6 files changed, 156 insertions, 9 deletions
diff --git a/README b/README
index bf5fcf041..a4f8497e8 100644
--- a/README
+++ b/README
@@ -245,6 +245,8 @@ Ivan Kozik (https://github.com/ivan)
        - speed up sandbox exit
 Jaykishan Mutkawoa (https://github.com/jmutkawoa)
        - cpio profile
+James Elford (https://github.com/jelford)
+        - pass password manager support
 Jericho (https://github.com/attritionorg)
        - spelling
 Jesse Smith (https://github.com/slicer69)
@@ -293,6 +295,9 @@ mahdi1234 (https://github.com/mahdi1234)
 Martin Carpenter (https://github.com/mcarpenter)
        - security audit and bug fixes
        - Centos 6.x support
+Martin Dosch (spam-debian@mdosch.de)
+        - support for gnome-shell integration addon in Firefox
+          (Bug-Debian: https://bugs.debian.org/872720)
 Matt Parnell (https://github.com/ilikenwf)
        - whitelisting for core firefox related functionality
 Mattias Wadman (https://github.com/wader)
diff --git a/README.md b/README.md
index 8372841a5..dd616f8a4 100644
--- a/README.md
+++ b/README.md
@@ -168,6 +168,12 @@ Check the status of the latest build here: https://travis-ci.org/netblue30/firej
                 48 pts/0    00:00:00 ps
              $
+       --seccomp.block_secondary
+              Enable seccomp filter and filter system call  architectures  so
+              that  only  the native architecture is allowed. For example, on
+              amd64, i386 and x32 system calls are blocked as well as  chang‐
+              ing the execution domain with personality(2) system call.
 `````
 ## /etc/firejail/firejail.config
diff --git a/RELNOTES b/RELNOTES
index 56e9cce35..7b0f13737 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -3,18 +3,22 @@ firejail (0.9.49) baseline; urgency=low
  * modif: --output split in two commands, --output and --output-stderr
  * feature: per-profile disable-mnt (--disable-mnt)
  * feature: per-profile support to set X11 Xephyr screen size (--xephyr-screen)
-  * feature: --memory-deny-write-execute seccomp feature
  * feature: private /lib directory (--private-lib)
  * feature: disable CDROM/DVD drive (--nodvd)
  * feature: disable DVB devices (--notv)
  * enhancement: print all seccomp filters under --debug
  * enhancement: /proc/sys mounting
-  * enhancement: default seccomp list update
  * enhancement: rework IP address assingment for --net options
  * enhancement: support for newer Xpra versions (2.1+) -
     set "xpra-attach yes" in /etc/firejail/firejail.config
  * enhancement: all profiles use a standard layout style
  * enhancement: create /usr/local for firecfg if the directory doesn't exist
+  * seccomp feature: --memory-deny-write-execute
+  * seccomp feature: seccomp post-exec
+  * seccomp feature: block secondary architecture (--seccomp.block_secondary)
+  * seccomp feature: seccomp syscall groups
+  * seccomp enhancement: print all seccomp filters under --debug
+  * seccomp enhancement: default seccomp list update
  * new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite,
  * new profiles: Geary, Liferea, peek, silentarmy, IntelliJ IDEA,
  * new profiles: Android Studio, electron, riot-web, Extreme Tux Racer,
diff --git a/test/filters/block-secondary.profile b/test/filters/block-secondary.profile
new file mode 100644
index 000000000..e32056c3d
--- /dev/null
+++ b/test/filters/block-secondary.profile
@@ -0,0 +1 @@
+seccomp.block-secondary
diff --git a/test/filters/filters.sh b/test/filters/filters.sh
index 611580612..3ebb61419 100755
--- a/test/filters/filters.sh
+++ b/test/filters/filters.sh
@@ -54,8 +54,12 @@ fi
 echo "TESTING: seccomp bad empty (test/filters/seccomp-bad-empty.exp)"
 ./seccomp-bad-empty.exp
-echo "TESTING: seccomp debug  (test/filters/seccomp-debug.exp)"
+if [ "$(uname -m)" = "x86_64" ]; then
-./seccomp-debug.exp
