 0 |
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index a27c0e41b..479383af2 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c | |||
@@ -21,6 +21,7 @@ | |||
21 | #include <sys/mount.h> | 21 | #include <sys/mount.h> |
22 | #include <sys/stat.h> | 22 | #include <sys/stat.h> |
23 | #include <sys/types.h> | 23 | #include <sys/types.h> |
24 | #include <time.h> | ||
24 | #include <unistd.h> | 25 | #include <unistd.h> |
25 | 26 | ||
26 | // spoof /etc/machine_id | 27 | // spoof /etc/machine_id |
diff --git a/src/firejail/main.c b/src/firejail/main.c index b25bad9f2..15820f7dd 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -112,6 +112,7 @@ int arg_x11_block = 0; // block X11 | |||
112 | int arg_x11_xorg = 0; // use X11 security extention | 112 | int arg_x11_xorg = 0; // use X11 security extention |
113 | int arg_allusers = 0; // all user home directories visible | 113 | int arg_allusers = 0; // all user home directories visible |
114 | int arg_machineid = 0; // preserve /etc/machine-id | 114 | int arg_machineid = 0; // preserve /etc/machine-id |
115 | int arg_allow_private_blacklist = 0; // blacklist things in private directories | ||
115 | 116 | ||
116 | int login_shell = 0; | 117 | int login_shell = 0; |
117 | 118 | ||
@@ -1463,6 +1464,9 @@ int main(int argc, char **argv) { | |||
1463 | else if (strcmp(argv[i], "--machine-id") == 0) { | 1464 | else if (strcmp(argv[i], "--machine-id") == 0) { |
1464 | arg_machineid = 1; | 1465 | arg_machineid = 1; |
1465 | } | 1466 | } |
1467 | else if (strcmp(argv[i], "--allow-private-blacklist") == 0) { | ||
1468 | arg_allow_private_blacklist = 1; | ||
1469 | } | ||
1466 | else if (strcmp(argv[i], "--private") == 0) { | 1470 | else if (strcmp(argv[i], "--private") == 0) { |
1467 | arg_private = 1; | 1471 | arg_private = 1; |
1468 | } | 1472 | } |
@@ -2156,7 +2160,7 @@ int main(int argc, char **argv) { | |||
2156 | if (arg_debug) | 2160 | if (arg_debug) |
2157 | printf("Configuring appimage environment\n"); | 2161 | printf("Configuring appimage environment\n"); |
2158 | appimage_set(cfg.command_name); | 2162 | appimage_set(cfg.command_name); |
2159 | cfg.window_title = "appimage"; | 2163 | build_appimage_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index, cfg.command_line); |
2160 | } | 2164 | } |
2161 | else { | 2165 | else { |
2162 | build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index); | 2166 | build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index); |
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index db3c25a5a..9f4dfd44c 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -30,12 +30,14 @@ void usage(void) { | |||
30 | printf("Options:\n"); | 30 | printf("Options:\n"); |
31 | printf(" -- - signal the end of options and disables further option processing.\n"); | 31 | printf(" -- - signal the end of options and disables further option processing.\n"); |
