diff options
74 files changed, 1066 insertions, 391 deletions
@@ -274,6 +274,10 @@ jrabe (https://github.com/jrabe) | |||
274 | - Polari profile | 274 | - Polari profile |
275 | - qTox profile | 275 | - qTox profile |
276 | - X11 fixes | 276 | - X11 fixes |
277 | juan (https://github.com/nyancat18) | ||
278 | - fixed Kdenlive, Shotcut profiles | ||
279 | - new profiles for Cinelerra, Cliqz, Bluefish | ||
280 | - profile hardening | ||
277 | Kaan Genç (https://github.com/SeriousBug) | 281 | Kaan Genç (https://github.com/SeriousBug) |
278 | - dynamic allocation of noblacklist buffer | 282 | - dynamic allocation of noblacklist buffer |
279 | KellerFuchs (https://github.com/KellerFuchs) | 283 | KellerFuchs (https://github.com/KellerFuchs) |
@@ -355,6 +359,8 @@ Peter Hogg (https://github.com/pigmonkey) | |||
355 | - fixes for youtube-dl in mpv profile | 359 | - fixes for youtube-dl in mpv profile |
356 | Petter Reinholdtsen (pere@hungry.com) | 360 | Petter Reinholdtsen (pere@hungry.com) |
357 | - Opera profile patch | 361 | - Opera profile patch |
362 | PharmaceuticalCobweb (https://github.com/PharmaceuticalCobweb) | ||
363 | - fix quiterss profile | ||
358 | pirate486743186 (https://github.com/pirate486743186) | 364 | pirate486743186 (https://github.com/pirate486743186) |
359 | - KMail profile | 365 | - KMail profile |
360 | Pixel Fairy (https://github.com/xahare) | 366 | Pixel Fairy (https://github.com/xahare) |
@@ -180,4 +180,5 @@ calligraflow, calligraplan, calligraplanwork, calligrasheets, calligrastage, | |||
180 | calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd, google-earth, | 180 | calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd, google-earth, |
181 | imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion, mpd, natron, Natron, | 181 | imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion, mpd, natron, Natron, |
182 | ricochet, shotcut, teamspeak3, tor, tor-browser-en, Viber, x-terminal-emulator, zart, | 182 | ricochet, shotcut, teamspeak3, tor, tor-browser-en, Viber, x-terminal-emulator, zart, |
183 | conky, arch-audit, ffmpeg | 183 | conky, arch-audit, ffmpeg, bluefish, cliqz, cinelerra, openshot-qt, pinta, uefitool, |
184 | aosp | ||
@@ -1,6 +1,7 @@ | |||
1 | firejail (0.9.51) baseline; urgency=low | 1 | firejail (0.9.51) baseline; urgency=low |
2 | * work in progress! | 2 | * work in progress! |
3 | * enhancement: support Firejail user config directory in firecfg | 3 | * enhancement: support Firejail user config directory in firecfg |
4 | * enhancement: disable DBus activation in firecfg | ||
4 | * feature: --writable-run-user | 5 | * feature: --writable-run-user |
5 | * feature: profile build tool (--build) | 6 | * feature: profile build tool (--build) |
6 | -- netblue30 <netblue30@yahoo.com> Thu, 14 Sep 2017 20:00:00 -0500 | 7 | -- netblue30 <netblue30@yahoo.com> Thu, 14 Sep 2017 20:00:00 -0500 |
diff --git a/etc/android-studio.profile b/etc/android-studio.profile index 1e1953780..6be92e1c0 100644 --- a/etc/android-studio.profile +++ b/etc/android-studio.profile | |||
@@ -9,6 +9,8 @@ noblacklist ${HOME}/.AndroidStudio* | |||
9 | noblacklist ${HOME}/.android | 9 | noblacklist ${HOME}/.android |
10 | noblacklist ${HOME}/.gitconfig | 10 | noblacklist ${HOME}/.gitconfig |
11 | noblacklist ${HOME}/.gradle | 11 | noblacklist ${HOME}/.gradle |
12 | noblacklist ${HOME}/.jack-server | ||
13 | noblacklist ${HOME}/.jack-settings | ||
12 | noblacklist ${HOME}/.java | 14 | noblacklist ${HOME}/.java |
13 | noblacklist ${HOME}/.local/share/JetBrains | 15 | noblacklist ${HOME}/.local/share/JetBrains |
14 | noblacklist ${HOME}/.ssh | 16 | noblacklist ${HOME}/.ssh |
diff --git a/etc/aosp.profile b/etc/aosp.profile new file mode 100644 index 000000000..5ceef9348 --- /dev/null +++ b/etc/aosp.profile | |||
@@ -0,0 +1,42 @@ | |||
1 | # Firejail profile for aosp | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/aosp.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | |||
9 | noblacklist ${HOME}/.android | ||
10 | noblacklist ${HOME}/.bash_history | ||
11 | noblacklist ${HOME}/.gitconfig | ||
12 | noblacklist ${HOME}/.gradle | ||
13 | noblacklist ${HOME}/.jack-server | ||
14 | noblacklist ${HOME}/.jack-settings | ||
15 | noblacklist ${HOME}/.java | ||
16 | noblacklist ${HOME}/.repo_.gitconfig.json | ||
17 | noblacklist ${HOME}/.repoconfig | ||
18 | noblacklist ${HOME}/.ssh | ||
19 | noblacklist ${HOME}/.tooling | ||
20 | |||
21 | include /etc/firejail/disable-common.inc | ||
22 | include /etc/firejail/disable-passwdmgr.inc | ||
23 | include /etc/firejail/disable-programs.inc | ||
24 | |||
25 | include /etc/firejail/whitelist-var-common.inc | ||
26 | |||
27 | caps.drop all | ||
28 | ipc-namespace | ||
29 | netfilter | ||
30 | no3d | ||
31 | nodvd | ||
32 | nogroups | ||
33 | nonewprivs | ||
34 | noroot | ||
35 | nosound | ||
36 | notv | ||
37 | novideo | ||
38 | protocol unix,inet,inet6 | ||
39 | #seccomp | ||
40 | shell none | ||
41 | |||
42 | private-tmp | ||
diff --git a/etc/ark.profile b/etc/ark.profile index 38bd5246e..ba9cb1134 100644 --- a/etc/ark.profile +++ b/etc/ark.profile | |||
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc | |||
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
14 | 14 | ||
15 | include /etc/firejail/whitelist-var-common.inc | ||
16 | |||
15 | caps.drop all | 17 | caps.drop all |
16 | netfilter | 18 | netfilter |
17 | nodvd | 19 | nodvd |
diff --git a/etc/atom.profile b/etc/atom.profile index 8629c3dd8..db3cbc687 100644 --- a/etc/atom.profile +++ b/etc/atom.profile | |||
@@ -23,7 +23,11 @@ notv | |||
23 | novideo | 23 | novideo |
24 | protocol unix,inet,inet6,netlink | 24 | protocol unix,inet,inet6,netlink |
25 | seccomp | 25 | seccomp |
26 | # net none | ||
26 | shell none | 27 | shell none |
27 | 28 | ||
28 | private-dev | 29 | private-dev |
29 | private-tmp | 30 | private-tmp |
31 | |||
32 | noexec ${HOME} | ||
33 | noexec /tmp | ||
diff --git a/etc/atril.profile b/etc/atril.profile index 2e4af9086..052b41655 100644 --- a/etc/atril.profile +++ b/etc/atril.profile | |||
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc | |||
13 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | 14 | include /etc/firejail/disable-programs.inc |
15 | 15 | ||
16 | include /etc/firejail/whitelist-var-common.inc | ||
17 | |||
16 | caps.drop all | 18 | caps.drop all |
17 | no3d | 19 | no3d |
18 | nodvd | 20 | nodvd |
diff --git a/etc/audacious.profile b/etc/audacious.profile index 52e701821..7e2b91773 100644 --- a/etc/audacious.profile +++ b/etc/audacious.profile | |||
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc | |||
13 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | 14 | include /etc/firejail/disable-programs.inc |
15 | 15 | ||
16 | include /etc/firejail/whitelist-var-common.inc | ||
17 | |||
16 | caps.drop all | 18 | caps.drop all |
17 | netfilter | 19 | netfilter |
18 | nogroups | 20 | nogroups |
diff --git a/etc/audacity.profile b/etc/audacity.profile index 9fbc2b16d..88aea243e 100644 --- a/etc/audacity.profile +++ b/etc/audacity.profile | |||
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc | |||
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
14 | 14 | ||
15 | include /etc/firejail/whitelist-var-common.inc | ||
16 | |||
15 | caps.drop all | 17 | caps.drop all |
16 | net none | 18 | net none |
17 | no3d | 19 | no3d |
diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile index 4e603971f..2c2d70c00 100644 --- a/etc/baloo_file.profile +++ b/etc/baloo_file.profile | |||
@@ -17,6 +17,8 @@ include /etc/firejail/disable-devel.inc | |||
17 | include /etc/firejail/disable-passwdmgr.inc | 17 | include /etc/firejail/disable-passwdmgr.inc |
18 | include /etc/firejail/disable-programs.inc | 18 | include /etc/firejail/disable-programs.inc |
19 | 19 | ||
20 | include /etc/firejail/whitelist-var-common.inc | ||
21 | |||
20 | caps.drop all | 22 | caps.drop all |
21 | no3d | 23 | no3d |
22 | nodvd | 24 | nodvd |
@@ -29,8 +31,10 @@ novideo | |||
29 | protocol unix | 31 | protocol unix |
30 | # Baloo makes ioprio_set system calls, which are blacklisted by default. | 32 | # Baloo makes ioprio_set system calls, which are blacklisted by default. |
31 | seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice | 33 | seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice |
34 | shell none | ||
32 | x11 xorg | 35 | x11 xorg |
33 | 36 | ||
37 | private-bin baloo_file,baloo_file_extractor,kbuildsycoca4 | ||
34 | private-dev | 38 | private-dev |
35 | private-tmp | 39 | private-tmp |
36 | 40 | ||
diff --git a/etc/bluefish.profile b/etc/bluefish.profile new file mode 100644 index 000000000..f7e322838 --- /dev/null +++ b/etc/bluefish.profile | |||
@@ -0,0 +1,34 @@ | |||
1 | # Firejail profile for bluefish | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/bluefish.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | |||
9 | include /etc/firejail/disable-common.inc | ||
10 | include /etc/firejail/disable-devel.inc | ||
11 | include /etc/firejail/disable-passwdmgr.inc | ||
12 | include /etc/firejail/disable-programs.inc | ||
13 | |||
14 | caps.drop all | ||
15 | net none | ||
16 | no3d | ||
17 | nodvd | ||
18 | nogroups | ||
19 | nonewprivs | ||
20 | noroot | ||
21 | nosound | ||
22 | notv | ||
23 | novideo | ||
24 | protocol unix | ||
25 | seccomp | ||
26 | shell none | ||
27 | tracelog | ||
28 | |||
29 | private-bin bluefish | ||
30 | private-dev | ||
31 | private-tmp | ||
32 | |||
33 | noexec ${HOME} | ||
34 | noexec /tmp | ||
diff --git a/etc/calligra.profile b/etc/calligra.profile index e90c8efe8..d2b76d22c 100644 --- a/etc/calligra.profile +++ b/etc/calligra.profile | |||
@@ -12,6 +12,7 @@ include /etc/firejail/disable-programs.inc | |||
12 | 12 | ||
13 | caps.drop all | 13 | caps.drop all |
14 | ipc-namespace | 14 | ipc-namespace |
15 | net none | ||
15 | nodvd | 16 | nodvd |
16 | nogroups | 17 | nogroups |
17 | nonewprivs | 18 | nonewprivs |
@@ -25,5 +26,5 @@ shell none | |||
25 | private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch | 26 | private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch |
26 | private-dev | 27 | private-dev |
27 | 28 | ||
28 | noexec ${HOME} | 29 | #noexec ${HOME} |
29 | noexec /tmp | 30 | noexec /tmp |
diff --git a/etc/cin.profile b/etc/cin.profile index eeeda476f..6b3e3888b 100644 --- a/etc/cin.profile +++ b/etc/cin.profile | |||
@@ -24,7 +24,7 @@ protocol unix | |||
24 | seccomp | 24 | seccomp |
25 | shell none | 25 | shell none |
26 | 26 | ||
27 | #private-bin cin | 27 | private-bin cin,ffmpeg |
28 | private-dev | 28 | private-dev |
29 | 29 | ||
30 | noexec ${HOME} | 30 | noexec ${HOME} |
diff --git a/etc/cinelerra.profile b/etc/cinelerra.profile new file mode 100644 index 000000000..e6a1941b5 --- /dev/null +++ b/etc/cinelerra.profile | |||
@@ -0,0 +1,6 @@ | |||
1 | # Firejail profile alias for cin | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | |||
5 | # Redirect | ||
6 | include /etc/firejail/cin.profile | ||
diff --git a/etc/clamdscan.profile b/etc/clamdscan.profile index 1fc728206..f6861dfa1 100644 --- a/etc/clamdscan.profile +++ b/etc/clamdscan.profile | |||
@@ -1,5 +1,6 @@ | |||
1 | # Firejail profile alias for clamav | 1 | # Firejail profile alias for clamav |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | quiet | ||
3 | 4 | ||
4 | 5 | ||
5 | # Redirect | 6 | # Redirect |
diff --git a/etc/clamdtop.profile b/etc/clamdtop.profile index 1fc728206..f6861dfa1 100644 --- a/etc/clamdtop.profile +++ b/etc/clamdtop.profile | |||
@@ -1,5 +1,6 @@ | |||