+        echo "TESTING: seccomp debug  (test/filters/seccomp-debug.exp)"
+        ./seccomp-debug.exp
+else
+        echo "TESTING SKIP: protocol, running only on x86_64"
+fi
 echo "TESTING: seccomp errno (test/filters/seccomp-errno.exp)"
 ./seccomp-errno.exp
diff --git a/test/filters/seccomp-debug.exp b/test/filters/seccomp-debug.exp
index a95f3bd23..7f03e45e8 100755
--- a/test/filters/seccomp-debug.exp
+++ b/test/filters/seccomp-debug.exp
@@ -7,25 +7,152 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send --  "firejail --seccomp --debug\r"
+send --  "firejail --debug sleep 1; echo done\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "SECCOMP Filter"
 }
 expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
+        timeout {puts "TESTING ERROR 1\n";exit}
        "BLACKLIST"
 }
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
+        timeout {puts "TESTING ERROR 2\n";exit}
        "open_by_handle_at"
 }
 expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Child process initialized"
+}
+expect {
        timeout {puts "TESTING ERROR 4\n";exit}
+        "done"
+}
+after 100
+# amd64 architecture
+send --  "firejail --debug sleep 1; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
        "Child process initialized"
 }
-sleep 2
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "Installing /run/firejail/mnt/seccomp seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "Installing /run/firejail/mnt/seccomp.i386 seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "done"
+}
+after 100
-send -- "exit\r"
+# amd64 architecture - ignore seccomp
+send --  "firejail --debug --ignore=seccomp sleep 1; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit}
+        "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 12\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 14\n";exit}
+        "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 15\n";exit}
+        "Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 16\n";exit}
+        "done"
+}
 after 100
+# amd64 architecture - ignore protocol
+send --  "firejail --debug --ignore=protocol sleep 1; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 17\n";exit}
+        "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 18\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 19\n";exit}
+        "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 20\n";exit}
+        "Installing /run/firejail/mnt/seccomp seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 21\n";exit}
+        "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 22\n";exit}
+        "Installing /run/firejail/mnt/seccomp.i386 seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 23\n";exit}
+        "done"
+}
+after 100
+# memory-deny-write-execute
+send --  "firejail --debug --memory-deny-write-execute sleep 1; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 24\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 25\n";exit}
+        "Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 26\n";exit}
+        "done"
+}
+# amd64 architecture - seccomp.block-secondary
+send --  "firejail --debug --seccomp.block-secondary sleep 1; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 27\n";exit}
+        "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 28\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 29\n";exit}
+        "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 30\n";exit}
+        "Installing /run/firejail/mnt/seccomp seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 31\n";exit}
+        "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 32\n";exit}
+        "Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 33\n";exit}
+        "done"
+}
+after 100
+# amd64 architecture - seccomp.block-secondary, profile