32 | printf(" --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n"); | 32 | printf(" --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n"); |
33 | printf(" --allow-private-blacklist - allow blacklisting files in private\n"); | ||
34 | printf("\thome directories.\n"); | ||
33 | printf(" --allusers - all user home directories are visible inside the sandbox.\n"); | 35 | printf(" --allusers - all user home directories are visible inside the sandbox.\n"); |
34 | printf(" --apparmor - enable AppArmor confinement.\n"); | 36 | printf(" --apparmor - enable AppArmor confinement.\n"); |
35 | printf(" --appimage - sandbox an AppImage application.\n"); | 37 | printf(" --appimage - sandbox an AppImage application.\n"); |
36 | printf(" --audit[=test-program] - audit the sandbox.\n"); | 38 | printf(" --audit[=test-program] - audit the sandbox.\n"); |
37 | #ifdef HAVE_NETWORK | 39 | #ifdef HAVE_NETWORK |
38 | printf(" --bandwidth=name|pid - set bandwidth limits\n"); | 40 | printf(" --bandwidth=name|pid - set bandwidth limits.\n"); |
39 | #endif | 41 | #endif |
40 | #ifdef HAVE_BIND | 42 | #ifdef HAVE_BIND |
41 | printf(" --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n"); | 43 | printf(" --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n"); |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 5b43b1ca5..60c21cbc1 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -84,6 +84,15 @@ Example: | |||
84 | .br | 84 | .br |
85 | $ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox | 85 | $ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox |
86 | .TP | 86 | .TP |
87 | \fB\-\-allow-private-blacklist | ||
88 | Allow blacklisting files in private home directory. By default these blacklists are disabled. | ||
89 | .br | ||
90 | |||
91 | .br | ||
92 | Example: | ||
93 | .br | ||
94 | $ firejail --allow-private-blacklist --private=~/priv-dir --blacklist=~/.mozilla | ||
95 | .TP | ||
87 | \fB\-\-allusers | 96 | \fB\-\-allusers |
88 | All directories under /home are visible inside the sandbox. By default, only current user home directory is visible. | 97 | All directories under /home are visible inside the sandbox. By default, only current user home directory is visible. |
89 | .br | 98 | .br |
diff --git a/test/appimage/appimage-args.exp b/test/appimage/appimage-args.exp new file mode 100755 index 000000000..93dba69ad --- /dev/null +++ b/test/appimage/appimage-args.exp | |||
@@ -0,0 +1,97 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "firejail --name=appimage-test --debug --appimage Leafpad-0.8.17-x86_64.AppImage testfile\r" | ||
11 | expect { | ||
12 | timeout {puts "TESTING ERROR 1\n";exit} | ||
13 | "execvp argument 2" | ||
14 | } | ||
15 | expect { | ||
16 | timeout {puts "TESTING ERROR 2\n";exit} | ||
17 | "AppRun" | ||
18 | } | ||
19 | expect { | ||
20 | timeout {puts "TESTING ERROR 3\n";exit} | ||
21 | "testfile" | ||
22 | } | ||
23 | expect { | ||
24 | timeout {puts "TESTING ERROR 4\n";exit} | ||
25 | "Child process initialized" | ||
26 | } | ||
27 | sleep 2 | ||