1 | # Firejail profile alias for clamav | 1 | # Firejail profile alias for clamav |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | quiet | ||
3 | 4 | ||
4 | 5 | ||
5 | # Redirect | 6 | # Redirect |
diff --git a/etc/clamscan.profile b/etc/clamscan.profile index 1fc728206..f6861dfa1 100644 --- a/etc/clamscan.profile +++ b/etc/clamscan.profile | |||
@@ -1,5 +1,6 @@ | |||
1 | # Firejail profile alias for clamav | 1 | # Firejail profile alias for clamav |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | quiet | ||
3 | 4 | ||
4 | 5 | ||
5 | # Redirect | 6 | # Redirect |
diff --git a/etc/cliqz.profile b/etc/cliqz.profile new file mode 100644 index 000000000..a7c791a02 --- /dev/null +++ b/etc/cliqz.profile | |||
@@ -0,0 +1,83 @@ | |||
1 | # Firejail profile for cliqz | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/cliqz.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | noblacklist ~/.cache/cliqz | ||
9 | noblacklist ~/.config/cliqz | ||
10 | noblacklist ~/.config/okularpartrc | ||
11 | noblacklist ~/.config/okularrc | ||
12 | noblacklist ~/.config/qpdfview | ||
13 | noblacklist ~/.kde/share/apps/okular | ||
14 | noblacklist ~/.kde/share/config/okularpartrc | ||
15 | noblacklist ~/.kde/share/config/okularrc | ||
16 | noblacklist ~/.kde4/share/apps/okular | ||
17 | noblacklist ~/.kde4/share/config/okularpartrc | ||
18 | noblacklist ~/.kde4/share/config/okularrc | ||
19 | noblacklist ~/.local/share/gnome-shell/extensions | ||
20 | noblacklist ~/.local/share/okular | ||
21 | noblacklist ~/.local/share/qpdfview | ||
22 | |||
23 | noblacklist ~/.pki | ||
24 | |||
25 | include /etc/firejail/disable-common.inc | ||
26 | include /etc/firejail/disable-devel.inc | ||
27 | include /etc/firejail/disable-programs.inc | ||
28 | |||
29 | mkdir ~/.cache/mozilla/firefox | ||
30 | mkdir ~/.mozilla | ||
31 | mkdir ~/.pki | ||
32 | whitelist ${DOWNLOADS} | ||
33 | whitelist ~/.cache/gnome-mplayer/plugin | ||
34 | whitelist ~/.cache/mozilla/firefox | ||
35 | whitelist ~/.config/gnome-mplayer | ||
36 | whitelist ~/.config/okularpartrc | ||
37 | whitelist ~/.config/okularrc | ||
38 | whitelist ~/.config/pipelight-silverlight5.1 | ||
39 | whitelist ~/.config/pipelight-widevine | ||
40 | whitelist ~/.config/qpdfview | ||
41 | whitelist ~/.kde/share/apps/okular | ||
42 | whitelist ~/.kde/share/config/okularpartrc | ||
43 | whitelist ~/.kde/share/config/okularrc | ||
44 | whitelist ~/.kde4/share/apps/okular | ||
45 | whitelist ~/.kde4/share/config/okularpartrc | ||
46 | whitelist ~/.kde4/share/config/okularrc | ||
47 | whitelist ~/.keysnail.js | ||
48 | whitelist ~/.lastpass | ||
49 | whitelist ~/.local/share/gnome-shell/extensions | ||
50 | whitelist ~/.local/share/okular | ||
51 | whitelist ~/.local/share/qpdfview | ||
52 | whitelist ~/.mozilla | ||
53 | whitelist ~/.pentadactyl | ||
54 | whitelist ~/.pentadactylrc | ||
55 | whitelist ~/.pki | ||
56 | whitelist ~/.vimperator | ||
57 | whitelist ~/.vimperatorrc | ||
58 | whitelist ~/.wine-pipelight | ||
59 | whitelist ~/.wine-pipelight64 | ||
60 | whitelist ~/.zotero | ||
61 | whitelist ~/dwhelper | ||
62 | include /etc/firejail/whitelist-common.inc | ||
63 | include /etc/firejail/whitelist-var-common.inc | ||
64 | |||
65 | caps.drop all | ||
66 | netfilter | ||
67 | nodvd | ||
68 | nogroups | ||
69 | nonewprivs | ||
70 | noroot | ||
71 | notv | ||
72 | protocol unix,inet,inet6,netlink | ||
73 | seccomp | ||
74 | shell none | ||
75 | tracelog | ||
76 | |||
77 | # private-bin firefox,which,sh,dbus-launch,dbus-send,env | ||
78 | private-dev | ||
79 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse | ||
80 | private-tmp | ||
81 | |||
82 | noexec ${HOME} | ||
83 | noexec /tmp | ||
diff --git a/etc/dia.profile b/etc/dia.profile index abe83ac8c..800c3bbf1 100644 --- a/etc/dia.profile +++ b/etc/dia.profile | |||
@@ -13,7 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc | |||
13 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
14 | 14 | ||
15 | caps.drop all | 15 | caps.drop all |
16 | netfilter | 16 | net none |
17 | no3d | 17 | no3d |
18 | nodvd | 18 | nodvd |
19 | nogroups | 19 | nogroups |
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index abce0fe57..d943950d4 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc | |||
@@ -120,7 +120,8 @@ blacklist /var/lib/mysql/mysql.sock | |||
120 | blacklist /var/lib/mysqld/mysql.sock | 120 | blacklist /var/lib/mysqld/mysql.sock |
121 | blacklist /var/lib/pacman | 121 | blacklist /var/lib/pacman |
122 | blacklist /var/lib/upower | 122 | blacklist /var/lib/upower |
123 | blacklist /var/log | 123 | # blacklist /var/log - a virtual /var/log directory (mostly empty) is buid up by default for |
124 | # every sandbox, unless --writeble-var-log switch is activated | ||
124 | blacklist /var/mail | 125 | blacklist /var/mail |
125 | blacklist /var/opt | 126 | blacklist /var/opt |
126 | blacklist /var/run/acpid.socket | 127 | blacklist /var/run/acpid.socket |
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 615e28172..064e60294 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
@@ -81,6 +81,7 @@ blacklist ${HOME}/.config/chromium | |||
81 | blacklist ${HOME}/.config/chromium-dev | 81 | blacklist ${HOME}/.config/chromium-dev |
82 | blacklist ${HOME}/.config/chromium-flags.conf | 82 | blacklist ${HOME}/.config/chromium-flags.conf |
83 | blacklist ${HOME}/.config/clipit | 83 | blacklist ${HOME}/.config/clipit |
84 | blacklist ${HOME}/.config/cliqz | ||
84 | blacklist ${HOME}/.config/cmus | 85 | blacklist ${HOME}/.config/cmus |
85 | blacklist ${HOME}/.config/corebird | 86 | blacklist ${HOME}/.config/corebird |
86 | blacklist ${HOME}/.config/darktable | 87 | blacklist ${HOME}/.config/darktable |
@@ -142,6 +143,8 @@ blacklist ${HOME}/.config/opera-beta | |||
142 | blacklist ${HOME}/.config/orage | 143 | blacklist ${HOME}/.config/orage |
143 | blacklist ${HOME}/.config/org.kde.gwenviewrc | 144 | blacklist ${HOME}/.config/org.kde.gwenviewrc |
144 | blacklist ${HOME}/.config/pcmanfm | 145 | blacklist ${HOME}/.config/pcmanfm |
146 | blacklist ${HOME}/.config/pdfmod | ||
147 | blacklist ${HOME}/.config/Pinta | ||
145 | blacklist ${HOME}/.config/pix | 148 | blacklist ${HOME}/.config/pix |
146 | blacklist ${HOME}/.config/pluma | 149 | blacklist ${HOME}/.config/pluma |
147 | blacklist ${HOME}/.config/psi+ | 150 | blacklist ${HOME}/.config/psi+ |
@@ -220,6 +223,8 @@ blacklist ${HOME}/.hugin | |||
220 | blacklist ${HOME}/.icedove | 223 | blacklist ${HOME}/.icedove |
221 | blacklist ${HOME}/.imagej | 224 | blacklist ${HOME}/.imagej |
222 | blacklist ${HOME}/.inkscape | 225 | blacklist ${HOME}/.inkscape |
226 | blacklist ${HOME}/.jack-server | ||
227 | blacklist ${HOME}/.jack-settings | ||
223 | blacklist ${HOME}/.java | 228 | blacklist ${HOME}/.java |
224 | blacklist ${HOME}/.jitsi | 229 | blacklist ${HOME}/.jitsi |
225 | blacklist ${HOME}/.kde/share/apps/gwenview | 230 | blacklist ${HOME}/.kde/share/apps/gwenview |
@@ -360,6 +365,8 @@ blacklist ${HOME}/.pingus | |||
360 | blacklist ${HOME}/.purple | 365 | blacklist ${HOME}/.purple |
361 | blacklist ${HOME}/.qemu-launcher | 366 | blacklist ${HOME}/.qemu-launcher |
362 | blacklist ${HOME}/.remmina | 367 | blacklist ${HOME}/.remmina |
368 | blacklist ${HOME}/.repo_.gitconfig.json | ||
369 | blacklist ${HOME}/.repoconfig | ||
363 | blacklist ${HOME}/.retroshare | 370 | blacklist ${HOME}/.retroshare |
364 | blacklist ${HOME}/.scribus | 371 | blacklist ${HOME}/.scribus |
365 | blacklist ${HOME}/.scribusrc | 372 | blacklist ${HOME}/.scribusrc |
@@ -376,6 +383,7 @@ blacklist ${HOME}/.synfig | |||
376 | blacklist ${HOME}/.tconn | 383 | blacklist ${HOME}/.tconn |
377 | blacklist ${HOME}/.thunderbird | 384 | blacklist ${HOME}/.thunderbird |
378 | blacklist ${HOME}/.tooling | 385 | blacklist ${HOME}/.tooling |
386 | blacklist ${HOME}/.tor-browser-en | ||
379 | blacklist ${HOME}/.ts3client | 387 | blacklist ${HOME}/.ts3client |
380 | blacklist ${HOME}/.tuxguitar* | 388 | blacklist ${HOME}/.tuxguitar* |
381 | blacklist ${HOME}/.unknow-horizons | 389 | blacklist ${HOME}/.unknow-horizons |
@@ -408,6 +416,7 @@ blacklist ${HOME}/.cache/calibre | |||
408 | blacklist ${HOME}/.cache/champlain | 416 | blacklist ${HOME}/.cache/champlain |
409 | blacklist ${HOME}/.cache/chromium | 417 | blacklist ${HOME}/.cache/chromium |
410 | blacklist ${HOME}/.cache/chromium-dev | 418 | blacklist ${HOME}/.cache/chromium-dev |
419 | blacklist ${HOME}/.cache/cliqz | ||
411 | blacklist ${HOME}/.cache/darktable | 420 | blacklist ${HOME}/.cache/darktable |
412 | blacklist ${HOME}/.cache/epiphany | 421 | blacklist ${HOME}/.cache/epiphany |
413 | blacklist ${HOME}/.cache/evolution | 422 | blacklist ${HOME}/.cache/evolution |
@@ -427,6 +436,7 @@ blacklist ${HOME}/.cache/netsurf | |||
427 | blacklist ${HOME}/.cache/opera | 436 | blacklist ${HOME}/.cache/opera |
428 | blacklist ${HOME}/.cache/opera-beta | 437 | blacklist ${HOME}/.cache/opera-beta |
429 | blacklist ${HOME}/.cache/org.gnome.Books | 438 | blacklist ${HOME}/.cache/org.gnome.Books |
439 | blacklist ${HOME}/.cache/pdfmod | ||
430 | blacklist ${HOME}/.cache/peek | 440 | blacklist ${HOME}/.cache/peek |
431 | blacklist ${HOME}/.cache/qBittorrent | 441 | blacklist ${HOME}/.cache/qBittorrent |
432 | blacklist ${HOME}/.cache/qupzilla | 442 | blacklist ${HOME}/.cache/qupzilla |
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile index 86af9c7b3..6d4f6349a 100644 --- a/etc/dnscrypt-proxy.profile +++ b/etc/dnscrypt-proxy.profile | |||
@@ -9,7 +9,6 @@ blacklist /tmp/.X11-unix | |||
9 | 9 | ||
10 | noblacklist /sbin | 10 | noblacklist /sbin |
11 | noblacklist /usr/sbin | 11 | noblacklist /usr/sbin |
12 | noblacklist /var/log | ||
13 | 12 | ||
14 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
15 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
@@ -31,4 +30,4 @@ private | |||
31 | private-dev | 30 | private-dev |
32 | 31 | ||
33 | # mdwe can break modules/plugins | 32 | # mdwe can break modules/plugins |
34 | # memory-deny-write-execute | 33 | memory-deny-write-execute |
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile index d4cd0530e..2a1302adb 100644 --- a/etc/dnsmasq.profile +++ b/etc/dnsmasq.profile | |||
@@ -9,7 +9,6 @@ blacklist /tmp/.X11-unix | |||
9 | 9 | ||
10 | noblacklist /sbin | 10 | noblacklist /sbin |
11 | noblacklist /usr/sbin | 11 | noblacklist /usr/sbin |
12 | noblacklist /var/log | ||
13 | 12 | ||
14 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
15 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
diff --git a/etc/engrampa.profile b/etc/engrampa.profile index 7bc5e7481..c198adba9 100644 --- a/etc/engrampa.profile +++ b/etc/engrampa.profile | |||
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc | |||
11 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
12 | include /etc/firejail/disable-programs.inc | 12 | include /etc/firejail/disable-programs.inc |
13 | 13 | ||
14 | include /etc/firejail/whitelist-var-common.inc | ||
15 | |||
14 | caps.drop all | 16 | caps.drop all |
15 | # net none - makes settings immutable | 17 | # net none - makes settings immutable |
16 | no3d | 18 | no3d |
diff --git a/etc/eog.profile b/etc/eog.profile index e5161b313..5ff926371 100644 --- a/etc/eog.profile +++ b/etc/eog.profile | |||
@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc | |||
15 | include /etc/firejail/disable-passwdmgr.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
16 | include /etc/firejail/disable-programs.inc | 16 | include /etc/firejail/disable-programs.inc |
17 | 17 | ||