+send --  "firejail --debug --profile=block-secondary.profile sleep 1; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 33\n";exit}
+        "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 34\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 35\n";exit}
+        "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 35\n";exit}
+        "Installing /run/firejail/mnt/seccomp seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 37\n";exit}
+        "done"
+}
+after 100
 puts "all done\n"

diff --git a/README b/README index bf5fcf041..a4f8497e8 100644 --- a/README +++ b/README
@@ -245,6 +245,8 @@ Ivan Kozik (https://github.com/ivan)
245	- speed up sandbox exit	245	- speed up sandbox exit
246	Jaykishan Mutkawoa (https://github.com/jmutkawoa)	246	Jaykishan Mutkawoa (https://github.com/jmutkawoa)
247	- cpio profile	247	- cpio profile
		248	James Elford (https://github.com/jelford)
		249	- pass password manager support
248	Jericho (https://github.com/attritionorg)	250	Jericho (https://github.com/attritionorg)
249	- spelling	251	- spelling
250	Jesse Smith (https://github.com/slicer69)	252	Jesse Smith (https://github.com/slicer69)
@@ -293,6 +295,9 @@ mahdi1234 (https://github.com/mahdi1234)
293	Martin Carpenter (https://github.com/mcarpenter)	295	Martin Carpenter (https://github.com/mcarpenter)
294	- security audit and bug fixes	296	- security audit and bug fixes
295	- Centos 6.x support	297	- Centos 6.x support
		298	Martin Dosch (spam-debian@mdosch.de)
		299	- support for gnome-shell integration addon in Firefox
		300	(Bug-Debian: https://bugs.debian.org/872720)
296	Matt Parnell (https://github.com/ilikenwf)	301	Matt Parnell (https://github.com/ilikenwf)
297	- whitelisting for core firefox related functionality	302	- whitelisting for core firefox related functionality
298	Mattias Wadman (https://github.com/wader)	303	Mattias Wadman (https://github.com/wader)


diff --git a/README.md b/README.md index 8372841a5..dd616f8a4 100644 --- a/README.md +++ b/README.md
@@ -168,6 +168,12 @@ Check the status of the latest build here: https://travis-ci.org/netblue30/firej
168	48 pts/0 00:00:00 ps	168	48 pts/0 00:00:00 ps
169	$	169	$
170		170
		171	--seccomp.block_secondary
		172	Enable seccomp filter and filter system call architectures so
		173	that only the native architecture is allowed. For example, on
		174	amd64, i386 and x32 system calls are blocked as well as chang‐
		175	ing the execution domain with personality(2) system call.
		176
171	`````	177	`````
172		178
173	## /etc/firejail/firejail.config	179	## /etc/firejail/firejail.config


diff --git a/RELNOTES b/RELNOTES index 56e9cce35..7b0f13737 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -3,18 +3,22 @@ firejail (0.9.49) baseline; urgency=low
3	* modif: --output split in two commands, --output and --output-stderr	3	* modif: --output split in two commands, --output and --output-stderr
4	* feature: per-profile disable-mnt (--disable-mnt)	4	* feature: per-profile disable-mnt (--disable-mnt)
5	* feature: per-profile support to set X11 Xephyr screen size (--xephyr-screen)	5	* feature: per-profile support to set X11 Xephyr screen size (--xephyr-screen)
6	* feature: --memory-deny-write-execute seccomp feature
7	* feature: private /lib directory (--private-lib)	6	* feature: private /lib directory (--private-lib)
8	* feature: disable CDROM/DVD drive (--nodvd)	7	* feature: disable CDROM/DVD drive (--nodvd)
9	* feature: disable DVB devices (--notv)	8	* feature: disable DVB devices (--notv)
10	* enhancement: print all seccomp filters under --debug	9	* enhancement: print all seccomp filters under --debug
11	* enhancement: /proc/sys mounting	10	* enhancement: /proc/sys mounting
12	* enhancement: default seccomp list update
13	* enhancement: rework IP address assingment for --net options	11	* enhancement: rework IP address assingment for --net options