28 | |||
29 | spawn $env(SHELL) | ||
30 | send -- "firejail --list\r" | ||
31 | expect { | ||
32 | timeout {puts "TESTING ERROR 5\n";exit} | ||
33 | ":firejail" | ||
34 | } | ||
35 | expect { | ||
36 | timeout {puts "TESTING ERROR 6\n";exit} | ||
37 | "appimage Leafpad" | ||
38 | } | ||
39 | after 100 | ||
40 | |||
41 | # grsecurity exit | ||
42 | send -- "file /proc/sys/kernel/grsecurity\r" | ||
43 | expect { | ||
44 | timeout {puts "TESTING ERROR - grsecurity detection\n";exit} | ||
45 | "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} | ||
46 | "cannot open" {puts "grsecurity not present\n"} | ||
47 | } | ||
48 | |||
49 | |||
50 | send -- "firejail --name=blablabla\r" | ||
51 | expect { | ||
52 | timeout {puts "TESTING ERROR 7\n";exit} | ||
53 | "Child process initialized" | ||
54 | } | ||
55 | sleep 2 | ||
56 | |||
57 | spawn $env(SHELL) | ||
58 | send -- "firemon --seccomp\r" | ||
59 | expect { | ||
60 | timeout {puts "TESTING ERROR 8\n";exit} | ||
61 | "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} | ||
62 | "appimage Leafpad" | ||
63 | } | ||
64 | expect { | ||
65 | timeout {puts "TESTING ERROR 9 (seccomp)\n";exit} | ||
66 | "Seccomp: 2" | ||
67 | } | ||
68 | expect { | ||
69 | timeout {puts "TESTING ERROR 10\n";exit} | ||
70 | "name=blablabla" | ||
71 | } | ||
72 | after 100 | ||
73 | send -- "firemon --caps\r" | ||
74 | expect { | ||
75 | timeout {puts "TESTING ERROR 11\n";exit} | ||
76 | "appimage Leafpad" | ||
77 | } | ||
78 | expect { | ||
79 | timeout {puts "TESTING ERROR 12\n";exit} | ||
80 | "CapBnd:" | ||
81 | } | ||
82 | expect { | ||
83 | timeout {puts "TESTING ERROR 13\n";exit} | ||
84 | "0000000000000000" | ||
85 | } | ||
86 | expect { | ||
87 | timeout {puts "TESTING ERROR 14\n";exit} | ||
88 | "name=blablabla" | ||
89 | } | ||
90 | after 100 | ||
91 | |||
92 | spawn $env(SHELL) | ||
93 | send -- "firejail --shutdown=appimage-test\r" | ||
94 | sleep 3 | ||
95 | |||
96 | puts "\nall done\n" | ||
97 | |||
diff --git a/test/appimage/appimage.sh b/test/appimage/appimage.sh index db221ec8a..bb646e189 100755 --- a/test/appimage/appimage.sh +++ b/test/appimage/appimage.sh | |||
@@ -13,4 +13,8 @@ echo "TESTING: AppImage v2 (test/appimage/appimage-v2.exp)" | |||
13 | ./appimage-v2.exp | 13 | ./appimage-v2.exp |
14 | 14 | ||
15 | echo "TESTING: AppImage file name (test/appimage/filename.exp)"; | 15 | echo "TESTING: AppImage file name (test/appimage/filename.exp)"; |
16 | ./filename.exp \ No newline at end of file | 16 | ./filename.exp |
17 | |||
18 | echo "TESTING: AppImage argsv1 (test/appimage/appimage-args.exp)" | ||
19 | ./appimage-args.exp | ||
20 | |||
diff --git a/test/fcopy/dircopy.exp b/test/fcopy/dircopy.exp index 00b0204ae..dc8c80569 100755 --- a/test/fcopy/dircopy.exp +++ b/test/fcopy/dircopy.exp | |||
@@ -21,30 +21,58 @@ expect { | |||
21 | timeout {puts "TESTING ERROR 0\n";exit} | 21 | timeout {puts "TESTING ERROR 0\n";exit} |
22 | "dest/" | 22 | "dest/" |