18 | include /etc/firejail/whitelist-var-common.inc | ||
19 | |||
18 | caps.drop all | 20 | caps.drop all |
19 | # net none - makes settings immutable | 21 | # net none - makes settings immutable |
20 | no3d | 22 | no3d |
diff --git a/etc/eom.profile b/etc/eom.profile index 3fb1fcaf4..802578959 100644 --- a/etc/eom.profile +++ b/etc/eom.profile | |||
@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc | |||
15 | include /etc/firejail/disable-passwdmgr.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
16 | include /etc/firejail/disable-programs.inc | 16 | include /etc/firejail/disable-programs.inc |
17 | 17 | ||
18 | include /etc/firejail/whitelist-var-common.inc | ||
19 | |||
18 | caps.drop all | 20 | caps.drop all |
19 | # net none - makes settings immutable | 21 | # net none - makes settings immutable |
20 | no3d | 22 | no3d |
diff --git a/etc/evince.profile b/etc/evince.profile index f503b9a8e..466260c49 100644 --- a/etc/evince.profile +++ b/etc/evince.profile | |||
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc | |||
15 | include /etc/firejail/whitelist-var-common.inc | 15 | include /etc/firejail/whitelist-var-common.inc |
16 | 16 | ||
17 | caps.drop all | 17 | caps.drop all |
18 | # net none breaks AppArmor on Ubuntu systems | ||
18 | netfilter | 19 | netfilter |
19 | no3d | 20 | no3d |
20 | nodvd | 21 | nodvd |
diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile index e098c95e3..5db39cf61 100644 --- a/etc/ffmpeg.profile +++ b/etc/ffmpeg.profile | |||
@@ -1,4 +1,4 @@ | |||
1 | # Firejail profile for default | 1 | # Firejail profile for ffmpeg |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | quiet | 3 | quiet |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc | |||
11 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
12 | include /etc/firejail/disable-programs.inc | 12 | include /etc/firejail/disable-programs.inc |
13 | 13 | ||
14 | include /etc/firejail/whitelist-var-common.inc | ||
15 | |||
14 | caps.drop all | 16 | caps.drop all |
15 | net none | 17 | net none |
16 | no3d | 18 | no3d |
@@ -23,11 +25,11 @@ noroot | |||
23 | # protocol none - needs to be implemented! | 25 | # protocol none - needs to be implemented! |
24 | seccomp | 26 | seccomp |
25 | # seccomp.keep futex,write,read,munmap,fstat,mprotect,mmap,open,close,stat,lseek,brk,rt_sigaction,rt_sigprocmask,ioctl,access,select,madvise,getpid,clone,execve,fcntl,getdents,readlink,getrlimit,getrusage,statfs,getpriority,setpriority,arch_prctl,sched_getaffinity,set_tid_address,set_robust_list,getrandom | 27 | # seccomp.keep futex,write,read,munmap,fstat,mprotect,mmap,open,close,stat,lseek,brk,rt_sigaction,rt_sigprocmask,ioctl,access,select,madvise,getpid,clone,execve,fcntl,getdents,readlink,getrlimit,getrusage,statfs,getpriority,setpriority,arch_prctl,sched_getaffinity,set_tid_address,set_robust_list,getrandom |
26 | # memory-deny-write-execute - it breaks old versions of ffmpeg | ||
27 | shell none | 28 | shell none |
28 | tracelog | 29 | tracelog |
29 | 30 | ||
30 | private-tmp | ||
31 | private-dev | ||
32 | private-bin ffmpeg | 31 | private-bin ffmpeg |
33 | include /etc/firejail/whitelist-var-common.inc | 32 | private-dev |
33 | private-tmp | ||
34 | |||
35 | # memory-deny-write-execute - it breaks old versions of ffmpeg | ||
diff --git a/etc/file-roller.profile b/etc/file-roller.profile index 8484aa162..01e689b9d 100644 --- a/etc/file-roller.profile +++ b/etc/file-roller.profile | |||
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc | |||
11 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
12 | include /etc/firejail/disable-programs.inc | 12 | include /etc/firejail/disable-programs.inc |
13 | 13 | ||
14 | include /etc/firejail/whitelist-var-common.inc | ||
15 | |||
14 | caps.drop all | 16 | caps.drop all |
15 | # net none - makes settings immutable | 17 | # net none - makes settings immutable |
16 | no3d | 18 | no3d |
diff --git a/etc/gedit.profile b/etc/gedit.profile index 3d7af1496..e17d94da0 100644 --- a/etc/gedit.profile +++ b/etc/gedit.profile | |||
@@ -5,9 +5,10 @@ include /etc/firejail/gedit.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # when gedit is started via gnome-shell, firejail is not applied because systemd will start it | ||
9 | 8 | ||
10 | noblacklist ~/.config/gedit | 9 | noblacklist ${HOME}/.config/enchant |
10 | noblacklist ${HOME}/.config/gedit | ||
11 | noblacklist ${HOME}/.gitconfig | ||
11 | 12 | ||
12 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
13 | # include /etc/firejail/disable-devel.inc | 14 | # include /etc/firejail/disable-devel.inc |
diff --git a/etc/gitter.profile b/etc/gitter.profile index 5a172fcc4..0a47bf888 100644 --- a/etc/gitter.profile +++ b/etc/gitter.profile | |||
@@ -25,6 +25,7 @@ protocol unix,inet,inet6,netlink | |||
25 | seccomp | 25 | seccomp |
26 | shell none | 26 | shell none |
27 | 27 | ||
28 | private-bin gitter | 28 | private-bin bash,env,gitter |
29 | private-opt Gitter | ||
29 | private-dev | 30 | private-dev |
30 | private-tmp | 31 | private-tmp |
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile index 326222426..9e70a563a 100644 --- a/etc/gnome-calculator.profile +++ b/etc/gnome-calculator.profile | |||
@@ -28,10 +28,8 @@ seccomp | |||
28 | shell none | 28 | shell none |
29 | 29 | ||
30 | disable-mnt | 30 | disable-mnt |
31 | private | ||
32 | private-bin gnome-calculator | 31 | private-bin gnome-calculator |
33 | private-dev | 32 | private-dev |
34 | # private-etc fonts | ||
35 | private-tmp | 33 | private-tmp |
36 | 34 | ||
37 | memory-deny-write-execute | 35 | memory-deny-write-execute |
diff --git a/etc/gwenview.profile b/etc/gwenview.profile index 7f1577afe..2b025e56c 100644 --- a/etc/gwenview.profile +++ b/etc/gwenview.profile | |||
@@ -19,6 +19,8 @@ include /etc/firejail/disable-devel.inc | |||
19 | include /etc/firejail/disable-passwdmgr.inc | 19 | include /etc/firejail/disable-passwdmgr.inc |
20 | include /etc/firejail/disable-programs.inc | 20 | include /etc/firejail/disable-programs.inc |
21 | 21 | ||
22 | include /etc/firejail/whitelist-var-common.inc | ||
23 | |||
22 | caps.drop all | 24 | caps.drop all |
23 | nodvd | 25 | nodvd |
24 | nogroups | 26 | nogroups |
diff --git a/etc/hugin.profile b/etc/hugin.profile index ff88e0d5c..64b6e0c69 100644 --- a/etc/hugin.profile +++ b/etc/hugin.profile | |||
@@ -13,7 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc | |||
13 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
14 | 14 | ||
15 | caps.drop all | 15 | caps.drop all |
16 | netfilter | 16 | net none |
17 | nodvd | 17 | nodvd |
18 | nogroups | 18 | nogroups |
19 | nonewprivs | 19 | nonewprivs |
diff --git a/etc/idea.sh.profile b/etc/idea.sh.profile index 928ec7327..caec416e9 100644 --- a/etc/idea.sh.profile +++ b/etc/idea.sh.profile | |||
@@ -9,6 +9,8 @@ noblacklist ${HOME}/.IdeaIC* | |||
9 | noblacklist ${HOME}/.android | 9 | noblacklist ${HOME}/.android |
10 | noblacklist ${HOME}/.gitconfig | 10 | noblacklist ${HOME}/.gitconfig |
11 | noblacklist ${HOME}/.gradle | 11 | noblacklist ${HOME}/.gradle |
12 | noblacklist ${HOME}/.jack-server | ||
13 | noblacklist ${HOME}/.jack-settings | ||
12 | noblacklist ${HOME}/.java | 14 | noblacklist ${HOME}/.java |
13 | noblacklist ${HOME}/.local/share/JetBrains | 15 | noblacklist ${HOME}/.local/share/JetBrains |
14 | noblacklist ${HOME}/.ssh | 16 | noblacklist ${HOME}/.ssh |
diff --git a/etc/inkscape.profile b/etc/inkscape.profile index c062ab8ef..04c1020ab 100644 --- a/etc/inkscape.profile +++ b/etc/inkscape.profile | |||
@@ -27,7 +27,7 @@ protocol unix | |||
27 | seccomp | 27 | seccomp |
28 | shell none | 28 | shell none |
29 | 29 | ||
30 | #private-bin inkscape | 30 | private-bin inkscape,potrace |
31 | private-dev | 31 | private-dev |
32 | private-tmp | 32 | private-tmp |
33 | 33 | ||
diff --git a/etc/inox.profile b/etc/inox.profile index 6273c4de6..de4d6205b 100644 --- a/etc/inox.profile +++ b/etc/inox.profile | |||
@@ -21,6 +21,10 @@ whitelist ~/.config/inox | |||
21 | whitelist ~/.pki | 21 | whitelist ~/.pki |
22 | include /etc/firejail/whitelist-common.inc | 22 | include /etc/firejail/whitelist-common.inc |
23 | 23 | ||
24 | caps.keep sys_chroot,sys_admin | ||
24 | netfilter | 25 | netfilter |
25 | nodvd | 26 | nodvd |
27 | nogroups | ||
28 | noroot | ||
26 | notv | 29 | notv |
30 | shell none | ||
diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile index a1a5f957c..10c2909a0 100644 --- a/etc/kdenlive.profile +++ b/etc/kdenlive.profile | |||
@@ -26,5 +26,5 @@ private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvda | |||
26 | private-dev | 26 | private-dev |
27 | #private-etc fonts,alternatives,X11,pulse,passwd | 27 | #private-etc fonts,alternatives,X11,pulse,passwd |
28 | 28 | ||
29 | noexec ${HOME} | 29 | #noexec ${HOME} |
30 | noexec /tmp | 30 | noexec /tmp |
diff --git a/etc/konversation.profile b/etc/konversation.profile index 8ffc43487..7d09857ba 100644 --- a/etc/konversation.profile +++ b/etc/konversation.profile | |||
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc | |||
11 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
12 | include /etc/firejail/disable-programs.inc | 12 | include /etc/firejail/disable-programs.inc |
13 | 13 | ||
14 | include /etc/firejail/whitelist-var-common.inc | ||
15 | |||
14 | caps.drop all | 16 | caps.drop all |
15 | netfilter | 17 | netfilter |
16 | nodvd | 18 | nodvd |
diff --git a/etc/ktorrent.profile b/etc/ktorrent.profile index c0b37df3c..e95bc23ca 100644 --- a/etc/ktorrent.profile +++ b/etc/ktorrent.profile | |||
@@ -31,6 +31,7 @@ whitelist ~/.kde4/share/apps/ktorrent | |||
31 | whitelist ~/.kde4/share/config/ktorrentrc | 31 | whitelist ~/.kde4/share/config/ktorrentrc |
32 | whitelist ~/.local/share/ktorrent | 32 | whitelist ~/.local/share/ktorrent |
33 | include /etc/firejail/whitelist-common.inc | 33 | include /etc/firejail/whitelist-common.inc |
34 | include /etc/firejail/whitelist-var-common.inc | ||
34 | 35 | ||
35 | caps.drop all | 36 | caps.drop all |
36 | netfilter | 37 | netfilter |
diff --git a/etc/mate-calc.profile b/etc/mate-calc.profile index caf3095a5..c59b2dcc7 100644 --- a/etc/mate-calc.profile +++ b/etc/mate-calc.profile | |||
@@ -12,8 +12,15 @@ include /etc/firejail/disable-devel.inc | |||
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
14 | 14 | ||
15 | whitelist ${HOME}/.cache/mate-calc | ||
16 | whitelist ${HOME}/.config/caja | ||
17 | whitelist ${HOME}/.config/gtk-3.0 | ||
18 | whitelist ${HOME}/.config/dconf | ||
19 | whitelist ${HOME}./config/mate-menu | ||
20 | whitelist ${HOME}/.themes | ||
21 | |||
15 | caps.drop all | 22 | caps.drop all |
16 | netfilter | 23 | net none |
17 | no3d | 24 | no3d |
18 | nodvd | 25 | nodvd |
19 | nogroups | 26 | nogroups |
@@ -27,8 +34,12 @@ seccomp | |||
27 | shell none | 34 | shell none |
28 | 35 | ||
29 | disable-mnt | 36 | disable-mnt |
37 | private-bin mate-calc,mate-calculator | ||
38 | private-etc fonts | ||
30 | private-dev | 39 | private-dev |
40 | private-opt none | ||
31 | private-tmp | 41 | private-tmp |
32 | 42 | ||
43 | memory-deny-write-execute | ||
33 | noexec ${HOME} | 44 | noexec ${HOME} |
34 | noexec /tmp | 45 | noexec /tmp |
diff --git a/etc/mate-color-select.profile b/etc/mate-color-select.profile index 26ce42fbf..7df7d7faa 100644 --- a/etc/mate-color-select.profile +++ b/etc/mate-color-select.profile | |||
@@ -11,6 +11,11 @@ include /etc/firejail/disable-devel.inc | |||
11 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
12 | include /etc/firejail/disable-programs.inc | 12 | include /etc/firejail/disable-programs.inc |