14	* enhancement: support for newer Xpra versions (2.1+) -	12	* enhancement: support for newer Xpra versions (2.1+) -
15	set "xpra-attach yes" in /etc/firejail/firejail.config	13	set "xpra-attach yes" in /etc/firejail/firejail.config
16	* enhancement: all profiles use a standard layout style	14	* enhancement: all profiles use a standard layout style
17	* enhancement: create /usr/local for firecfg if the directory doesn't exist	15	* enhancement: create /usr/local for firecfg if the directory doesn't exist
		16	* seccomp feature: --memory-deny-write-execute
		17	* seccomp feature: seccomp post-exec
		18	* seccomp feature: block secondary architecture (--seccomp.block_secondary)
		19	* seccomp feature: seccomp syscall groups
		20	* seccomp enhancement: print all seccomp filters under --debug
		21	* seccomp enhancement: default seccomp list update
18	* new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite,	22	* new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite,
19	* new profiles: Geary, Liferea, peek, silentarmy, IntelliJ IDEA,	23	* new profiles: Geary, Liferea, peek, silentarmy, IntelliJ IDEA,
20	* new profiles: Android Studio, electron, riot-web, Extreme Tux Racer,	24	* new profiles: Android Studio, electron, riot-web, Extreme Tux Racer,


diff --git a/test/filters/block-secondary.profile b/test/filters/block-secondary.profile new file mode 100644 index 000000000..e32056c3d --- /dev/null +++ b/test/filters/block-secondary.profile
@@ -0,0 +1 @@
			seccomp.block-secondary


diff --git a/test/filters/filters.sh b/test/filters/filters.sh index 611580612..3ebb61419 100755 --- a/test/filters/filters.sh +++ b/test/filters/filters.sh
@@ -54,8 +54,12 @@ fi
54	echo "TESTING: seccomp bad empty (test/filters/seccomp-bad-empty.exp)"	54	echo "TESTING: seccomp bad empty (test/filters/seccomp-bad-empty.exp)"
55	./seccomp-bad-empty.exp	55	./seccomp-bad-empty.exp
56		56
57	echo "TESTING: seccomp debug (test/filters/seccomp-debug.exp)"	57	if [ "$(uname -m)" = "x86_64" ]; then
58	./seccomp-debug.exp	58	echo "TESTING: seccomp debug (test/filters/seccomp-debug.exp)"
		59	./seccomp-debug.exp
		60	else
		61	echo "TESTING SKIP: protocol, running only on x86_64"
		62	fi
59		63
60	echo "TESTING: seccomp errno (test/filters/seccomp-errno.exp)"	64	echo "TESTING: seccomp errno (test/filters/seccomp-errno.exp)"
61	./seccomp-errno.exp	65	./seccomp-errno.exp


diff --git a/test/filters/seccomp-debug.exp b/test/filters/seccomp-debug.exp index a95f3bd23..7f03e45e8 100755 --- a/test/filters/seccomp-debug.exp +++ b/test/filters/seccomp-debug.exp
@@ -7,25 +7,152 @@ set timeout 10
7	spawn $env(SHELL)	7	spawn $env(SHELL)
8	match_max 100000	8	match_max 100000
9		9
10	send -- "firejail --seccomp --debug\r"	10	send -- "firejail --debug sleep 1; echo done\r"
11	expect {	11	expect {
12	timeout {puts "TESTING ERROR 0\n";exit}	12	timeout {puts "TESTING ERROR 0\n";exit}
13	"SECCOMP Filter"	13	"SECCOMP Filter"
14	}	14	}
15	expect {	15	expect {
16	timeout {puts "TESTING ERROR 2\n";exit}	16	timeout {puts "TESTING ERROR 1\n";exit}
17	"BLACKLIST"	17	"BLACKLIST"
18	}	18	}
19	expect {	19	expect {
20	timeout {puts "TESTING ERROR 3\n";exit}	20	timeout {puts "TESTING ERROR 2\n";exit}
21	"open_by_handle_at"	21	"open_by_handle_at"
22	}	22	}
23	expect {	23	expect {
		24	timeout {puts "TESTING ERROR 3\n";exit}
		25	"Child process initialized"
		26	}
		27	expect {
24	timeout {puts "TESTING ERROR 4\n";exit}	28	timeout {puts "TESTING ERROR 4\n";exit}
		29	"done"
		30	}
		31	after 100
		32
		33
		34	# amd64 architecture
		35	send -- "firejail --debug sleep 1; echo done\r"
		36	expect {
		37	timeout {puts "TESTING ERROR 5\n";exit}
25	"Child process initialized"	38	"Child process initialized"
26	}	39	}
27	sleep 2	40	expect {
		41	timeout {puts "TESTING ERROR 6\n";exit}
		42	"Installing /run/firejail/mnt/seccomp seccomp filter"
		43	}
