-rw-r--r--etc/disable-programs.inc2
-rw-r--r--etc/masterpdfeditor.profile50
-rw-r--r--etc/masterpdfeditor4.profile12
-rw-r--r--etc/masterpdfeditor5.profile12
-rw-r--r--src/firecfg/firecfg.config2
-rw-r--r--src/firejail/bandwidth.c6
-rw-r--r--src/firejail/firejail.h27
-rw-r--r--src/firejail/fs_trace.c2
-rw-r--r--src/firejail/main.c11
-rw-r--r--src/firejail/output.c6
-rw-r--r--src/firejail/preproc.c8
11 files changed, 116 insertions, 22 deletions
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 6122a7fec..5453ce376 100644
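--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -52,6 +52,7 @@ blacklist ${HOME}/.config/Beaker Browser
 blacklist ${HOME}/.config/Brackets
 blacklist ${HOME}/.config/Clementine
 blacklist ${HOME}/.config/Code
+blacklist ${HOME}/.config/Code Industry
 blacklist ${HOME}/.config/Cryptocat
 blacklist ${HOME}/.config/Franz
 blacklist ${HOME}/.config/FreeCAD
@@ -461,6 +462,7 @@ blacklist ${HOME}/.local/share/xplayer
 blacklist ${HOME}/.local/share/xreader
 blacklist ${HOME}/.local/share/zathura
 blacklist ${HOME}/.lv2
+blacklist ${HOME}/.masterpdfeditor
 blacklist ${HOME}/.mcabber
 blacklist ${HOME}/.mcabberrc
 blacklist ${HOME}/.mediathek3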
diff --git a/etc/masterpdfeditor.profile b/etc/masterpdfeditor.profile
new file mode 100644
index 000000000..cc80679fc
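--- /dev/null
+++ b/etc/masterpdfeditor.profile
@@ -0,0 +1,50 @@
+# Firejail profile for masterpdfeditor
+# Description: A complete solution for creating and editing PDF files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/masterpdfeditor.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/Code Industry
+noblacklist ${HOME}/.masterpdfeditor
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+# disable-mnt
+# private
+private-bin masterpdfeditor*
+private-cache
+private-dev
+private-etc fonts
+# private-lib
+private-tmp
+
+# memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp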
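Review bot: The four commented-out options near the end of the profile (`# disable-mnt`, `# private`, `# private-lib`, `# memory-deny-write-execute`) carry no reason, so a later maintainer cannot tell whether each one breaks the editor or was simply never tried. A PDF editor routinely opens documents from untrusted sources, so the outcome of each test is worth recording next to the option, in the form `# disable-mnt - <reason it is left off>`. The same goes for `private-etc fonts`: a short comment stating that no other /etc files are needed would make the restriction easier to keep when the profile is next touched.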
diff --git a/etc/masterpdfeditor4.profile b/etc/masterpdfeditor4.profile
new file mode 100644
index 000000000..7ab9c9421
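--- /dev/null
+++ b/etc/masterpdfeditor4.profile
@@ -0,0 +1,12 @@
+# Firejail profile for masterpdfeditor4
+# Description: A complete solution for creating and editing PDF files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/masterpdfeditor4.local
+# Persistent global definitions
+# added by included profile
+#include /etc/firejail/globals.local
+
+
+# Redirect
+include /etc/firejail/masterpdfeditor.profile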
diff --git a/etc/masterpdfeditor5.profile b/etc/masterpdfeditor5.profile
new file mode 100644
index 000000000..86faf5da0
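--- /dev/null
+++ b/etc/masterpdfeditor5.profile
@@ -0,0 +1,12 @@
+# Firejail profile for masterpdfeditor5
+# Description: A complete solution for creating and editing PDF files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/masterpdfeditor5.local
+# Persistent global definitions
+# added by included profile
+#include /etc/firejail/globals.local
+
+
+# Redirect
+include /etc/firejail/masterpdfeditor.profile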
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index d33ae32cc..dba078ca2 100644
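--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -271,6 +271,8 @@ lximage-qt
 lxmusic
 lynx
 macrofusion
+masterpdfeditor4
+masterpdfeditor5
 mate-calc
 mate-calculator
 mate-color-select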
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c
index d0487d49a..c3f2b3390 100644
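--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -406,17 +406,17 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
  if (devname) {
  if (strcmp(command, "set") == 0) {
  if (asprintf(&cmd, "%s/firejail/fshaper.sh --%s %s %d %d",
- LIBDIR, command, devname, down, up) == -1)
+ RUN_FIREJAIL_LIB_DIR, command, devname, down, up) == -1)
  errExit("asprintf");
  }
  else {
  if (asprintf(&cmd, "%s/firejail/fshaper.sh --%s %s",
- LIBDIR, command, devname) == -1)
+ RUN_FIREJAIL_LIB_DIR, command, devname) == -1)
  errExit("asprintf");
  }
  }
  else {
- if (asprintf(&cmd, "%s/firejail/fshaper.sh --%s", LIBDIR, command) == -1)
+ if (asprintf(&cmd, "%s/firejail/fshaper.sh --%s", RUN_FIREJAIL_LIB_DIR, command) == -1)
  errExit("asprintf");
  }
  assert(cmd);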
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index cae767667..63d71799a 100644
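--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -32,6 +32,7 @@
 #define RUN_FIREJAIL_DIR "/run/firejail"
 #define RUN_FIREJAIL_APPIMAGE_DIR "/run/firejail/appimage"
 #define RUN_FIREJAIL_NAME_DIR "/run/firejail/name" // also used in src/lib/pid.c - todo: move it in a common place
+#define RUN_FIREJAIL_LIB_DIR "/run/firejail/lib"
 #define RUN_FIREJAIL_X11_DIR "/run/firejail/x11"
 #define RUN_FIREJAIL_NETWORK_DIR "/run/firejail/network"
 #define RUN_FIREJAIL_BANDWIDTH_DIR "/run/firejail/bandwidth"
@@ -62,11 +63,11 @@
 #define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute
 #define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking filter
 #define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library
-#define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make
-#define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make
-#define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make
-#define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make
-#define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make
+#define PATH_SECCOMP_DEFAULT (RUN_FIREJAIL_LIB_DIR "/firejail/seccomp") // default filter built during make
+#define PATH_SECCOMP_DEFAULT_DEBUG (RUN_FIREJAIL_LIB_DIR "/firejail/seccomp.debug") // default filter built during make
+#define PATH_SECCOMP_32 (RUN_FIREJAIL_LIB_DIR "/firejail/seccomp.32") // 32bit arch filter built during make
+#define PATH_SECCOMP_MDWX (RUN_FIREJAIL_LIB_DIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make
+#define PATH_SECCOMP_BLOCK_SECONDARY (RUN_FIREJAIL_LIB_DIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make
 
 
 #define RUN_DEV_DIR "/run/firejail/mnt/dev"
@@ -790,16 +791,16 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 
 // sbox.c
 // programs
-#define PATH_FNET (LIBDIR "/firejail/fnet")
-#define PATH_FNETFILTER (LIBDIR "/firejail/fnetfilter")
+#define PATH_FNET (RUN_FIREJAIL_LIB_DIR "/firejail/fnet")
+#define PATH_FNETFILTER (RUN_FIREJAIL_LIB_DIR "/firejail/fnetfilter")
 #define PATH_FIREMON (PREFIX "/bin/firemon")
 #define PATH_FIREJAIL (PREFIX "/bin/firejail")
-#define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")
-#define PATH_FSEC_PRINT (LIBDIR "/firejail/fsec-print")
-#define PATH_FSEC_OPTIMIZE (LIBDIR "/firejail/fsec-optimize")
-#define PATH_FCOPY (LIBDIR "/firejail/fcopy")
-#define SBOX_STDIN_FILE "/run/firejail/mnt/sbox_stdin"
-#define PATH_FLDD (LIBDIR "/firejail/fldd")
+#define PATH_FSECCOMP (RUN_FIREJAIL_LIB_DIR "/firejail/fseccomp")
+#define PATH_FSEC_PRINT (RUN_FIREJAIL_LIB_DIR "/firejail/fsec-print")
+#define PATH_FSEC_OPTIMIZE (RUN_FIREJAIL_LIB_DIR "/firejail/fsec-optimize")
+#define PATH_FCOPY (RUN_FIREJAIL_LIB_DIR "/firejail/fcopy")
+#define SBOX_STDIN_FILE (RUN_MNT_DIR "/sbox_stdin")
+#define PATH_FLDD (RUN_FIREJAIL_LIB_DIR "/firejail/fldd")
 
 // bitmapped filters for sbox_run
 #define SBOX_ROOT (1 << 0) // run the sandbox as root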
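Review bot: The new `RUN_FIREJAIL_LIB_DIR` define in the first hunk has no comment, and nothing in this header says that the path only holds the helpers after `LIBDIR` has been bind-mounted onto it (done in preproc.c in this same commit). Every `PATH_SECCOMP_*` and `PATH_F*` macro in the second and third hunks now depends on that mount, so a use before the mount, or in a process that never performed it, would presumably find nothing under that directory. I would add `// bind mount of LIBDIR, set up in preproc_build_firejail_dir()` to the define. The "built during make" comments could also note that the files are now reached through the mount rather than directly in `LIBDIR`.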
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c
index 38ab7e2f8..00c1e3d15 100644
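--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -51,7 +51,7 @@ void fs_trace(void) {
  FILE *fp = fopen(RUN_LDPRELOAD_FILE, "w");
  if (!fp)
  errExit("fopen");
- const char *prefix = LIBDIR "/firejail";
+ const char *prefix = RUN_FIREJAIL_LIB_DIR "/firejail";
 
  if (arg_trace) {
  fprintf(fp, "%s/libtrace.so\n", prefix);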
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 315a7260a..a2287cb55 100644
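--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -838,7 +838,7 @@ static void run_builder(int argc, char **argv) {
  assert(getenv("LD_PRELOAD") == NULL);
  umask(orig_umask);
 
- argv[0] = LIBDIR "/firejail/fbuilder";
+ argv[0] = RUN_FIREJAIL_LIB_DIR "/firejail/fbuilder";
  execvp(argv[0], argv);
 
  perror("execvp");
@@ -878,6 +878,13 @@ int main(int argc, char **argv) {
  EUID_ROOT();
  atexit(clear_atexit);
 
+ // make private copy of mount namespace so that mounts in firejail do not
+ // propagate up to host
+ if (unshare(CLONE_NEWNS) != 0)
+ errExit("unshare");
+ if (mount(NULL, "/", NULL, MS_PRIVATE | MS_REC, NULL) != 0)
+ errExit("mount: make all mounts private");
+
  // build /run/firejail directory structure
  preproc_build_firejail_dir();
  char *container_name = getenv("container");
@@ -2116,7 +2123,7 @@ int main(int argc, char **argv) {
  else if (strncmp(argv[i], "--timeout=", 10) == 0)
  cfg.timeout = extract_timeout(argv[i] + 10);
  else if (strcmp(argv[i], "--audit") == 0) {
- arg_audit_prog = LIBDIR "/firejail/faudit";
+ arg_audit_prog = RUN_FIREJAIL_LIB_DIR "/firejail/faudit";
  arg_audit = 1;
  }
  else if (strncmp(argv[i], "--audit=", 8) == 0) {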
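Review bot: The comment on the new `unshare(CLONE_NEWNS)` block in the second hunk describes only one direction of what `MS_PRIVATE | MS_REC` does, because that flag also stops mounts made on the host afterwards (a removable drive, a network share) from appearing in this namespace. If upward isolation is all that is intended, `MS_SLAVE | MS_REC` gives that while still receiving host mounts. If full isolation is intended, the comment should say so, e.g. `// ... and later host mounts do not propagate down into firejail either`. The block also sits ahead of the option handling visible in the third hunk, so it appears to run for every invocation, and a failing `unshare` would then abort firejail even for commands that build no sandbox. main() continues outside these hunks, so that needs checking against the full function.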
diff --git a/src/firejail/output.c b/src/firejail/output.c
index 61c89992d..b5329d2ec 100644
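--- a/src/firejail/output.c
+++ b/src/firejail/output.c
@@ -76,7 +76,7 @@ void check_output(int argc, char **argv) {
  for (i = 0; i < argc; i++) {
  len += strlen(argv[i]) + 1; // + ' '
  }
- len += 100 + strlen(LIBDIR) + strlen(outfile); // tee command
+ len += 100 + strlen(RUN_FIREJAIL_LIB_DIR) + strlen(outfile); // tee command
 
  char *cmd = malloc(len + 1); // + '\0'
  if (!cmd)
@@ -92,9 +92,9 @@ void check_output(int argc, char **argv) {
  }
 
  if (enable_stderr)
- sprintf(ptr, "2>&1 | %s/firejail/ftee %s", LIBDIR, outfile);
+ sprintf(ptr, "2>&1 | %s/firejail/ftee %s", RUN_FIREJAIL_LIB_DIR, outfile);
  else
- sprintf(ptr, " | %s/firejail/ftee %s", LIBDIR, outfile);
+ sprintf(ptr, " | %s/firejail/ftee %s", RUN_FIREJAIL_LIB_DIR, outfile);
 
  // run command
  char *a[4];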
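Review bot: Both rewritten `sprintf(ptr, ...)` calls in the second hunk are still unbounded and rely on the `100 +` slack added to `len` in the first hunk staying larger than the literal parts of the format strings. Passing the remaining space makes that assumption checkable, e.g. `snprintf(ptr, len + 1 - (ptr - cmd), " | %s/firejail/ftee %s", RUN_FIREJAIL_LIB_DIR, outfile)`, with truncation treated as an error. `outfile` also goes into the command string unquoted and no validation is visible in these hunks, so if `a[]` ends up as a shell invocation it is worth confirming that `check_output` rejects shell metacharacters earlier. The function starts and ends outside both hunks.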
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index f519ed85f..cc72cfef9 100644
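--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -62,12 +62,20 @@ void preproc_build_firejail_dir(void) {
  create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755);
  }
 
+ if (stat(RUN_FIREJAIL_LIB_DIR, &s)) {
+ create_empty_dir_as_root(RUN_FIREJAIL_LIB_DIR, 0755);
+ }
+
  if (stat(RUN_MNT_DIR, &s)) {
  create_empty_dir_as_root(RUN_MNT_DIR, 0755);
  }
 
  create_empty_file_as_root(RUN_RO_FILE, S_IRUSR);
  create_empty_dir_as_root(RUN_RO_DIR, S_IRUSR);
+
+ // bind-mount firejail binaries and helper programs
+ if (mount(LIBDIR, RUN_FIREJAIL_LIB_DIR, "none", MS_BIND, NULL) < 0)
+ errExit("mounting " RUN_FIREJAIL_LIB_DIR);
 }
 
 // build /run/firejail/mnt directory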
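Review bot: The bind mount added at the end of `preproc_build_firejail_dir()` exposes the whole of `LIBDIR` under `/run/firejail/lib`, not just the firejail helpers, and it keeps the source mount's flags, so it is writable wherever `LIBDIR` is. The updated path macros on this page only reference `LIBDIR "/firejail"`, and the files there are later executed (and `libtrace.so` preloaded) by firejail, so I would follow the bind with a read-only remount unless a later stage already does this: `if (mount(NULL, RUN_FIREJAIL_LIB_DIR, NULL, MS_BIND | MS_REMOUNT | MS_RDONLY, NULL) < 0) errExit("remounting " RUN_FIREJAIL_LIB_DIR);`. Binding `LIBDIR "/firejail"` instead would narrow the exposure further, but needs the `/firejail/` segment removed from the macros in firejail.h. The mount is repeated on every start and appears to avoid stacking on the host only because main() now unshares the mount namespace first, which deserves a one-line comment here.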