13 | 13 | ||
14 | whitelist ${HOME}/.config/gtk-3.0 | ||
15 | whitelist ${HOME}/.fonts | ||
16 | whitelist ${HOME}/.icons | ||
17 | whitelist ${HOME}/.themes | ||
18 | |||
14 | caps.drop all | 19 | caps.drop all |
15 | netfilter | 20 | netfilter |
16 | no3d | 21 | no3d |
@@ -26,9 +31,11 @@ seccomp | |||
26 | shell none | 31 | shell none |
27 | 32 | ||
28 | disable-mnt | 33 | disable-mnt |
29 | private | 34 | private-bin mate-color-select |
35 | private-etc fonts | ||
30 | private-dev | 36 | private-dev |
31 | private-tmp | 37 | private-tmp |
32 | 38 | ||
39 | memory-deny-write-execute | ||
33 | noexec ${HOME} | 40 | noexec ${HOME} |
34 | noexec /tmp | 41 | noexec /tmp |
diff --git a/etc/mate-dictionary.profile b/etc/mate-dictionary.profile index f0de57e0d..3f85addaf 100644 --- a/etc/mate-dictionary.profile +++ b/etc/mate-dictionary.profile | |||
@@ -12,6 +12,12 @@ include /etc/firejail/disable-devel.inc | |||
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
14 | 14 | ||
15 | whitelist ${HOME}/.config/mate/mate-dictionary | ||
16 | whitelist ${HOME}/.config/gtk-3.0 | ||
17 | whitelist ${HOME}/.fonts | ||
18 | whitelist ${HOME}/.icons | ||
19 | whitelist ${HOME}/.themes | ||
20 | |||
15 | caps.drop all | 21 | caps.drop all |
16 | netfilter | 22 | netfilter |
17 | no3d | 23 | no3d |
@@ -27,8 +33,12 @@ seccomp | |||
27 | shell none | 33 | shell none |
28 | 34 | ||
29 | disable-mnt | 35 | disable-mnt |
36 | private-bin mate-dictionary | ||
37 | private-etc fonts,resolv.conf | ||
38 | private-opt mate-dictionary | ||
30 | private-dev | 39 | private-dev |
31 | private-tmp | 40 | private-tmp |
32 | 41 | ||
42 | memory-deny-write-execute | ||
33 | noexec ${HOME} | 43 | noexec ${HOME} |
34 | noexec /tmp | 44 | noexec /tmp |
diff --git a/etc/mediathekview.profile b/etc/mediathekview.profile index 1cda5022d..dc9946794 100644 --- a/etc/mediathekview.profile +++ b/etc/mediathekview.profile | |||
@@ -21,6 +21,8 @@ include /etc/firejail/disable-devel.inc | |||
21 | include /etc/firejail/disable-passwdmgr.inc | 21 | include /etc/firejail/disable-passwdmgr.inc |
22 | include /etc/firejail/disable-programs.inc | 22 | include /etc/firejail/disable-programs.inc |
23 | 23 | ||
24 | include /etc/firejail/whitelist-var-common.inc | ||
25 | |||
24 | caps.drop all | 26 | caps.drop all |
25 | netfilter | 27 | netfilter |
26 | nodvd | 28 | nodvd |
diff --git a/etc/musescore.profile b/etc/musescore.profile index b039d07b2..b3d04c08f 100644 --- a/etc/musescore.profile +++ b/etc/musescore.profile | |||
@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc | |||
15 | include /etc/firejail/disable-passwdmgr.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
16 | include /etc/firejail/disable-programs.inc | 16 | include /etc/firejail/disable-programs.inc |
17 | 17 | ||
18 | include /etc/firejail/whitelist-var-common.inc | ||
19 | |||
18 | caps.drop all | 20 | caps.drop all |
19 | netfilter | 21 | netfilter |
20 | no3d | 22 | no3d |
diff --git a/etc/natron.profile b/etc/natron.profile index d77539d83..b76649605 100644 --- a/etc/natron.profile +++ b/etc/natron.profile | |||
@@ -26,6 +26,7 @@ notv | |||
26 | protocol unix,inet,inet6 | 26 | protocol unix,inet,inet6 |
27 | seccomp | 27 | seccomp |
28 | shell none | 28 | shell none |
29 | net none | ||
29 | 30 | ||
30 | private-bin natron,Natron,NatronRenderer | 31 | private-bin natron,Natron,NatronRenderer |
31 | 32 | ||
diff --git a/etc/okular.profile b/etc/okular.profile index 94736fbae..60390e4d8 100644 --- a/etc/okular.profile +++ b/etc/okular.profile | |||
@@ -36,7 +36,7 @@ seccomp | |||
36 | shell none | 36 | shell none |
37 | tracelog | 37 | tracelog |
38 | 38 | ||
39 | # private-bin okular,kbuildsycoca4,lpr | 39 | # private-bin okular,kbuildsycoca4,kdeinit4,lpr |
40 | private-dev | 40 | private-dev |
41 | # private-etc fonts,X11 | 41 | # private-etc fonts,X11 |
42 | private-tmp | 42 | private-tmp |
diff --git a/etc/openshot-qt.profile b/etc/openshot-qt.profile new file mode 100644 index 000000000..cbd1f8fe8 --- /dev/null +++ b/etc/openshot-qt.profile | |||
@@ -0,0 +1,6 @@ | |||
1 | # Firejail profile alias for openshot | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | |||
5 | # Redirect | ||
6 | include /etc/firejail/openshot.profile | ||
diff --git a/etc/pdfmod.profile b/etc/pdfmod.profile new file mode 100644 index 000000000..8489e79a6 --- /dev/null +++ b/etc/pdfmod.profile | |||
@@ -0,0 +1,38 @@ | |||
1 | # Firejail profile for pdfmod | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/pdfmod.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | |||
9 | noblacklist ${HOME}/.cache/pdfmod | ||
10 | noblacklist ${HOME}/.config/pdfmod | ||
11 | |||
12 | include /etc/firejail/disable-common.inc | ||
13 | include /etc/firejail/disable-devel.inc | ||
14 | include /etc/firejail/disable-passwdmgr.inc | ||
15 | include /etc/firejail/disable-programs.inc | ||
16 | |||
17 | include /etc/firejail/whitelist-var-common.inc | ||
18 | |||
19 | caps.drop all | ||
20 | ipc-namespace | ||
21 | net none | ||
22 | no3d | ||
23 | nodvd | ||
24 | nogroups | ||
25 | nonewprivs | ||
26 | noroot | ||
27 | nosound | ||
28 | notv | ||
29 | novideo | ||
30 | protocol unix | ||
31 | seccomp | ||
32 | shell none | ||
33 | |||
34 | private-dev | ||
35 | private-tmp | ||
36 | |||
37 | noexec ${HOME} | ||
38 | noexec /tmp | ||
diff --git a/etc/pinta.profile b/etc/pinta.profile new file mode 100644 index 000000000..cb6e05d35 --- /dev/null +++ b/etc/pinta.profile | |||
@@ -0,0 +1,34 @@ | |||
1 | # Firejail profile for pinta | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/pinta.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | |||
9 | noblacklist ${HOME}/.config/Pinta | ||
10 | |||
11 | include /etc/firejail/disable-common.inc | ||
12 | include /etc/firejail/disable-devel.inc | ||
13 | include /etc/firejail/disable-passwdmgr.inc | ||
14 | include /etc/firejail/disable-programs.inc | ||
15 | |||
16 | caps.drop all | ||
17 | ipc-namespace | ||
18 | net none | ||
19 | nodvd | ||
20 | nogroups | ||
21 | nonewprivs | ||
22 | noroot | ||
23 | nosound | ||
24 | notv | ||
25 | novideo | ||
26 | protocol unix | ||
27 | seccomp | ||
28 | shell none | ||
29 | |||
30 | private-dev | ||
31 | private-tmp | ||
32 | |||
33 | noexec ${HOME} | ||
34 | noexec /tmp | ||
diff --git a/etc/scribus.profile b/etc/scribus.profile index dd06fa59f..1b2d0c0b8 100644 --- a/etc/scribus.profile +++ b/etc/scribus.profile | |||
@@ -26,7 +26,10 @@ include /etc/firejail/disable-devel.inc | |||
26 | include /etc/firejail/disable-passwdmgr.inc | 26 | include /etc/firejail/disable-passwdmgr.inc |
27 | include /etc/firejail/disable-programs.inc | 27 | include /etc/firejail/disable-programs.inc |
28 | 28 | ||
29 | include /etc/firejail/whitelist-var-common.inc | ||
30 | |||
29 | caps.drop all | 31 | caps.drop all |
32 | net none | ||
30 | nodvd | 33 | nodvd |
31 | nogroups | 34 | nogroups |
32 | nonewprivs | 35 | nonewprivs |
diff --git a/etc/server.profile b/etc/server.profile index edd4666e1..860e0056d 100644 --- a/etc/server.profile +++ b/etc/server.profile | |||
@@ -13,7 +13,6 @@ blacklist /tmp/.X11-unix | |||
13 | 13 | ||
14 | noblacklist /sbin | 14 | noblacklist /sbin |
15 | noblacklist /usr/sbin | 15 | noblacklist /usr/sbin |
16 | # noblacklist /var/log | ||
17 | # noblacklist /var/opt | 16 | # noblacklist /var/opt |
18 | 17 | ||
19 | include /etc/firejail/disable-common.inc | 18 | include /etc/firejail/disable-common.inc |
@@ -29,6 +28,8 @@ notv | |||
29 | novideo | 28 | novideo |
30 | seccomp | 29 | seccomp |
31 | 30 | ||
31 | # netfilter /etc/firejail/webserver.net | ||
32 | |||
32 | # disable-mnt | 33 | # disable-mnt |
33 | private | 34 | private |
34 | # private-bin program | 35 | # private-bin program |
diff --git a/etc/shotcut.profile b/etc/shotcut.profile index e30bc1f46..4e8b1da05 100644 --- a/etc/shotcut.profile +++ b/etc/shotcut.profile | |||
@@ -27,5 +27,5 @@ shell none | |||
27 | #private-bin shotcut,melt,qmelt,nice | 27 | #private-bin shotcut,melt,qmelt,nice |
28 | private-dev | 28 | private-dev |
29 | 29 | ||
30 | noexec ${HOME} | 30 | #noexec ${HOME} |
31 | noexec /tmp | 31 | noexec /tmp |
diff --git a/etc/steam.profile b/etc/steam.profile index b4b9ede70..33c082533 100644 --- a/etc/steam.profile +++ b/etc/steam.profile | |||
@@ -46,5 +46,6 @@ shell none | |||
46 | 46 | ||
47 | # private-dev should be commented for controllers | 47 | # private-dev should be commented for controllers |
48 | private-dev | 48 | private-dev |
49 | private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl | 49 | # private-etc breaks some games |
50 | #private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl | ||
50 | private-tmp | 51 | private-tmp |
diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile index b0014ace6..2617c0e51 100644 --- a/etc/synfigstudio.profile +++ b/etc/synfigstudio.profile | |||
@@ -14,7 +14,7 @@ include /etc/firejail/disable-passwdmgr.inc | |||
14 | include /etc/firejail/disable-programs.inc | 14 | include /etc/firejail/disable-programs.inc |
15 | 15 | ||
16 | caps.drop all | 16 | caps.drop all |
17 | netfilter | 17 | net none |
18 | nodvd | 18 | nodvd |
19 | nogroups | 19 | nogroups |
20 | nonewprivs | 20 | nonewprivs |
@@ -26,7 +26,7 @@ protocol unix | |||
26 | seccomp | 26 | seccomp |
27 | shell none | 27 | shell none |
28 | 28 | ||
29 | #private-bin synfigstudio | 29 | #private-bin synfigstudio,synfig,ffmpeg |
30 | private-dev | 30 | private-dev |
31 | private-tmp | 31 | private-tmp |
32 | 32 | ||
diff --git a/etc/tuxguitar.profile b/etc/tuxguitar.profile index fbc198cc3..30e2a619d 100644 --- a/etc/tuxguitar.profile +++ b/etc/tuxguitar.profile | |||
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc | |||
13 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | 14 | include /etc/firejail/disable-programs.inc |
15 | 15 | ||
16 | include /etc/firejail/whitelist-var-common.inc | ||
17 | |||
16 | caps.drop all | 18 | caps.drop all |
17 | netfilter | 19 | netfilter |
18 | no3d | 20 | no3d |
diff --git a/etc/uefitool.profile b/etc/uefitool.profile new file mode 100644 index 000000000..138f69aa8 --- /dev/null +++ b/etc/uefitool.profile | |||
@@ -0,0 +1,33 @@ | |||
1 | # Firejail profile for uefitool | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/uefitool.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | |||
9 | include /etc/firejail/disable-common.inc | ||
10 | include /etc/firejail/disable-devel.inc | ||
11 | include /etc/firejail/disable-passwdmgr.inc | ||
12 | include /etc/firejail/disable-programs.inc | ||
13 | |||
14 | caps.drop all | ||
15 | ipc-namespace | ||
16 | net none | ||
17 | no3d | ||
18 | nodvd | ||
19 | nogroups | ||
20 | nonewprivs | ||
21 | noroot | ||
22 | nosound | ||
23 | notv | ||
24 | novideo | ||
25 | protocol unix | ||
26 | seccomp | ||
27 | shell none | ||
28 | |||
29 | private-dev | ||
30 | private-tmp | ||
31 | |||
32 | noexec ${HOME} | ||
33 | noexec /tmp | ||
diff --git a/etc/unbound.profile b/etc/unbound.profile index 2a38aa7c6..d380b5698 100644 --- a/etc/unbound.profile +++ b/etc/unbound.profile | |||
@@ -9,7 +9,6 @@ blacklist /tmp/.X11-unix | |||
9 | 9 | ||
10 | noblacklist /sbin | 10 | noblacklist /sbin |
11 | noblacklist /usr/sbin | 11 | noblacklist /usr/sbin |
12 | noblacklist /var/log | ||
13 | 12 | ||
14 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
15 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
@@ -31,4 +30,4 @@ private | |||
31 | private-dev | 30 | private-dev |
32 | 31 | ||