		44	expect {
		45	timeout {puts "TESTING ERROR 7\n";exit}
		46	"Installing /run/firejail/mnt/seccomp.i386 seccomp filter"
		47	}
		48	expect {
		49	timeout {puts "TESTING ERROR 8\n";exit}
		50	"Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
		51	}
		52	expect {
		53	timeout {puts "TESTING ERROR 9\n";exit}
		54	"done"
		55	}
		56	after 100
28		57
29	send -- "exit\r"	58	# amd64 architecture - ignore seccomp
		59	send -- "firejail --debug --ignore=seccomp sleep 1; echo done\r"
		60	expect {
		61	timeout {puts "TESTING ERROR 10\n";exit}
		62	"Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit}
		63	"Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 12\n";exit}
		64	"Child process initialized"
		65	}
		66	expect {
		67	timeout {puts "TESTING ERROR 13\n";exit}
		68	"Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 14\n";exit}
		69	"Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 15\n";exit}
		70	"Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
		71	}
		72	expect {
		73	timeout {puts "TESTING ERROR 16\n";exit}
		74	"done"
		75	}
30	after 100	76	after 100
		77
		78	# amd64 architecture - ignore protocol
		79	send -- "firejail --debug --ignore=protocol sleep 1; echo done\r"
		80	expect {
		81	timeout {puts "TESTING ERROR 17\n";exit}
		82	"Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 18\n";exit}
		83	"Child process initialized"
		84	}
		85	expect {
		86	timeout {puts "TESTING ERROR 19\n";exit}
		87	"Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 20\n";exit}
		88	"Installing /run/firejail/mnt/seccomp seccomp filter"
		89	}
		90	expect {
		91	timeout {puts "TESTING ERROR 21\n";exit}
		92	"Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 22\n";exit}
		93	"Installing /run/firejail/mnt/seccomp.i386 seccomp filter"
		94	}
		95	expect {
		96	timeout {puts "TESTING ERROR 23\n";exit}
		97	"done"
		98	}
		99	after 100
		100
		101	# memory-deny-write-execute
		102	send -- "firejail --debug --memory-deny-write-execute sleep 1; echo done\r"
		103	expect {
		104	timeout {puts "TESTING ERROR 24\n";exit}
		105	"Child process initialized"
		106	}
		107	expect {
		108	timeout {puts "TESTING ERROR 25\n";exit}
		109	"Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
		110	}
		111	expect {
		112	timeout {puts "TESTING ERROR 26\n";exit}
		113	"done"
		114	}
		115
		116
		117	# amd64 architecture - seccomp.block-secondary
		118	send -- "firejail --debug --seccomp.block-secondary sleep 1; echo done\r"
		119	expect {
		120	timeout {puts "TESTING ERROR 27\n";exit}
		121	"Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 28\n";exit}
		122	"Child process initialized"
		123	}
		124	expect {
		125	timeout {puts "TESTING ERROR 29\n";exit}
		126	"Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 30\n";exit}
		127	"Installing /run/firejail/mnt/seccomp seccomp filter"
		128	}
		129	expect {
		130	timeout {puts "TESTING ERROR 31\n";exit}
		131	"Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 32\n";exit}
		132	"Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
		133	}
		134	expect {
		135	timeout {puts "TESTING ERROR 33\n";exit}
		136	"done"
		137	}
		138	after 100
		139
		140	# amd64 architecture - seccomp.block-secondary, profile
		141	send -- "firejail --debug --profile=block-secondary.profile sleep 1; echo done\r"
		142	expect {
		143	timeout {puts "TESTING ERROR 33\n";exit}
		144	"Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 34\n";exit}
		145	"Child process initialized"
		146	}
		147	expect {
		148	timeout {puts "TESTING ERROR 35\n";exit}
		149	"Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 35\n";exit}
		150	"Installing /run/firejail/mnt/seccomp seccomp filter"
		151	}
		152	expect {
		153	timeout {puts "TESTING ERROR 37\n";exit}
		154	"done"
		155	}
		156	after 100
		157
31	puts "all done\n"	158	puts "all done\n"