23 | } | 23 | } |
24 | after 100 | ||
25 | |||
26 | send -- "find dest\r" | ||
27 | expect { | ||
28 | timeout {puts "TESTING ERROR 0\n";exit} | ||
29 | "dest/" | ||
30 | } | ||
31 | after 100 | ||
32 | |||
33 | send -- "find dest\r" | ||
24 | expect { | 34 | expect { |
25 | timeout {puts "TESTING ERROR 1\n";exit} | 35 | timeout {puts "TESTING ERROR 1\n";exit} |
26 | "dest/a" | 36 | "dest/a" |
27 | } | 37 | } |
38 | after 100 | ||
39 | |||
40 | send -- "find dest\r" | ||
28 | expect { | 41 | expect { |
29 | timeout {puts "TESTING ERROR 2\n";exit} | 42 | timeout {puts "TESTING ERROR 2\n";exit} |
30 | "dest/a/b" | 43 | "dest/a/b" |
31 | } | 44 | } |
45 | after 100 | ||
46 | |||
47 | send -- "find dest\r" | ||
32 | expect { | 48 | expect { |
33 | timeout {puts "TESTING ERROR 3\n";exit} | 49 | timeout {puts "TESTING ERROR 3\n";exit} |
34 | "dest/a/b/file4" | 50 | "dest/a/b/file4" |
35 | } | 51 | } |
52 | after 100 | ||
53 | |||
54 | send -- "find dest\r" | ||
36 | expect { | 55 | expect { |
37 | timeout {puts "TESTING ERROR 4\n";exit} | 56 | timeout {puts "TESTING ERROR 4\n";exit} |
38 | "dest/a/file3" | 57 | "dest/a/file3" |
39 | } | 58 | } |
59 | after 100 | ||
60 | |||
61 | send -- "find dest\r" | ||
40 | expect { | 62 | expect { |
41 | timeout {puts "TESTING ERROR 5\n";exit} | 63 | timeout {puts "TESTING ERROR 5\n";exit} |
42 | "dest/dircopy.exp" | 64 | "dest/dircopy.exp" |
43 | } | 65 | } |
66 | after 100 | ||
67 | |||
68 | send -- "find dest\r" | ||
44 | expect { | 69 | expect { |
45 | timeout {puts "TESTING ERROR 6\n";exit} | 70 | timeout {puts "TESTING ERROR 6\n";exit} |
46 | "dest/file2" | 71 | "dest/file2" |
47 | } | 72 | } |
73 | after 100 | ||
74 | |||
75 | send -- "find dest\r" | ||
48 | expect { | 76 | expect { |
49 | timeout {puts "TESTING ERROR 7\n";exit} | 77 | timeout {puts "TESTING ERROR 7\n";exit} |
50 | "dest/file1" | 78 | "dest/file1" |
diff --git a/test/fs/private-home-dir.exp b/test/fs/private-home-dir.exp index 5491be834..f85a939b1 100755 --- a/test/fs/private-home-dir.exp +++ b/test/fs/private-home-dir.exp | |||
@@ -21,6 +21,8 @@ if {[file exists ~/.Xauthority]} { | |||
21 | send -- "touch ~/.Xauthority\r" | 21 | send -- "touch ~/.Xauthority\r" |
22 | } | 22 | } |
23 | after 100 | 23 | after 100 |
24 | send -- "rm -fr ~/_firejail_test_dir_\r" | ||
25 | after 100 | ||
24 | send -- "mkdir ~/_firejail_test_dir_\r" | 26 | send -- "mkdir ~/_firejail_test_dir_\r" |
25 | sleep 1 | 27 | sleep 1 |
26 | 28 | ||
@@ -65,6 +67,64 @@ expect { | |||
65 | "private directory should be owned by the current user" | 67 | "private directory should be owned by the current user" |
66 | } | 68 | } |
67 | sleep 1 | 69 | sleep 1 |
70 | send -- "mkdir ~/_firejail_test_dir_/test_dir_2\r" | ||
71 | after 100 | ||
72 | send -- "touch ~/_firejail_test_dir_/test_dir_2/testfile\r" | ||
73 | sleep 1 | ||
68 | 74 | ||
75 | send -- "firejail --debug --noprofile --blacklist=~/test_dir_2 --private=~/_firejail_test_dir_\r" | ||