33 | # mdwe can break modules/plugins | 32 | # mdwe can break modules/plugins |
34 | # memory-deny-write-execute | 33 | memory-deny-write-execute |
diff --git a/etc/waterfox.profile b/etc/waterfox.profile index 2322c1fae..67995f345 100644 --- a/etc/waterfox.profile +++ b/etc/waterfox.profile | |||
@@ -65,6 +65,7 @@ whitelist ~/.wine-pipelight64 | |||
65 | whitelist ~/.zotero | 65 | whitelist ~/.zotero |
66 | whitelist ~/dwhelper | 66 | whitelist ~/dwhelper |
67 | include /etc/firejail/whitelist-common.inc | 67 | include /etc/firejail/whitelist-common.inc |
68 | include /etc/firejail/whitelist-var-common.inc | ||
68 | 69 | ||
69 | caps.drop all | 70 | caps.drop all |
70 | netfilter | 71 | netfilter |
@@ -78,7 +79,8 @@ seccomp | |||
78 | shell none | 79 | shell none |
79 | tracelog | 80 | tracelog |
80 | 81 | ||
81 | # private-bin waterfox,which,sh,dbus-launch,dbus-send,env | 82 | # waterfox requires a shell to launch on Arch. We can possibly remove sh though. |
83 | # private-bin waterfox,which,sh,dbus-launch,dbus-send,env,dash,bash | ||
82 | private-dev | 84 | private-dev |
83 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,waterfox,mime.types,mailcap,asound.conf,pulse | 85 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,waterfox,mime.types,mailcap,asound.conf,pulse |
84 | private-tmp | 86 | private-tmp |
diff --git a/etc/xreader.profile b/etc/xreader.profile index c02b9a014..bebcb262f 100644 --- a/etc/xreader.profile +++ b/etc/xreader.profile | |||
@@ -14,6 +14,8 @@ include /etc/firejail/disable-devel.inc | |||
14 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
15 | include /etc/firejail/disable-programs.inc | 15 | include /etc/firejail/disable-programs.inc |
16 | 16 | ||
17 | include /etc/firejail/whitelist-var-common.inc | ||
18 | |||
17 | caps.drop all | 19 | caps.drop all |
18 | no3d | 20 | no3d |
19 | nodvd | 21 | nodvd |
diff --git a/etc/xviewer.profile b/etc/xviewer.profile index b9ff3948a..53f2a0c82 100644 --- a/etc/xviewer.profile +++ b/etc/xviewer.profile | |||
@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc | |||
15 | include /etc/firejail/disable-passwdmgr.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
16 | include /etc/firejail/disable-programs.inc | 16 | include /etc/firejail/disable-programs.inc |
17 | 17 | ||
18 | include /etc/firejail/whitelist-var-common.inc | ||
19 | |||
18 | caps.drop all | 20 | caps.drop all |
19 | # net none - makes settings immutable | 21 | # net none - makes settings immutable |
20 | no3d | 22 | no3d |
@@ -19,7 +19,7 @@ tar -xJvf $CODE_ARCHIVE | |||
19 | #mkdir -p $INSTALL_DIR | 19 | #mkdir -p $INSTALL_DIR |
20 | cd $CODE_DIR | 20 | cd $CODE_DIR |
21 | ./configure --prefix=/usr --enable-git-install | 21 | ./configure --prefix=/usr --enable-git-install |
22 | make | 22 | make -j2 |
23 | mkdir debian | 23 | mkdir debian |
24 | DESTDIR=debian make install-strip | 24 | DESTDIR=debian make install-strip |
25 | 25 | ||
@@ -43,7 +43,7 @@ cp platform/debian/conffiles $DEBIAN_CTRL_DIR/. | |||
43 | find $INSTALL_DIR -type d | xargs chmod 755 | 43 | find $INSTALL_DIR -type d | xargs chmod 755 |
44 | cd $CODE_DIR | 44 | cd $CODE_DIR |
45 | fakeroot dpkg-deb --build debian | 45 | fakeroot dpkg-deb --build debian |
46 | lintian debian.deb | 46 | lintian --no-tag-display-limit debian.deb |
47 | mv debian.deb ../firejail_$2_1_amd64.deb | 47 | mv debian.deb ../firejail_$2_1_amd64.deb |
48 | echo "if building a 32bit package, rename the deb file manually" | 48 | echo "if building a 32bit package, rename the deb file manually" |
49 | cd .. | 49 | cd .. |
diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 27623aee3..cee008786 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles | |||
@@ -358,4 +358,60 @@ | |||
358 | /etc/firejail/yandex-browser.profile | 358 | /etc/firejail/yandex-browser.profile |
359 | /etc/firejail/itch.profile | 359 | /etc/firejail/itch.profile |
360 | /etc/firejail/whitelist-var-common.inc | 360 | /etc/firejail/whitelist-var-common.inc |
361 | /etc/firejail/ffmpeg | 361 | /etc/firejail/ffmpeg.profile |
362 | /etc/firejail/Natron.profile | ||
363 | /etc/firejail/Viber.profile | ||
364 | /etc/firejail/amule.profile | ||
365 | /etc/firejail/arch-audit.profile | ||
366 | /etc/firejail/ardour4.profile | ||
367 | /etc/firejail/ardour5.profile | ||
368 | /etc/firejail/bluefish.profile | ||
369 | /etc/firejail/brackets.profile | ||
370 | /etc/firejail/calligra.profile | ||
371 | /etc/firejail/calligraauthor.profile | ||
372 | /etc/firejail/calligraconverter.profile | ||
373 | /etc/firejail/calligraflow.profile | ||
374 | /etc/firejail/calligraplan.profile | ||
375 | /etc/firejail/calligraplanwork.profile | ||
376 | /etc/firejail/calligrasheets.profile | ||
377 | /etc/firejail/cin.profile | ||
378 | /etc/firejail/calligrastage.profile | ||
379 | /etc/firejail/calligrawords.profile | ||
380 | /etc/firejail/cinelerra.profile | ||
381 | /etc/firejail/clamav.profile | ||
382 | /etc/firejail/clamdscan.profile | ||
383 | /etc/firejail/clamdtop.profile | ||
384 | /etc/firejail/clamscan.profile | ||
385 | /etc/firejail/cliqz.profile | ||
386 | /etc/firejail/conky.profile | ||
387 | /etc/firejail/dooble-qt4.profile | ||
388 | /etc/firejail/dooble.profile | ||
389 | /etc/firejail/fetchmail.profile | ||
390 | /etc/firejail/freecad.profile | ||
391 | /etc/firejail/freecadcmd.profile | ||
392 | /etc/firejail/freshclam.profile | ||
393 | /etc/firejail/google-earth.profile | ||
394 | /etc/firejail/imagej.profile | ||
395 | /etc/firejail/karbon.profile | ||
396 | /etc/firejail/kdenlive.profile | ||
397 | /etc/firejail/krita.profile | ||
398 | /etc/firejail/linphone.profile | ||
399 | /etc/firejail/lmms.profile | ||
400 | /etc/firejail/macrofusion.profile | ||
401 | /etc/firejail/mpd.profile | ||
402 | /etc/firejail/natron.profile | ||
403 | /etc/firejail/openshot-qt.profile | ||
404 | /etc/firejail/pinta.profile | ||
405 | /etc/firejail/ricochet.profile | ||
406 | /etc/firejail/rocketchat.profile | ||
407 | /etc/firejail/shotcut.profile | ||
408 | /etc/firejail/smtube.profile | ||
409 | /etc/firejail/surf.profile | ||
410 | /etc/firejail/teamspeak3.profile | ||
411 | /etc/firejail/terasology.profile | ||
412 | /etc/firejail/tor-browser-en.profile | ||
413 | /etc/firejail/tor.profile | ||
414 | /etc/firejail/uefitool.profile | ||
415 | /etc/firejail/x-terminal-emulator.profile | ||
416 | /etc/firejail/xmr-stak-cpu.profile | ||
417 | /etc/firejail/zart.profile | ||
diff --git a/platform/rpm/old-mkrpm.sh b/platform/rpm/old-mkrpm.sh index 50f9f0512..13049f736 100755 --- a/platform/rpm/old-mkrpm.sh +++ b/platform/rpm/old-mkrpm.sh | |||
@@ -1,5 +1,5 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | VERSION="0.9.50" | 2 | VERSION="0.9.51" |
3 | rm -fr ~/rpmbuild | 3 | rm -fr ~/rpmbuild |
4 | rm -f firejail-$VERSION-1.x86_64.rpm | 4 | rm -f firejail-$VERSION-1.x86_64.rpm |
5 | 5 | ||
@@ -33,6 +33,7 @@ install -m 755 /usr/lib/firejail/fnet firejail-$VERSION/usr/lib/firejail/. | |||
33 | install -m 755 /usr/lib/firejail/fseccomp firejail-$VERSION/usr/lib/firejail/. | 33 | install -m 755 /usr/lib/firejail/fseccomp firejail-$VERSION/usr/lib/firejail/. |
34 | install -m 755 /usr/lib/firejail/fshaper.sh firejail-$VERSION/usr/lib/firejail/. | 34 | install -m 755 /usr/lib/firejail/fshaper.sh firejail-$VERSION/usr/lib/firejail/. |
35 | install -m 755 /usr/lib/firejail/ftee firejail-$VERSION/usr/lib/firejail/. | 35 | install -m 755 /usr/lib/firejail/ftee firejail-$VERSION/usr/lib/firejail/. |
36 | install -m 755 /usr/lib/firejail/fbuilder firejail-$VERSION/usr/lib/firejail/. | ||
36 | install -m 644 /usr/lib/firejail/libtracelog.so firejail-$VERSION/usr/lib/firejail/. | 37 | install -m 644 /usr/lib/firejail/libtracelog.so firejail-$VERSION/usr/lib/firejail/. |
37 | install -m 644 /usr/lib/firejail/libtrace.so firejail-$VERSION/usr/lib/firejail/. | 38 | install -m 644 /usr/lib/firejail/libtrace.so firejail-$VERSION/usr/lib/firejail/. |
38 | install -m 644 /usr/lib/firejail/libpostexecseccomp.so firejail-$VERSION/usr/lib/firejail/. | 39 | install -m 644 /usr/lib/firejail/libpostexecseccomp.so firejail-$VERSION/usr/lib/firejail/. |
@@ -470,11 +471,66 @@ rm -rf %{buildroot} | |||
470 | %{_sysconfdir}/%{name}/itch.profile | 471 | %{_sysconfdir}/%{name}/itch.profile |
471 | %{_sysconfdir}/%{name}/minetest.profile | 472 | %{_sysconfdir}/%{name}/minetest.profile |
472 | %{_sysconfdir}/%{name}/yandex-browser.profile | 473 | %{_sysconfdir}/%{name}/yandex-browser.profile |
473 | 474 | # 0.9.51 | |
474 | 475 | %{_sysconfdir}/%{name}/Natron.profile | |
475 | 476 | %{_sysconfdir}/%{name}/Viber.profile | |
476 | 477 | %{_sysconfdir}/%{name}/amule.profile | |
477 | 478 | %{_sysconfdir}/%{name}/arch-audit.profile | |
479 | %{_sysconfdir}/%{name}/ardour4.profile | ||
480 | %{_sysconfdir}/%{name}/ardour5.profile | ||
481 | %{_sysconfdir}/%{name}/bluefish.profile | ||
482 | %{_sysconfdir}/%{name}/brackets.profile | ||
483 | %{_sysconfdir}/%{name}/calligra.profile | ||
484 | %{_sysconfdir}/%{name}/calligraauthor.profile | ||
485 | %{_sysconfdir}/%{name}/calligraconverter.profile | ||
486 | %{_sysconfdir}/%{name}/calligraflow.profile | ||
487 | %{_sysconfdir}/%{name}/calligraplan.profile | ||
488 | %{_sysconfdir}/%{name}/calligraplanwork.profile | ||
489 | %{_sysconfdir}/%{name}/calligrasheets.profile | ||
490 | %{_sysconfdir}/%{name}/calligrastage.profile | ||
491 | %{_sysconfdir}/%{name}/calligrawords.profile | ||
492 | %{_sysconfdir}/%{name}/cin.profile | ||
493 | %{_sysconfdir}/%{name}/cinelerra.profile | ||
494 | %{_sysconfdir}/%{name}/clamav.profile | ||
495 | %{_sysconfdir}/%{name}/clamdscan.profile | ||
496 | %{_sysconfdir}/%{name}/clamdtop.profile | ||
497 | %{_sysconfdir}/%{name}/clamscan.profile | ||
498 | %{_sysconfdir}/%{name}/cliqz.profile | ||
499 | %{_sysconfdir}/%{name}/conky.profile | ||
500 | %{_sysconfdir}/%{name}/dooble-qt4.profile | ||
501 | %{_sysconfdir}/%{name}/dooble.profile | ||
502 | %{_sysconfdir}/%{name}/fetchmail.profile | ||
503 | %{_sysconfdir}/%{name}/ffmpeg.profile | ||
504 | %{_sysconfdir}/%{name}/freecad.profile | ||
505 | %{_sysconfdir}/%{name}/freecadcmd.profile | ||
506 | %{_sysconfdir}/%{name}/freshclam.profile | ||
507 | %{_sysconfdir}/%{name}/google-earth.profile | ||
508 | %{_sysconfdir}/%{name}/imagej.profile | ||
509 | %{_sysconfdir}/%{name}/karbon.profile | ||
510 | %{_sysconfdir}/%{name}/kdenlive.profile | ||
511 | %{_sysconfdir}/%{name}/krita.profile | ||
512 | %{_sysconfdir}/%{name}/linphone.profile | ||
513 | %{_sysconfdir}/%{name}/lmms.profile | ||
514 | %{_sysconfdir}/%{name}/macrofusion.profile | ||
515 | %{_sysconfdir}/%{name}/mpd.profile | ||
516 | %{_sysconfdir}/%{name}/natron.profile | ||
517 | %{_sysconfdir}/%{name}/openshot-qt.profile | ||
518 | %{_sysconfdir}/%{name}/pinta.profile | ||
519 | %{_sysconfdir}/%{name}/ricochet.profile | ||
520 | %{_sysconfdir}/%{name}/rocketchat.profile | ||
521 | %{_sysconfdir}/%{name}/shotcut.profile | ||
522 | %{_sysconfdir}/%{name}/smtube.profile | ||
523 | %{_sysconfdir}/%{name}/surf.profile | ||
524 | %{_sysconfdir}/%{name}/teamspeak3.profile | ||
525 | %{_sysconfdir}/%{name}/terasology.profile | ||
526 | %{_sysconfdir}/%{name}/tor-browser-en.profile | ||
527 | %{_sysconfdir}/%{name}/tor.profile | ||
528 | %{_sysconfdir}/%{name}/uefitool.profile | ||
529 | %{_sysconfdir}/%{name}/whitelist-var-common.inc | ||
530 | %{_sysconfdir}/%{name}/x-terminal-emulator.profile | ||
531 | %{_sysconfdir}/%{name}/xmr-stak-cpu.profile | ||
532 | %{_sysconfdir}/%{name}/zart.profile | ||
533 | |||
