-rw-r--r-- | .github/workflows/codeql-analysis.yml | 6 | ||||
-rw-r--r-- | Makefile | 5 | ||||
-rw-r--r-- | README | 2 | ||||
-rw-r--r-- | README.md | 39 | ||||
-rw-r--r-- | RELNOTES | 7 | ||||
-rw-r--r-- | config.sh.in | 8 | ||||
-rw-r--r-- | contrib/vim/syntax/firejail.vim | 2 | ||||
-rw-r--r-- | etc/profile-a-l/audacity.profile | 3 | ||||
-rw-r--r-- | etc/profile-a-l/gdu.profile | 46 | ||||
-rw-r--r-- | etc/profile-m-z/makepkg.profile | 1 | ||||
-rw-r--r-- | etc/profile-m-z/neomutt.profile | 20 | ||||
-rw-r--r-- | etc/profile-m-z/vmware.profile | 2 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 1 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 9 | ||||
-rw-r--r-- | src/firejail/profile.c | 11 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 2 | ||||
-rw-r--r-- | src/firejail/usage.c | 4 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 6 | ||||
-rw-r--r-- | src/man/firejail.txt | 19 | ||||
-rw-r--r-- | src/zsh_completion/_firejail.in | 3 |
21 files changed, 159 insertions, 38 deletions
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 4f8f7e4fc..e5e86d8e0 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml | |||
@@ -53,7 +53,7 @@ jobs: | |||
53 | 53 | ||
54 | # Initializes the CodeQL tools for scanning. | 54 | # Initializes the CodeQL tools for scanning. |
55 | - name: Initialize CodeQL | 55 | - name: Initialize CodeQL |
56 | uses: github/codeql-action/init@0c670bbf0414f39666df6ce8e718ec5662c21e03 | 56 | uses: github/codeql-action/init@2ca79b6fa8d3ec278944088b4aa5f46912db5d63 |
57 | with: | 57 | with: |
58 | languages: ${{ matrix.language }} | 58 | languages: ${{ matrix.language }} |
59 | # If you wish to specify custom queries, you can do so here or in a config file. | 59 | # If you wish to specify custom queries, you can do so here or in a config file. |
@@ -64,7 +64,7 @@ jobs: | |||
64 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). | 64 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). |
65 | # If this step fails, then you should remove it and run the build manually (see below) | 65 | # If this step fails, then you should remove it and run the build manually (see below) |
66 | - name: Autobuild | 66 | - name: Autobuild |
67 | uses: github/codeql-action/autobuild@0c670bbf0414f39666df6ce8e718ec5662c21e03 | 67 | uses: github/codeql-action/autobuild@2ca79b6fa8d3ec278944088b4aa5f46912db5d63 |
68 | 68 | ||
69 | # ℹ️ Command-line programs to run using the OS shell. | 69 | # ℹ️ Command-line programs to run using the OS shell. |
70 | # 📚 https://git.io/JvXDl | 70 | # 📚 https://git.io/JvXDl |
@@ -78,4 +78,4 @@ jobs: | |||
78 | # make release | 78 | # make release |
79 | 79 | ||
80 | - name: Perform CodeQL Analysis | 80 | - name: Perform CodeQL Analysis |
81 | uses: github/codeql-action/analyze@0c670bbf0414f39666df6ce8e718ec5662c21e03 | 81 | uses: github/codeql-action/analyze@2ca79b6fa8d3ec278944088b4aa5f46912db5d63 |
@@ -179,8 +179,8 @@ uninstall: config.mk | |||
179 | rm -f $(DESTDIR)$(bindir)/firejail | 179 | rm -f $(DESTDIR)$(bindir)/firejail |
180 | rm -f $(DESTDIR)$(bindir)/firemon | 180 | rm -f $(DESTDIR)$(bindir)/firemon |
181 | rm -f $(DESTDIR)$(bindir)/firecfg | 181 | rm -f $(DESTDIR)$(bindir)/firecfg |
182 | rm -f $(DESTDIR)$(bindir)/jailcheck | ||
182 | rm -fr $(DESTDIR)$(libdir)/firejail | 183 | rm -fr $(DESTDIR)$(libdir)/firejail |
183 | rm -fr $(DESTDIR)$(libdir)/jailcheck | ||
184 | rm -fr $(DESTDIR)$(datarootdir)/doc/firejail | 184 | rm -fr $(DESTDIR)$(datarootdir)/doc/firejail |
185 | for man in $(MANPAGES); do \ | 185 | for man in $(MANPAGES); do \ |
186 | rm -f $(DESTDIR)$(mandir)/man5/$$man*; \ | 186 | rm -f $(DESTDIR)$(mandir)/man5/$$man*; \ |
@@ -189,6 +189,9 @@ uninstall: config.mk | |||
189 | rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail | 189 | rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail |
190 | rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon | 190 | rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon |
191 | rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg | 191 | rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg |
192 | rm -f $(DESTDIR)$(datarootdir)/zsh/site-functions/_firejail | ||
193 | rm -f $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect/firejail.vim | ||
194 | rm -f $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax/firejail.vim | ||
192 | @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038." | 195 | @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038." |
193 | 196 | ||
194 | DISTFILES = \ | 197 | DISTFILES = \ |
@@ -182,6 +182,8 @@ avoidr (https://github.com/avoidr) | |||
182 | - added mcabber profile | 182 | - added mcabber profile |
183 | - fixed mpv profile | 183 | - fixed mpv profile |
184 | - various other fixes | 184 | - various other fixes |
185 | Азалия Смарагдова/ChrysoliteAzalea (https://github.com/ChrysoliteAzalea) | ||
186 | - add support for custom AppArmor profiles (--apparmor=) | ||
185 | backspac (https://github.com/backspac) | 187 | backspac (https://github.com/backspac) |
186 | - firecfg fixes | 188 | - firecfg fixes |
187 | - add steam-runtime alias | 189 | - add steam-runtime alias |
@@ -182,6 +182,43 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
182 | 182 | ||
183 | Milestone page: https://github.com/netblue30/firejail/milestone/1 | 183 | Milestone page: https://github.com/netblue30/firejail/milestone/1 |
184 | 184 | ||
185 | ### Restrict namespaces | ||
186 | |||
187 | ````` | ||
188 | --restrict-namespaces | ||
189 | Install a seccomp filter that blocks attempts to create new | ||
190 | cgroup, ipc, net, mount, pid, time, user or uts namespaces. | ||
191 | |||
192 | Example: | ||
193 | $ firejail --restrict-namespaces | ||
194 | |||
195 | --restrict-namespaces=cgroup,ipc,net,mnt,pid,time,user,uts | ||
196 | Install a seccomp filter that blocks attempts to create any of | ||
197 | the specified namespaces. The filter examines the arguments of | ||
198 | clone, unshare and setns system calls and returns error EPERM to | ||
199 | the process (or kills it or logs the attempt, see --seccomp-er‐ | ||
200 | ror-action below) if necessary. Note that the filter is not able | ||
201 | to examine the arguments of clone3 system calls, and always re‐ | ||
202 | sponds to these calls with error ENOSYS. | ||
203 | |||
204 | Example: | ||
205 | $ firejail --restrict-namespaces=user,net | ||
206 | ````` | ||
207 | |||
208 | #### Support for custom AppArmor profiles | ||
209 | |||
210 | ````` | ||
211 | --apparmor | ||
212 | Enable AppArmor confinement with the "firejail-default" AppArmor | ||
213 | profile. For more information, please see APPARMOR section be‐ | ||
214 | low. | ||
215 | |||
216 | --apparmor=profile_name | ||
217 | Enable AppArmor confinement with a custom AppArmor profile. | ||
218 | Note that profile in question must already be loaded into the | ||
219 | kernel. For more information, please see APPARMOR section be‐ | ||
220 | ````` | ||
221 | |||
185 | ### Profile Statistics | 222 | ### Profile Statistics |
186 | 223 | ||
187 | A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. | 224 | A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. |
@@ -221,4 +258,4 @@ Stats: | |||
221 | 258 | ||
222 | ### New profiles: | 259 | ### New profiles: |
223 | 260 | ||
224 | onionshare, onionshare-cli, opera-developer, songrec | 261 | onionshare, onionshare-cli, opera-developer, songrec, gdu |
@@ -1,7 +1,10 @@ | |||
1 | firejail (0.9.71) baseline; urgency=low | 1 | firejail (0.9.71) baseline; urgency=low |
2 | * work in progress | 2 | * work in progress |
3 | * feat: On failing to remount a fuse filesystem, give warning instead of | 3 | * feature: restrict namespaces (--restrict-namespaces) inplemented as |
4 | * erroring out (#5240 #5242) | 4 | a seccomp filter for both 64 and 32 bit architectures |
5 | * feature: On failing to remount a fuse filesystem, give warning instead of | ||
6 | erroring out (#5240 #5242) | ||
7 | * feature: support for custom AppArmor profiles (--apparmor=) (#5274) | ||
5 | * build: deduplicate configure-time vars into new config files (#5140) | 8 | * build: deduplicate configure-time vars into new config files (#5140) |
6 | * build: fix file mode of shell scripts (644 -> 755) (#5206) | 9 | * build: fix file mode of shell scripts (644 -> 755) (#5206) |
7 | * build: reduce autoconf input files from 32 to 2 (#5219) | 10 | * build: reduce autoconf input files from 32 to 2 (#5219) |
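--- a/config.sh.in
+++ b/config.sh.in
@@ -1,3 +1,7 @@
 # @configure_input@
-NAME=@PACKAGE_NAME@
-VERSION=@PACKAGE_VERSION@
+#
+# shellcheck shell=sh
+# shellcheck disable=SC2034
+
+NAME="@PACKAGE_NAME@"
+VERSION="@PACKAGE_VERSION@"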
diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim index 9099a0808..0c8ebdbd8 100644 --- a/contrib/vim/syntax/firejail.vim +++ b/contrib/vim/syntax/firejail.vim | |||
@@ -52,7 +52,7 @@ syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES | |||
52 | 52 | ||
53 | " Commands grabbed from: src/firejail/profile.c | 53 | " Commands grabbed from: src/firejail/profile.c |
54 | " Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|restrict-namespaces|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword) | 54 | " Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|restrict-namespaces|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword) |
55 | syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained | 55 | syn match fjCommand /\v(apparmor|bind|blacklist|blacklist-nolog|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained |
56 | " Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below | 56 | " Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below |
57 | syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-fd|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained | 57 | syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-fd|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained |
58 | syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained | 58 | syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained |
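--- a/etc/profile-a-l/audacity.profile
+++ b/etc/profile-a-l/audacity.profile
@@ -20,7 +20,8 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
-apparmor
+## Enabling App Armor appears to break some Fedora / Arch installs
+#apparmor
 caps.drop all
 net none
 no3d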
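Review bot: Commenting out `apparmor` drops the AppArmor layer for every user of this profile, including installs where it reportedly works, and the replacement comment does not tell those users how to get it back. The convention this same commit uses in vmware.profile ("Add the next line to your vmware.local to enable private-bin") would make the opt-in explicit: `# Add the next line to your audacity.local to enable AppArmor (it breaks some Fedora/Arch installs).` followed by `#apparmor`. The new comment also spells it "App Armor" while the rest of the tree writes "AppArmor".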
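--- /dev/null
+++ b/etc/profile-a-l/gdu.profile
@@ -0,0 +1,46 @@
+# Firejail profile for gdu
+# Description: Fast disk usage analyzer with console interface
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gdu.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-exec.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+# block the socket syscall to simulate an be empty protocol line, see #639
+seccomp socket
+seccomp.block-secondary
+x11 none
+
+private-dev
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+
+# gdu has built-in delete (d), empty (e) dir/file support and shell spawning (b) features.
+# Depending on workflow and use case the sandbox can be hardened by adding the
+# lines below to your gdu.local if you don't need/want these functionalities.
+#include disable-shell.inc
+#private-bin gdu
+#read-only ${HOME}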
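Review bot: The comment above `seccomp socket` is garbled ("to simulate an be empty protocol line"); suggest `# Block the socket syscall to simulate an empty protocol line, see #639`. The profile also leaves out the disable-common.inc/disable-programs.inc/disable-xdg.inc includes that the other profiles in this tree carry (neomutt.profile in this same commit includes disable-xdg.inc, for instance), presumably because gdu has to traverse the whole home directory to report sizes. Since the trailing comment says gdu can spawn a shell (b) inside the sandbox, whatever those includes would have hidden stays reachable from that shell, so a one-line comment stating that the omission is deliberate, plus `#include disable-common.inc` among the optional hardening lines at the bottom, would keep the trade-off visible to the next maintainer.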
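--- a/etc/profile-m-z/makepkg.profile
+++ b/etc/profile-m-z/makepkg.profile
@@ -1,4 +1,5 @@
 # Firejail profile for makepkg
+# Description: A utility to automate the building of Arch Linux packages
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations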
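--- a/etc/profile-m-z/neomutt.profile
+++ b/etc/profile-m-z/neomutt.profile
@@ -50,31 +50,11 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.Mail
-mkdir ${HOME}/.bogofilter
-mkdir ${HOME}/.config/mutt
-mkdir ${HOME}/.config/nano
-mkdir ${HOME}/.config/neomutt
-mkdir ${HOME}/.elinks
-mkdir ${HOME}/.emacs.d
-mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.mail
-mkdir ${HOME}/.mutt
-mkdir ${HOME}/.neomutt
-mkdir ${HOME}/.vim
-mkdir ${HOME}/.w3m
 mkdir ${HOME}/Mail
 mkdir ${HOME}/mail
 mkdir ${HOME}/postponed
 mkdir ${HOME}/sent
-mkfile ${HOME}/.emacs
-mkfile ${HOME}/.mailcap
-mkfile ${HOME}/.msmtprc
-mkfile ${HOME}/.muttrc
-mkfile ${HOME}/.nanorc
-mkfile ${HOME}/.neomuttrc
-mkfile ${HOME}/.signature
-mkfile ${HOME}/.viminfo
-mkfile ${HOME}/.vimrc
 whitelist ${DOCUMENTS}
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.Mail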
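--- a/etc/profile-m-z/vmware.profile
+++ b/etc/profile-m-z/vmware.profile
@@ -38,6 +38,6 @@ tracelog
 #disable-mnt
 # Add the next line to your vmware.local to enable private-bin.
 #private-bin env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-*
-private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
+private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mtab,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
 dbus-user none
 dbus-system none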
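--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -289,6 +289,7 @@ gapplication
 gcalccmd
 gcloud
 gconf-editor
+gdu
 geany
 geary
 gedit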
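--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -338,6 +338,7 @@ extern int arg_writable_run_user; // writable /run/user
 extern int arg_writable_var_log; // writable /var/log
 extern int arg_appimage; // appimage
 extern int arg_apparmor; // apparmor
+extern char *apparmor_profile; // apparmor profile
 extern int arg_allow_debuggers; // allow debuggers
 extern int arg_x11_block; // block X11
 extern int arg_x11_xorg; // use X11 security extension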
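Review bot: `apparmor_profile` is declared as a mutable `char *` although, in this commit, it only ever receives string literals ("firejail-default" in main.c and profile.c), an argv pointer, or a strdup() copy, and is only read by aa_stack_onexec(); `extern const char *apparmor_profile;` (with the matching definition in main.c) would let the compiler reject any later attempt to modify the literal in place. The trailing comment could also say what the unset state means, e.g. `// AppArmor profile name stacked onto the sandbox; NULL unless arg_apparmor is set`.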
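--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -133,6 +133,7 @@ int arg_writable_run_user = 0; // writable /run/user
 int arg_writable_var_log = 0; // writable /var/log
 int arg_appimage = 0; // appimage
 int arg_apparmor = 0; // apparmor
+char *apparmor_profile = NULL; // apparmor profile
 int arg_allow_debuggers = 0; // allow debuggers
 int arg_x11_block = 0; // block X11
 int arg_x11_xorg = 0; // use X11 security extension
@@ -1287,8 +1288,14 @@ int main(int argc, char **argv, char **envp) {
 // filtering
 //*************************************
 #ifdef HAVE_APPARMOR
-else if (strcmp(argv[i], "--apparmor") == 0)
+else if (strcmp(argv[i], "--apparmor") == 0) {
 arg_apparmor = 1;
+apparmor_profile = "firejail-default";
+}
+else if (strncmp(argv[i], "--apparmor=", 11) == 0) {
+arg_apparmor = 1;
+apparmor_profile = argv[i] + 11;
+}
 #endif
 else if (strncmp(argv[i], "--protocol=", 11) == 0) {
 if (checkcfg(CFG_SECCOMP)) {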
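Review bot: `--apparmor=` with nothing after the `=` is accepted by the new branch and leaves `apparmor_profile` pointing at an empty string, which only surfaces later in set_apparmor() (sandbox.c in this same commit) as a warning after aa_stack_onexec() fails, so the sandbox keeps running with no AppArmor confinement at all. The value should be validated where it is parsed, as the other `--option=` branches presumably are: `if (*(argv[i] + 11) == '\0') { fprintf(stderr, "Error: invalid --apparmor option\n"); exit(1); }`. Whether a name that is not loaded in the kernel should be fatal is a question for set_apparmor(), but a user who typed the option explicitly is unlikely to want a silent fall-back to an unconfined sandbox. The enclosing main() starts and ends outside this hunk.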
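--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -939,6 +939,17 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 if (strcmp(ptr, "apparmor") == 0) {
 #ifdef HAVE_APPARMOR
 arg_apparmor = 1;
+apparmor_profile = "firejail-default";
+#endif
+return 0;
+}
+
+if (strncmp(ptr, "apparmor ", 9) == 0) {
+#ifdef HAVE_APPARMOR
+arg_apparmor = 1;
+apparmor_profile = strdup(ptr + 9);
+if (!apparmor_profile)
+errExit("strdup");
 #endif
 return 0;
 }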
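Review bot: The new `apparmor ` branch stores whatever follows the keyword without checking it, so a line with several words (or, unless the caller already trims trailing whitespace, a bare `apparmor ` line) becomes a bogus profile name that only fails later in set_apparmor() (sandbox.c in this commit) as a warning, leaving the sandbox without AppArmor confinement. A parse-time check using the lineno/fname the function already receives would reject it where the user can see it: `if (*(ptr + 9) == '\0' || strchr(ptr + 9, ' ')) { fprintf(stderr, "Error: invalid apparmor line %d in %s\n", lineno, fname); exit(1); }`. A repeated `apparmor name` line also leaks the previous strdup() result, harmless in a one-shot parser but worth a short comment. profile_check_line() begins before this hunk.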
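--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -130,7 +130,7 @@ static void set_caps(void) {
 static void set_apparmor(void) {
 EUID_ASSERT();
 if (checkcfg(CFG_APPARMOR) && arg_apparmor) {
-if (aa_change_onexec("firejail-default")) {
+if (aa_stack_onexec(apparmor_profile)) {
 fwarning("Cannot confine the application using AppArmor.\n"
 "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n"
 "As root, run \"aa-enforce firejail-default\" to load it.\n");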
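Review bot: The warning on the three lines after the changed call still names firejail-default, but the call now stacks whatever `apparmor_profile` holds, so a user who passed `--apparmor=foo` is told to run `aa-enforce firejail-default`; assuming fwarning() is printf-style as the existing call suggests, the message should use the variable: `"Maybe the %s AppArmor profile is not loaded into the kernel.\n" "As root, run \"aa-enforce %s\" to load it.\n", apparmor_profile, apparmor_profile);`. The switch from aa_change_onexec() to aa_stack_onexec() is also a semantic change — per the libapparmor documentation the named profile is stacked onto (intersected with) any confinement firejail is already under rather than replacing it, which is the more restrictive direction but is not mentioned in the RELNOTES entry and deserves a one-line comment above the call. Finally, this path is fail-open: after the warning the sandbox continues with no AppArmor profile, which for an explicitly requested custom profile is probably not what the user wants, so consider treating the failure as fatal when a non-default profile was named. set_apparmor() continues past the end of this hunk.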
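--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -30,7 +30,9 @@ static char *usage_str =
 " -- - signal the end of options and disables further option processing.\n"
 " --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n"
 " --allusers - all user home directories are visible inside the sandbox.\n"
-" --apparmor - enable AppArmor confinement.\n"
+" --apparmor - enable AppArmor confinement with the default profile.\n"
+" --apparmor=profile_name - enable AppArmor confinement with a\n"
+"\tcustom profile.\n"
 " --apparmor.print=name|pid - print apparmor status.\n"
 " --appimage - sandbox an AppImage application.\n"
 #ifdef HAVE_NETWORK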
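--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -478,7 +478,11 @@ Allow tools such as strace and gdb inside the sandbox by whitelisting system cal
 #ifdef HAVE_APPARMOR
 .TP
 \fBapparmor
-Enable AppArmor confinement.
+Enable AppArmor confinement with the "firejail-default" AppArmor profile.
+.TP
+\fBapparmor profile_name
+Enable AppArmor confinement with a custom AppArmor profile.
+Note that the profile in question must already be loaded into the kernel.
 #endif
 .TP
 \fBcaps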
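--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -67,6 +67,17 @@ Firejail allows the user to manage application security using security profiles.
 Each profile defines a set of permissions for a specific application or group
 of applications. The software includes security profiles for a number of more common
 Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.
+.\" TODO: Explain the security/usability tradeoffs from #4601.
+.PP
+Firejail is currently implemented as an SUID binary, which means that if a
+malicious or compromised user account manages to exploit a bug in Firejail,
+that could ultimately lead to a privilege escalation to root.
+To mitigate this, it is recommended to only allow trusted users to run firejail
+(see firejail-users(5) for details on how to achieve that).
+For more details on the security/usability tradeoffs of Firejail, see:
+.UR https://github.com/netblue30/firejail/discussions/4601
+#4601
+.UE
 .PP
 Alternative sandbox technologies like snap (https://snapcraft.io/) and flatpak (https://flatpak.org/)
 are not supported. Snap and flatpak packages have their own native management tools and will
@@ -122,7 +133,13 @@ $ firejail --allusers
 #ifdef HAVE_APPARMOR
 .TP
 \fB\-\-apparmor
-Enable AppArmor confinement. For more information, please see \fBAPPARMOR\fR section below.
+Enable AppArmor confinement with the "firejail-default" AppArmor profile.
+For more information, please see \fBAPPARMOR\fR section below.
+.TP
+\fB\-\-apparmor=profile_name
+Enable AppArmor confinement with a custom AppArmor profile.
+Note that profile in question must already be loaded into the kernel.
+For more information, please see \fBAPPARMOR\fR section below.
 .TP
 \fB\-\-apparmor.print=name|pid
 Print the AppArmor confinement status for the sandbox identified by name or by PID.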
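--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -171,7 +171,8 @@ _firejail_args=(
 '--writable-var-log[use the real /var/log directory, not a clone]'
 
 #ifdef HAVE_APPARMOR
-'--apparmor[enable AppArmor confinement]'
+'--apparmor[enable AppArmor confinement with the default profile]'
+'--apparmor=-[enable AppArmor confinement with a custom profile]: :'
 '--apparmor.print=-[print apparmor status name|pid]:firejail:_all_firejails'
 #endif
 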