76 | expect { | ||
77 | timeout {puts "TESTING ERROR 6\n";exit} | ||
78 | "Not blacklist" | ||
79 | } | ||
80 | expect { | ||
81 | timeout {puts "TESTING ERROR 7\n";exit} | ||
82 | "test_dir_2" | ||
83 | } | ||
84 | expect { | ||
85 | timeout {puts "TESTING ERROR 8\n";exit} | ||
86 | "Child process initialized" | ||
87 | } | ||
88 | |||
89 | sleep 1 | ||
90 | |||
91 | send -- "find ~\r" | ||
92 | expect { | ||
93 | timeout {puts "TESTING ERROR 9\n";exit} | ||
94 | "testfile" | ||
95 | } | ||
96 | after 100 | ||
97 | |||
98 | send -- "exit\r" | ||
99 | sleep 1 | ||
100 | |||
101 | send -- "firejail --debug --noprofile --allow-private-blacklist --blacklist=~/test_dir_2 --private=~/_firejail_test_dir_\r" | ||
102 | expect { | ||
103 | timeout {puts "TESTING ERROR 10\n";exit} | ||
104 | "Disable" | ||
105 | } | ||
106 | expect { | ||
107 | timeout {puts "TESTING ERROR 11\n";exit} | ||
108 | "test_dir_2" | ||
109 | } | ||
110 | expect { | ||
111 | timeout {puts "TESTING ERROR 12\n";exit} | ||
112 | "Child process initialized" | ||
113 | } | ||
114 | |||
115 | sleep 1 | ||
116 | |||
117 | send -- "ls ~/test_dir_2\r" | ||
118 | expect { | ||
119 | timeout {puts "TESTING ERROR 13\n";exit} | ||
120 | "cannot open directory" | ||
121 | } | ||
122 | after 100 | ||
123 | |||
124 | send "exit\r" | ||
125 | sleep 1 | ||
126 | |||
127 | send -- "rm -fr ~/_firejail_test_dir_\r" | ||
128 | after 100 | ||
69 | 129 | ||
70 | puts "all done\n" | 130 | puts "\nall done\n" |
diff --git a/test/fs/private-whitelist.exp b/test/fs/private-whitelist.exp index 4dadeacb1..6a1ad535c 100755 --- a/test/fs/private-whitelist.exp +++ b/test/fs/private-whitelist.exp | |||
@@ -34,6 +34,7 @@ expect { | |||
34 | "3" {puts "3\n"} | 34 | "3" {puts "3\n"} |
35 | "4" {puts "4\n"} | 35 | "4" {puts "4\n"} |
36 | "5" {puts "5\n"} | 36 | "5" {puts "5\n"} |
37 | "6" {puts "6\n"} | ||
37 | } | 38 | } |
38 | 39 | ||
39 | sleep 1 | 40 | sleep 1 |
diff --git a/test/fs/whitelist-dev.exp b/test/fs/whitelist-dev.exp index a19d5cedf..a2002bc0a 100755 --- a/test/fs/whitelist-dev.exp +++ b/test/fs/whitelist-dev.exp | |||
@@ -14,7 +14,7 @@ expect { | |||
14 | } | 14 | } |
15 | sleep 1 | 15 | sleep 1 |
16 | 16 | ||
17 | send -- "ls -l /dev | find /dev | wc -l\r" | 17 | send -- "find /dev | wc -l\r" |
18 | expect { | 18 | expect { |
19 | timeout {puts "TESTING ERROR 1\n";exit} | 19 | timeout {puts "TESTING ERROR 1\n";exit} |
20 | "2" | 20 | "2" |
@@ -23,17 +23,17 @@ after 100 | |||
23 | send -- "exit\r" | 23 | send -- "exit\r" |
24 | sleep 1 | 24 | sleep 1 |
25 | 25 | ||
26 | send -- "firejail --whitelist=/var/tmp --debug\r" | 26 | send -- "firejail --private-dev --debug\r" |
27 | expect { | 27 | expect { |
28 | timeout {puts "TESTING ERROR 0\n";exit} | 28 | timeout {puts "TESTING ERROR 2\n";exit} |
29 | "Child process initialized" | 29 | "Child process initialized" |
30 | } | 30 | } |
31 | sleep 1 | 31 | sleep 1 |
32 | 32 | ||
33 | send -- "ls -l /dev | find /dev | wc -l\r" | 33 | send -- "ls -l /dev | wc -l\r" |