478 | /usr/bin/firejail | 534 | /usr/bin/firejail |
479 | /usr/bin/firemon | 535 | /usr/bin/firemon |
480 | /usr/bin/firecfg | 536 | /usr/bin/firecfg |
@@ -484,6 +540,7 @@ rm -rf %{buildroot} | |||
484 | /usr/lib/firejail/libpostexecseccomp.so | 540 | /usr/lib/firejail/libpostexecseccomp.so |
485 | /usr/lib/firejail/faudit | 541 | /usr/lib/firejail/faudit |
486 | /usr/lib/firejail/ftee | 542 | /usr/lib/firejail/ftee |
543 | /usr/lib/firejail/fbuilder | ||
487 | /usr/lib/firejail/firecfg.config | 544 | /usr/lib/firejail/firecfg.config |
488 | /usr/lib/firejail/fshaper.sh | 545 | /usr/lib/firejail/fshaper.sh |
489 | /usr/lib/firejail/fcopy | 546 | /usr/lib/firejail/fcopy |
@@ -519,6 +576,8 @@ rm -rf %{buildroot} | |||
519 | chmod u+s /usr/bin/firejail | 576 | chmod u+s /usr/bin/firejail |
520 | 577 | ||
521 | %changelog | 578 | %changelog |
579 | * Sat Sep 23 2017 netblue30 <netblue30@yahoo.com> 0.9.51-1 | ||
580 | |||
522 | * Fri Sep 8 2017 netblue30 <netblue30@yahoo.com> 0.9.50-1 | 581 | * Fri Sep 8 2017 netblue30 <netblue30@yahoo.com> 0.9.50-1 |
523 | 582 | ||
524 | * Mon Jun 12 2017 netblue30 <netblue30@yahoo.com> 0.9.48-1 | 583 | * Mon Jun 12 2017 netblue30 <netblue30@yahoo.com> 0.9.48-1 |
diff --git a/src/fbuilder/build_bin.c b/src/fbuilder/build_bin.c index 7d0e2cb7c..31b6ba8e8 100644 --- a/src/fbuilder/build_bin.c +++ b/src/fbuilder/build_bin.c | |||
@@ -82,7 +82,11 @@ static void process_bin(const char *fname) { | |||
82 | if (!ptr2) | 82 | if (!ptr2) |
83 | continue; | 83 | continue; |
84 | *ptr2 = '\0'; | 84 | *ptr2 = '\0'; |
85 | 85 | ||
86 | // skip strace | ||
87 | if (strcmp(ptr, "strace") == 0) | ||
88 | continue; | ||
89 | |||
86 | bin_out = filedb_add(bin_out, ptr); | 90 | bin_out = filedb_add(bin_out, ptr); |
87 | } | 91 | } |
88 | 92 | ||
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c index 3f5fe48ca..0f71fe7ad 100644 --- a/src/fbuilder/build_profile.c +++ b/src/fbuilder/build_profile.c | |||
@@ -75,7 +75,8 @@ void build_profile(int argc, char **argv, int index) { | |||
75 | int len = (int) sizeof(cmdlist) / sizeof(char*) + argc - index + 1; | 75 | int len = (int) sizeof(cmdlist) / sizeof(char*) + argc - index + 1; |
76 | if (arg_debug) | 76 | if (arg_debug) |
77 | printf("command len %d + %d + 1\n", (int) (sizeof(cmdlist) / sizeof(char*)), argc - index); | 77 | printf("command len %d + %d + 1\n", (int) (sizeof(cmdlist) / sizeof(char*)), argc - index); |
78 | char *cmd[len]; | 78 | char *cmd[len]; |
79 | cmd[0] = cmdlist[0]; // explicit assignemnt to clean scan-build error | ||
79 | 80 | ||
80 | // build command | 81 | // build command |
81 | int i = 0; | 82 | int i = 0; |
@@ -89,6 +90,7 @@ void build_profile(int argc, char **argv, int index) { | |||
89 | int i2 = index; | 90 | int i2 = index; |
90 | for (; i < (len - 1); i++, i2++) | 91 | for (; i < (len - 1); i++, i2++) |
91 | cmd[i] = argv[i2]; | 92 | cmd[i] = argv[i2]; |
93 | assert(i < len); | ||
92 | cmd[i] = NULL; | 94 | cmd[i] = NULL; |
93 | 95 | ||
94 | if (arg_debug) { | 96 | if (arg_debug) { |
@@ -101,7 +103,9 @@ void build_profile(int argc, char **argv, int index) { | |||
101 | if (child == -1) | 103 | if (child == -1) |
102 | errExit("fork"); | 104 | errExit("fork"); |
103 | if (child == 0) { | 105 | if (child == 0) { |
106 | assert(cmd[0]); | ||
104 | int rv = execvp(cmd[0], cmd); | 107 | int rv = execvp(cmd[0], cmd); |
108 | (void) rv; | ||
105 | errExit("execv"); | 109 | errExit("execv"); |
106 | } | 110 | } |
107 | 111 | ||
diff --git a/src/firecfg/desktop_files.c b/src/firecfg/desktop_files.c new file mode 100644 index 000000000..c1d456147 --- /dev/null +++ b/src/firecfg/desktop_files.c | |||
@@ -0,0 +1,295 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2017 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | |||
21 | #include "firecfg.h" | ||
22 | #include <ctype.h> | ||
23 | |||
24 | static int check_profile(const char *name, const char *homedir) { | ||
25 | // build profile name | ||
26 | char *profname1; | ||
27 | char *profname2; | ||
28 | if (asprintf(&profname1, "%s/%s.profile", SYSCONFDIR, name) == -1) | ||
29 | errExit("asprintf"); | ||
30 | if (asprintf(&profname2, "%s/.config/firejail/%s.profile", homedir, name) == -1) | ||
31 | errExit("asprintf"); | ||
32 | |||
33 | int rv = 0; | ||
34 | if (access(profname1, R_OK) == 0) { | ||
35 | if (arg_debug) | ||
36 | printf("found %s\n", profname1); | ||
37 | rv = 1; | ||
38 | } | ||
39 | else if (access(profname2, R_OK) == 0) { | ||
40 | if (arg_debug) | ||
41 | printf("found %s\n", profname2); | ||
42 | rv = 1; | ||
43 | } | ||
44 | |||
45 | free(profname1); | ||
46 | free(profname2); | ||
47 | return rv; | ||
48 | } | ||
49 | |||
50 | |||
51 | // look for a profile file in /etc/firejail diectory and in homedir/.config/firejail directory | ||
52 | static int have_profile(const char *filename, const char *homedir) { | ||
53 | assert(filename); | ||
54 | assert(homedir); | ||
55 | |||
56 | if (arg_debug) | ||
57 | printf("checking profile for %s\n", filename); | ||
58 | |||
59 | // we get strange names here, such as .org.gnom.gedit.desktop, com.uploadedlobster.peek.desktop, | ||
60 | // or io.github.Pithos.desktop; extract the word before .desktop | ||
61 | |||
62 | char *tmpfname = strdup(filename); | ||
63 | if (!tmpfname) | ||
64 | errExit("strdup"); | ||
65 | |||
66 | // check .desktop extension | ||
67 | int len = strlen(tmpfname); | ||
68 | if (len <= 8) | ||
69 | return 0; | ||
70 | if (strcmp(tmpfname + len - 8, ".desktop")) | ||
71 | return 0; | ||
72 | tmpfname[len - 8] = '\0'; | ||
73 | |||
74 | // extract last word | ||
75 | char *last_word = strrchr(tmpfname, '.'); | ||
76 | if (last_word) | ||
77 | last_word++; | ||
78 | else | ||
79 | last_word = tmpfname; | ||
80 | |||
81 | // try lowercase | ||
82 | last_word[0] = tolower(last_word[0]); | ||
83 | int rv = check_profile(last_word, homedir); | ||
84 | if (rv) { | ||
85 | free(tmpfname); | ||
86 | return rv; | ||
87 | } | ||
88 | |||
89 | // try uppercase | ||
90 | last_word[0] = toupper(last_word[0]); | ||
91 | rv = check_profile(last_word, homedir); | ||
92 | free(tmpfname); | ||
93 | return rv; | ||
94 | } | ||
95 | |||
96 | void fix_desktop_files(char *homedir) { | ||
97 | assert(homedir); | ||
98 | struct stat sb; | ||
99 | |||
100 | // check user | ||
101 | if (getuid() == 0) { | ||
102 | fprintf(stderr, "Error: this option is not supported for root user; please run as a regular user.\n"); | ||
103 | exit(1); | ||
104 | } | ||
105 | |||
106 | // destination | ||
107 | // create ~/.local/share/applications directory if necessary | ||
108 | char *user_apps_dir; | ||
109 | if (asprintf(&user_apps_dir, "%s/.local/share/applications", homedir) == -1) | ||
110 | errExit("asprintf"); | ||
111 | if (stat(user_apps_dir, &sb) == -1) { | ||
112 | int rv = mkdir(user_apps_dir, 0700); | ||
113 | if (rv) { | ||
114 | fprintf(stderr, "Error: cannot create ~/.local/application directory\n"); | ||
115 | perror("mkdir"); | ||
116 | exit(1); | ||
117 | } | ||
118 | rv = chmod(user_apps_dir, 0700); | ||
119 | (void) rv; | ||
120 | } | ||
121 | |||
122 | // source | ||
123 | DIR *dir = opendir("/usr/share/applications"); | ||
124 | if (!dir) { | ||
125 | perror("Error: cannot open /usr/share/applications directory"); | ||
126 | exit(1); | ||
127 | } | ||
128 | if (chdir("/usr/share/applications")) { | ||
129 | perror("Error: cannot chdir to /usr/share/applications"); | ||
130 | exit(1); | ||
131 | } | ||
132 | |||
133 | printf("\nFixing desktop files in %s\n", user_apps_dir); | ||
134 | // copy | ||
135 | struct dirent *entry; | ||
136 | while ((entry = readdir(dir)) != NULL) { | ||
137 | if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) | ||
138 | continue; | ||
139 | |||
140 | // skip if not regular file or link | ||
141 | // d_type is not available on some file systems | ||
142 | if (entry->d_type != DT_REG && entry->d_type != DT_LNK && entry->d_type != DT_UNKNOWN) | ||
143 | continue; | ||
144 | |||
145 | // skip if not .desktop file | ||
146 | if (strstr(entry->d_name,".desktop") != (entry->d_name+strlen(entry->d_name)-8)) | ||
147 | continue; | ||
148 | |||
149 | char *filename = entry->d_name; | ||
150 | |||
151 | // skip links | ||
152 | if (is_link(filename)) | ||
153 | continue; | ||
154 | if (stat(filename, &sb) == -1) | ||
155 | errExit("stat"); | ||
156 | |||
157 | // no profile in /etc/firejail, no desktop file fixing | ||
158 | if (!have_profile(filename, homedir)) | ||
159 | continue; | ||
160 | |||
161 | //**************************************************** | ||
162 | // load the file in memory and do some basic checking | ||
163 | //**************************************************** | ||
164 | /* coverity[toctou] */ | ||
165 | int fd = open(filename, O_RDONLY); | ||
166 | if (fd == -1) { | ||
167 | fprintf(stderr, "Error: cannot open /usr/share/applications/%s\n", filename); | ||
168 | continue; | ||
169 | } | ||
170 | |||
171 | char *buf = mmap(NULL, sb.st_size + 1, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); | ||
172 | if (buf == MAP_FAILED) | ||
173 | errExit("mmap"); | ||
174 | close(fd); | ||
175 | |||
176 | // check format | ||
177 | if (strstr(buf, "[Desktop Entry]\n") == NULL) { | ||
178 | if (arg_debug) | ||
179 | printf(" %s - skipped: wrong format?\n", filename); | ||
180 | munmap(buf, sb.st_size + 1); | ||
181 | continue; | ||
182 | } | ||
183 | |||
184 | // get executable name | ||
185 | char *ptr = strstr(buf,"\nExec="); | ||
186 | if (!ptr || strlen(ptr) < 7) { | ||
187 | if (arg_debug) | ||
188 | printf(" %s - skipped: wrong format?\n", filename); | ||
189 | munmap(buf, sb.st_size + 1); | ||
190 | continue; | ||
191 | } | ||
192 | |||
193 | char *execname = ptr + 6; | ||
194 | // executable name can be quoted, this is rare and currently unsupported, TODO | ||
195 | if (execname[0] == '"') { | ||
196 | if (arg_debug) | ||
197 | printf(" %s - skipped: path quoting unsupported\n", filename); | ||
198 | munmap(buf, sb.st_size + 1); | ||
199 | continue; | ||
200 | } | ||
201 | |||
202 | // try to decide if we need to covert this file | ||
203 | char *change_exec = NULL; | ||
204 | int change_dbus = 0; | ||
205 | |||
206 | if (strstr(buf, "\nDBusActivatable=true")) | ||
207 | change_dbus = 1; | ||
208 | |||
209 | // https://specifications.freedesktop.org/desktop-entry-spec/latest/ar01s06.html | ||
210 | // The executable program can either be specified with its full path | ||
211 | // or with the name of the executable only | ||
212 | if (execname[0] == '/') { | ||
213 | // mark end of line | ||
214 | char *end = strchr(execname, '\n'); | ||
215 | if (end) | ||
216 | *end = '\0'; | ||
217 | end = strchr(execname, ' '); | ||
218 | if (end) | ||
219 | *end = '\0'; | ||
220 | char *start_name = strrchr(execname, '/'); | ||
221 | if (start_name) { | ||
222 | start_name++; | ||
223 | // check if we have the executable on the regular path | ||
224 | if (which(start_name)) { | ||
225 | change_exec = strdup(start_name); | ||
226 | if (!change_exec) | ||
227 | errExit("strdup"); | ||
228 | } | ||
229 | } | ||
230 | } | ||
231 | |||
232 | if (change_exec == NULL && change_dbus == 0) { | ||
233 | munmap(buf, sb.st_size + 1); | ||
234 | continue; | ||
235 | } | ||
236 | |||
237 | munmap(buf, sb.st_size + 1); | ||
238 | |||
239 | //**************************************************** | ||
240 | // generate output file | ||
241 | //**************************************************** | ||
242 | char *outname; | ||
243 | if (asprintf(&outname ,"%s/%s", user_apps_dir, filename) == -1) | ||
244 | errExit("asprintf"); | ||
245 | |||
246 | if (stat(outname, &sb) == 0) { | ||
247 | printf(" %s skipped: file exists\n", filename); | ||
248 | continue; | ||
249 | } | ||
250 | |||
251 | FILE *fpin = fopen(filename, "r"); | ||
252 | if (!fpin) { | ||
253 | fprintf(stderr, "Error: cannot open /usr/share/applications/%s\n", filename); | ||
254 | continue; | ||
255 | } | ||
256 | |||
257 | FILE *fpout = fopen(outname, "w"); | ||
258 | if (!fpout) { | ||
259 | fprintf(stderr, "Error: cannot open ~/.local/share/applications/%s\n", outname); | ||
260 | fclose(fpin); | ||
261 | continue; | ||
262 | } | ||
263 | fprintf(fpout, "# converted by firecfg\n"); | ||
264 | free(outname); | ||
265 | |||
266 | char fbuf[MAX_BUF]; | ||
267 | while (fgets(fbuf, MAX_BUF, fpin)) { | ||
268 | if (change_dbus && strcmp(fbuf, "DBusActivatable=true\n") == 0) | ||
269 | fprintf(fpout, "DBusActivatable=false\n"); | ||
270 | else if (change_exec && strncmp(fbuf, "Exec=", 5) == 0) { | ||
271 | char *start_params = strchr(fbuf + 5, ' '); | ||
272 | if (start_params) { | ||
273 | start_params++; | ||
274 | fprintf(fpout, "Exec=%s %s", change_exec, start_params); | ||
275 | } | ||
276 | else | ||
277 | fprintf(fpout, "Exec=%s\n", change_exec); | ||
278 | } | ||
279 | else | ||
280 | fprintf(fpout, "%s", fbuf); | ||
281 | } | ||
282 | |||
283 | if (change_exec) | ||
284 | free(change_exec); | ||
285 | fclose(fpin); | ||
286 | fclose(fpout); | ||
287 | printf(" %s created\n", filename); | ||
288 | |||
289 | } | ||
290 | |||
291 | closedir(dir); | ||
292 | free(user_apps_dir); | ||
293 | } | ||
294 | |||
295 | |||
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 5a36f5e3e..9baa6a6e4 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -40,6 +40,7 @@ bitlbee | |||
40 | bleachbit | 40 | bleachbit |
41 | blender | 41 | blender |
42 | bless | 42 | bless |
43 | bluefish | ||
43 | brackets | 44 | brackets |
44 | brasero | 45 | brasero |
45 | brave | 46 | brave |
@@ -58,12 +59,14 @@ cherrytree | |||
58 | chromium | 59 | chromium |
59 | chromium-browser | 60 | chromium-browser |
60 | cin | 61 | cin |
62 | cinelerra | ||
61 | clamdscan | 63 | clamdscan |
62 | clamdtop | 64 | clamdtop |
63 | clamscan | 65 | clamscan |
64 | claws-mail | 66 | claws-mail |
65 | clementine | 67 | clementine |
66 | clipit | 68 | clipit |
69 | cliqz | ||
67 | cmus | 70 | cmus |
68 | conkeror | 71 | conkeror |
69 | conky | 72 | conky |
@@ -241,17 +244,20 @@ odt2txt | |||
241 | okular | 244 | okular |
242 | open-invaders | 245 | open-invaders |
243 | openshot | 246 | openshot |
247 | openshot-qt | ||
244 | opera | 248 | opera |
245 | opera-beta | 249 | opera-beta |
246 | orage | 250 | orage |
247 | palemoon | 251 | palemoon |
248 | parole | 252 | parole |
253 | pdfmod | ||
249 | pdfsam | 254 | pdfsam |
250 | pdftotext | 255 | pdftotext |
251 | peek | 256 | peek |
252 | picard | 257 | picard |
253 | pidgin | 258 | pidgin |
254 | pingus | 259 | pingus |
260 | pinta | ||
255 | pithos | 261 | pithos |
256 | pix | 262 | pix |
257 | pluma | 263 | pluma |
@@ -314,6 +320,7 @@ transmission-qt | |||
314 | transmission-show | 320 | transmission-show |
315 | truecraft | 321 | truecraft |
316 | tuxguitar | 322 | tuxguitar |
323 | uefitool | ||
317 | uget-gtk | 324 | uget-gtk |
318 | unbound | 325 | unbound |
319 | unknown-horizons | 326 | unknown-horizons |
diff --git a/src/firecfg/firecfg.h b/src/firecfg/firecfg.h new file mode 100644 index 000000000..c4640feb8 --- /dev/null +++ b/src/firecfg/firecfg.h | |||
@@ -0,0 +1,51 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2017 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #define _GNU_SOURCE | ||
21 | #include <stdio.h> | ||
22 | #include <sys/types.h> | ||
23 | #include <dirent.h> | ||
24 | #include <sys/types.h> | ||
25 | #include <sys/stat.h> | ||
26 | #include <fcntl.h> | ||
27 | #include <unistd.h> | ||
28 | #include <grp.h> | ||
29 | #include <string.h> | ||
30 | #include <errno.h> | ||
31 | #include <sys/mman.h> | ||
32 | #include <pwd.h> | ||
33 | #include <dirent.h> | ||
34 | |||
35 | #include "../include/common.h" | ||
36 | #define MAX_BUF 4096 | ||
37 | |||
38 | |||
39 | // main.c | ||
40 | extern int arg_debug; | ||
41 | |||
42 | // util.c | ||
43 | int which(const char *program); | ||
44 | int is_link(const char *fname); | ||
45 | |||
46 | // sound.c | ||
47 | void sound(void); | ||
48 | |||
49 | // desktop_files.c | ||
50 | void fix_desktop_files(char *homedir); | ||
51 | |||
diff --git a/src/firecfg/main.c b/src/firecfg/main.c index 5928b9ae5..1cdd39c1f 100644 --- a/src/firecfg/main.c +++ b/src/firecfg/main.c | |||
@@ -18,24 +18,8 @@ | |||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | 18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
19 | */ | 19 | */ |
20 | 20 | ||
21 | #define _GNU_SOURCE | 21 | #include "firecfg.h" |
22 | #include <stdio.h> | 22 | int arg_debug = 0; |
23 | #include <sys/types.h> | ||
24 | #include <dirent.h> | ||
25 | #include <sys/types.h> | ||
26 | #include <sys/stat.h> | ||
27 | #include <fcntl.h> | ||
28 | #include <unistd.h> | ||
29 | #include <grp.h> | ||
30 | #include <string.h> | ||
31 | #include <errno.h> | ||
32 | #include <sys/mman.h> | ||
33 | #include <pwd.h> | ||
34 | #include <dirent.h> | ||
35 | |||
36 | #include "../include/common.h" | ||
37 | static int arg_debug = 0; | ||
38 | #define MAX_BUF 1024 | ||
39 | 23 | ||
40 | static void usage(void) { | 24 | static void usage(void) { |
41 | printf("firecfg - version %s\n\n", VERSION); | 25 | printf("firecfg - version %s\n\n", VERSION); |
@@ -71,113 +55,6 @@ static void usage(void) { | |||
71 | printf("Homepage: http://firejail.wordpress.com\n\n"); | 55 | printf("Homepage: http://firejail.wordpress.com\n\n"); |
72 | } | 56 | } |
73 | 57 | ||
74 | static void sound(void) { | ||
75 | struct passwd *pw = getpwuid(getuid()); | ||
76 | if (!pw) { | ||
77 | goto errexit; | ||
78 | } | ||
79 | char *home = pw->pw_dir; | ||
80 | if (!home) { | ||
81 | goto errexit; | ||
82 | } | ||
83 | |||
84 | // the input file is /etc/pulse/client.conf | ||
85 | FILE *fpin = fopen("/etc/pulse/client.conf", "r"); | ||
86 | if (!fpin) { | ||
87 | fprintf(stderr, "PulseAudio is not available on this platform, there is nothing to fix...\n"); | ||
88 | return; | ||
89 | } | ||
90 | |||
91 | // the dest is PulseAudio user config file | ||
92 | char *fname; | ||
93 | if (asprintf(&fname, "%s/.config/pulse/client.conf", home) == -1) | ||
94 | errExit("asprintf"); | ||
95 | FILE *fpout = fopen(fname, "w"); | ||
96 | free(fname); | ||
97 | if (!fpout) | ||
98 | goto errexit; | ||
99 | |||
100 | // copy default config | ||
101 | char buf[MAX_BUF]; | ||
102 | while (fgets(buf, MAX_BUF, fpin)) | ||
103 | fputs(buf, fpout); | ||
104 | |||
105 | // disable shm | ||
106 | fprintf(fpout, "\nenable-shm = no\n"); | ||
107 | fclose(fpin); | ||
108 | fclose(fpout); | ||
109 | printf("PulseAudio configured, please logout and login back again\n"); | ||
110 | return; | ||
111 | |||
112 | errexit: | ||
113 | fprintf(stderr, "Error: cannot configure sound file\n"); | ||
114 | exit(1); | ||
115 | } | ||
116 | |||
117 | // return 1 if the program is found | ||
118 | static int find(const char *program, const char *directory) { | ||
119 | int retval = 0; | ||
120 | |||
121 | char *fname; | ||
122 | if (asprintf(&fname, "/%s/%s", directory, program) == -1) | ||
123 | errExit("asprintf"); | ||
124 | |||
125 | struct stat s; | ||
126 | if (stat(fname, &s) == 0) { | ||
127 | if (arg_debug) | ||
128 | printf("found %s in directory %s\n", program, directory); | ||
129 | retval = 1; | ||
130 | } | ||
131 | |||
132 | free(fname); | ||
133 | return retval; | ||
134 | } | ||
135 | |||
136 | |||
137 | // return 1 if program is installed on the system | ||
138 | static int which(const char *program) { | ||
139 | // check some well-known paths | ||
140 | if (find(program, "/bin") || find(program, "/usr/bin") || | ||
141 | find(program, "/sbin") || find(program, "/usr/sbin") || | ||
142 | find(program, "/usr/games")) | ||
143 | return 1; | ||
144 | |||
145 | // check environment | ||
146 | char *path1 = getenv("PATH"); | ||
147 | if (path1) { | ||
148 | char *path2 = strdup(path1); | ||
149 | if (!path2) | ||
150 | errExit("strdup"); | ||
151 | |||
152 | // use path2 to count the entries | ||
153 | char *ptr = strtok(path2, ":"); | ||
154 | while (ptr) { | ||
155 | if (find(program, ptr)) { | ||
156 | free(path2); | ||
157 | return 1; | ||
158 | } | ||
159 | ptr = strtok(NULL, ":"); | ||
160 | } | ||
161 | free(path2); | ||
162 | } | ||
163 | |||
164 | return 0; | ||
165 | } | ||
166 | |||
167 | // return 1 if the file is a link | ||
168 | static int is_link(const char *fname) { | ||
169 | assert(fname); | ||
170 | if (*fname == '\0') | ||
171 | return 0; | ||
172 | |||
173 | struct stat s; | ||
174 | if (lstat(fname, &s) == 0) { | ||
175 | if (S_ISLNK(s.st_mode)) | ||
176 | return 1; | ||
177 | } | ||
178 | |||
179 | return 0; | ||
180 | } | ||
181 | 58 | ||
182 | static void list(void) { | 59 | static void list(void) { |
183 | DIR *dir = opendir("/usr/local/bin"); | 60 | DIR *dir = opendir("/usr/local/bin"); |
@@ -388,221 +265,6 @@ static void set_links_homedir(const char *homedir) { | |||
388 | free(firejail_exec); | 265 | free(firejail_exec); |
389 | } | 266 | } |
390 | 267 | ||
391 | // look for a profile file in /etc/firejail diectory and in homedir/.config/firejail directory | ||
392 | static int have_profile(const char *filename, const char *homedir) { | ||
393 | assert(filename); | ||
394 | assert(homedir); | ||
395 | |||
396 | if (arg_debug) | ||
397 | printf("checking profile for %s\n", filename); | ||
398 | |||
399 | // remove .desktop extension | ||
400 | char *f1 = strdup(filename); | ||
401 | if (!f1) | ||
402 | errExit("strdup"); | ||
403 | f1[strlen(filename) - 8] = '\0'; | ||
404 | |||
405 | // build profile name | ||
406 | char *profname1; | ||
407 | char *profname2; | ||
408 | if (asprintf(&profname1, "%s/%s.profile", SYSCONFDIR, f1) == -1) | ||
409 | errExit("asprintf"); | ||
410 | if (asprintf(&profname2, "%s/.config/firejail/%s.profile", homedir, f1) == -1) | ||
411 | errExit("asprintf"); | ||
412 | |||
413 | int rv = 0; | ||
414 | if (access(profname1, R_OK) == 0) { | ||
415 | if (arg_debug) | ||
416 | printf("found %s\n", profname1); | ||
417 | rv = 1; | ||
418 | } | ||
419 | else if (access(profname2, R_OK) == 0) { | ||
420 | if (arg_debug) | ||
421 | printf("found %s\n", profname2); | ||
422 | rv = 1; | ||
423 | } | ||
424 | |||
425 | free(f1); | ||
426 | free(profname1); | ||
427 | free(profname2); | ||
428 | return rv; | ||
429 | } | ||
430 | |||
431 | static void fix_desktop_files(char *homedir) { | ||
432 | assert(homedir); | ||
433 | struct stat sb; | ||
434 | |||
435 | // check user | ||
436 | if (getuid() == 0) { | ||
437 | fprintf(stderr, "Error: this option is not supported for root user; please run as a regular user.\n"); | ||
438 | exit(1); | ||
439 | } | ||
440 | |||
441 | // destination | ||
442 | // create ~/.local/share/applications directory if necessary | ||
443 | char *user_apps_dir; | ||
444 | if (asprintf(&user_apps_dir, "%s/.local/share/applications", homedir) == -1) | ||
445 | errExit("asprintf"); | ||
446 | if (stat(user_apps_dir, &sb) == -1) { | ||
447 | int rv = mkdir(user_apps_dir, 0700); | ||
448 | if (rv) { | ||
449 | fprintf(stderr, "Error: cannot create ~/.local/application directory\n"); | ||
450 | perror("mkdir"); | ||
451 | exit(1); | ||
452 | } | ||