34 | expect { | 34 | expect { |
35 | timeout {puts "TESTING ERROR 1\n";exit} | 35 | timeout {puts "TESTING ERROR 3\n";exit} |
36 | "2" | 36 | "13" |
37 | } | 37 | } |
38 | after 100 | 38 | after 100 |
39 | send -- "exit\r" | 39 | send -- "exit\r" |
diff --git a/test/utils/cpu-print.exp b/test/utils/cpu-print.exp index ca2e57313..0a6f46102 100755 --- a/test/utils/cpu-print.exp +++ b/test/utils/cpu-print.exp | |||
@@ -7,18 +7,34 @@ set timeout 10 | |||
7 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
8 | match_max 100000 | 8 | match_max 100000 |
9 | 9 | ||
10 | send -- "firejail --name=test --cpu=1,2\r" | 10 | send -- "firejail --name=test --cpu=0\r" |
11 | expect { | 11 | expect { |
12 | timeout {puts "TESTING ERROR 0\n";exit} | 12 | timeout {puts "TESTING ERROR 0\n";exit} |
13 | "Child process initialized" | 13 | "Child process initialized" |
14 | } | 14 | } |
15 | sleep 2 | 15 | sleep 1 |
16 | send -- "cat /proc/self/status | grep Cpus\r" | ||
17 | expect { | ||
18 | timeout {puts "TESTING ERROR 1\n";exit} | ||
19 | "Cpus_allowed_list: 0" | ||
20 | } | ||
21 | after 100 | ||
22 | send -- "exit\r" | ||
23 | sleep 1 | ||
24 | |||
25 | |||
26 | send -- "firejail --name=test --cpu=1\r" | ||
27 | expect { | ||
28 | timeout {puts "TESTING ERROR 1\n";exit} | ||
29 | "Child process initialized" | ||
30 | } | ||
31 | sleep 1 | ||
16 | 32 | ||
17 | spawn $env(SHELL) | 33 | spawn $env(SHELL) |
18 | send -- "firejail --cpu.print=test\r" | 34 | send -- "firejail --cpu.print=test\r" |
19 | expect { | 35 | expect { |
20 | timeout {puts "TESTING ERROR 1\n";exit} | 36 | timeout {puts "TESTING ERROR 2\n";exit} |
21 | "Cpus_allowed_list: 1-2" | 37 | "Cpus_allowed_list: 1" |
22 | } | 38 | } |
23 | after 100 | 39 | after 100 |
24 | puts "\nall done\n" | 40 | puts "\nall done\n" |
diff --git a/test/utils/trace.exp b/test/utils/trace.exp index 78a04b273..eedc0f23f 100755 --- a/test/utils/trace.exp +++ b/test/utils/trace.exp | |||
@@ -53,15 +53,15 @@ expect { | |||
53 | sleep 1 | 53 | sleep 1 |
54 | 54 | ||
55 | send -- "firejail --trace wget -q debian.org\r" | 55 | send -- "firejail --trace wget -q debian.org\r" |
56 | expect { | 56 | #expect { |
57 | timeout {puts "TESTING ERROR 8.1\n";exit} | 57 | # timeout {puts "TESTING ERROR 8.1\n";exit} |
58 | "Child process initialized" | 58 | # "Child process initialized" |
59 | } | 59 | #} |
60 | expect { | 60 | #expect { |
61 | timeout {puts "TESTING ERROR 8.2\n";exit} | 61 | # timeout {puts "TESTING ERROR 8.2\n";exit} |
62 | "bash:open /dev/tty" {puts "OK\n";} | 62 | # "bash:open /dev/tty" {puts "OK\n";} |
63 | "bash:open64 /dev/tty" {puts "OK\n";} | 63 | # "bash:open64 /dev/tty" {puts "OK\n";} |
64 | } | 64 | #} |
65 | expect { | 65 | expect { |
66 | timeout {puts "TESTING ERROR 8.3\n";exit} | 66 | timeout {puts "TESTING ERROR 8.3\n";exit} |
67 | "wget:fopen64 /etc/wgetrc" {puts "OK\n";} | 67 | "wget:fopen64 /etc/wgetrc" {puts "OK\n";} |