453 | rv = chmod(user_apps_dir, 0700); | ||
454 | (void) rv; | ||
455 | } | ||
456 | |||
457 | // source | ||
458 | DIR *dir = opendir("/usr/share/applications"); | ||
459 | if (!dir) { | ||
460 | perror("Error: cannot open /usr/share/applications directory"); | ||
461 | exit(1); | ||
462 | } | ||
463 | if (chdir("/usr/share/applications")) { | ||
464 | perror("Error: cannot chdir to /usr/share/applications"); | ||
465 | exit(1); | ||
466 | } | ||
467 | |||
468 | printf("\nFixing desktop files in %s\n", user_apps_dir); | ||
469 | // copy | ||
470 | struct dirent *entry; | ||
471 | while ((entry = readdir(dir)) != NULL) { | ||
472 | if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) | ||
473 | continue; | ||
474 | |||
475 | // skip if not regular file or link | ||
476 | // d_type is not available on some file systems | ||
477 | if (entry->d_type != DT_REG && entry->d_type != DT_LNK && entry->d_type != DT_UNKNOWN) | ||
478 | continue; | ||
479 | |||
480 | // skip if not .desktop file | ||
481 | if (strstr(entry->d_name,".desktop") != (entry->d_name+strlen(entry->d_name)-8)) | ||
482 | continue; | ||
483 | |||
484 | char *filename = entry->d_name; | ||
485 | |||
486 | // skip links | ||
487 | if (is_link(filename)) | ||
488 | continue; | ||
489 | if (stat(filename, &sb) == -1) | ||
490 | errExit("stat"); | ||
491 | |||
492 | // no profile in /etc/firejail, no desktop file fixing | ||
493 | if (!have_profile(filename, homedir)) | ||
494 | continue; | ||
495 | |||
496 | /* coverity[toctou] */ | ||
497 | int fd = open(filename, O_RDONLY); | ||
498 | if (fd == -1) | ||
499 | errExit("open"); | ||
500 | |||
501 | char *buf = mmap(NULL, sb.st_size + 1, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); | ||
502 | if (buf == MAP_FAILED) | ||
503 | errExit("mmap"); | ||
504 | |||
505 | close(fd); | ||
506 | |||
507 | // check format | ||
508 | if (strstr(buf, "[Desktop Entry]\n") == NULL) { | ||
509 | if (arg_debug) | ||
510 | printf(" %s - SKIPPED: wrong format?\n", filename); | ||
511 | munmap(buf, sb.st_size + 1); | ||
512 | continue; | ||
513 | } | ||
514 | |||
515 | // get executable name | ||
516 | char *ptr1 = strstr(buf,"\nExec="); | ||
517 | if (!ptr1 || strlen(ptr1) < 7) { | ||
518 | if (arg_debug) | ||
519 | printf(" %s - SKIPPED: wrong format?\n", filename); | ||
520 | munmap(buf, sb.st_size + 1); | ||
521 | continue; | ||
522 | } | ||
523 | |||
524 | char *execname = ptr1 + 6; | ||
525 | // https://specifications.freedesktop.org/desktop-entry-spec/latest/ar01s06.html | ||
526 | // The executable program can either be specified with its full path | ||
527 | // or with the name of the executable only | ||
528 | if (execname[0] != '/') { | ||
529 | if (arg_debug) | ||
530 | printf(" %s - already OK\n", filename); | ||
531 | continue; | ||
532 | } | ||
533 | // executable name can be quoted, this is rare and currently unsupported, TODO | ||
534 | if (execname[0] == '"') { | ||
535 | if (arg_debug) | ||
536 | printf(" %s - skipped: path quoting unsupported\n", filename); | ||
537 | continue; | ||
538 | } | ||
539 | |||
540 | // put '\0' at end of filename | ||
541 | char *tail = NULL; | ||
542 | char endchar = ' '; | ||
543 | if (execname[0] == '/') { | ||
544 | char *ptr2 = index(execname, ' '); | ||
545 | char *ptr3 = index(execname, '\n'); | ||
546 | if (ptr2 && (!ptr3 || (ptr2 < ptr3))) { | ||
547 | endchar = ptr2[0]; | ||
548 | ptr2[0] = '\0'; | ||
549 | tail = ptr2 + 1; | ||
550 | } else if (ptr3 && (!ptr2 || (ptr3 < ptr2))) { | ||
551 | endchar = ptr3[0]; | ||
552 | ptr3[0] = '\0'; | ||
553 | tail = ptr3 + 1; | ||
554 | } | ||
555 | ptr1[5] = '\0'; | ||
556 | } | ||
557 | |||
558 | char *bname = basename(execname); | ||
559 | assert(bname); | ||
560 | |||
561 | // check if basename in PATH | ||
562 | if (!which(bname)) { | ||
563 | printf(" %s - skipped, %s not in PATH\n", filename, bname); | ||
564 | continue; | ||
565 | } | ||
566 | |||
567 | char *outname; | ||
568 | if (asprintf(&outname ,"%s/%s", user_apps_dir, filename) == -1) | ||
569 | errExit("asprintf"); | ||
570 | |||
571 | int fd1 = open(outname, O_CREAT | O_WRONLY | O_EXCL, S_IRUSR | S_IWUSR); | ||
572 | free(outname); | ||
573 | |||
574 | if (fd1 == -1) { | ||
575 | printf(" %s skipped: %s\n", filename, strerror(errno)); | ||
576 | munmap(buf, sb.st_size + 1); | ||
577 | continue; | ||
578 | } | ||
579 | |||
580 | FILE *outfile = fdopen(fd1, "w"); | ||
581 | if (!outfile) { | ||
582 | printf(" %s skipped: %s\n", filename, strerror(errno)); | ||
583 | munmap(buf, sb.st_size + 1); | ||
584 | close(fd1); | ||
585 | continue; | ||
586 | } | ||
587 | |||
588 | if (fprintf(outfile,\ | ||
589 | "# Converted by firecfg --fix from /usr/share/applications/%s\n\n%s=%s%c%s",\ | ||
590 | filename, buf, bname, endchar, tail) < 0) { | ||
591 | fprintf(stderr, "Unable to write %s/%s: %s\n", user_apps_dir, filename, strerror(errno)); | ||
592 | munmap(buf, sb.st_size + 1); | ||
593 | fclose(outfile); | ||
594 | continue; | ||
595 | } | ||
596 | |||
597 | fclose(outfile); | ||
598 | munmap(buf, sb.st_size + 1); | ||
599 | |||
600 | printf(" %s created\n", filename); | ||
601 | } | ||
602 | |||
603 | closedir(dir); | ||
604 | free(user_apps_dir); | ||
605 | } | ||
606 | 268 | ||
607 | int main(int argc, char **argv) { | 269 | int main(int argc, char **argv) { |
608 | int i; | 270 | int i; |
diff --git a/src/firecfg/sound.c b/src/firecfg/sound.c new file mode 100644 index 000000000..9dfb305cd --- /dev/null +++ b/src/firecfg/sound.c | |||
@@ -0,0 +1,65 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2017 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | |||
21 | #include "firecfg.h" | ||
22 | |||
23 | void sound(void) { | ||
24 | struct passwd *pw = getpwuid(getuid()); | ||
25 | if (!pw) { | ||
26 | goto errexit; | ||
27 | } | ||
28 | char *home = pw->pw_dir; | ||
29 | if (!home) { | ||
30 | goto errexit; | ||
31 | } | ||
32 | |||
33 | // the input file is /etc/pulse/client.conf | ||
34 | FILE *fpin = fopen("/etc/pulse/client.conf", "r"); | ||
35 | if (!fpin) { | ||
36 | fprintf(stderr, "PulseAudio is not available on this platform, there is nothing to fix...\n"); | ||
37 | return; | ||
38 | } | ||
39 | |||
40 | // the dest is PulseAudio user config file | ||
41 | char *fname; | ||
42 | if (asprintf(&fname, "%s/.config/pulse/client.conf", home) == -1) | ||
43 | errExit("asprintf"); | ||
44 | FILE *fpout = fopen(fname, "w"); | ||
45 | free(fname); | ||
46 | if (!fpout) | ||
47 | goto errexit; | ||
48 | |||
49 | // copy default config | ||
50 | char buf[MAX_BUF]; | ||
51 | while (fgets(buf, MAX_BUF, fpin)) | ||
52 | fputs(buf, fpout); | ||
53 | |||
54 | // disable shm | ||
55 | fprintf(fpout, "\nenable-shm = no\n"); | ||
56 | fclose(fpin); | ||
57 | fclose(fpout); | ||
58 | printf("PulseAudio configured, please logout and login back again\n"); | ||
59 | return; | ||
60 | |||
61 | errexit: | ||
62 | fprintf(stderr, "Error: cannot configure sound file\n"); | ||
63 | exit(1); | ||
64 | } | ||
65 | |||
diff --git a/src/firecfg/util.c b/src/firecfg/util.c new file mode 100644 index 000000000..4520e75e8 --- /dev/null +++ b/src/firecfg/util.c | |||
@@ -0,0 +1,86 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2017 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | |||
21 | #include "firecfg.h" | ||
22 | |||
23 | // return 1 if the program is found | ||
24 | static int find(const char *program, const char *directory) { | ||
25 | int retval = 0; | ||
26 | |||
27 | char *fname; | ||
28 | if (asprintf(&fname, "/%s/%s", directory, program) == -1) | ||
29 | errExit("asprintf"); | ||
30 | |||
31 | struct stat s; | ||
32 | if (stat(fname, &s) == 0) { | ||
33 | if (arg_debug) | ||
34 | printf("found %s in directory %s\n", program, directory); | ||
35 | retval = 1; | ||
36 | } | ||
37 | |||
38 | free(fname); | ||
39 | return retval; | ||
40 | } | ||
41 | |||
42 | |||
43 | // return 1 if program is installed on the system | ||
44 | int which(const char *program) { | ||
45 | // check some well-known paths | ||
46 | if (find(program, "/bin") || find(program, "/usr/bin") || | ||
47 | find(program, "/sbin") || find(program, "/usr/sbin") || | ||
48 | find(program, "/usr/games")) | ||
49 | return 1; | ||
50 | |||
51 | // check environment | ||
52 | char *path1 = getenv("PATH"); | ||
53 | if (path1) { | ||
54 | char *path2 = strdup(path1); | ||
55 | if (!path2) | ||
56 | errExit("strdup"); | ||
57 | |||
58 | // use path2 to count the entries | ||
59 | char *ptr = strtok(path2, ":"); | ||
60 | while (ptr) { | ||
61 | if (find(program, ptr)) { | ||
62 | free(path2); | ||
63 | return 1; | ||
64 | } | ||
65 | ptr = strtok(NULL, ":"); | ||
66 | } | ||
67 | free(path2); | ||
68 | } | ||
69 | |||
70 | return 0; | ||
71 | } | ||
72 | |||
73 | // return 1 if the file is a link | ||
74 | int is_link(const char *fname) { | ||
75 | assert(fname); | ||
76 | if (*fname == '\0') | ||
77 | return 0; | ||
78 | |||
79 | struct stat s; | ||
80 | if (lstat(fname, &s) == 0) { | ||
81 | if (S_ISLNK(s.st_mode)) | ||
82 | return 1; | ||
83 | } | ||
84 | |||
85 | return 0; | ||
86 | } | ||
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 0ea71e6ba..0a6f40959 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -1111,10 +1111,20 @@ void fs_check_chroot_dir(const char *rootdir) { | |||
1111 | exit(1); | 1111 | exit(1); |
1112 | } | 1112 | } |
1113 | } | 1113 | } |
1114 | if (is_link(name)) { | 1114 | else { |
1115 | fprintf(stderr, "Error: invalid %s file\n", name); | 1115 | fprintf(stderr, "Error: chroot /etc/resolv.conf not found\n"); |
1116 | exit(1); | 1116 | exit(1); |
1117 | } | 1117 | } |
1118 | // on Arch /etc/resolv.conf could be a symlink to /run/systemd/resolve/resolv.conf | ||
1119 | // on Ubuntu 17.04 /etc/resolv.conf could be a symlink to /run/resolveconf/resolv.conf | ||
1120 | if (is_link(name)) { | ||
1121 | // check the link points in chroot | ||
1122 | char *rname = realpath(name, NULL); | ||
1123 | if (!rname || strncmp(rname, rootdir, strlen(rootdir)) != 0) { | ||
1124 | fprintf(stderr, "Error: chroot /etc/resolv.conf is pointing outside chroot\n"); | ||
1125 | exit(1); | ||
1126 | } | ||
1127 | } | ||
1118 | free(name); | 1128 | free(name); |
1119 | 1129 | ||
1120 | // check x11 socket directory | 1130 | // check x11 socket directory |
@@ -1186,17 +1196,11 @@ void fs_chroot(const char *rootdir) { | |||
1186 | errExit("mount bind"); | 1196 | errExit("mount bind"); |
1187 | 1197 | ||
1188 | // copy /etc/resolv.conf in chroot directory | 1198 | // copy /etc/resolv.conf in chroot directory |
1189 | // if resolv.conf in chroot is a symbolic link, this will fail | ||
1190 | // no exit on error, let the user deal with the problem | ||
1191 | char *fname; | 1199 | char *fname; |
1192 | if (asprintf(&fname, "%s/etc/resolv.conf", rootdir) == -1) | 1200 | if (asprintf(&fname, "%s/etc/resolv.conf", rootdir) == -1) |
1193 | errExit("asprintf"); | 1201 | errExit("asprintf"); |
1194 | if (arg_debug) | 1202 | if (arg_debug) |
1195 | printf("Updating /etc/resolv.conf in %s\n", fname); | 1203 | printf("Updating /etc/resolv.conf in %s\n", fname); |
1196 | if (is_link(fname)) { | ||
1197 | fprintf(stderr, "Error: invalid %s file\n", fname); | ||
1198 | exit(1); | ||
1199 | } | ||
1200 | if (copy_file("/etc/resolv.conf", fname, 0, 0, 0644) == -1) // root needed | 1204 | if (copy_file("/etc/resolv.conf", fname, 0, 0, 0644) == -1) // root needed |
1201 | fwarning("/etc/resolv.conf not initialized\n"); | 1205 | fwarning("/etc/resolv.conf not initialized\n"); |
1202 | } | 1206 | } |