635 files changed, 4067 insertions, 2944 deletions
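--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,10 +1,10 @@
 
 If your PR isn't about profiles or you have no idea how to do one of these, skip the following and go ahead with this PR.
 
-If you make a PR for new profiles or changeing profiles please do the following:
-- The ordering of options follow the rules descripted in [/usr/share/doc/firejail/profile.template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template).
-> Hint: The profile-template is very new, if you install firejail with your package-manager, it maybe missing, therefore, and to follow the latest rules, it is recommended to use the template from the repository.
-- Order the arguments of options alphabetical, you can easy do this with the [sort.py](https://github.com/netblue30/firejail/tree/master/contrib/sort.py).
+If you submit a PR for new profiles or changing profiles, please do the following:
+- The ordering of options follow the rules described in [/usr/share/doc/firejail/profile.template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template).
+> Hint: The profile-template is very new. If you install firejail with your package manager, it may be missing. In order to follow the latest rules, it is recommended to use the template from the repository.
+- Order the arguments of options alphabetically. You can easily do this with [sort.py](https://github.com/netblue30/firejail/tree/master/contrib/sort.py).
 The path to it depends on your distro:
 
 | Distro | Path |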
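--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -7,7 +7,7 @@ name: "CodeQL"
 
 on:
 push:
-branches: [master]
+branches: [ master ]
 paths-ignore:
 - CONTRIBUTING.md
 - README
@@ -17,7 +17,7 @@ on:
 - 'etc/**'
 pull_request:
 # The branches below must be a subset of the branches above
-branches: [master]
+branches: [ master ]
 paths-ignore:
 - CONTRIBUTING.md
 - README
@@ -36,24 +36,14 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
-# Override automatic language detection by changing the below list
-# Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
-language: ['cpp', 'python']
-# Learn more...
-# https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
+language: [ 'cpp', 'python' ]
+# CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
+# Learn more:
+# https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
 
 steps:
 - name: Checkout repository
 uses: actions/checkout@v2
-with:
-# We must fetch at least the immediate parents so that if this is
-# a pull request then we can checkout the head.
-fetch-depth: 2
-
-# If this run was triggered by a pull request event, then checkout
-# the head of the pull request instead of the merge commit.
-- run: git checkout HEAD^2
-if: ${{ github.event_name == 'pull_request' }}
 
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL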
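Review bot: The checkout step that the third hunk simplifies still references `actions/checkout@v2`, a mutable tag, so the code this security-scanning job executes can change without any commit in this repository. Pinning to a full commit SHA with the tag kept as a trailing comment, `uses: actions/checkout@<full-commit-sha>  # v2`, closes that gap; the CodeQL action steps that follow are outside the hunk and presumably deserve the same treatment. With the `git checkout HEAD^2` step removed, pull-request runs analyse whatever ref the checkout action selects by default, which is worth recording in a comment such as `# PR runs analyse the default checkout ref (the merge commit), not the PR head`.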
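--- a/.github/workflows/sort.yml
+++ b/.github/workflows/sort.yml
@@ -5,10 +5,12 @@ on:
 branches: [ master ]
 paths:
 - 'etc/**'
+- 'contrib/sort.py'
 pull_request:
 branches: [ master ]
 paths:
 - 'etc/**'
+- 'contrib/sort.py'
 
 jobs:
 profile-sort: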
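Review bot: With `contrib/sort.py` added to the `pull_request` paths, a pull request that edits the sorter now triggers this workflow, and if the `profile-sort` job (its steps are outside the hunk) runs the script from the checkout, it runs the contributor's version of it. That is acceptable under the `pull_request` trigger, where runs from forks get a read-only token and no secrets, but it would not be under `pull_request_target`. A comment above the trigger would record the constraint, for example `# runs contrib/sort.py from the PR checkout; keep this on pull_request, never pull_request_target`.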
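--- a/.gitignore
+++ b/.gitignore
@@ -22,6 +22,7 @@ firejail-users.5
 firejail.1
 firemon.1
 firecfg.1
+jailtest.5
 mkdeb.sh
 src/firejail/firejail
 src/firemon/firemon
@@ -38,6 +39,9 @@ src/fcopy/fcopy
 src/fldd/fldd
 src/fbuilder/fbuilder
 src/profstats/profstats
+src/bash_completion/firejail.bash_completion
+src/zsh_completion/_firejail
+src/jailtest/jailtest
 uids.h
 seccomp
 seccomp.debug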
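--- a/Makefile.in
+++ b/Makefile.in
@@ -21,13 +21,17 @@ MAN_TARGET = man
 MAN_SRC = src/man
 endif
 
+COMPLETIONDIRS = src/zsh_completion src/bash_completion
+
+.PHONY: all
 all: all_items mydirs $(MAN_TARGET) filters
-APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats
-SBOX_APPS = src/faudit/faudit src/fbuilder/fbuilder src/ftee/ftee
+APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailtest/jailtest
+SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee
 SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter
-MYDIRS = src/lib $(MAN_SRC)
+MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS)
 MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
-MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5
+COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion
+MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailtest.5
 SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp
 SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32
 ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS)
@@ -42,7 +46,6 @@ mydirs: $(MYDIRS)
 $(MYDIRS):
 $(MAKE) -C $@
 
-
 $(MANPAGES): src/man
 ./mkman.sh $(VERSION) src/man/$(basename $@).man $@
 
@@ -70,6 +73,7 @@ seccomp.mdwx: src/fseccomp/fseccomp
 seccomp.mdwx.32: src/fseccomp/fseccomp
 src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32
 
+.PHONY: clean
 clean:
 for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \
 $(MAKE) -C $$dir clean; \
@@ -89,6 +93,7 @@ clean:
 rm -f test/sysutils/firejail_t*
 cd test/compile; ./compile.sh --clean; cd ../..
 
+.PHONY: distclean
 distclean: clean
 for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \
 $(MAKE) -C $$dir distclean; \
@@ -107,6 +112,8 @@ endif
 install -m 0755 src/firemon/firemon $(DESTDIR)$(bindir)
 # firecfg executable
 install -m 0755 src/firecfg/firecfg $(DESTDIR)$(bindir)
+# jailtest executable
+install -m 0755 src/jailtest/jailtest $(DESTDIR)$(bindir)
 # libraries and plugins
 install -m 0755 -d $(DESTDIR)$(libdir)/firejail
 install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config
@@ -159,6 +166,9 @@ endif
 install -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail
 install -m 0644 src/bash_completion/firemon.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon
 install -m 0644 src/bash_completion/firecfg.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg
+# zsh completion
+install -m 0755 -d $(DESTDIR)$(datarootdir)/zsh/site-functions
+install -m 0644 src/zsh_completion/_firejail $(DESTDIR)$(datarootdir)/zsh/site-functions/
 
 install: all
 $(MAKE) realinstall
@@ -172,6 +182,7 @@ uninstall:
 rm -f $(DESTDIR)$(bindir)/firemon
 rm -f $(DESTDIR)$(bindir)/firecfg
 rm -fr $(DESTDIR)$(libdir)/firejail
+rm -fr $(DESTDIR)$(libdir)/jailtest
 rm -fr $(DESTDIR)$(datarootdir)/doc/firejail
 for man in $(MANPAGES); do \
 rm -f $(DESTDIR)$(mandir)/man5/$$man*; \
@@ -183,7 +194,7 @@ uninstall:
 @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038."
 
 DISTFILES = "src etc m4 platform contrib configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh.in COPYING README RELNOTES"
-DISTFILES_TEST = "test/Makefile.in test/apps test/apps-x11 test/apps-x11-xorg test/root test/private-lib test/fnetfilter test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils test/chroot"
+DISTFILES_TEST = "test/Makefile.in test/apps test/apps-x11 test/apps-x11-xorg test/root test/private-lib test/fnetfilter test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils test/chroot"
 
 dist:
 mv config.status config.status.old
@@ -224,24 +235,23 @@ cppcheck: clean
 scan-build: clean
 NO_EXTRA_CFLAGS="yes" scan-build make
 
-
 #
 # make test
 #
 
-TESTS=profiles private-lib apps apps-x11 apps-x11-xorg sysutils utils environment filters arguments fs fcopy fnetfilter
+TESTS=profiles private-lib apps apps-x11 apps-x11-xorg sysutils utils environment filters fs fcopy fnetfilter
 TEST_TARGETS=$(patsubst %,test-%,$(TESTS))
 
 $(TEST_TARGETS):
 $(MAKE) -C test $(subst test-,,$@)
 
-test: test-profiles test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments
+test: test-profiles test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters
 echo "TEST COMPLETE"
 
-test-noprofiles: test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments
+test-noprofiles: test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters
 echo "TEST COMPLETE"
 
-test-github: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-arguments
+test-github: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment
 echo "TEST COMPLETE"
 
 ##########################################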
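Review bot: The uninstall hunk adds `rm -fr $(DESTDIR)$(libdir)/jailtest`, but the install hunk places the binary in `$(DESTDIR)$(bindir)`, and no visible line creates a `$(libdir)/jailtest` directory, so `make uninstall` leaves `jailtest` behind. Replace the added line with `rm -f $(DESTDIR)$(bindir)/jailtest`, matching the firemon and firecfg lines above it. The zsh completion installed to `$(DESTDIR)$(datarootdir)/zsh/site-functions/` has no removal in the visible part of the uninstall target, which continues outside the hunk, so confirm one exists there. The README text in this commit describes jailtest as started as root with sudo, which makes a stale copy surviving an uninstall or downgrade worth avoiding.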
@@ -44,9 +44,10 @@ Committers | |||
44 | - Fred-Barclay (https://github.com/Fred-Barclay) | 44 | - Fred-Barclay (https://github.com/Fred-Barclay) |
45 | - Kelvin M. Klann (https://github.com/kmk3) | 45 | - Kelvin M. Klann (https://github.com/kmk3) |
46 | - Kristóf Marussy (https://github.com/kris7t) | 46 | - Kristóf Marussy (https://github.com/kris7t) |
47 | - Neo00001 (https://github.com/Neo00001) | ||
47 | - Reiner Herrmann (https://github.com/reinerh - Debian/Ubuntu maintainer) | 48 | - Reiner Herrmann (https://github.com/reinerh - Debian/Ubuntu maintainer) |
48 | - rusty-snake (https://github.com/rusty-snake) | 49 | - rusty-snake (https://github.com/rusty-snake) |
49 | - smithsohu (https://github.com/smitsohu) | 50 | - smitsohu (https://github.com/smitsohu) |
50 | - SkewedZeppelin (https://github.com/SkewedZeppelin) | 51 | - SkewedZeppelin (https://github.com/SkewedZeppelin) |
51 | - startx2017 (https://github.com/startx2017) - LTS and *bugfixes branches maintainer) | 52 | - startx2017 (https://github.com/startx2017) - LTS and *bugfixes branches maintainer) |
52 | - Topi Miettinen (https://github.com/topimiettinen) | 53 | - Topi Miettinen (https://github.com/topimiettinen) |
@@ -76,6 +77,9 @@ Aidan Gauland (https://github.com/aidalgol) | |||
76 | - whitelist Bohemia Interactive config dir for Steam | 77 | - whitelist Bohemia Interactive config dir for Steam |
77 | Akhil Hans Maulloo (https://github.com/kouul) | 78 | Akhil Hans Maulloo (https://github.com/kouul) |
78 | - xz profile | 79 | - xz profile |
80 | Albin Kauffmann (https://github.com/albinou) | ||
81 | - Firefox and Chromium profile fixes | ||
82 | - info to allow screen sharing in profiles | ||
79 | Alexey Kuznetsov (kuznet@ms2.inr.ac.ru) | 83 | Alexey Kuznetsov (kuznet@ms2.inr.ac.ru) |
80 | - src/lib/libnetlink.c extracted from iproute2 software package | 84 | - src/lib/libnetlink.c extracted from iproute2 software package |
81 | Aleksey Manevich (https://github.com/manevich) | 85 | Aleksey Manevich (https://github.com/manevich) |
@@ -165,9 +169,12 @@ Barış Ekin Yıldırım (https://github.com/circuitshaker) | |||
165 | - removing net none from code.profile | 169 | - removing net none from code.profile |
166 | bbhtt (https://github.com/bbhtt) | 170 | bbhtt (https://github.com/bbhtt) |
167 | - improvements to balsa,fractal,gajim,trojita profiles | 171 | - improvements to balsa,fractal,gajim,trojita profiles |
168 | - improvements to nheko, spectral, feh, links, lynx profiles | 172 | - improvements to nheko, spectral, feh, links, lynx, smplayer profiles |
169 | - added alacartem com.github.bleakgrey.tootle, photoflare profiles | 173 | - added alacarte, com.github.bleakgrey.tootle, photoflare profiles |
170 | - add profiles for MS Edge dev build for Linux and Librewolf | 174 | - add profiles for MS Edge dev build for Linux and Librewolf |
175 | - fixes to cheese, authenticator, liferea | ||
176 | - add profile for straw-viewer | ||
177 | - email clients whitelisting and fixes | ||
171 | Benjamin Kampmann (https://github.com/ligthyear) | 178 | Benjamin Kampmann (https://github.com/ligthyear) |
172 | - Forward exit code from child process | 179 | - Forward exit code from child process |
173 | bitfreak25 (https://github.com/bitfreak25) | 180 | bitfreak25 (https://github.com/bitfreak25) |
@@ -452,6 +459,8 @@ Impyy (https://github.com/Impyy) | |||
452 | - added mumble profile | 459 | - added mumble profile |
453 | intika (https://github.com/intika) | 460 | intika (https://github.com/intika) |
454 | - added musixmatch profile | 461 | - added musixmatch profile |
462 | irandms (https://github.com/irandms) | ||
463 | - man firecfg fixes | ||
455 | irregulator (https://github.com/irregulator) | 464 | irregulator (https://github.com/irregulator) |
456 | - thunderbird profile fixes for debian stretch | 465 | - thunderbird profile fixes for debian stretch |
457 | Irvine (https://github.com/Irvinehimself) | 466 | Irvine (https://github.com/Irvinehimself) |
@@ -798,7 +807,9 @@ Simon Peter (https://github.com/probonopd) | |||
798 | sinkuu (https://github.com/sinkuu) | 807 | sinkuu (https://github.com/sinkuu) |
799 | - blacklisting kwalletd | 808 | - blacklisting kwalletd |
800 | - fix symlink invocation for programs placing symlinks in $PATH | 809 | - fix symlink invocation for programs placing symlinks in $PATH |
801 | smithsohu (https://github.com/smitsohu) | 810 | Simo Piiroinen (https://github.com/spiiroin) |
811 | - Jolla/SailfishOS patches | ||
812 | smitsohu (https://github.com/smitsohu) | ||
802 | - read-only kde4 services directory | 813 | - read-only kde4 services directory |
803 | - enhanced mediathekview profile | 814 | - enhanced mediathekview profile |
804 | - added tuxguitar profile | 815 | - added tuxguitar profile |
@@ -913,6 +924,8 @@ Tom Mellor (https://github.com/kalegrill) | |||
913 | - mupen64plus profile | 924 | - mupen64plus profile |
914 | Tomasz Jan Góralczyk (https://github.com/tjg) | 925 | Tomasz Jan Góralczyk (https://github.com/tjg) |
915 | - fixed Steam profile | 926 | - fixed Steam profile |
927 | Tomi Leppänen (https://github.com/Tomin1) | ||
928 | - Jolla/SailfishOS patches | ||
916 | Topi Miettinen (https://github.com/topimiettinen) | 929 | Topi Miettinen (https://github.com/topimiettinen) |
917 | - improved seccomp printing | 930 | - improved seccomp printing |
918 | - improve mount handling, fix /run/user handling | 931 | - improve mount handling, fix /run/user handling |
@@ -1011,4 +1024,7 @@ Zack Weinberg (https://github.com/zackw) | |||
1011 | with firejail --x11 | 1024 | with firejail --x11 |
1012 | - support for xpra-extra-params in firejail.config | 1025 | - support for xpra-extra-params in firejail.config |
1013 | 1026 | ||
1014 | Copyright (C) 2014-2020 Firejail Authors | 1027 | zupatisc (https://github.com/zupatisc) |
1028 | - patch-util fix | ||
1029 | |||
1030 | Copyright (C) 2014-2021 Firejail Authors | ||
@@ -198,7 +198,100 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
198 | Milestone page: https://github.com/netblue30/firejail/milestone/1 | 198 | Milestone page: https://github.com/netblue30/firejail/milestone/1 |
199 | Release discussion: https://github.com/netblue30/firejail/issues/3696 | 199 | Release discussion: https://github.com/netblue30/firejail/issues/3696 |
200 | 200 | ||
201 | ### jailtest | ||
202 | ````` | ||
203 | JAILTEST(1) JAILTEST man page JAILTEST(1) | ||
204 | |||
205 | NAME | ||
206 | jailtest - Simple utility program to test running sandboxes | ||
207 | |||
208 | SYNOPSIS | ||
209 | sudo jailtest [OPTIONS] [directory] | ||
210 | |||
211 | DESCRIPTION | ||
212 | WORK IN PROGRESS! jailtest attaches itself to all sandboxes started by | ||
213 | the user and performs some basic tests on the sandbox filesystem: | ||
214 | |||
215 | 1. Virtual directories | ||
216 | jailtest extracts a list with the main virtual directories in‐ | ||
217 | stalled by the sandbox. These directories are build by firejail | ||
218 | at startup using --private* and --whitelist commands. | ||
219 | |||
220 | 2. Noexec test | ||
221 | jailtest inserts executable programs in /home/username, /tmp, | ||
222 | and /var/tmp directories and tries to run them form inside the | ||
223 | sandbox, thus testing if the directory is executable or not. | ||
224 | |||
225 | 3. Read access test | ||
226 | jailtest creates test files in the directories specified by the | ||
227 | user and tries to read them from inside the sandbox. | ||
228 | |||
229 | 4. AppArmor test | ||
230 | |||
231 | 5. Seccomp test | ||
232 | |||
233 | The program is started as root using sudo. | ||
234 | |||
235 | OPTIONS | ||
236 | --debug | ||
237 | Print debug messages | ||
238 | |||
239 | -?, --help | ||
240 | Print options end exit. | ||
241 | |||
242 | --version | ||
243 | Print program version and exit. | ||
201 | 244 | ||
245 | [directory] | ||
246 | One or more directories in user home to test for read access. | ||
247 | ~/.ssh and ~/.gnupg are tested by default. | ||
248 | |||
249 | OUTPUT | ||
250 | For each sandbox detected we print the following line: | ||
251 | |||
252 | PID:USER:Sandbox Name:Command | ||
253 | |||
254 | It is followed by relevant sandbox information, such as the virtual di‐ | ||
255 | rectories and various warnings. | ||
256 | |||
257 | EXAMPLE | ||
258 | $ sudo jailtest | ||
259 | 2014:netblue::firejail /usr/bin/gimp | ||
260 | Virtual dirs: /tmp, /var/tmp, /dev, /usr/share, | ||
261 | Warning: I can run programs in /home/netblue | ||
262 | |||
263 | 2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net | ||
264 | Virtual dirs: /var/tmp, /dev, /usr/share, /run/user/1000, | ||
265 | Warning: I can read ~/.ssh | ||
266 | |||
267 | 2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.ap‐ | ||
268 | pimage | ||
269 | Virtual dirs: /tmp, /var/tmp, /dev, | ||
270 | |||
271 | 26090:netblue::/usr/bin/firejail /opt/firefox/firefox | ||
272 | Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /usr/share, | ||
273 | /run/user/1000, | ||
274 | |||
275 | 26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor | ||
276 | Warning: AppArmor not enabled | ||
277 | Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /bin, | ||
278 | /usr/share, /run/user/1000, | ||
279 | Warning: I can run programs in /home/netblue | ||
280 | |||
281 | LICENSE | ||
282 | This program is free software; you can redistribute it and/or modify it | ||
283 | under the terms of the GNU General Public License as published by the | ||
284 | Free Software Foundation; either version 2 of the License, or (at your | ||
285 | option) any later version. | ||
286 | |||
287 | Homepage: https://firejail.wordpress.com | ||
288 | |||
289 | SEE ALSO | ||
290 | firejail(1), firemon(1), firecfg(1), firejail-profile(5), firejail-lo‐ | ||
291 | gin(5), firejail-users(5), | ||
292 | |||
293 | 0.9.65 Feb 2021 JAILTEST(1) | ||
294 | ````` | ||
202 | 295 | ||
203 | ### Profile Statistics | 296 | ### Profile Statistics |
204 | 297 | ||
@@ -210,31 +303,33 @@ $ ./profstats *.profile | |||
210 | Warning: multiple caps in transmission-daemon.profile | 303 | Warning: multiple caps in transmission-daemon.profile |
211 | 304 | ||
212 | Stats: | 305 | Stats: |
213 | profiles 1064 | 306 | profiles 1077 |
214 | include local profile 1064 (include profile-name.local) | 307 | include local profile 1077 (include profile-name.local) |
215 | include globals 1064 (include globals.local) | 308 | include globals 1077 (include globals.local) |
216 | blacklist ~/.ssh 959 (include disable-common.inc) | 309 | blacklist ~/.ssh 971 (include disable-common.inc) |
217 | seccomp 975 | 310 | seccomp 988 |
218 | capabilities 1063 | 311 | capabilities 1076 |
219 | noexec 944 (include disable-exec.inc) | 312 | noexec 960 (include disable-exec.inc) |
220 | memory-deny-write-execute 229 | 313 | memory-deny-write-execute 231 |
221 | apparmor 605 | 314 | apparmor 621 |
222 | private-bin 564 | 315 | private-bin 571 |
223 | private-dev 932 | 316 | private-dev 949 |
224 | private-etc 462 | 317 | private-etc 470 |
225 | private-tmp 823 | 318 | private-tmp 835 |
226 | whitelist home directory 502 | 319 | whitelist home directory 508 |
227 | whitelist var 744 (include whitelist-var-common.inc) | 320 | whitelist var 758 (include whitelist-var-common.inc) |
228 | whitelist run/user 461 (include whitelist-runuser-common.inc | 321 | whitelist run/user 539 (include whitelist-runuser-common.inc |
229 | or blacklist ${RUNUSER}) | 322 | or blacklist ${RUNUSER}) |
230 | whitelist usr/share 451 (include whitelist-usr-share-common.inc | 323 | whitelist usr/share 526 (include whitelist-usr-share-common.inc |
231 | net none 345 | 324 | net none 354 |
232 | dbus-user none 564 | 325 | dbus-user none 573 |
233 | dbus-user filter 85 | 326 | dbus-user filter 86 |
234 | dbus-system none 696 | 327 | dbus-system none 706 |
235 | dbus-system filter 7 | 328 | dbus-system filter 7 |
236 | ``` | 329 | ``` |
237 | 330 | ||
238 | ### New profiles: | 331 | ### New profiles: |
239 | 332 | ||
240 | vmware-view, display-im6.q16 | 333 | vmware-view, display-im6.q16, ipcalc, ipcalc-ng, ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop, |
334 | avidemux, calligragemini, vmware-player, vmware-workstation, gget, com.github.phase1geo.minder, nextcloud-desktop, | ||
335 | pcsxr, PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2 | ||
@@ -1,6 +1,22 @@ | |||
1 | firejail (0.9.65) baseline; urgency=low | 1 | firejail (0.9.65) baseline; urgency=low |
2 | * filtering environment variables | 2 | * filtering environment variables |
3 | * new profiles: vmware-view, display-im6.q16 | 3 | * zsh completion |
4 | * command line: --mkdir, --mkfile | ||
5 | * --protocol now accumulates | ||
6 | * Jolla/SailfishOS patches | ||
7 | * private-lib rework | ||
8 | * jailtest utility for testing running sandboxes | ||
9 | * removed --audit options, relpaced by jailtest | ||
10 | * capabilities list update | ||
11 | * faccessat2 syscall support | ||
12 | * compile time: --enable-force-nonewprivs | ||
13 | * compile time: --disable-output | ||
14 | * compile time: --enable-lts | ||
15 | * new profiles: vmware-view, display-im6.q16, ipcalc, ipcalc-ng | ||
16 | * ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop, | ||
17 | * avidemux, calligragemini, vmware-player, vmware-workstation | ||
18 | * gget, com.github.phase1geo.minder, nextcloud-desktop, pcsxr | ||
19 | * PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2 | ||
4 | -- netblue30 <netblue30@yahoo.com> Tue, 9 Feb 2021 09:00:00 -0500 | 20 | -- netblue30 <netblue30@yahoo.com> Tue, 9 Feb 2021 09:00:00 -0500 |
5 | 21 | ||
6 | firejail (0.9.64.4) baseline; urgency=low | 22 | firejail (0.9.64.4) baseline; urgency=low |
@@ -627,7 +627,8 @@ LIBOBJS | |||
627 | EGREP | 627 | EGREP |
628 | GREP | 628 | GREP |
629 | CPP | 629 | CPP |
630 | HAVE_SELINUX | 630 | HAVE_LTS |
631 | HAVE_FORCE_NONEWPRIVS | ||
631 | HAVE_CONTRIB_INSTALL | 632 | HAVE_CONTRIB_INSTALL |
632 | HAVE_GCOV | 633 | HAVE_GCOV |
633 | BUSYBOX_WORKAROUND | 634 | BUSYBOX_WORKAROUND |
@@ -645,10 +646,12 @@ HAVE_FIRETUNNEL | |||
645 | HAVE_GAWK | 646 | HAVE_GAWK |
646 | HAVE_MAN | 647 | HAVE_MAN |
647 | HAVE_USERTMPFS | 648 | HAVE_USERTMPFS |
649 | HAVE_OUTPUT | ||
648 | HAVE_OVERLAYFS | 650 | HAVE_OVERLAYFS |
649 | HAVE_DBUSPROXY | 651 | HAVE_DBUSPROXY |
650 | EXTRA_LDFLAGS | 652 | EXTRA_LDFLAGS |
651 | EXTRA_CFLAGS | 653 | EXTRA_CFLAGS |
654 | HAVE_SELINUX | ||
652 | HAVE_APPARMOR | 655 | HAVE_APPARMOR |
653 | AA_LIBS | 656 | AA_LIBS |
654 | AA_CFLAGS | 657 | AA_CFLAGS |
@@ -710,7 +713,9 @@ ac_user_opts=' | |||
710 | enable_option_checking | 713 | enable_option_checking |
711 | enable_analyzer | 714 | enable_analyzer |
712 | enable_apparmor | 715 | enable_apparmor |
716 | enable_selinux | ||
713 | enable_dbusproxy | 717 | enable_dbusproxy |
718 | enable_output | ||
714 | enable_usertmpfs | 719 | enable_usertmpfs |
715 | enable_man | 720 | enable_man |
716 | enable_firetunnel | 721 | enable_firetunnel |
@@ -727,7 +732,8 @@ enable_fatal_warnings | |||
727 | enable_busybox_workaround | 732 | enable_busybox_workaround |
728 | enable_gcov | 733 | enable_gcov |
729 | enable_contrib_install | 734 | enable_contrib_install |
730 | enable_selinux | 735 | enable_force_nonewprivs |
736 | enable_lts | ||
731 | ' | 737 | ' |
732 | ac_precious_vars='build_alias | 738 | ac_precious_vars='build_alias |
733 | host_alias | 739 | host_alias |
@@ -1365,7 +1371,9 @@ Optional Features: | |||
1365 | --enable-FEATURE[=ARG] include FEATURE [ARG=yes] | 1371 | --enable-FEATURE[=ARG] include FEATURE [ARG=yes] |
1366 | --enable-analyzer enable GCC 10 static analyzer | 1372 | --enable-analyzer enable GCC 10 static analyzer |
1367 | --enable-apparmor enable apparmor | 1373 | --enable-apparmor enable apparmor |
1374 | --enable-selinux SELinux labeling support | ||
1368 | --disable-dbusproxy disable dbus proxy | 1375 | --disable-dbusproxy disable dbus proxy |
1376 | --disable-output disable --output logging | ||
1369 | --disable-usertmpfs disable tmpfs as regular user | 1377 | --disable-usertmpfs disable tmpfs as regular user |
1370 | --disable-man disable man pages | 1378 | --disable-man disable man pages |
1371 | --disable-firetunnel disable firetunnel | 1379 | --disable-firetunnel disable firetunnel |
@@ -1385,7 +1393,9 @@ Optional Features: | |||
1385 | --enable-gcov Gcov instrumentation | 1393 | --enable-gcov Gcov instrumentation |
1386 | --enable-contrib-install | 1394 | --enable-contrib-install |
1387 | install contrib scripts | 1395 | install contrib scripts |
1388 | --enable-selinux SELinux labeling support | 1396 | --enable-force-nonewprivs |
1397 | enable force nonewprivs | ||
1398 | --enable-lts enable long-term support software version (LTS) | ||
1389 | 1399 | ||
1390 | Some influential environment variables: | 1400 | Some influential environment variables: |
1391 | CC C compiler command | 1401 | CC C compiler command |
@@ -3511,6 +3521,20 @@ fi | |||
3511 | 3521 | ||
3512 | fi | 3522 | fi |
3513 | 3523 | ||
3524 | HAVE_SELINUX="" | ||
3525 | # Check whether --enable-selinux was given. | ||
3526 | if test "${enable_selinux+set}" = set; then : | ||
3527 | enableval=$enable_selinux; | ||
3528 | fi | ||
3529 | |||
3530 | if test "x$enable_selinux" = "xyes"; then : | ||
3531 | |||
3532 | HAVE_SELINUX="-DHAVE_SELINUX" | ||
3533 | EXTRA_LDFLAGS+=" -lselinux " | ||
3534 | |||
3535 | |||
3536 | fi | ||
3537 | |||
3514 | 3538 | ||
3515 | 3539 | ||
3516 | 3540 | ||
@@ -3539,6 +3563,19 @@ HAVE_OVERLAYFS="" | |||
3539 | # AC_SUBST(HAVE_OVERLAYFS) | 3563 | # AC_SUBST(HAVE_OVERLAYFS) |
3540 | #]) | 3564 | #]) |
3541 | 3565 | ||
3566 | HAVE_OUTPUT="" | ||
3567 | # Check whether --enable-output was given. | ||
3568 | if test "${enable_output+set}" = set; then : | ||
3569 | enableval=$enable_output; | ||
3570 | fi | ||
3571 | |||
3572 | if test "x$enable_output" != "xno"; then : | ||
3573 | |||
3574 | HAVE_OUTPUT="-DHAVE_OUTPUT" | ||
3575 | |||
3576 | |||
3577 | fi | ||
3578 | |||
3542 | HAVE_USERTMPFS="" | 3579 | HAVE_USERTMPFS="" |
3543 | # Check whether --enable-usertmpfs was given. | 3580 | # Check whether --enable-usertmpfs was given. |
3544 | if test "${enable_usertmpfs+set}" = set; then : | 3581 | if test "${enable_usertmpfs+set}" = set; then : |
@@ -3792,20 +3829,80 @@ else | |||
3792 | fi | 3829 | fi |
3793 | 3830 | ||
3794 | 3831 | ||
3795 | HAVE_SELINUX="" | 3832 | HAVE_FORCE_NONEWPRIVS="" |
3796 | # Check whether --enable-selinux was given. | 3833 | # Check whether --enable-force-nonewprivs was given. |
3797 | if test "${enable_selinux+set}" = set; then : | 3834 | if test "${enable_force_nonewprivs+set}" = set; then : |
3798 | enableval=$enable_selinux; | 3835 | enableval=$enable_force_nonewprivs; |
3799 | fi | 3836 | fi |
3800 | 3837 | ||
3801 | if test "x$enable_selinux" = "xyes"; then : | 3838 | if test "x$enable_force_nonewprivs" = "xyes"; then : |
3802 | 3839 | ||
3803 | HAVE_SELINUX="-DHAVE_SELINUX" | 3840 | HAVE_FORCE_NONEWPRIVS="-DHAVE_FORCE_NONEWPRIVS" |
3804 | EXTRA_LDFLAGS+=" -lselinux " | ||
3805 | 3841 | ||
3806 | 3842 | ||
3807 | fi | 3843 | fi |
3808 | 3844 | ||
3845 | HAVE_LTS="" | ||
3846 | # Check whether --enable-lts was given. | ||
3847 | if test "${enable_lts+set}" = set; then : | ||
3848 | enableval=$enable_lts; | ||
3849 | fi | ||
3850 | |||
3851 | if test "x$enable_lts" = "xyes"; then : | ||
3852 | |||
3853 | HAVE_LTS="-DHAVE_LTS" | ||
3854 | |||
3855 | |||
3856 | HAVE_DBUSPROXY="" | ||
3857 | |||
3858 | |||
3859 | HAVE_OVERLAYFS="" | ||
3860 | |||
3861 | |||
3862 | HAVE_OUTPUT="" | ||
3863 | |||
3864 | |||
3865 | HAVE_USERTMPFS="" | ||
3866 | |||
3867 | |||
3868 | HAVE_MAN="-DHAVE_MAN" | ||
3869 | |||
3870 | |||
3871 | HAVE_FIRETUNNEL="" | ||
3872 | |||
3873 | |||
3874 | HAVE_PRIVATEHOME="" | ||
3875 | |||
3876 | |||
3877 | HAVE_CHROOT="" | ||
3878 | |||
3879 | |||
3880 | HAVE_GLOBALCFG="" | ||
3881 | |||
3882 | |||
3883 | HAVE_USERNS="" | ||
3884 | |||
3885 | |||
3886 | HAVE_X11="" | ||
3887 | |||
3888 | |||
3889 | HAVE_FILE_TRANSFER="" | ||
3890 | |||
3891 | |||
3892 | HAVE_SUID="yes" | ||
3893 | |||
3894 | |||
3895 | BUSYBOX_WORKAROUND="no" | ||
3896 | |||
3897 | |||
3898 | HAVE_CONTRIB_INSTALL="no", | ||
3899 | |||
3900 | |||
3901 | fi | ||
3902 | |||
3903 | |||
3904 | |||
3905 | |||
3809 | # checking pthread library | 3906 | # checking pthread library |
3810 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5 | 3907 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5 |
3811 | $as_echo_n "checking for main in -lpthread... " >&6; } | 3908 | $as_echo_n "checking for main in -lpthread... " >&6; } |
@@ -4269,7 +4366,7 @@ fi | |||
4269 | 4366 | ||
4270 | ac_config_files="$ac_config_files mkdeb.sh" | 4367 | ac_config_files="$ac_config_files mkdeb.sh" |
4271 | 4368 | ||
4272 | ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile test/Makefile" | 4369 | ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile src/jailtest/Makefile" |
4273 | 4370 | ||
4274 | cat >confcache <<\_ACEOF | 4371 | cat >confcache <<\_ACEOF |
4275 | # This file is a shell script that caches the results of configure | 4372 | # This file is a shell script that caches the results of configure |
@@ -4993,14 +5090,16 @@ do | |||
4993 | "src/fbuilder/Makefile") CONFIG_FILES="$CONFIG_FILES src/fbuilder/Makefile" ;; | 5090 | "src/fbuilder/Makefile") CONFIG_FILES="$CONFIG_FILES src/fbuilder/Makefile" ;; |
4994 | "src/fsec-print/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-print/Makefile" ;; | 5091 | "src/fsec-print/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-print/Makefile" ;; |
4995 | "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;; | 5092 | "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;; |
4996 | "src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;; | ||
4997 | "src/fseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/fseccomp/Makefile" ;; | 5093 | "src/fseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/fseccomp/Makefile" ;; |
4998 | "src/fldd/Makefile") CONFIG_FILES="$CONFIG_FILES src/fldd/Makefile" ;; | 5094 | "src/fldd/Makefile") CONFIG_FILES="$CONFIG_FILES src/fldd/Makefile" ;; |
4999 | "src/libpostexecseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpostexecseccomp/Makefile" ;; | 5095 | "src/libpostexecseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpostexecseccomp/Makefile" ;; |
5000 | "src/fsec-optimize/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-optimize/Makefile" ;; | 5096 | "src/fsec-optimize/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-optimize/Makefile" ;; |
5001 | "src/profstats/Makefile") CONFIG_FILES="$CONFIG_FILES src/profstats/Makefile" ;; | 5097 | "src/profstats/Makefile") CONFIG_FILES="$CONFIG_FILES src/profstats/Makefile" ;; |
5002 | "src/man/Makefile") CONFIG_FILES="$CONFIG_FILES src/man/Makefile" ;; | 5098 | "src/man/Makefile") CONFIG_FILES="$CONFIG_FILES src/man/Makefile" ;; |
5099 | "src/zsh_completion/Makefile") CONFIG_FILES="$CONFIG_FILES src/zsh_completion/Makefile" ;; | ||
5100 | "src/bash_completion/Makefile") CONFIG_FILES="$CONFIG_FILES src/bash_completion/Makefile" ;; | ||
5003 | "test/Makefile") CONFIG_FILES="$CONFIG_FILES test/Makefile" ;; | 5101 | "test/Makefile") CONFIG_FILES="$CONFIG_FILES test/Makefile" ;; |
5102 | "src/jailtest/Makefile") CONFIG_FILES="$CONFIG_FILES src/jailtest/Makefile" ;; | ||
5004 | 5103 | ||
5005 | *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; | 5104 | *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; |
5006 | esac | 5105 | esac |
@@ -5466,6 +5565,7 @@ echo "Configuration options:" | |||
5466 | echo " prefix: $prefix" | 5565 | echo " prefix: $prefix" |
5467 | echo " sysconfdir: $sysconfdir" | 5566 | echo " sysconfdir: $sysconfdir" |
5468 | echo " apparmor: $HAVE_APPARMOR" | 5567 | echo " apparmor: $HAVE_APPARMOR" |
5568 | echo " SELinux labeling support: $HAVE_SELINUX" | ||
5469 | echo " global config: $HAVE_GLOBALCFG" | 5569 | echo " global config: $HAVE_GLOBALCFG" |
5470 | echo " chroot: $HAVE_CHROOT" | 5570 | echo " chroot: $HAVE_CHROOT" |
5471 | echo " network: $HAVE_NETWORK" | 5571 | echo " network: $HAVE_NETWORK" |
@@ -5477,6 +5577,7 @@ echo " file transfer support: $HAVE_FILE_TRANSFER" | |||
5477 | echo " overlayfs support: $HAVE_OVERLAYFS" | 5577 | echo " overlayfs support: $HAVE_OVERLAYFS" |
5478 | echo " DBUS proxy support: $HAVE_DBUSPROXY" | 5578 | echo " DBUS proxy support: $HAVE_DBUSPROXY" |
5479 | echo " allow tmpfs as regular user: $HAVE_USERTMPFS" | 5579 | echo " allow tmpfs as regular user: $HAVE_USERTMPFS" |
5580 | echo " enable --ouput logging: $HAVE_OUTPUT" | ||
5480 | echo " Manpage support: $HAVE_MAN" | 5581 | echo " Manpage support: $HAVE_MAN" |
5481 | echo " firetunnel support: $HAVE_FIRETUNNEL" | 5582 | echo " firetunnel support: $HAVE_FIRETUNNEL" |
5482 | echo " busybox workaround: $BUSYBOX_WORKAROUND" | 5583 | echo " busybox workaround: $BUSYBOX_WORKAROUND" |
@@ -5486,6 +5587,20 @@ echo " EXTRA_CFLAGS: $EXTRA_CFLAGS" | |||
5486 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" | 5587 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" |
5487 | echo " Gcov instrumentation: $HAVE_GCOV" | 5588 | echo " Gcov instrumentation: $HAVE_GCOV" |
5488 | echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL" | 5589 | echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL" |
5489 | echo " SELinux labeling support: $HAVE_SELINUX" | ||
5490 | echo " Install as a SUID executable: $HAVE_SUID" | 5590 | echo " Install as a SUID executable: $HAVE_SUID" |
5591 | echo " LTS: $HAVE_LTS" | ||
5592 | echo " Always enforce filters: $HAVE_FORCE_NONEWPRIVS" | ||
5491 | echo | 5593 | echo |
5594 | |||
5595 | |||
5596 | if test "$HAVE_LTS" = -DHAVE_LTS; then | ||
5597 | echo | ||
5598 | echo | ||
5599 | echo "*********************************************************" | ||
5600 | echo "* Warning: Long-term support (LTS) was enabled! *" | ||
5601 | echo "* Most compile-time options have bean rewritten! *" | ||
5602 | echo "*********************************************************" | ||
5603 | echo | ||
5604 | echo | ||
5605 | fi | ||
5606 | |||
diff --git a/configure.ac b/configure.ac index f5e3347ea..e8bd6fb80 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -54,6 +54,15 @@ AS_IF([test "x$enable_apparmor" = "xyes"], [ | |||
54 | AC_SUBST(HAVE_APPARMOR) | 54 | AC_SUBST(HAVE_APPARMOR) |
55 | ]) | 55 | ]) |
56 | 56 | ||
57 | HAVE_SELINUX="" | ||
58 | AC_ARG_ENABLE([selinux], | ||
59 | AS_HELP_STRING([--enable-selinux], [SELinux labeling support])) | ||
60 | AS_IF([test "x$enable_selinux" = "xyes"], [ | ||
61 | HAVE_SELINUX="-DHAVE_SELINUX" | ||
62 | EXTRA_LDFLAGS+=" -lselinux " | ||
63 | AC_SUBST(HAVE_SELINUX) | ||
64 | ]) | ||
65 | |||
57 | AC_SUBST([EXTRA_CFLAGS]) | 66 | AC_SUBST([EXTRA_CFLAGS]) |
58 | AC_SUBST([EXTRA_LDFLAGS]) | 67 | AC_SUBST([EXTRA_LDFLAGS]) |
59 | 68 | ||
@@ -77,6 +86,14 @@ AC_SUBST(HAVE_OVERLAYFS) | |||
77 | # AC_SUBST(HAVE_OVERLAYFS) | 86 | # AC_SUBST(HAVE_OVERLAYFS) |
78 | #]) | 87 | #]) |
79 | 88 | ||
89 | HAVE_OUTPUT="" | ||
90 | AC_ARG_ENABLE([output], | ||
91 | AS_HELP_STRING([--disable-output], [disable --output logging])) | ||
92 | AS_IF([test "x$enable_output" != "xno"], [ | ||
93 | HAVE_OUTPUT="-DHAVE_OUTPUT" | ||
94 | AC_SUBST(HAVE_OUTPUT) | ||
95 | ]) | ||
96 | |||
80 | HAVE_USERTMPFS="" | 97 | HAVE_USERTMPFS="" |
81 | AC_ARG_ENABLE([usertmpfs], | 98 | AC_ARG_ENABLE([usertmpfs], |
82 | AS_HELP_STRING([--disable-usertmpfs], [disable tmpfs as regular user])) | 99 | AS_HELP_STRING([--disable-usertmpfs], [disable tmpfs as regular user])) |
@@ -211,15 +228,70 @@ AS_IF([test "x$enable_contrib_install" = "xno"], | |||
211 | ) | 228 | ) |
212 | AC_SUBST(HAVE_CONTRIB_INSTALL) | 229 | AC_SUBST(HAVE_CONTRIB_INSTALL) |
213 | 230 | ||
214 | HAVE_SELINUX="" | 231 | HAVE_FORCE_NONEWPRIVS="" |
215 | AC_ARG_ENABLE([selinux], | 232 | AC_ARG_ENABLE([force-nonewprivs], |
216 | AS_HELP_STRING([--enable-selinux], [SELinux labeling support])) | 233 | AS_HELP_STRING([--enable-force-nonewprivs], [enable force nonewprivs])) |
217 | AS_IF([test "x$enable_selinux" = "xyes"], [ | 234 | AS_IF([test "x$enable_force_nonewprivs" = "xyes"], [ |
218 | HAVE_SELINUX="-DHAVE_SELINUX" | 235 | HAVE_FORCE_NONEWPRIVS="-DHAVE_FORCE_NONEWPRIVS" |
219 | EXTRA_LDFLAGS+=" -lselinux " | 236 | AC_SUBST(HAVE_FORCE_NONEWPRIVS) |
220 | AC_SUBST(HAVE_SELINUX) | 237 | ]) |
238 | |||
239 | HAVE_LTS="" | ||
240 | AC_ARG_ENABLE([lts], | ||
241 | AS_HELP_STRING([--enable-lts], [enable long-term support software version (LTS)])) | ||
242 | AS_IF([test "x$enable_lts" = "xyes"], [ | ||
243 | HAVE_LTS="-DHAVE_LTS" | ||
244 | AC_SUBST(HAVE_LTS) | ||
245 | |||
246 | HAVE_DBUSPROXY="" | ||
247 | AC_SUBST(HAVE_DBUSPROXY) | ||
248 | |||
249 | HAVE_OVERLAYFS="" | ||
250 | AC_SUBST(HAVE_OVERLAYFS) | ||
251 | |||
252 | HAVE_OUTPUT="" | ||
253 | AC_SUBST(HAVE_OUTPUT) | ||
254 | |||
255 | HAVE_USERTMPFS="" | ||
256 | AC_SUBST(HAVE_USERTMPFS) | ||
257 | |||
258 | HAVE_MAN="-DHAVE_MAN" | ||
259 | AC_SUBST(HAVE_MAN) | ||
260 | |||
261 | HAVE_FIRETUNNEL="" | ||
262 | AC_SUBST(HAVE_FIRETUNNEL) | ||
263 | |||
264 | HAVE_PRIVATEHOME="" | ||
265 | AC_SUBST(HAVE_PRIVATE_HOME) | ||
266 | |||
267 | HAVE_CHROOT="" | ||
268 | AC_SUBST(HAVE_CHROOT) | ||
269 | |||
270 | HAVE_GLOBALCFG="" | ||
271 | AC_SUBST(HAVE_GLOBALCFG) | ||
272 | |||
273 | HAVE_USERNS="" | ||
274 | AC_SUBST(HAVE_USERNS) | ||
275 | |||
276 | HAVE_X11="" | ||
277 | AC_SUBST(HAVE_X11) | ||
278 | |||
279 | HAVE_FILE_TRANSFER="" | ||
280 | AC_SUBST(HAVE_FILE_TRANSFER) | ||
281 | |||
282 | HAVE_SUID="yes" | ||
283 | AC_SUBST(HAVE_SUID) | ||
284 | |||
285 | BUSYBOX_WORKAROUND="no" | ||
286 | AC_SUBST(BUSYBOX_WORKAROUND) | ||
287 | |||
288 | HAVE_CONTRIB_INSTALL="no", | ||
289 | AC_SUBST(HAVE_CONTRIB_INSTALL) | ||
221 | ]) | 290 | ]) |
222 | 291 | ||
292 | |||
293 | |||
294 | |||
223 | # checking pthread library | 295 | # checking pthread library |
224 | AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***])) | 296 | AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***])) |
225 | AC_CHECK_HEADER(pthread.h,,AC_MSG_ERROR([*** POSIX thread support not installed ***])) | 297 | AC_CHECK_HEADER(pthread.h,,AC_MSG_ERROR([*** POSIX thread support not installed ***])) |
@@ -233,14 +305,16 @@ fi | |||
233 | AC_CONFIG_FILES([mkdeb.sh], [chmod +x mkdeb.sh]) | 305 | AC_CONFIG_FILES([mkdeb.sh], [chmod +x mkdeb.sh]) |
234 | AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \ | 306 | AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \ |
235 | src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \ | 307 | src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \ |
236 | src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \ | 308 | src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \ |
237 | src/profstats/Makefile src/man/Makefile test/Makefile) | 309 | src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile \ |
310 | src/jailtest/Makefile) | ||
238 | 311 | ||
239 | echo | 312 | echo |
240 | echo "Configuration options:" | 313 | echo "Configuration options:" |
241 | echo " prefix: $prefix" | 314 | echo " prefix: $prefix" |
242 | echo " sysconfdir: $sysconfdir" | 315 | echo " sysconfdir: $sysconfdir" |
243 | echo " apparmor: $HAVE_APPARMOR" | 316 | echo " apparmor: $HAVE_APPARMOR" |
317 | echo " SELinux labeling support: $HAVE_SELINUX" | ||
244 | echo " global config: $HAVE_GLOBALCFG" | 318 | echo " global config: $HAVE_GLOBALCFG" |
245 | echo " chroot: $HAVE_CHROOT" | 319 | echo " chroot: $HAVE_CHROOT" |
246 | echo " network: $HAVE_NETWORK" | 320 | echo " network: $HAVE_NETWORK" |
@@ -252,6 +326,7 @@ echo " file transfer support: $HAVE_FILE_TRANSFER" | |||
252 | echo " overlayfs support: $HAVE_OVERLAYFS" | 326 | echo " overlayfs support: $HAVE_OVERLAYFS" |
253 | echo " DBUS proxy support: $HAVE_DBUSPROXY" | 327 | echo " DBUS proxy support: $HAVE_DBUSPROXY" |
254 | echo " allow tmpfs as regular user: $HAVE_USERTMPFS" | 328 | echo " allow tmpfs as regular user: $HAVE_USERTMPFS" |
329 | echo " enable --ouput logging: $HAVE_OUTPUT" | ||
255 | echo " Manpage support: $HAVE_MAN" | 330 | echo " Manpage support: $HAVE_MAN" |
256 | echo " firetunnel support: $HAVE_FIRETUNNEL" | 331 | echo " firetunnel support: $HAVE_FIRETUNNEL" |
257 | echo " busybox workaround: $BUSYBOX_WORKAROUND" | 332 | echo " busybox workaround: $BUSYBOX_WORKAROUND" |
@@ -261,6 +336,20 @@ echo " EXTRA_CFLAGS: $EXTRA_CFLAGS" | |||
261 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" | 336 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" |
262 | echo " Gcov instrumentation: $HAVE_GCOV" | 337 | echo " Gcov instrumentation: $HAVE_GCOV" |
263 | echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL" | 338 | echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL" |
264 | echo " SELinux labeling support: $HAVE_SELINUX" | ||
265 | echo " Install as a SUID executable: $HAVE_SUID" | 339 | echo " Install as a SUID executable: $HAVE_SUID" |
340 | echo " LTS: $HAVE_LTS" | ||
341 | echo " Always enforce filters: $HAVE_FORCE_NONEWPRIVS" | ||
266 | echo | 342 | echo |
343 | |||
344 | |||
345 | if test "$HAVE_LTS" = -DHAVE_LTS; then | ||
346 | echo | ||
347 | echo | ||
348 | echo "*********************************************************" | ||
349 | echo "* Warning: Long-term support (LTS) was enabled! *" | ||
350 | echo "* Most compile-time options have bean rewritten! *" | ||
351 | echo "*********************************************************" | ||
352 | echo | ||
353 | echo | ||
354 | fi | ||
355 | |||
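Review bot: Two assignments in the `--enable-lts` override block do not do what they appear to intend. `HAVE_CONTRIB_INSTALL="no",` carries a trailing comma, so the variable becomes `no,` and a consumer comparing it with `no` would not match; and `HAVE_PRIVATEHOME=""` is followed by `AC_SUBST(HAVE_PRIVATE_HOME)`, so one of the two names is misspelled and private-home is presumably not switched off in LTS builds. Drop the comma (`HAVE_CONTRIB_INSTALL="no"`) and use one name in both lines, matching whatever the earlier private-home `AC_ARG_ENABLE` block sets (not visible in these hunks). The block also sets `HAVE_SUID="yes"` unconditionally, overriding any earlier setting, which deserves a comment because it silently re-enables the SUID install. The summary strings `enable --ouput logging` and `have bean rewritten` are misspelled (`--output`, `been`); the same text appears in the generated `configure`.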
diff --git a/contrib/firejail-welcome.sh b/contrib/firejail-welcome.sh index 2943983e5..6eebc67c5 100755 --- a/contrib/firejail-welcome.sh +++ b/contrib/firejail-welcome.sh | |||
@@ -1,7 +1,7 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | 2 | ||
3 | # This file is part of Firejail project | 3 | # This file is part of Firejail project |
4 | # Copyright (C) 2020 Firejail Authors | 4 | # Copyright (C) 2020-2021 Firejail Authors |
5 | # License GPL v2 | 5 | # License GPL v2 |
6 | 6 | ||
7 | if ! command -v zenity >/dev/null; then | 7 | if ! command -v zenity >/dev/null; then |
diff --git a/contrib/fj-mkdeb.py b/contrib/fj-mkdeb.py index 487df4c83..b4a947535 100755 --- a/contrib/fj-mkdeb.py +++ b/contrib/fj-mkdeb.py | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/env python3 | 1 | #!/usr/bin/env python3 |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | # This script automates the workaround for https://github.com/netblue30/firejail/issues/772 | 6 | # This script automates the workaround for https://github.com/netblue30/firejail/issues/772 |
diff --git a/contrib/fjclip.py b/contrib/fjclip.py index 66038430d..3e99d71e9 100755 --- a/contrib/fjclip.py +++ b/contrib/fjclip.py | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/env python3 | 1 | #!/usr/bin/env python3 |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | import sys | 6 | import sys |
diff --git a/contrib/fjdisplay.py b/contrib/fjdisplay.py index f1880283b..294bde997 100755 --- a/contrib/fjdisplay.py +++ b/contrib/fjdisplay.py | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/env python3 | 1 | #!/usr/bin/env python3 |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | import re | 6 | import re |
diff --git a/contrib/fjresize.py b/contrib/fjresize.py index 6ab963c58..d656f5c91 100755 --- a/contrib/fjresize.py +++ b/contrib/fjresize.py | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/env python3 | 1 | #!/usr/bin/env python3 |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | import sys | 6 | import sys |
diff --git a/contrib/gdb-firejail.sh b/contrib/gdb-firejail.sh index 7a351c065..941fc45ef 100755 --- a/contrib/gdb-firejail.sh +++ b/contrib/gdb-firejail.sh | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | set -x | 5 | set -x |
6 | 6 | ||
diff --git a/contrib/jail_prober.py b/contrib/jail_prober.py index 67e851282..9205d9b3e 100755 --- a/contrib/jail_prober.py +++ b/contrib/jail_prober.py | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/env python3 | 1 | #!/usr/bin/env python3 |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | """ | 5 | """ |
6 | Figure out which profile options may be causing a particular program to break | 6 | Figure out which profile options may be causing a particular program to break |
diff --git a/contrib/sort.py b/contrib/sort.py index 54b2cbaa6..9e5062c3c 100755 --- a/contrib/sort.py +++ b/contrib/sort.py | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/env python3 | 1 | #!/usr/bin/env python3 |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | """ | 5 | """ |
6 | Sort the items of multi-item options in profiles, the following options are supported: | 6 | Sort the items of multi-item options in profiles, the following options are supported: |
@@ -80,7 +80,7 @@ def fix_profile(filename): | |||
80 | lines = profile.read().split("\n") | 80 | lines = profile.read().split("\n") |
81 | was_fixed = False | 81 | was_fixed = False |
82 | fixed_profile = [] | 82 | fixed_profile = [] |
83 | for line in lines: | 83 | for lineno, line in enumerate(lines): |
84 | if line[:12] in ("private-bin ", "private-etc ", "private-lib "): | 84 | if line[:12] in ("private-bin ", "private-etc ", "private-lib "): |
85 | fixed_line = f"{line[:12]}{sort_alphabetical(line[12:])}" | 85 | fixed_line = f"{line[:12]}{sort_alphabetical(line[12:])}" |
86 | elif line[:13] in ("seccomp.drop ", "seccomp.keep "): | 86 | elif line[:13] in ("seccomp.drop ", "seccomp.keep "): |
@@ -95,6 +95,10 @@ def fix_profile(filename): | |||
95 | fixed_line = line | 95 | fixed_line = line |
96 | if fixed_line != line: | 96 | if fixed_line != line: |
97 | was_fixed = True | 97 | was_fixed = True |
98 | print( | ||
99 | f"{filename}:{lineno + 1}:-{line}\n" | ||
100 | f"{filename}:{lineno + 1}:+{fixed_line}" | ||
101 | ) | ||
98 | fixed_profile.append(fixed_line) | 102 | fixed_profile.append(fixed_line) |
99 | if was_fixed: | 103 | if was_fixed: |
100 | profile.seek(0) | 104 | profile.seek(0) |
@@ -108,6 +112,7 @@ def fix_profile(filename): | |||
108 | 112 | ||
109 | def main(args): | 113 | def main(args): |
110 | exit_code = 0 | 114 | exit_code = 0 |
115 | print(f"sort.py: checking {len(args)} {'profiles' if len(args) != 1 else 'profile'}...") | ||
111 | for filename in args: | 116 | for filename in args: |
112 | try: | 117 | try: |
113 | if exit_code not in (1, 101): | 118 | if exit_code not in (1, 101): |
@@ -120,8 +125,8 @@ def main(args): | |||
120 | except PermissionError: | 125 | except PermissionError: |
121 | print(f"[ Error ] Can't read/write `{filename}'") | 126 | print(f"[ Error ] Can't read/write `{filename}'") |
122 | exit_code = 1 | 127 | exit_code = 1 |
123 | except: | 128 | except Exception as err: |
124 | print(f"[ Error ] An error occurred while processing `{filename}'") | 129 | print(f"[ Error ] An error occurred while processing `{filename}': {err}") |
125 | exit_code = 1 | 130 | exit_code = 1 |
126 | return exit_code | 131 | return exit_code |
127 | 132 | ||
diff --git a/contrib/syscalls.sh b/contrib/syscalls.sh index b990ac23c..728ff5a78 100755 --- a/contrib/syscalls.sh +++ b/contrib/syscalls.sh | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | STRACE_OUTPUT_FILE="$(pwd)/strace_output.txt" | 6 | STRACE_OUTPUT_FILE="$(pwd)/strace_output.txt" |
diff --git a/contrib/update_deb.sh b/contrib/update_deb.sh index 1fceca788..4c715aaf7 100755 --- a/contrib/update_deb.sh +++ b/contrib/update_deb.sh | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/sh | 1 | #!/bin/sh |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | # Purpose: Fetch, compile, and install firejail from GitHub source. For | 6 | # Purpose: Fetch, compile, and install firejail from GitHub source. For |
diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default index ec87f1d2d..80d527e41 100644 --- a/etc/apparmor/firejail-default +++ b/etc/apparmor/firejail-default | |||
@@ -126,40 +126,14 @@ signal (receive), | |||
126 | # We let Firejail deal with capabilities, but ensure that | 126 | # We let Firejail deal with capabilities, but ensure that |
127 | # some AppArmor related capabilities will not be available. | 127 | # some AppArmor related capabilities will not be available. |
128 | ########## | 128 | ########## |
129 | capability chown, | 129 | # The list of recognized capabilities varies from one apparmor version to another. |
130 | capability dac_override, | 130 | # For example on Debian 10 (apparmor 2.13.2) checkpoint_restore, perfmon, bpf are not available |
131 | capability dac_read_search, | 131 | # We allow all caps by default and remove the ones we don't like: |
132 | capability fowner, | 132 | capability, |
133 | capability fsetid, | 133 | deny capability audit_write, |
134 | capability kill, | 134 | deny capability audit_control, |
135 | capability setgid, | 135 | deny capability mac_override, |
136 | capability setuid, | 136 | deny capability mac_admin, |
137 | capability setpcap, | ||
138 | capability linux_immutable, | ||
139 | capability net_bind_service, | ||
140 | capability net_broadcast, | ||
141 | capability net_admin, | ||
142 | capability net_raw, | ||
143 | capability ipc_lock, | ||
144 | capability ipc_owner, | ||
145 | capability sys_module, | ||
146 | capability sys_rawio, | ||
147 | capability sys_chroot, | ||
148 | capability sys_ptrace, | ||
149 | capability sys_pacct, | ||
150 | capability sys_admin, | ||
151 | capability sys_boot, | ||
152 | capability sys_nice, | ||
153 | capability sys_resource, | ||
154 | capability sys_time, | ||
155 | capability sys_tty_config, | ||
156 | capability mknod, | ||
157 | capability lease, | ||
158 | #capability audit_write, | ||
159 | #capability audit_control, | ||
160 | capability setfcap, | ||
161 | #capability mac_override, | ||
162 | #capability mac_admin, | ||
163 | 137 | ||
164 | # Site-specific additions and overrides. See local/README for details. | 138 | # Site-specific additions and overrides. See local/README for details. |
165 | #include <local/firejail-default> | 139 | #include <local/firejail-default> |
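Review bot: Replacing the explicit list with a bare `capability,` turns this section from an allowlist into a denylist. The profile now also permits capabilities the old list never named (for example syslog, wake_alarm, block_suspend, audit_read) and any capability a future kernel adds, including the checkpoint_restore, perfmon and bpf mentioned in the new comment. That matches the header comment that Firejail itself deals with capabilities, but AppArmor no longer acts as a second boundary here, and the comment should say so, e.g. `# Note: capabilities not denied below, including ones added by newer kernels, are allowed by this profile; restrict them with Firejail's caps.drop/caps.keep.` The four formerly commented-out entries are now explicit `deny` rules, which take precedence over allow rules, so the `local/firejail-default` include can no longer re-enable them.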
diff --git a/etc/apparmor/firejail-local b/etc/apparmor/firejail-local index f086653f8..893a1ce46 100644 --- a/etc/apparmor/firejail-local +++ b/etc/apparmor/firejail-local | |||
@@ -1,2 +1,5 @@ | |||
1 | # Site-specific additions and overrides for 'firejail-default'. | 1 | # Site-specific additions and overrides for 'firejail-default'. |
2 | # For more details, please see /etc/apparmor.d/local/README. | 2 | # For more details, please see /etc/apparmor.d/local/README. |
3 | |||
4 | # Uncomment to opt-in to apparmor for torbrowser-launcher | ||
5 | #owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/** ix, | ||
diff --git a/etc/inc/chromium-common-hardened.inc b/etc/inc/chromium-common-hardened.inc deleted file mode 100644 index f33ce3115..000000000 --- a/etc/inc/chromium-common-hardened.inc +++ /dev/null | |||
@@ -1,5 +0,0 @@ | |||
1 | caps.drop all | ||
2 | nonewprivs | ||
3 | noroot | ||
4 | protocol unix,inet,inet6,netlink | ||
5 | seccomp !chroot | ||
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index d724e3b52..52534a9e9 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc | |||
@@ -442,6 +442,7 @@ blacklist ${PATH}/mount | |||
442 | blacklist ${PATH}/mount.ecryptfs_private | 442 | blacklist ${PATH}/mount.ecryptfs_private |
443 | blacklist ${PATH}/nc | 443 | blacklist ${PATH}/nc |
444 | blacklist ${PATH}/ncat | 444 | blacklist ${PATH}/ncat |
445 | blacklist ${PATH}/nmap | ||
445 | blacklist ${PATH}/newgidmap | 446 | blacklist ${PATH}/newgidmap |
446 | blacklist ${PATH}/newgrp | 447 | blacklist ${PATH}/newgrp |
447 | blacklist ${PATH}/newuidmap | 448 | blacklist ${PATH}/newuidmap |
@@ -452,6 +453,7 @@ blacklist ${PATH}/sg | |||
452 | blacklist ${PATH}/strace | 453 | blacklist ${PATH}/strace |
453 | blacklist ${PATH}/su | 454 | blacklist ${PATH}/su |
454 | blacklist ${PATH}/sudo | 455 | blacklist ${PATH}/sudo |
456 | blacklist ${PATH}/tcpdump | ||
455 | blacklist ${PATH}/umount | 457 | blacklist ${PATH}/umount |
456 | blacklist ${PATH}/unix_chkpwd | 458 | blacklist ${PATH}/unix_chkpwd |
457 | blacklist ${PATH}/xev | 459 | blacklist ${PATH}/xev |
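Review bot: The added `blacklist ${PATH}/nmap` sits between `ncat` and `newgidmap`, which breaks the alphabetical order the neighbouring entries follow (`nmap` sorts after `newuidmap`). Move it below the `new*` entries; the lines after `newuidmap` are outside the hunk, so the exact position has to be checked against the full file. `blacklist ${PATH}/tcpdump` is in order relative to the visible `sudo` and `umount` lines.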
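--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -5,6 +5,7 @@ include disable-programs.local
 blacklist ${HOME}/Arduino
 blacklist ${HOME}/i2p
 blacklist ${HOME}/Monero/wallets
+blacklist ${HOME}/Nextcloud
 blacklist ${HOME}/Nextcloud/Notes
 blacklist ${HOME}/SoftMaker
 blacklist ${HOME}/Standard Notes Backups
@@ -117,8 +118,10 @@ blacklist ${HOME}/.config/MusE
 blacklist ${HOME}/.config/MuseScore
 blacklist ${HOME}/.config/MusicBrainz
 blacklist ${HOME}/.config/Nathan Osman
+blacklist ${HOME}/.config/Nextcloud
 blacklist ${HOME}/.config/Nylas Mail
 blacklist ${HOME}/.config/PacmanLogViewer
+blacklist ${HOME}/.config/PawelStolowski
 blacklist ${HOME}/.config/PBE
 blacklist ${HOME}/.config/Philipp Schmieder
 blacklist ${HOME}/.config/QGIS
@@ -164,6 +167,7 @@ blacklist ${HOME}/.config/aweather
 blacklist ${HOME}/.config/backintime
 blacklist ${HOME}/.config/baloofilerc
 blacklist ${HOME}/.config/baloorc
+blacklist ${HOME}/.config/bcompare
 blacklist ${HOME}/.config/blender
 blacklist ${HOME}/.config/bless
 blacklist ${HOME}/.config/bnox
@@ -265,6 +269,7 @@ blacklist ${HOME}/.config/inkscape
 blacklist ${HOME}/.config/inox
 blacklist ${HOME}/.config/iridium
 blacklist ${HOME}/.config/itch
+blacklist ${HOME}/.config/jami
 blacklist ${HOME}/.config/jd-gui.cfg
 blacklist ${HOME}/.config/k3brc
 blacklist ${HOME}/.config/kaffeinerc
@@ -304,12 +309,12 @@ blacklist ${HOME}/.config/lugaru
 blacklist ${HOME}/.config/lutris
 blacklist ${HOME}/.config/lximage-qt
 blacklist ${HOME}/.config/mailtransports
-blacklist ${HOME}/.local/share/man
 blacklist ${HOME}/.config/mana
 blacklist ${HOME}/.config/mate-calc
 blacklist ${HOME}/.config/mate/eom
 blacklist ${HOME}/.config/mate/mate-dictionary
 blacklist ${HOME}/.config/matrix-mirage
+blacklist ${HOME}/.config/mcomix
 blacklist ${HOME}/.config/meld
 blacklist ${HOME}/.config/meteo-qt
 blacklist ${HOME}/.config/menulibre.cfg
@@ -333,6 +338,7 @@ blacklist ${HOME}/.config/nemo
 blacklist ${HOME}/.config/neomutt
 blacklist ${HOME}/.config/netsurf
 blacklist ${HOME}/.config/newsbeuter
+blacklist ${HOME}/.config/newsboat
 blacklist ${HOME}/.config/newsflash
 blacklist ${HOME}/.config/nheko
 blacklist ${HOME}/.config/NitroShare
@@ -344,6 +350,7 @@ blacklist ${HOME}/.config/okularrc
 blacklist ${HOME}/.config/onboard
 blacklist ${HOME}/.config/onionshare
 blacklist ${HOME}/.config/onlyoffice
+blacklist ${HOME}/.config/openmw
 blacklist ${HOME}/.config/opera
 blacklist ${HOME}/.config/opera-beta
 blacklist ${HOME}/.config/orage
@@ -356,6 +363,7 @@ blacklist ${HOME}/.config/pavucontrol.ini
 blacklist ${HOME}/.config/pcmanfm
 blacklist ${HOME}/.config/pdfmod
 blacklist ${HOME}/.config/Pinta
+blacklist ${HOME}/.config/pipe-viewer
 blacklist ${HOME}/.config/pitivi
 blacklist ${HOME}/.config/pix
 blacklist ${HOME}/.config/pluma
@@ -436,6 +444,7 @@ blacklist ${HOME}/.config/yandex-browser
 blacklist ${HOME}/.config/yandex-browser-beta
 blacklist ${HOME}/.config/yelp
 blacklist ${HOME}/.config/youtube-dl
+blacklist ${HOME}/.config/youtube-dlg
 blacklist ${HOME}/.config/youtubemusic-nativefier-040164
 blacklist ${HOME}/.config/youtube-music-desktop-app
 blacklist ${HOME}/.config/youtube-viewer
@@ -582,7 +591,9 @@ blacklist ${HOME}/.local/share/JetBrains
 blacklist ${HOME}/.local/share/Kingsoft
 blacklist ${HOME}/.local/share/Mendeley Ltd.
 blacklist ${HOME}/.local/share/Mumble
+blacklist ${HOME}/.local/share/Nextcloud
 blacklist ${HOME}/.local/share/PBE
+blacklist ${HOME}/.local/share/PawelStolowski
 blacklist ${HOME}/.local/share/Psi
 blacklist ${HOME}/.local/share/QGIS
 blacklist ${HOME}/.local/share/QMediathekView
@@ -658,6 +669,7 @@ blacklist ${HOME}/.local/share/gradio
 blacklist ${HOME}/.local/share/gwenview
 blacklist ${HOME}/.local/share/i2p
 blacklist ${HOME}/.local/share/IntoTheBreach
+blacklist ${HOME}/.local/share/jami
 blacklist ${HOME}/.local/share/kaffeine
 blacklist ${HOME}/.local/share/kalgebra
 blacklist ${HOME}/.local/share/kate
@@ -683,11 +695,14 @@ blacklist ${HOME}/.local/share/lollypop
 blacklist ${HOME}/.local/share/love
 blacklist ${HOME}/.local/share/lugaru
 blacklist ${HOME}/.local/share/lutris
+blacklist ${HOME}/.local/share/man
 blacklist ${HOME}/.local/share/mana
 blacklist ${HOME}/.local/share/maps-places.json
 blacklist ${HOME}/.local/share/matrix-mirage
+blacklist ${HOME}/.local/share/mcomix
 blacklist ${HOME}/.local/share/meld
 blacklist ${HOME}/.local/share/midori
+blacklist ${HOME}/.local/share/minder
 blacklist ${HOME}/.local/share/mirage
 blacklist ${HOME}/.local/share/multimc
 blacklist ${HOME}/.local/share/multimc5
@@ -698,11 +713,14 @@ blacklist ${HOME}/.local/share/nautilus-python
 blacklist ${HOME}/.local/share/nemo
 blacklist ${HOME}/.local/share/nemo-python
 blacklist ${HOME}/.local/share/news-flash
+blacklist ${HOME}/.local/share/newsbeuter
+blacklist ${HOME}/.local/share/newsboat
 blacklist ${HOME}/.local/share/nomacs
 blacklist ${HOME}/.local/share/notes
 blacklist ${HOME}/.local/share/ocenaudio
 blacklist ${HOME}/.local/share/okular
 blacklist ${HOME}/.local/share/onlyoffice
+blacklist ${HOME}/.local/share/openmw
 blacklist ${HOME}/.local/share/orage
 blacklist ${HOME}/.local/share/org.kde.gwenview
 blacklist ${HOME}/.local/share/Paradox Interactive
@@ -786,6 +804,7 @@ blacklist ${HOME}/.opera-beta
 blacklist ${HOME}/.ostrichriders
 blacklist ${HOME}/.paradoxinteractive
 blacklist ${HOME}/.parallelrealities/blobwars
+blacklist ${HOME}/.pcsxr
 blacklist ${HOME}/.penguin-command
 blacklist ${HOME}/.pingus
 blacklist ${HOME}/.pioneer
@@ -888,6 +907,7 @@ blacklist ${HOME}/.cache/INRIA
 blacklist ${HOME}/.cache/MusicBrainz
 blacklist ${HOME}/.cache/NewsFlashGTK
 blacklist ${HOME}/.cache/Otter
+blacklist ${HOME}/.cache/PawelStolowski
 blacklist ${HOME}/.cache/Psi
 blacklist ${HOME}/.cache/QuiteRss
 blacklist ${HOME}/.cache/Quotient/quaternion
@@ -996,6 +1016,7 @@ blacklist ${HOME}/.cache/org.gnome.Maps
 blacklist ${HOME}/.cache/pdfmod
 blacklist ${HOME}/.cache/peek
 blacklist ${HOME}/.cache/pip
+blacklist ${HOME}/.cache/pipe-viewer
 blacklist ${HOME}/.cache/plasmashell
 blacklist ${HOME}/.cache/plasmashellbookmarkrunnerfirefoxdbfile.sqlite*
 blacklist ${HOME}/.cache/psi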
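Review bot: In the first hunk the new `blacklist ${HOME}/Nextcloud` covers the whole sync directory, which makes the existing `blacklist ${HOME}/Nextcloud/Notes` directly below it redundant and changes what lifting that entry achieves. As far as I can tell a `noblacklist` only cancels the blacklist entry for the matching path, so a profile outside this view that contains only `noblacklist ${HOME}/Nextcloud/Notes` would now find the parent directory blocked; such profiles need checking and probably a `noblacklist ${HOME}/Nextcloud` as well. Either drop the `Notes` line or add a comment above the pair, e.g. `# Nextcloud sync root; the Notes entry is redundant and kept only for existing noblacklist lines`. The list continues outside every hunk in this section.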
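--- a/etc/inc/feh-network.inc
+++ /dev/null
@@ -1,4 +0,0 @@
-ignore net none
-netfilter
-protocol unix,inet,inet6
-private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl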
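--- a/etc/profile-a-l/7z.profile
+++ b/etc/profile-a-l/7z.profile
@@ -7,8 +7,8 @@ include 7z.local
 # Persistent global definitions
 include globals.local
 
-# Included in archiver-common.inc
+# Included in archiver-common.profile
 ignore include disable-shell.inc
 
 # Redirect
-include archiver-common.inc
+include archiver-common.profile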
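--- a/etc/profile-a-l/android-studio.profile
+++ b/etc/profile-a-l/android-studio.profile
@@ -5,6 +5,7 @@ include android-studio.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.config/Google
 noblacklist ${HOME}/.AndroidStudio*
 noblacklist ${HOME}/.android
 noblacklist ${HOME}/.jack-server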
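Review bot: `noblacklist ${HOME}/.config/Google` lifts the blacklist for a vendor-wide directory rather than for Android Studio's own settings, so any other application data stored under it becomes reachable from this sandbox too. If the IDE only needs its own subdirectory, a narrower entry would keep least privilege; a `noblacklist` has to match the path that `disable-programs.inc` blacklists, which is outside this view, so the narrowing may have to start there. The line is also out of order: sorted with its neighbours it belongs after `noblacklist ${HOME}/.android`. The list continues outside the hunk.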
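--- a/etc/profile-a-l/ar.profile
+++ b/etc/profile-a-l/ar.profile
@@ -8,4 +8,4 @@ include ar.local
 include globals.local
 
 # Redirect
-include archiver-common.inc
+include archiver-common.profile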
diff --git a/etc/inc/archiver-common.inc b/etc/profile-a-l/archiver-common.profile index 74b0b6ef6..74b0b6ef6 100644 --- a/etc/inc/archiver-common.inc +++ b/etc/profile-a-l/archiver-common.profile | |||
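--- a/etc/profile-a-l/atool.profile
+++ b/etc/profile-a-l/atool.profile
@@ -17,4 +17,4 @@ private-etc alternatives,group,login.defs,passwd
 private-tmp
 
 # Redirect
-include archiver-common.inc
+include archiver-common.profile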
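--- a/etc/profile-a-l/atril.profile
+++ b/etc/profile-a-l/atril.profile
@@ -40,7 +40,7 @@ seccomp
 shell none
 tracelog
 
-private-bin atril,atril-previewer,atril-thumbnailer
+private-bin 7z,7za,7zr,atril,atril-previewer,atril-thumbnailer,sh,tar,unrar,unzip,zipnote
 private-dev
 private-etc alternatives,fonts,ld.so.cache
 # atril uses webkit gtk to display epub files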
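Review bot: The widened `private-bin` line adds `sh` and seven archive helpers to a document viewer that opens untrusted files, and nothing in the hunk records why they are needed. `shell none` a few lines above only controls how firejail launches atril; it does not keep a shell binary out of the sandbox, so `sh` is now available to anything running inside it. Add a comment above the line, for example `# 7z,7za,7zr,sh,tar,unrar,unzip,zipnote are needed to open comic book archives`, after confirming that this is the reason, so a later cleanup can tell whether `sh` may be dropped again. The profile continues outside the hunk.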
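--- /dev/null
+++ b/etc/profile-a-l/bcompare.profile
@@ -0,0 +1,62 @@
+# Firejail profile for Beyond Compare by Scooter Software
+# Description: directory and file compare utility
+# Disables the network, which only impacts checking for updates.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bcompare.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/bcompare
+# In case the user decides to include disable-programs.inc, still allow
+# KDE's Gwenview to view images via right click -> Open With -> Associated Application
+noblacklist ${HOME}/.config/gwenviewrc
+
+# Uncomment the next line (or put it into your bcompare.local) if you don't need to compare files in disable-common.inc
+#include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# Uncomment the next line (or put it into your bcompare.local) if you don't need to compare files in disable-programs.inc
+#include disable-programs.inc
+# Uncommenting this breaks launch
+# include disable-shell.inc
+include disable-write-mnt.inc
+# Don't disable ${DOCUMENTS}, ${MUSIC}, ${PICTURES}, ${VIDEOS}
+# include disable-xdg.inc
+
+# include whitelist-common.inc
+# include whitelist-runuser-common.inc
+# include whitelist-usr-share-common.inc
+# include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+# Uncommenting might break Pulse Audio
+#machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+# Allow applications launched on sound files to play them
+#nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+# see /usr/share/doc/firejail/profile.template for more common private-etc paths.
+# private-etc alternatives,fonts,machine-id
+# Necessary because of the `include disable-exec.inc` line. Prevents error "Error fstat: fs.c:504 fs_remount_simple: Transport endpoint is not connected ... cannot sync with peer: unexpected EOF Peer [...] unexpectedly exited with status 1"
+private-tmp
+
+dbus-user none
+dbus-system none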
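Review bot: `disable-common.inc` and `disable-programs.inc` are both shipped commented out and every `whitelist-*` include is commented out as well, so by default this profile leaves most of the home directory readable and writable inside the sandbox, including whatever those two includes would hide. `net none`, `caps.drop all` and `seccomp` still apply, but the header does not tell the user that file-system confinement is opt-in here. State it at the top, e.g. `# NOTE: disable-common.inc and disable-programs.inc are off by default so that any file can be compared; enable them in bcompare.local if you do not need that`. The commented lines also mix `#include` and `# include`; pick one form.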
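--- a/etc/profile-a-l/bsdtar.profile
+++ b/etc/profile-a-l/bsdtar.profile
@@ -9,4 +9,4 @@ include globals.local
 private-etc alternatives,group,localtime,passwd
 
 # Redirect
-include archiver-common.inc
+include archiver-common.profile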
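--- a/etc/profile-a-l/chromium-browser-privacy.profile
+++ b/etc/profile-a-l/chromium-browser-privacy.profile
@@ -11,7 +11,7 @@ mkdir ${HOME}/.config/ungoogled-chromium
 whitelist ${HOME}/.cache/ungoogled-chromium
 whitelist ${HOME}/.config/ungoogled-chromium
 
-# private-bin basename,bash,chromium-browser-privacy,dirname,mkdir,readlink,sed,touch,which,xdg-settings
+# private-bin basename,bash,cat,chromium-browser-privacy,dirname,mkdir,readlink,sed,touch,which,xdg-settings
 
 # Redirect
 include chromium.profile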
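--- /dev/null
+++ b/etc/profile-a-l/chromium-common-hardened.profile
@@ -0,0 +1,9 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include chromium-common-hardened.local
+
+caps.drop all
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp !chroot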
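Review bot: The file drops all capabilities and sets `noroot`, but carries no comment on when it is safe to include. The precondition, a kernel that allows unprivileged user namespace cloning, is written only next to the commented-out `include` lines in the profiles that reference it. Repeat it here, e.g. `# Only include this if your kernel allows unprivileged userns clone`, and add a word on why `chroot` is exempted in `seccomp !chroot`, which is presumably for the browser's own sandbox.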
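--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -32,7 +32,7 @@ include whitelist-var-common.inc
 
 # Uncomment the next line (or add it to your chromium-common.local)
 # if your kernel allows unprivileged userns clone.
-#include chromium-common-hardened.inc
+#include chromium-common-hardened.profile
 
 # Uncomment or put in your chromium-common.local to allow screen sharing under
 # wayland.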
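--- /dev/null
+++ b/etc/profile-a-l/com.github.phase1geo.minder.profile
@@ -0,0 +1,61 @@
+# Firejail profile for com.github.phase1geo.minder
+# Description: Mind-mapping application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include com.github.phase1geo.minder.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/minder
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/minder
+whitelist ${HOME}/.local/share/minder
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+whitelist ${PICTURES}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin com.github.phase1geo.minder
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,pango,passwd,X11,xdg
+private-tmp
+
+dbus-user filter
+dbus-user.own com.github.phase1geo.minder
+dbus-user.talk ca.desrt.dconf
+dbus-system none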
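--- a/etc/profile-a-l/cpio.profile
+++ b/etc/profile-a-l/cpio.profile
@@ -11,4 +11,4 @@ noblacklist /sbin
 noblacklist /usr/sbin
 
 # Redirect
-include archiver-common.inc
+include archiver-common.profile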
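--- a/etc/profile-a-l/dolphin-emu.profile
+++ b/etc/profile-a-l/dolphin-emu.profile
@@ -18,6 +18,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-write-mnt.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.cache/dolphin-emu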
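--- a/etc/profile-a-l/dosbox.profile
+++ b/etc/profile-a-l/dosbox.profile
@@ -11,14 +11,17 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -36,3 +39,6 @@ tracelog
 private-bin dosbox
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none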
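--- /dev/null
+++ b/etc/profile-a-l/ebook-convert.profile
@@ -0,0 +1,11 @@
+# Firejail profile alias for calibre
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ebook-convert.local
+
+net none
+dbus-user none
+dbus-system none
+
+# Redirect
+include calibre.profile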
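Review bot: The header calls this an alias for calibre, but the profile is stricter than a plain redirect: it sets `net none`, `dbus-user none` and `dbus-system none` before including `calibre.profile`. Say so in the header, e.g. `# Firejail profile for ebook-convert (calibre tool, sandboxed without network or D-Bus)`, so a user who hits a missing-network error knows it is intended and where to override it. The same applies to `ebook-edit.profile`, `ebook-meta.profile` and `ebook-polish.profile` below, which are identical apart from the `.local` name.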
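--- /dev/null
+++ b/etc/profile-a-l/ebook-edit.profile
@@ -0,0 +1,11 @@
+# Firejail profile alias for calibre
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ebook-edit.local
+
+net none
+dbus-user none
+dbus-system none
+
+# Redirect
+include calibre.profile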
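--- /dev/null
+++ b/etc/profile-a-l/ebook-meta.profile
@@ -0,0 +1,11 @@
+# Firejail profile alias for calibre
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ebook-meta.local
+
+net none
+dbus-user none
+dbus-system none
+
+# Redirect
+include calibre.profile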
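--- /dev/null
+++ b/etc/profile-a-l/ebook-polish.profile
@@ -0,0 +1,11 @@
+# Firejail profile alias for calibre
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ebook-polish.local
+
+net none
+dbus-user none
+dbus-system none
+
+# Redirect
+include calibre.profile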
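--- a/etc/profile-a-l/electron.profile
+++ b/etc/profile-a-l/electron.profile
@@ -20,7 +20,7 @@ include whitelist-var-common.inc
 
 # Uncomment the next line (or add it to your chromium-common.local)
 # if your kernel allows unprivileged userns clone.
-#include chromium-common-hardened.inc
+#include chromium-common-hardened.profile
 
 apparmor
 caps.keep sys_admin,sys_chroot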
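--- a/etc/profile-a-l/engrampa.profile
+++ b/etc/profile-a-l/engrampa.profile
@@ -36,7 +36,6 @@ tracelog
 private-dev
 # private-tmp
 
-dbus-user none
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
 dbus-system none
-
-memory-deny-write-execute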
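Review bot: The hunk drops `memory-deny-write-execute` from the end of the profile with no reason recorded, while also relaxing `dbus-user none` to `dbus-user filter`, so an archive manager that opens untrusted archives loses that memory protection silently. If the option broke something, keep it visible as a commented line with the reason, e.g. `# memory-deny-write-execute - breaks <what it breaks>`, so it can be re-enabled once the cause is fixed; if the removal was unintended, restore it. The `dbus-user.talk ca.desrt.dconf` addition is narrow and needs no change.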
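--- /dev/null
+++ b/etc/profile-a-l/feh-network.profile
@@ -0,0 +1,8 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include feh-network.local
+
+ignore net none
+netfilter
+protocol unix,inet,inet6
+private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl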
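--- a/etc/profile-a-l/feh.profile
+++ b/etc/profile-a-l/feh.profile
@@ -18,7 +18,7 @@ include disable-shell.inc
 # This profile disables network access
 # In order to enable network access,
 # uncomment the following or put it in your feh.local:
-# include feh-network.inc
+# include feh-network.profile
 
 caps.drop all
 net none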
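--- a/etc/inc/firefox-common-addons.inc
+++ b/etc/profile-a-l/firefox-common-addons.profile
@@ -3,11 +3,15 @@
 include firefox-common-addons.local
 
 ignore include whitelist-runuser-common.inc
+ignore private-cache
 
+noblacklist ${HOME}/.cache/youtube-dl
 noblacklist ${HOME}/.config/kgetrc
+noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.config/okularpartrc
 noblacklist ${HOME}/.config/okularrc
 noblacklist ${HOME}/.config/qpdfview
+noblacklist ${HOME}/.config/youtube-dl
 noblacklist ${HOME}/.kde/share/apps/kget
 noblacklist ${HOME}/.kde/share/apps/okular
 noblacklist ${HOME}/.kde/share/config/kgetrc
@@ -22,15 +26,19 @@ noblacklist ${HOME}/.local/share/kget
 noblacklist ${HOME}/.local/share/kxmlgui5/okular
 noblacklist ${HOME}/.local/share/okular
 noblacklist ${HOME}/.local/share/qpdfview
+noblacklist ${HOME}/.netrc
 
 whitelist ${HOME}/.cache/gnome-mplayer/plugin
+whitelist ${HOME}/.cache/youtube-dl/youtube-sigfuncs
 whitelist ${HOME}/.config/gnome-mplayer
 whitelist ${HOME}/.config/kgetrc
+whitelist ${HOME}/.config/mpv
 whitelist ${HOME}/.config/okularpartrc
 whitelist ${HOME}/.config/okularrc
 whitelist ${HOME}/.config/pipelight-silverlight5.1
 whitelist ${HOME}/.config/pipelight-widevine
 whitelist ${HOME}/.config/qpdfview
+whitelist ${HOME}/.config/youtube-dl
 whitelist ${HOME}/.kde/share/apps/kget
 whitelist ${HOME}/.kde/share/apps/okular
 whitelist ${HOME}/.kde/share/config/kgetrc
@@ -48,6 +56,7 @@ whitelist ${HOME}/.local/share/kxmlgui5/okular
 whitelist ${HOME}/.local/share/okular
 whitelist ${HOME}/.local/share/qpdfview
 whitelist ${HOME}/.local/share/tridactyl
+whitelist ${HOME}/.netrc
 whitelist ${HOME}/.pentadactyl
 whitelist ${HOME}/.pentadactylrc
 whitelist ${HOME}/.tridactylrc
@@ -57,6 +66,9 @@ whitelist ${HOME}/.wine-pipelight
 whitelist ${HOME}/.wine-pipelight64
 whitelist ${HOME}/.zotero
 whitelist ${HOME}/dwhelper
+whitelist /usr/share/lua
+whitelist /usr/share/lua*
+whitelist /usr/share/vulkan
 
 # GNOME Shell integration (chrome-gnome-shell) needs dbus and python
 noblacklist ${HOME}/.local/share/gnome-shell
@@ -75,17 +87,5 @@ include allow-python3.inc
 
 # ff2mpv
 #ignore noexec ${HOME}
-#noblacklist ${HOME}/.config/mpv
-#noblacklist ${HOME}/.config/youtube-dl
-#noblacklist ${HOME}/.netrc
 #include allow-lua.inc
-#include allow-python3.inc
-#mkdir ${HOME}/.config/mpv
-#mkdir ${HOME}/.config/youtube-dl
-#whitelist ${HOME}/.config/mpv
-#whitelist ${HOME}/.config/youtube-dl
-#whitelist ${HOME}/.netrc
-#whitelist /usr/share/lua
-#whitelist /usr/share/lua*
-#whitelist /usr/share/vulkan
 #private-bin env,mpv,python3*,waf,youtube-dl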
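Review bot: The new active lines `noblacklist ${HOME}/.netrc` and `whitelist ${HOME}/.netrc` make the user's stored login credentials readable by every browser that includes this addons profile; before this change both were commented-out opt-ins under the `# ff2mpv` heading. As far as the visible lines show, `.netrc` is only wanted for the ff2mpv/youtube-dl case, so I would keep them as `#noblacklist ${HOME}/.netrc` and `#whitelist ${HOME}/.netrc` in that block and let users enable them from firefox-common-addons.local. The added `ignore private-cache` in the first hunk also has no comment saying which addon needs the real cache directory.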
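--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -10,7 +10,7 @@ include firefox-common.local
 ?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
 
 # Uncomment the following line (or put it in your firefox-common.local) to allow access to common programs/addons/plugins.
-#include firefox-common-addons.inc
+#include firefox-common-addons.profile
 
 noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki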
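--- /dev/null
+++ b/etc/profile-a-l/gget.profile
@@ -0,0 +1,59 @@
+# Firejail profile for gget
+# Description: a cli. to get things. from git repos
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gget.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin gget
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute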
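--- a/etc/profile-a-l/ghostwriter.profile
+++ b/etc/profile-a-l/ghostwriter.profile
@@ -55,5 +55,5 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,firejail,fonts,gconf,groups,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,texlive,Trolltech.conf,X11,xdg
 private-tmp
 
-dbus-user none
+dbus-user filter
 dbus-system none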
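Review bot: `dbus-user filter` replaces `dbus-user none` with no `dbus-user.talk` or `dbus-user.own` rule in the visible lines, and nothing says which session-bus service ghostwriter needs. If a specific name is required, list it next to the filter line so the grant stays minimal and reviewable, with a one-line reason above it such as `# <feature> needs the session bus`; if nothing is required, `dbus-user none` is the tighter setting. The rest of the profile is outside this hunk, so a matching rule may already exist earlier in the file.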
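--- a/etc/profile-a-l/gzip.profile
+++ b/etc/profile-a-l/gzip.profile
@@ -12,4 +12,4 @@ include globals.local
 noblacklist /var/lib/pacman
 
 # Redirect
-include archiver-common.inc
+include archiver-common.profile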
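--- /dev/null
+++ b/etc/profile-a-l/ipcalc-ng.profile
@@ -0,0 +1,11 @@
+# Firejail profile ipcalc-ng
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ipcalc-ng.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include ipcalc.profile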
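--- /dev/null
+++ b/etc/profile-a-l/ipcalc.profile
@@ -0,0 +1,62 @@
+# Firejail profile for ipcalc
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ipcalc.local
+# Persistent global definitions
+include globals.local
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+# include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+# include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+# machine-id
+net none
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+# protocol unix
+seccomp
+shell none
+# tracelog
+
+disable-mnt
+private
+private-bin bash,ipcalc,ipcalc-ng,perl,sh
+# private-cache
+private-dev
+# empty etc directory
+private-etc none
+private-lib
+private-opt none
+private-tmp
+
+dbus-user none
+dbus-system none
+
+# memory-deny-write-execute
+# read-only ${HOME}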
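Review bot: Several hardening options are left commented out with no reason given (`# include disable-shell.inc`, `# machine-id`, `# protocol unix`, `# tracelog`, `# memory-deny-write-execute`), so a later maintainer cannot tell which were tested and broke and which were never tried. `net none` removes the network interfaces, but without a `protocol` line the socket families themselves are not filtered; if ipcalc runs with it, enable `protocol unix`. For the options that really do break, a trailing reason in the style used elsewhere in this commit (`#seccomp - breaks loading with no logs`) would do, for example `# include disable-shell.inc - ipcalc-ng needs sh` if that is the cause.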
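--- /dev/null
+++ b/etc/profile-a-l/jami-gnome.profile
@@ -0,0 +1,42 @@
+# Firejail profile for jami-gnome
+# Description: An encrypted peer-to-peer messenger
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jami-gnome.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/jami
+noblacklist ${HOME}/.local/share/jami
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+#include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/jami
+mkdir ${HOME}/.local/share/jami
+whitelist ${HOME}/.config/jami
+whitelist ${HOME}/.local/share/jami
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+
+env QT_QPA_PLATFORM=xcb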
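Review bot: `#include disable-interpreters.inc` is commented out with no reason, which leaves every interpreter installed on the system reachable from the sandbox. If jami-gnome needs one specific interpreter, keep `include disable-interpreters.inc` and add the matching `include allow-*.inc` above the disable block, as ipcalc.profile in this commit does with `include allow-perl.inc`. The profile also has no `dbus-user`/`dbus-system` lines and no `private-bin`, unlike the other new profiles in this commit; if those were tried and broke the application, a short comment saying so would help.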
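--- a/etc/profile-a-l/jitsi-meet-desktop.profile
+++ b/etc/profile-a-l/jitsi-meet-desktop.profile
@@ -20,7 +20,7 @@ nowhitelist ${DOWNLOADS}
 mkdir ${HOME}/.config/Jitsi Meet
 whitelist ${HOME}/.config/Jitsi Meet
 
-private-bin bash,jitsi-meet-desktop
+private-bin bash,electron,electron[0-9],electron[0-9][0-9],jitsi-meet-desktop,sh
 private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
 
 # Redirect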
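--- a/etc/profile-a-l/kdiff3.profile
+++ b/etc/profile-a-l/kdiff3.profile
@@ -10,7 +10,11 @@ noblacklist ${HOME}/.config/kdiff3fileitemactionrc
 noblacklist ${HOME}/.config/kdiff3rc
 
 # Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in disable-common.inc.
+# by default we deny access only to .ssh and .gnupg
 #include disable-common.inc
+blacklist ${HOME}/.ssh
+blacklist ${HOME}/.gnupg
+
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc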
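Review bot: The added comment sits between "Uncomment the next line" and the `#include disable-common.inc` it refers to, so the instruction now points at a comment rather than at the include. I would move it below the include, directly above the two `blacklist` lines, as `# By default only ${HOME}/.ssh and ${HOME}/.gnupg are blacklisted`. With disable-common.inc left off, those two directories are the only credential locations denied in the visible lines, so other secret files under ${HOME} that disable-common.inc would have covered stay readable to kdiff3; the comment should say that this is the trade-off. The profile continues outside this hunk.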
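--- /dev/null
+++ b/etc/profile-a-l/lzop.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lzop
+# Description: File compressor using lzo lib
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lzop.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile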
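--- /dev/null
+++ b/etc/profile-m-z/PCSX2.profile
@@ -0,0 +1,57 @@
+# Firejail profile for PCSX2
+# Description: A PlayStation 2 emulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include PCSX2.local
+# Persistent global definitions
+include globals.local
+
+# Note: you must whitelist your games folder in a PCSX2.local
+
+noblacklist ${HOME}/.config/PCSX2
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/PCSX2
+whitelist ${HOME}/.config/PCSX2
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+netfilter
+# Uncomment the following line if not loading games from disc
+#nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+#seccomp - breaks loading with no logs
+shell none
+#tracelog - 32/64 bit incompatibility
+
+private-bin PCSX2
+private-cache
+# uncomment the following line if you do not need controller support
+#private-dev
+private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-opt none
+private-tmp
+
+dbus-user none
+dbus-system none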
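Review bot: `#seccomp - breaks loading with no logs` switches the syscall filter off entirely, which is the largest hardening loss in this profile. If the failing syscall can be identified, an exception on the default list (`seccomp !<syscall>`, where the installed firejail supports that form) would keep the rest of the filter in place. The neighbouring `#tracelog - 32/64 bit incompatibility` note suggests the binary may be 32-bit, which could be related and is worth recording on the seccomp line if confirmed.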
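--- /dev/null
+++ b/etc/profile-m-z/PPSSPPSDL.profile
@@ -0,0 +1,9 @@
+# Firejail profile for PPSSPPSDL
+# This file is overwritten after every install/update
+# Persistent local customizations
+include PPSSPPSDL.local
+# added by included profile
+#include globals.local
+
+# Redirect
+include ppsspp.profile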
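--- a/etc/profile-m-z/man.profile
+++ b/etc/profile-m-z/man.profile
@@ -29,6 +29,7 @@ whitelist /usr/share/locale
 whitelist /usr/share/man
 whitelist /var/cache/man
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -53,10 +54,10 @@ tracelog
 x11 none
 
 disable-mnt
-private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim
+#private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim
 private-cache
 private-dev
-private-etc alternatives,fonts,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg
+private-etc alternatives,fonts,groff,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg
 private-tmp
 
 dbus-user none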
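Review bot: The second hunk comments out the whole `private-bin` line without saying why, which removes the restriction on which executables `man` can reach inside the sandbox. If one helper was missing from the list, adding that name keeps the restriction in place. If the list cannot be kept complete across distributions, put the reason on the line itself, e.g. `#private-bin ... - <reason it breaks>`, so the setting is neither re-enabled blindly nor forgotten.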
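--- a/etc/profile-m-z/marker.profile
+++ b/etc/profile-m-z/marker.profile
@@ -12,6 +12,9 @@ include globals.local
 #private-etc ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf
 
 noblacklist ${HOME}/.cache/marker
+noblacklist ${DOCUMENTS}
+
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc
@@ -47,7 +50,7 @@ seccomp.block-secondary
 shell none
 tracelog
 
-private-bin marker
+private-bin marker,python3*
 private-cache
 private-dev
 private-etc alternatives,dconfgtk-3.0,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,pango,X11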
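Review bot: The unchanged `private-etc` line at the end of the second hunk contains `dconfgtk-3.0`, which looks like a missing comma; as written, neither `dconf` nor `gtk-3.0` is kept in the private /etc. Since this commit already edits the neighbouring `private-bin` line, it would be a good place to split the entry into `dconf` and `gtk-3.0`, each in its alphabetical position. The profile continues outside both hunks.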
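--- a/etc/profile-m-z/mate-color-select.profile
+++ b/etc/profile-m-z/mate-color-select.profile
@@ -15,6 +15,7 @@ include disable-shell.inc
 
 include whitelist-common.inc
 
+apparmor
 caps.drop all
 netfilter
 no3d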
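--- a/etc/profile-m-z/newsbeuter.profile
+++ b/etc/profile-m-z/newsbeuter.profile
@@ -7,13 +7,23 @@ include newsbeuter.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.config/newsbeuter
-noblacklist ${HOME}/.newsbeuter
+ignore include newsboat.local
+ignore mkdir ${HOME}/.config/newsboat
+ignore mkdir ${HOME}/.local/share/newsboat
+ignore mkdir ${HOME}/.newsboat
+blacklist ${PATH}/newsboat
+
+blacklist ${HOME}/.config/newsboat
+blacklist ${HOME}/.local/share/newsboat
+blacklist ${HOME}/.newsboat
+
+nowhitelist ${HOME}/.config/newsboat
+nowhitelist ${HOME}/.local/share/newsboat
+nowhitelist ${HOME}/.newsboat
 
 mkdir ${HOME}/.config/newsbeuter
+mkdir ${HOME}/.local/share/newsbeuter
 mkdir ${HOME}/.newsbeuter
-whitelist ${HOME}/.config/newsbeuter
-whitelist ${HOME}/.newsbeuter
 
 private-bin newsbeuter
 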
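--- a/etc/profile-m-z/newsboat.profile
+++ b/etc/profile-m-z/newsboat.profile
@@ -6,6 +6,11 @@ include newsboat.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.config/newsbeuter
+noblacklist ${HOME}/.config/newsboat
+noblacklist ${HOME}/.local/share/newsbeuter
+noblacklist ${HOME}/.local/share/newsboat
+noblacklist ${HOME}/.newsbeuter
 noblacklist ${HOME}/.newsboat
 
 include disable-common.inc
@@ -16,7 +21,14 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.config/newsboat
+mkdir ${HOME}/.local/share/newsboat
 mkdir ${HOME}/.newsboat
+whitelist ${HOME}/.config/newsbeuter
+whitelist ${HOME}/.config/newsboat
+whitelist ${HOME}/.local/share/newsbeuter
+whitelist ${HOME}/.local/share/newsboat
+whitelist ${HOME}/.newsbeuter
 whitelist ${HOME}/.newsboat
 include whitelist-common.inc
 include whitelist-runuser-common.inc
@@ -38,7 +50,7 @@ seccomp
 shell none
 
 disable-mnt
-private-bin gzip,lynx,newsboat,sh
+private-bin gzip,lynx,newsboat,sh,w3m
 private-cache
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo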
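Review bot: `w3m` is added to `private-bin` in the last hunk, but the `private-etc` line below it still lists only the lynx files (`lynx.cfg`, `lynx.lss`). If w3m reads a system configuration directory on the target distributions, `private-etc` needs a matching entry such as `w3m`; otherwise it runs with built-in defaults inside the sandbox. Which path w3m actually uses is not visible here, so this should be tested rather than assumed.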
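--- /dev/null
+++ b/etc/profile-m-z/nextcloud-desktop.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for nextcloud
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nextcloud-desktop.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include nextcloud.profile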
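--- /dev/null
+++ b/etc/profile-m-z/nextcloud.profile
@@ -0,0 +1,71 @@
+# Firejail profile for nextcloud
+# Description: Nextcloud desktop synchronization client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nextcloud.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/Nextcloud
+noblacklist ${HOME}/.config/Nextcloud
+noblacklist ${HOME}/.local/share/Nextcloud
+# Uncomment or put in your nextcloud.local to allow sync with more directories.
+#noblacklist ${DOCUMENTS}
+#noblacklist ${MUSIC}
+#noblacklist ${PICTURES}
+#noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/Nextcloud
+mkdir ${HOME}/.config/Nextcloud
+mkdir ${HOME}/.local/share/Nextcloud
+whitelist ${HOME}/Nextcloud
+whitelist ${HOME}/.config/Nextcloud
+whitelist ${HOME}/.local/share/Nextcloud
+# Uncomment or put in your nextcloud.local to allow sync with more directories.
+#whitelist ${DOCUMENTS}
+#whitelist ${MUSIC}
+#whitelist ${PICTURES}
+#whitelist ${VIDEOS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin nextcloud,nextcloud-desktop
+private-cache
+private-etc alternatives,ca-certificates,crypto-policies,drirc,fonts,gcrypt,host.conf,hosts,ld.so.cache,machine-id,Nextcloud,nsswitch.conf,os-release,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-dev
+private-tmp
+
+dbus-user filter
+dbus-user.talk org.freedesktop.secrets
+dbus-system none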
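Review bot: `dbus-user.talk org.freedesktop.secrets` gives the sandbox access to the user's secret service, and that service does not separate entries per application, so once the keyring is unlocked the client can in principle read secrets stored by other programs. The grant is probably needed to store the account credentials, but it deserves a comment above the line, e.g. `# Needed to store/retrieve the account password in the keyring`, so users who do not use the keyring know they can disable it from nextcloud.local. `private-etc` is also listed before `private-dev`, which breaks the alphabetical option order used by the other profiles in this commit.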
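--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -1,5 +1,5 @@
 # Firejail profile for Node.js
-# Description: Common profile for npm/yarn
+# Description: Asynchronous event-driven JavaScript runtime
 # This file is overwritten after every install/update
 # Persistent local customizations
 include nodejs-common.local
@@ -45,7 +45,9 @@ shell none
 
 disable-mnt
 private-dev
+# May need to add `passwd` to `private-etc` below to enable debugging with some IDEs
 private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,xdg
+# May need to be commented out in order to enable debugging with some IDEs
 private-tmp
 
 dbus-user none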
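--- /dev/null
+++ b/etc/profile-m-z/openmw-launcher.profile
@@ -0,0 +1,7 @@
+# Firejail profile for openmw-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openmw-launcher.local
+
+# Redirect
+include openmw.profile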
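--- /dev/null
+++ b/etc/profile-m-z/openmw.profile
@@ -0,0 +1,61 @@
+# Firejail profile for openmw
+# Description: Open source engine re-implementation for Morrowind
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openmw.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/openmw
+noblacklist ${HOME}/.local/share/openmw
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/openmw
+mkdir ${HOME}/.local/share/openmw
+whitelist ${HOME}/.config/openmw
+# Copy Morrowind data files into the following directory or load it from /mnt
+# or whitelist it in a openmw.local
+whitelist ${HOME}/.local/share/openmw
+whitelist /usr/share/openmw
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+netfilter
+# Uncomment the following line if installing from disc
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+private-bin bsatool,esmtool,niftest,openmw,openmw-cs,openmw-essimporter,openmw-iniimporter,openmw-launcher,openmw-wizard
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,bumblebee,drirc,fonts,glvnd,group,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nvidia,openmw,pango,passwd,pulse,Trolltech.conf,X11,xdg
+private-opt none
+private-tmp
+
+dbus-user none
+dbus-system none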
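Review bot: The comment `# Uncomment the following line if installing from disc` is followed by an already active `nodvd`, so following it literally changes nothing and disc access stays blocked. The wording should be inverted to `# Comment out the following line if installing from disc`. PCSX2.profile and pcsxr.profile in this commit use the opposite default (`#nodvd` under "Uncomment the following line if not loading games from disc"), so it is worth checking which default was intended here.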
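--- a/etc/profile-m-z/patch.profile
+++ b/etc/profile-m-z/patch.profile
@@ -43,7 +43,7 @@ x11 none
 
 private-bin patch,red
 private-dev
-private-lib libfakeroot
+private-lib libdl.so.*,libfakeroot
 
 dbus-user none
 dbus-system none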
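--- /dev/null
+++ b/etc/profile-m-z/pcsxr.profile
@@ -0,0 +1,57 @@
+# Firejail profile for pcsxr
+# Description: A PlayStation emulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pcsxr.local
+# Persistent global definitions
+include globals.local
+
+# Note: you must whitelist your games folder in a pcsxr.local
+
+noblacklist ${HOME}/.pcsxr
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.pcsxr
+whitelist ${HOME}/.pcsxr
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+netfilter
+# Uncomment the following line if not loading games from disc
+#nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+private-bin pcsxr
+private-cache
+# uncomment the following line if you do not need controller support
+#private-dev
+private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-opt none
+private-tmp
+
+dbus-user none
+dbus-system none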
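Review bot: `net none` on line 33 already leaves the sandbox without a usable network, yet line 34 adds `netfilter` and the `private-etc` list on line 52 exposes the whole networking group (`ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl`). The template touched by this same commit presents the choice as `'net none' or 'netfilter'`, so one of the two lines is redundant, and an offline emulator should not need resolver or TLS configuration in its /etc view. I would drop `netfilter` and cut `private-etc` back to the common, 3D, audio and GUI/GTK entries. The ppsspp.profile section that follows has a similar leftover: `protocol unix,netlink` excludes inet sockets while its unchanged `private-etc` line keeps `ca-certificates`, `hosts`, `resolv.conf` and `ssl`.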
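--- a/etc/profile-m-z/ppsspp.profile
+++ b/etc/profile-m-z/ppsspp.profile
@@ -1,13 +1,14 @@
 # Firejail profile for ppsspp
-# Description: A PSP emulator written in C++
+# Description: A PSP emulator
 # This file is overwritten after every install/update
 # Persistent local customizations
 include ppsspp.local
 # Persistent global definitions
 include globals.local
 
+# Note: you must whitelist your games folder in a ppsspp.local
+
 noblacklist ${HOME}/.config/ppsspp
-noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -15,8 +16,15 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-write-mnt.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.config/ppsspp
+whitelist ${HOME}/.config/ppsspp
+whitelist /usr/share/ppsspp
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
@@ -27,11 +35,13 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,netlink
 seccomp
 shell none
 
+private-bin ppsspp,PPSSPP,PPSSPPQt,PPSSPPSDL
 # uncomment the following line if you do not need controller support
 #private-dev
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl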
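--- /dev/null
+++ b/etc/profile-m-z/rtv-addons.profile
@@ -0,0 +1,23 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include rtv-addons.local
+# You can configure rtv to open different type of links
+# in external applications. Configuration here:
+# https://github.com/michael-lazar/rtv#viewing-media-links
+# This include is meant to facilitate that configuration
+# with the use of a .local file.
+
+ignore nosound
+ignore private-bin
+ignore dbus-user none
+
+noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.mailcap
+noblacklist ${HOME}/.netrc
+noblacklist ${HOME}/.w3m
+
+whitelist ${HOME}/.cache/youtube-dl/youtube-sigfuncs
+whitelist ${HOME}/.config/mpv
+whitelist ${HOME}/.mailcap
+whitelist ${HOME}/.netrc
+whitelist ${HOME}/.w3m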
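Review bot: The `noblacklist ${HOME}/.netrc` and `whitelist ${HOME}/.netrc` pair on lines 16 and 22 hands the user's stored logins to rtv and to every external viewer it starts, in the same include that also lifts `private-bin` and `dbus-user none`. Nothing in the header comment says which viewer needs `.netrc`, so a user who enables the include just to open media links widens credential exposure without being told. I would either leave the two `.netrc` lines out of the default add-on set, or keep them with `read-only ${HOME}/.netrc` and a comment such as `# .netrc holds plaintext credentials; remove these lines if your viewers do not need it`.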
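--- a/etc/profile-m-z/rtv.profile
+++ b/etc/profile-m-z/rtv.profile
@@ -16,6 +16,11 @@ noblacklist ${HOME}/.local/share/rtv
 include allow-python2.inc
 include allow-python3.inc
 
+# You can configure rtv to open different type of links
+# in external applications. Configuration here:
+# https://github.com/michael-lazar/rtv#viewing-media-links
+# Uncomment or put in rtv.local for external application support
+#include rtv-addons.profile
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc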
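--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -6,7 +6,6 @@ include signal-desktop.local
 include globals.local
 
 # Disabled until someone reported positive feedback
-ignore include-xdg.inc
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 ignore private-cache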
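--- a/etc/profile-m-z/skypeforlinux.profile
+++ b/etc/profile-m-z/skypeforlinux.profile
@@ -18,6 +18,7 @@ ignore dbus-user none
 ignore dbus-system none
 
 # breaks Skype
+ignore apparmor
 ignore noexec /tmp
 
 noblacklist ${HOME}/.config/skypeforlinux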
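Review bot: The new `ignore apparmor` on line 21 switches off a whole confinement layer for Skype, and its only rationale is the shared `# breaks Skype` comment above it. Please give the line its own comment naming what fails under the firejail AppArmor profile, e.g. `# apparmor: <what breaks, issue reference>`, so the exception can be dropped once that is fixed. Which included profile sets `apparmor` in the first place is outside this hunk.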
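--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -24,6 +24,7 @@ whitelist ${RUNUSER}/keyring/ssh
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 netfilter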
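--- a/etc/profile-m-z/start-tor-browser.profile
+++ b/etc/profile-m-z/start-tor-browser.profile
@@ -3,40 +3,8 @@
 # Persistent local customizations
 include start-tor-browser.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
-ignore noexec ${HOME}
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
-
-include whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp !chroot
-shell none
-# tracelog may cause issues, see github issue #1930
-#tracelog
-
-disable-mnt
-private-bin bash,cat,cp,cut,dirname,env,getconf,gpg,grep,gxmessage,id,kdialog,ln,mkdir,pwd,readlink,realpath,rm,sed,sh,tail,test,update-desktop-database,xmessage,zenity
-private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
-private-tmp
-
-dbus-user none
-dbus-system none
+# Redirect
+include start-tor-browser.desktop.profile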
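--- a/etc/profile-m-z/tar.profile
+++ b/etc/profile-m-z/tar.profile
@@ -7,7 +7,7 @@ include tar.local
 # Persistent global definitions
 include globals.local
 
-# Included in archiver-common.inc
+# Included in archiver-common.profile
 ignore include disable-shell.inc
 
 # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop
@@ -20,4 +20,4 @@ private-etc alternatives,group,localtime,login.defs,passwd
 writable-var
 
 # Redirect
-include archiver-common.inc
+include archiver-common.profile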
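--- a/etc/profile-m-z/tcpdump.profile
+++ b/etc/profile-m-z/tcpdump.profile
@@ -8,6 +8,7 @@ include globals.local
 
 noblacklist /sbin
 noblacklist /usr/sbin
+noblacklist ${PATH}/tcpdump
 
 include disable-common.inc
 include disable-devel.inc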
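--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -36,10 +36,20 @@ noroot
 notv
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 shell none
+tracelog
 
 disable-mnt
+#private-bin telegram,Telegram,telegram-desktop
 private-cache
 private-dev
 private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,machine-id,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
+
+dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-user.talk org.gnome.Mutter.IdleMonitor
+dbus-user.talk org.freedesktop.ScreenSaver
+dbus-system none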
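Review bot: `#private-bin telegram,Telegram,telegram-desktop` on line 44 is added already commented out, with nothing saying whether it is known to break Telegram or is simply untested. A reader cannot tell if enabling it from telegram.local is safe, and until then the sandbox keeps every binary on the default path visible. Please put a one-line reason above it, e.g. `# private-bin disabled: <what fails when enabled>`. virtualbox.profile line 47 adds a commented-out `#private-bin basename,bash,...` in the same way and needs the same comment.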
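--- a/etc/profile-m-z/torbrowser-launcher.profile
+++ b/etc/profile-m-z/torbrowser-launcher.profile
@@ -15,6 +15,9 @@ noblacklist ${HOME}/.local/share/torbrowser
 include allow-python2.inc
 include allow-python3.inc
 
+blacklist /opt
+blacklist /srv
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -28,9 +31,16 @@ mkdir ${HOME}/.local/share/torbrowser
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/torbrowser
 whitelist ${HOME}/.local/share/torbrowser
+whitelist /usr/share/torbrowser-launcher
 include whitelist-common.inc
 include whitelist-var-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 
+# Uncomment the line below or put 'apparmor' in your torbrowser-launcher.local.
+# IMPORTANT: the relevant rule in /etc/apparmor.d/local/firejail-default will need
+# to be uncommented too for this to work as expected.
+#apparmor
 caps.drop all
 netfilter
 nodvd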
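Review bot: The two includes added on lines 37-38 are appended after `include whitelist-var-common.inc`, which breaks the ordering the template in this commit asks for (`entries within sections are alphabetically sorted`) and that pcsxr.profile and ppsspp.profile follow. Moving `include whitelist-var-common.inc` below `include whitelist-usr-share-common.inc` keeps the whitelist block in the same order as the other profiles, which makes a missing or extra include easier to spot when profiles are compared. This is a style point only; nothing visible here shows the order changing behaviour.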
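--- a/etc/profile-m-z/transmission-daemon.profile
+++ b/etc/profile-m-z/transmission-daemon.profile
@@ -14,7 +14,7 @@ whitelist ${HOME}/.config/transmission-daemon
 whitelist /var/lib/transmission
 
 caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
-protocol unix,inet,inet6,packet
+protocol packet
 
 private-bin transmission-daemon
 private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl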
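Review bot: After this change the only `protocol` line visible in the file is `protocol packet` on line 17, and a torrent daemon presumably still needs `unix`, `inet` and `inet6`, so the profile now appears to depend on an included profile (outside this hunk) supplying those and on firejail combining several `protocol` lists. That dependency is not stated anywhere in the hunk, and the template in this same commit says packet sockets are needed `almost never`, so the one family that remains is also the one that most needs a justification. I would add a comment above the line, e.g. `# unix,inet,inet6 come from the included profile; packet is kept because <reason>`, and confirm the behaviour on the oldest firejail version these profiles are meant to support.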
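--- a/etc/profile-m-z/unrar.profile
+++ b/etc/profile-m-z/unrar.profile
@@ -12,4 +12,4 @@ private-etc alternatives,group,localtime,passwd
 private-tmp
 
 # Redirect
-include archiver-common.inc
+include archiver-common.profile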
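--- a/etc/profile-m-z/unzip.profile
+++ b/etc/profile-m-z/unzip.profile
@@ -13,4 +13,4 @@ noblacklist ${HOME}/.local/share/gnome-shell
 private-etc alternatives,group,localtime,passwd
 
 # Redirect
-include archiver-common.inc
+include archiver-common.profile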
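--- a/etc/profile-m-z/virtualbox.profile
+++ b/etc/profile-m-z/virtualbox.profile
@@ -34,6 +34,7 @@ include whitelist-var-common.inc
 
 # For host-only network sys_admin is needed. See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630
 
+apparmor
 caps.keep net_raw,sys_nice
 netfilter
 nodvd
@@ -43,8 +44,10 @@ shell none
 tracelog
 
 #disable-mnt
+#private-bin basename,bash,env,gawk,grep,ps,readlink,sh,virtualbox,VirtualBox,VBox*,vbox*,whoami
 private-cache
 private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
+private-tmp
 
 dbus-user none
 dbus-system none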
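--- /dev/null
+++ b/etc/profile-m-z/vmware-player.profile
@@ -0,0 +1,8 @@
+# Firejail profile for vmware-player
+# Description: The industry standard for running multiple operating systems as virtual machines on a single Linux PC.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vmware-player.local
+
+# Redirect
+include vmware.profile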
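--- /dev/null
+++ b/etc/profile-m-z/vmware-workstation.profile
@@ -0,0 +1,8 @@
+# Firejail profile for vmware-workstation
+# Description: The industry standard for running multiple operating systems as virtual machines on a single Linux PC.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vmware-workstation.local
+
+# Redirect
+include vmware.profile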
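--- a/etc/profile-m-z/xzdec.profile
+++ b/etc/profile-m-z/xzdec.profile
@@ -8,4 +8,4 @@ include xzdec.local
 include globals.local
 
 # Redirect
-include archiver-common.inc
+include archiver-common.profile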
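--- /dev/null
+++ b/etc/profile-m-z/youtube-dl-gui.profile
@@ -0,0 +1,56 @@
+# Firejail profile for youtube-dl-gui
+# Description: A cross platform front-end GUI of the popular youtube-dl media downloader
+include youtube-dl-gui.local
+# This file is overwritten after every install/update
+include globals.local
+
+#These are blacklisted by disable-interpreters.inc
+include allow-python2.inc
+include allow-python3.inc
+
+noblacklist ${HOME}/.config/youtube-dlg
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/youtube-dlg
+whitelist ${HOME}/.config/youtube-dlg
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin atomicparsley,ffmpeg,ffprobe,python*,youtube-dl-gui
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,locale,locale.conf,passwd,pki,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none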
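Review bot: The header on lines 3-5 leaves out the `# Persistent local customizations` and `# Persistent global definitions` markers that the other new profiles in this commit carry, and the overwrite notice on line 4 sits between the two includes instead of above them. That makes it easy to miss that local overrides belong in youtube-dl-gui.local rather than in this file, which is replaced on update. I would reorder the header to match pcsxr.profile: the overwrite notice first, then each include under its marker comment. Line 7 also wants a space after the hash: `# These are blacklisted by disable-interpreters.inc`.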
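--- a/etc/profile-m-z/zstd.profile
+++ b/etc/profile-m-z/zstd.profile
@@ -8,4 +8,4 @@ include zstd.local
 include globals.local
 
 # Redirect
-include archiver-common.inc
+include archiver-common.profile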
diff --git a/etc/templates/profile.template b/etc/templates/profile.template index 9e9fc3fe9..065245a63 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template | |||
@@ -1,17 +1,17 @@ | |||
1 | # Firejail profile for PROGRAM_NAME | 1 | # Firejail profile for PROGRAM_NAME |
2 | # Description: DESCRIPTION | 2 | # Description: DESCRIPTION OF THE PROGRAM |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # --- CUT HERE --- | 4 | # --- CUT HERE --- |
5 | # This is a generic template to help you with creation of profiles | 5 | # This is a generic template to help you create profiles. |
6 | # for new programs. PRs welcome at https://github.com/netblue30/firejail/. | 6 | # PRs welcome at https://github.com/netblue30/firejail/. |
7 | # | 7 | # |
8 | # Rules to follow: | 8 | # Rules to follow: |
9 | # - lines with one # are often used in profiles | 9 | # - lines with one # are often used in profiles |
10 | # - lines with two ## are only needed in special situations | 10 | # - lines with two ## are only needed in special situations |
11 | # - make the profile as restrictive as possible while still keeping the program useful | 11 | # - make the profile as restrictive as possible while still keeping the program useful |
12 | # (e. g. a program that is unable to save user's work is considered bad practice) | 12 | # (e.g. a program that is unable to save user's work is considered bad practice) |
13 | # - dedicate some time (based on the complexity of the application) to profile testing before raising | 13 | # - dedicate ample time (based on the complexity of the application) to profile testing before |
14 | # a pull request | 14 | # submitting a pull request |
15 | # - keep the sections structure, use a single empty line as separator | 15 | # - keep the sections structure, use a single empty line as separator |
16 | # - entries within sections are alphabetically sorted | 16 | # - entries within sections are alphabetically sorted |
17 | # - consider putting binary into src/firecfg/firecfg.config (keep list sorted) but beware | 17 | # - consider putting binary into src/firecfg/firecfg.config (keep list sorted) but beware |
@@ -42,7 +42,7 @@ | |||
42 | # ${DOCUMENTS} | 42 | # ${DOCUMENTS} |
43 | # ${DOWNLOADS} | 43 | # ${DOWNLOADS} |
44 | # ${HOME} (user's home) | 44 | # ${HOME} (user's home) |
45 | # ${PATH} (contents of PATH envvar) | 45 | # ${PATH} (contents of PATH env var) |
46 | # ${MUSIC} | 46 | # ${MUSIC} |
47 | # ${RUNUSER} (/run/user/UID) | 47 | # ${RUNUSER} (/run/user/UID) |
48 | # ${VIDEOS} | 48 | # ${VIDEOS} |
@@ -81,12 +81,11 @@ include globals.local | |||
81 | # `ls -aR` | 81 | # `ls -aR` |
82 | #noblacklist PATH | 82 | #noblacklist PATH |
83 | 83 | ||
84 | # Allow python (blacklisted by disable-interpreters.inc) | 84 | # Allows files commonly used by IDEs |
85 | #include allow-python2.inc | 85 | #include allow-common-devel.inc |
86 | #include allow-python3.inc | ||
87 | 86 | ||
88 | # Allow perl (blacklisted by disable-interpreters.inc) | 87 | # Allow gjs (blacklisted by disable-interpreters.inc) |
89 | #include allow-perl.inc | 88 | #include allow-gjs.inc |
90 | 89 | ||
91 | # Allow java (blacklisted by disable-devel.inc) | 90 | # Allow java (blacklisted by disable-devel.inc) |
92 | #include allow-java.inc | 91 | #include allow-java.inc |
@@ -94,14 +93,15 @@ include globals.local | |||
94 | # Allow lua (blacklisted by disable-interpreters.inc) | 93 | # Allow lua (blacklisted by disable-interpreters.inc) |
95 | #include allow-lua.inc | 94 | #include allow-lua.inc |
96 | 95 | ||
97 | # Allow ruby (blacklisted by disable-interpreters.inc) | 96 | # Allow perl (blacklisted by disable-interpreters.inc) |
98 | #include allow-ruby.inc | 97 | #include allow-perl.inc |
99 | 98 | ||
100 | # Allow gjs (blacklisted by disable-interpreters.inc) | 99 | # Allow python (blacklisted by disable-interpreters.inc) |
101 | #include allow-gjs.inc | 100 | #include allow-python2.inc |
101 | #include allow-python3.inc | ||
102 | 102 | ||
103 | # Allows files commonly used by IDEs | 103 | # Allow ruby (blacklisted by disable-interpreters.inc) |
104 | #include allow-common-devel.inc | 104 | #include allow-ruby.inc |
105 | 105 | ||
106 | # Allow ssh (blacklisted by disable-common.inc) | 106 | # Allow ssh (blacklisted by disable-common.inc) |
107 | #include allow-ssh.inc | 107 | #include allow-ssh.inc |
@@ -117,10 +117,10 @@ include globals.local | |||
117 | #include disable-xdg.inc | 117 | #include disable-xdg.inc |
118 | 118 | ||
119 | # This section often mirrors noblacklist section above. The idea is | 119 | # This section often mirrors noblacklist section above. The idea is |
120 | # that if a user feels too restricted (he's unable to save files into | 120 | # that if a user feels too restricted (e.g. unable to save files into |
121 | # home directory for instance) he/she may disable whitelist (nowhitelist) | 121 | # home directory) they may disable whitelist (nowhitelist) |
122 | # in PROFILE.local but still be protected by BLACKLISTS section | 122 | # in PROFILE.local but still be protected by BLACKLISTS section |
123 | # (further explanation at https://github.com/netblue30/firejail/issues/1569) | 123 | # (explanation at https://github.com/netblue30/firejail/issues/1569) |
124 | #mkdir PATH | 124 | #mkdir PATH |
125 | ##mkfile PATH | 125 | ##mkfile PATH |
126 | #whitelist PATH | 126 | #whitelist PATH |
@@ -136,7 +136,7 @@ include globals.local | |||
136 | ##hostname NAME | 136 | ##hostname NAME |
137 | # CLI only | 137 | # CLI only |
138 | ##ipc-namespace | 138 | ##ipc-namespace |
139 | # breaks sound and sometime dbus related functions | 139 | # breaks audio and sometimes dbus related functions |
140 | #machine-id | 140 | #machine-id |
141 | # 'net none' or 'netfilter' | 141 | # 'net none' or 'netfilter' |
142 | #net none | 142 | #net none |
@@ -155,13 +155,13 @@ include globals.local | |||
155 | # - unix is usually needed | 155 | # - unix is usually needed |
156 | # - inet,inet6 only if internet access is required (see 'net none'/'netfilter' above) | 156 | # - inet,inet6 only if internet access is required (see 'net none'/'netfilter' above) |
157 | # - netlink is rarely needed | 157 | # - netlink is rarely needed |
158 | # - packet almost never | 158 | # - packet and bluetooth almost never |
159 | #protocol unix,inet,inet6,netlink,packet | 159 | #protocol unix,inet,inet6,netlink,packet,bluetooth |
160 | #seccomp | 160 | #seccomp |
161 | ##seccomp !chroot | 161 | ##seccomp !chroot |
162 | ##seccomp.drop SYSCALLS (see syscalls.txt) | 162 | ##seccomp.drop SYSCALLS (see syscalls.txt) |
163 | #seccomp.block-secondary | 163 | #seccomp.block-secondary |
164 | ##seccomp-error-action log (Only for debugging seccomp issues) | 164 | ##seccomp-error-action log (only for debugging seccomp issues) |
165 | #shell none | 165 | #shell none |
166 | #tracelog | 166 | #tracelog |
167 | # Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set | 167 | # Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set |
@@ -176,16 +176,16 @@ include globals.local | |||
176 | #private-etc FILES | 176 | #private-etc FILES |
177 | # private-etc templates (see also #1734, #2093) | 177 | # private-etc templates (see also #1734, #2093) |
178 | # Common: alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg | 178 | # Common: alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg |
179 | # Extra: magic,magic.mgc,passwd,group | 179 | # Extra: group,magic,magic.mgc,passwd |
180 | # Networking: ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf,hosts,host.conf,hostname,protocols,services,rpc | 180 | # 3D: bumblebee,drirc,glvnd,nvidia |
181 | # Extra: proxychains.conf,gai.conf | 181 | # Audio: alsa,asound.conf,machine-id,pulse |
182 | # Sound: alsa,asound.conf,pulse,machine-id | 182 | # D-Bus: dbus-1,machine-id |
183 | # GUI: fonts,pango,X11 | 183 | # GUI: fonts,pango,X11 |
184 | # GTK: dconf,gconf,gtk-2.0,gtk-3.0 | 184 | # GTK: dconf,gconf,gtk-2.0,gtk-3.0 |
185 | # Qt: Trolltech.conf | ||
186 | # KDE: kde4rc,kde5rc | 185 | # KDE: kde4rc,kde5rc |
187 | # 3D: drirc,glvnd,bumblebee,nvidia | 186 | # Networking: ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,services,rpc,ssl |
188 | # D-Bus: dbus-1,machine-id | 187 | # Extra: gai.conf,proxychains.conf |
188 | # Qt: Trolltech.conf | ||
189 | ##private-lib LIBS | 189 | ##private-lib LIBS |
190 | ##private-opt NAME | 190 | ##private-opt NAME |
191 | #private-tmp | 191 | #private-tmp |
@@ -194,15 +194,16 @@ include globals.local | |||
194 | ##writable-var | 194 | ##writable-var |
195 | ##writable-var-log | 195 | ##writable-var-log |
196 | 196 | ||
197 | # Since 0.9.63 also a more granular regulation of dbus is supported. | 197 | # Since 0.9.63 also a more granular control of dbus is supported. |
198 | # To get the dbus-addresses to which an application needs access to. | 198 | # To get the dbus-addresses an application needs access to you can |
199 | # You can look at flatpak if the application is also distriputed via flatpak: | 199 | # check with flatpak (when the application is distriputed that way): |
200 | # flatpak remote-info --show-metadata flathub <APP-ID> | 200 | # flatpak remote-info --show-metadata flathub <APP-ID> |
201 | # Notes: | 201 | # Notes: |
202 | # - flatpak implicitly allows an app to own <APP-ID> on the session bus | 202 | # - flatpak implicitly allows an app to own <APP-ID> on the session bus |
203 | # - In order to make dconf work (if it is used by the app) you need to allow | 203 | # - Some features like native notifications are implemented as portal too. |
204 | # 'ca.desrt.dconf' even if it is not allowed by flatpak. | 204 | # - In order to make dconf work (when used by the app) you need to allow |
205 | # Notes and Policiy about addresses can be found at | 205 | # 'ca.desrt.dconf' even when not allowed by flatpak. |
206 | # Notes and policies about addresses can be found at | ||
206 | # <https://github.com/netblue30/firejail/wiki/Restrict-D-Bus> | 207 | # <https://github.com/netblue30/firejail/wiki/Restrict-D-Bus> |
207 | #dbus-user filter | 208 | #dbus-user filter |
208 | #dbus-user.own com.github.netblue30.firejail | 209 | #dbus-user.own com.github.netblue30.firejail |
@@ -211,7 +212,7 @@ include globals.local | |||
211 | #dbus-system none | 212 | #dbus-system none |
212 | 213 | ||
213 | ##env VAR=VALUE | 214 | ##env VAR=VALUE |
215 | ##join-or-start NAME | ||
214 | #memory-deny-write-execute | 216 | #memory-deny-write-execute |
215 | ##noexec PATH | 217 | ##noexec PATH |
216 | ##read-only ${HOME} | 218 | ##read-only ${HOME} |
217 | ##join-or-start NAME | ||
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | gcov_init() { | 6 | gcov_init() { |
diff --git a/install.sh b/install.sh index 2fa61cc0a..e26cea7b0 100755 --- a/install.sh +++ b/install.sh | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/sh | 1 | #!/bin/sh |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | echo "installing..." | 6 | echo "installing..." |
diff --git a/linecnt.sh b/linecnt.sh index 1bf834015..ccce2da82 100755 --- a/linecnt.sh +++ b/linecnt.sh | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | gcov_init() { | 6 | gcov_init() { |
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/sh | 1 | #!/bin/sh |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | echo "Calculating SHA256 for all files in /transfer - firejail version $1" | 6 | echo "Calculating SHA256 for all files in /transfer - firejail version $1" |
diff --git a/mkdeb.sh.in b/mkdeb.sh.in index 5b68175fd..e45acf8eb 100755 --- a/mkdeb.sh.in +++ b/mkdeb.sh.in | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/sh | 1 | #!/bin/sh |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | # based on http://tldp.org/HOWTO/html_single/Debian-Binary-Package-Building-HOWTO/ | 6 | # based on http://tldp.org/HOWTO/html_single/Debian-Binary-Package-Building-HOWTO/ |
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/sh | 1 | #!/bin/sh |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | sed -i -e ' | 6 | sed -i -e ' |
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/sh | 1 | #!/bin/sh |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set -e | 6 | set -e |
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/sh | 1 | #!/bin/sh |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | echo "extracting UID_MIN and GID_MIN" | 6 | echo "extracting UID_MIN and GID_MIN" |
diff --git a/platform/debian/copyright b/platform/debian/copyright index c0f98104d..d4bdb1283 100644 --- a/platform/debian/copyright +++ b/platform/debian/copyright | |||
@@ -7,7 +7,7 @@ This is the Debian/Ubuntu prepackaged version of firejail. | |||
7 | and networking stack isolation, and it runs on any recent Linux system. It | 7 | and networking stack isolation, and it runs on any recent Linux system. It |
8 | includes a sandbox profile for Mozilla Firefox. | 8 | includes a sandbox profile for Mozilla Firefox. |
9 | 9 | ||
10 | Copyright (C) 2014-2020 Firejail Authors (see README file for more details) | 10 | Copyright (C) 2014-2021 Firejail Authors (see README file for more details) |
11 | 11 | ||
12 | This program is free software; you can redistribute it and/or modify | 12 | This program is free software; you can redistribute it and/or modify |
13 | it under the terms of the GNU General Public License as published by | 13 | it under the terms of the GNU General Public License as published by |
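--- a/platform/rpm/firejail.spec
+++ b/platform/rpm/firejail.spec
@@ -35,10 +35,12 @@ rm -rf %{buildroot}
 %attr(4755, -, -) %{_bindir}/__NAME__
 %{_bindir}/firecfg
 %{_bindir}/firemon
+%{_bindir}/jailtest
 %{_libdir}/__NAME__
 %{_datarootdir}/bash-completion/completions/__NAME__
 %{_datarootdir}/bash-completion/completions/firecfg
 %{_datarootdir}/bash-completion/completions/firemon
+%{_datarootdir}/zsh/site-functions/_firejail
 %{_docdir}/__NAME__
 %{_mandir}/man1/__NAME__.1.gz
 %{_mandir}/man1/firecfg.1.gz
@@ -46,4 +48,5 @@ rm -rf %{buildroot}
 %{_mandir}/man5/__NAME__-login.5.gz
 %{_mandir}/man5/__NAME__-profile.5.gz
 %{_mandir}/man5/__NAME__-users.5.gz
+%{_mandir}/man5/jailtest.5.gz
 %config(noreplace) %{_sysconfdir}/__NAME__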
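Review bot: The new `%{_mandir}/man5/jailtest.5.gz` entry files the manual of an executable under section 5, while the other programs shipped from `%{_bindir}` (`__NAME__`, `firecfg`) have their pages under `man1`. If the install target actually writes `man1/jailtest.1.gz`, rpmbuild will stop on a file that is listed but not found, so this path should be checked against what `make install` produces; if section 1 is correct the line becomes `%{_mandir}/man1/jailtest.1.gz`. The install rules are not part of this section, so the concern is inferred from the naming pattern only.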
diff --git a/platform/rpm/mkrpm.sh b/platform/rpm/mkrpm.sh index c9b90dbe3..b8470dd71 100755 --- a/platform/rpm/mkrpm.sh +++ b/platform/rpm/mkrpm.sh | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | # | 5 | # |
6 | # Usage: ./platform/rpm/mkrpm.sh firejail <version> "<config options>" | 6 | # Usage: ./platform/rpm/mkrpm.sh firejail <version> "<config options>" |
diff --git a/src/bash_completion/Makefile.in b/src/bash_completion/Makefile.in new file mode 100644 index 000000000..f7db9e6b4 --- /dev/null +++ b/src/bash_completion/Makefile.in | |||
@@ -0,0 +1,17 @@ | |||
1 | .PHONY: all | ||
2 | all: firejail.bash_completion | ||
3 | |||
4 | include ../common.mk | ||
5 | |||
6 | firejail.bash_completion: firejail.bash_completion.in | ||
7 | gawk -f ../man/preproc.awk -- $(MANFLAGS) < $< > $@.tmp | ||
8 | sed "s|_SYSCONFDIR_|$(sysconfdir)|" < $@.tmp > $@ | ||
9 | rm $@.tmp | ||
10 | |||
11 | .PHONY: clean | ||
12 | clean: | ||
13 | rm -fr firejail.bash_completion | ||
14 | |||
15 | .PHONY: distclean | ||
16 | distclean: clean | ||
17 | rm -fr Makefile | ||
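Review bot: The `firejail.bash_completion` rule writes its output through shell redirections, so a failing `sed` leaves a truncated target with a fresh timestamp that the next `make` treats as up to date, and a failing `gawk` leaves `firejail.bash_completion.tmp` behind. Adding `.DELETE_ON_ERROR:` to this Makefile and extending the clean recipe to `rm -fr firejail.bash_completion firejail.bash_completion.tmp` covers both cases. The `sed` expression also substitutes `$(sysconfdir)` unescaped with `|` as the delimiter and without the `g` flag; that is fine for ordinary prefixes and a single placeholder per line, but deserves a one-line comment such as `# assumes sysconfdir contains no '|' or '&'`.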
diff --git a/src/bash_completion/firejail.bash_completion b/src/bash_completion/firejail.bash_completion.in index 0a1b34d7d..f68edf380 100644 --- a/src/bash_completion/firejail.bash_completion +++ b/src/bash_completion/firejail.bash_completion.in | |||
@@ -9,6 +9,17 @@ __interfaces(){ | |||
9 | cut -f 1 -d ':' /proc/net/dev | tail -n +3 | grep -v lo | xargs | 9 | cut -f 1 -d ':' /proc/net/dev | tail -n +3 | grep -v lo | xargs |
10 | } | 10 | } |
11 | 11 | ||
12 | _profiles() { | ||
13 | if [[ -d "$1" ]] ; then | ||
14 | ls -1 $1/*.profile 2>/dev/null | sed -E 's;^.*\/;;g' | ||
15 | fi | ||
16 | } | ||
17 | _all_profiles() { | ||
18 | local sys_profiles=$(_profiles _SYSCONFDIR_/firejail) | ||
19 | local user_profiles=$(_profiles $HOME/.config/firejail) | ||
20 | COMPREPLY=($(compgen -W "${sys_profiles} ${user_profiles}" -- "$cur")) | ||
21 | } | ||
22 | |||
12 | 23 | ||
13 | _firejail() | 24 | _firejail() |
14 | { | 25 | { |
@@ -20,7 +31,7 @@ _firejail() | |||
20 | return 0 | 31 | return 0 |
21 | ;; | 32 | ;; |
22 | --profile) | 33 | --profile) |
23 | _filedir | 34 | _all_profiles |
24 | return 0 | 35 | return 0 |
25 | ;; | 36 | ;; |
26 | --hosts-file) | 37 | --hosts-file) |
@@ -79,10 +90,6 @@ _firejail() | |||
79 | _filedir | 90 | _filedir |
80 | return 0 | 91 | return 0 |
81 | ;; | 92 | ;; |
82 | --audit) | ||
83 | _filedir | ||
84 | return 0 | ||
85 | ;; | ||
86 | --net) | 93 | --net) |
87 | comps=$(__interfaces) | 94 | comps=$(__interfaces) |
88 | COMPREPLY=( $(compgen -W '$comps' -- "$cur") ) | 95 | COMPREPLY=( $(compgen -W '$comps' -- "$cur") ) |
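Review bot: `_all_profiles` in the first hunk passes profile file names to `compgen -W`, and bash performs shell expansion on that word list, so a file name under `~/.config/firejail` that contains command-substitution syntax would be evaluated during tab completion instead of being treated as text. `_profiles` also leaves `$1` and `$HOME` unquoted and parses `ls` output, which breaks on paths containing spaces. Building the list from a quoted glob and doing the prefix match in the shell avoids both problems. `cur` is assumed to be set by `_firejail`, whose body lies mostly outside these hunks.

```bash
_profiles() {
    local f
    # quoted glob: no word splitting, no ls parsing
    for f in "$1"/*.profile; do
        [[ -e "$f" ]] && printf '%s\n' "${f##*/}"
    done
}
_all_profiles() {
    local name
    COMPREPLY=()
    # plain prefix match; file names are never re-expanded by the shell
    while IFS= read -r name; do
        [[ "$name" == "$cur"* ]] && COMPREPLY+=("$name")
    done < <(_profiles _SYSCONFDIR_/firejail; _profiles "$HOME/.config/firejail")
}
# … unchanged: _firejail and its case branches …
```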
diff --git a/src/common.mk.in b/src/common.mk.in index b8a13cd1b..a3df4abb6 100644 --- a/src/common.mk.in +++ b/src/common.mk.in | |||
@@ -25,6 +25,9 @@ HAVE_GCOV=@HAVE_GCOV@ | |||
25 | HAVE_SELINUX=@HAVE_SELINUX@ | 25 | HAVE_SELINUX=@HAVE_SELINUX@ |
26 | HAVE_DBUSPROXY=@HAVE_DBUSPROXY@ | 26 | HAVE_DBUSPROXY=@HAVE_DBUSPROXY@ |
27 | HAVE_USERTMPFS=@HAVE_USERTMPFS@ | 27 | HAVE_USERTMPFS=@HAVE_USERTMPFS@ |
28 | HAVE_OUTPUT=@HAVE_OUTPUT@ | ||
29 | HAVE_LTS=@HAVE_LTS@ | ||
30 | HAVE_FORCE_NONEWPRIVS=@HAVE_FORCE_NONEWPRIVS@ | ||
28 | 31 | ||
29 | H_FILE_LIST = $(sort $(wildcard *.[h])) | 32 | H_FILE_LIST = $(sort $(wildcard *.[h])) |
30 | C_FILE_LIST = $(sort $(wildcard *.c)) | 33 | C_FILE_LIST = $(sort $(wildcard *.c)) |
@@ -34,7 +37,7 @@ BINOBJS = $(foreach file, $(OBJS), $file) | |||
34 | CFLAGS = @CFLAGS@ | 37 | CFLAGS = @CFLAGS@ |
35 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) | 38 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) |
36 | CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' | 39 | CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' |
37 | MANFLAGS = $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX) | 40 | MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX) $(HAVE_FORCE_NONEWPRIVS) |
38 | CFLAGS += $(MANFLAGS) | 41 | CFLAGS += $(MANFLAGS) |
39 | CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security | 42 | CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security |
40 | LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread | 43 | LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread |
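Review bot: As far as these hunks show, `HAVE_FORCE_NONEWPRIVS`, `HAVE_OUTPUT` and `HAVE_LTS` reach the compiler only through `MANFLAGS` (`CFLAGS += $(MANFLAGS)` on the following line), and nothing in the file says that this list does double duty. A switch defined in the first hunk but forgotten in `MANFLAGS` would silently produce a binary built without that feature, which matters for a hardening option such as force-nonewprivs. I would add a comment above the assignment: `# MANFLAGS feeds the documentation preprocessor and is appended to CFLAGS; every HAVE_* feature switch must be listed here`.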
diff --git a/src/faudit/Makefile.in b/src/faudit/Makefile.in deleted file mode 100644 index 44c121a4c..000000000 --- a/src/faudit/Makefile.in +++ /dev/null | |||
@@ -1,14 +0,0 @@ | |||
1 | all: faudit | ||
2 | |||
3 | include ../common.mk | ||
4 | |||
5 | %.o : %.c $(H_FILE_LIST) | ||
6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | ||
7 | |||
8 | faudit: $(OBJS) | ||
9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) | ||
10 | |||
11 | clean:; rm -fr *.o faudit *.gcov *.gcda *.gcno *.plist | ||
12 | |||
13 | distclean: clean | ||
14 | rm -fr Makefile | ||
diff --git a/src/faudit/caps.c b/src/faudit/caps.c deleted file mode 100644 index 6687fce5a..000000000 --- a/src/faudit/caps.c +++ /dev/null | |||
@@ -1,78 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2020 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | |||
21 | #include "faudit.h" | ||
22 | #include <linux/capability.h> | ||
23 | |||
24 | #define MAXBUF 4098 | ||
25 | static int extract_caps(uint64_t *val) { | ||
26 | FILE *fp = fopen("/proc/self/status", "r"); | ||
27 | if (!fp) | ||
28 | return 1; | ||
29 | |||
30 | char buf[MAXBUF]; | ||
31 | while (fgets(buf, MAXBUF, fp)) { | ||
32 | if (strncmp(buf, "CapBnd:\t", 8) == 0) { | ||
33 | char *ptr = buf + 8; | ||
34 | unsigned long long tmp; | ||
35 | sscanf(ptr, "%llx", &tmp); | ||
36 | *val = tmp; | ||
37 | fclose(fp); | ||
38 | return 0; | ||
39 | } | ||
40 | } | ||
41 | |||
42 | fclose(fp); | ||
43 | return 1; | ||
44 | } | ||
45 | |||
46 | // return 1 if the capability is in the map | ||
47 | static int check_capability(uint64_t map, int cap) { | ||
48 | int i; | ||
49 | uint64_t mask = 1ULL; | ||
50 | |||
51 | for (i = 0; i < 64; i++, mask <<= 1) { | ||
52 | if ((i == cap) && (mask & map)) | ||
53 | return 1; | ||
54 | } | ||
55 | |||
56 | return 0; | ||
57 | } | ||
58 | |||
59 | void caps_test(void) { | ||
60 | uint64_t caps_val; | ||
61 | |||
62 | if (extract_caps(&caps_val)) { | ||
63 | printf("SKIP: cannot extract capabilities on this platform.\n"); | ||
64 | return; | ||
65 | } | ||
66 | |||
67 | if (caps_val) { | ||
68 | printf("BAD: the capability map is %llx, it should be all zero. ", (unsigned long long) caps_val); | ||
69 | printf("Use \"firejail --caps.drop=all\" to fix it.\n"); | ||
70 | |||
71 | if (check_capability(caps_val, CAP_SYS_ADMIN)) | ||
72 | printf("UGLY: CAP_SYS_ADMIN is enabled.\n"); | ||
73 | if (check_capability(caps_val, CAP_SYS_BOOT)) | ||
74 | printf("UGLY: CAP_SYS_BOOT is enabled.\n"); | ||
75 | } | ||
76 | else | ||
77 | printf("GOOD: all capabilities are disabled.\n"); | ||
78 | } | ||
diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c deleted file mode 100644 index 2a3c282d7..000000000 --- a/src/faudit/dbus.c +++ /dev/null | |||
@@ -1,131 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2020 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "faudit.h" | ||
21 | #include "../include/rundefs.h" | ||
22 | #include <stdarg.h> | ||
23 | #include <sys/socket.h> | ||
24 | #include <sys/un.h> | ||
25 | |||
26 | // return 0 if the connection is possible | ||
27 | int check_unix(const char *sockfile) { | ||
28 | assert(sockfile); | ||
29 | int rv = -1; | ||
30 | |||
31 | // open socket | ||
32 | int sock = socket(AF_UNIX, SOCK_STREAM, 0); | ||
33 | if (sock == -1) | ||
34 | return rv; | ||
35 | |||
36 | // connect | ||
37 | struct sockaddr_un remote; | ||
38 | memset(&remote, 0, sizeof(struct sockaddr_un)); | ||
39 | remote.sun_family = AF_UNIX; | ||
40 | strncpy(remote.sun_path, sockfile, sizeof(remote.sun_path) - 1); | ||
41 | int len = strlen(remote.sun_path) + sizeof(remote.sun_family); | ||
42 | if (*sockfile == '@') | ||
43 | remote.sun_path[0] = '\0'; | ||
44 | if (connect(sock, (struct sockaddr *)&remote, len) == 0) | ||
45 | rv = 0; | ||
46 | |||
47 | close(sock); | ||
48 | return rv; | ||
49 | } | ||
50 | |||
51 | static char *test_dbus_env(char *env_var_name) { | ||
52 | // check the session bus | ||
53 | char *str = getenv(env_var_name); | ||
54 | char *found = NULL; | ||
55 | if (str) { | ||
56 | int rv = 0; | ||
57 | char *bus = strdup(str); | ||
58 | if (!bus) | ||
59 | errExit("strdup"); | ||
60 | char *sockfile; | ||
61 | if ((sockfile = strstr(bus, "unix:abstract=")) != NULL) { | ||
62 | sockfile += 13; | ||
63 | *sockfile = '@'; | ||
64 | char *ptr = strchr(sockfile, ','); | ||
65 | if (ptr) | ||
66 | *ptr = '\0'; | ||
67 | rv = check_unix(sockfile); | ||
68 | *sockfile = '@'; | ||
69 | if (rv == 0) | ||
70 | printf("MAYBE: D-Bus socket %s is available\n", sockfile); | ||
71 | else if (rv == -1) | ||
72 | printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile); | ||
73 | } | ||
74 | else if ((sockfile = strstr(bus, "unix:path=")) != NULL) { | ||
75 | sockfile += 10; | ||
76 | char *ptr = strchr(sockfile, ','); | ||
77 | if (ptr) | ||
78 | *ptr = '\0'; | ||
79 | rv = check_unix(sockfile); | ||
80 | if (rv == 0) { | ||
81 | if (strcmp(RUN_DBUS_USER_SOCKET, sockfile) == 0 || | ||
82 | strcmp(RUN_DBUS_SYSTEM_SOCKET, sockfile) == 0) { | ||
83 | printf("GOOD: D-Bus filtering is active on %s\n", sockfile); | ||
84 | } else { | ||
85 | printf("MAYBE: D-Bus socket %s is available\n", sockfile); | ||
86 | } | ||
87 | } | ||
88 | else if (rv == -1) | ||
89 | printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile); | ||
90 | found = strdup(sockfile); | ||
91 | if (!found) | ||
92 | errExit("strdup"); | ||
93 | } | ||
94 | else if (strstr(bus, "tcp:host=") != NULL) | ||
95 | printf("UGLY: %s bus configured for TCP communication.\n", env_var_name); | ||
96 | else | ||
97 | printf("GOOD: cannot find a %s D-Bus socket\n", env_var_name); | ||
98 | free(bus); | ||
99 | } | ||
100 | else | ||
101 | printf("MAYBE: %s environment variable not configured.\n", env_var_name); | ||
102 | return found; | ||
103 | } | ||
104 | |||
105 | static void test_default_socket(const char *found, const char *format, ...) { | ||
106 | va_list ap; | ||
107 | va_start(ap, format); | ||
108 | char *sockfile; | ||
109 | if (vasprintf(&sockfile, format, ap) == -1) | ||
110 | errExit("vasprintf"); | ||
111 | va_end(ap); | ||
112 | if (found != NULL && strcmp(found, sockfile) == 0) | ||
113 | goto end; | ||
114 | int rv = check_unix(sockfile); | ||
115 | if (rv == 0) | ||
116 | printf("MAYBE: D-Bus socket %s is available\n", sockfile); | ||
117 | end: | ||
118 | free(sockfile); | ||
119 | } | ||
120 | |||
121 | void dbus_test(void) { | ||
122 | char *found_user = test_dbus_env("DBUS_SESSION_BUS_ADDRESS"); | ||
123 | test_default_socket(found_user, "/run/user/%d/bus", (int) getuid()); | ||
124 | test_default_socket(found_user, "/run/user/%d/dbus/user_bus_socket", (int) getuid()); | ||
125 | if (found_user != NULL) | ||
126 | free(found_user); | ||
127 | char *found_system = test_dbus_env("DBUS_SYSTEM_BUS_ADDRESS"); | ||
128 | test_default_socket(found_system, "/run/dbus/system_bus_socket"); | ||
129 | if (found_system != NULL) | ||
130 | free(found_system); | ||
131 | } | ||
diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h deleted file mode 100644 index 20189a0ff..000000000 --- a/src/faudit/faudit.h +++ /dev/null | |||
@@ -1,68 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2020 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | |||
21 | #ifndef FAUDIT_H | ||
22 | #define FAUDIT_H | ||
23 | #define _GNU_SOURCE | ||
24 | #include <stdio.h> | ||
25 | #include <stdlib.h> | ||
26 | #include <stdint.h> | ||
27 | #include <string.h> | ||
28 | #include <unistd.h> | ||
29 | #include <sys/types.h> | ||
30 | #include <sys/stat.h> | ||
31 | #include <sys/mount.h> | ||
32 | #include <assert.h> | ||
33 | |||
34 | #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s:%s(%d)", msg, __FUNCTION__, __LINE__); perror(msgout); exit(1);} while (0) | ||
35 | |||
36 | // main.c | ||
37 | extern char *prog; | ||
38 | |||
39 | // pid.c | ||
40 | void pid_test(void); | ||
41 | |||
42 | // caps.c | ||
43 | void caps_test(void); | ||
44 | |||
45 | // seccomp.c | ||
46 | void seccomp_test(void); | ||
47 | |||
48 | // syscall.c | ||
49 | void syscall_helper(int argc, char **argv); | ||
50 | void syscall_run(const char *name); | ||
51 | |||
52 | // files.c | ||
53 | void files_test(void); | ||
54 | |||
55 | // network.c | ||
56 | void network_test(void); | ||
57 | |||
58 | // dbus.c | ||
59 | int check_unix(const char *sockfile); | ||
60 | void dbus_test(void); | ||
61 | |||
62 | // dev.c | ||
63 | void dev_test(void); | ||
64 | |||
65 | // x11.c | ||
66 | void x11_test(void); | ||
67 | |||
68 | #endif | ||
diff --git a/src/faudit/files.c b/src/faudit/files.c deleted file mode 100644 index 6dd3874b9..000000000 --- a/src/faudit/files.c +++ /dev/null | |||
@@ -1,75 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2020 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "faudit.h" | ||
21 | #include <fcntl.h> | ||
22 | #include <pwd.h> | ||
23 | |||
24 | static char *username = NULL; | ||
25 | static char *homedir = NULL; | ||
26 | |||
27 | static void check_home_file(const char *name) { | ||
28 | assert(homedir); | ||
29 | |||
30 | char *fname; | ||
31 | if (asprintf(&fname, "%s/%s", homedir, name) == -1) | ||
32 | errExit("asprintf"); | ||
33 | |||
34 | if (access(fname, R_OK) == 0) { | ||
35 | printf("UGLY: I can access files in %s directory. ", fname); | ||
36 | printf("Use \"firejail --blacklist=%s\" to block it.\n", fname); | ||
37 | } | ||
38 | else | ||
39 | printf("GOOD: I cannot access files in %s directory.\n", fname); | ||
40 | |||
41 | free(fname); | ||
42 | } | ||
43 | |||
44 | void files_test(void) { | ||
45 | struct passwd *pw = getpwuid(getuid()); | ||
46 | if (!pw) { | ||
47 | fprintf(stderr, "Error: cannot retrieve user account information\n"); | ||
48 | return; | ||
49 | } | ||
50 | |||
51 | username = strdup(pw->pw_name); | ||
52 | if (!username) | ||
53 | errExit("strdup"); | ||
54 | homedir = strdup(pw->pw_dir); | ||
55 | if (!homedir) | ||
56 | errExit("strdup"); | ||
57 | |||
58 | // check access to .ssh directory | ||
59 | check_home_file(".ssh"); | ||
60 | |||
61 | // check access to .gnupg directory | ||
62 | check_home_file(".gnupg"); | ||
63 | |||
64 | // check access to Firefox browser directory | ||
65 | check_home_file(".mozilla"); | ||
66 | |||
67 | // check access to Chromium browser directory | ||
68 | check_home_file(".config/chromium"); | ||
69 | |||
70 | // check access to Debian Icedove directory | ||
71 | check_home_file(".icedove"); | ||
72 | |||
73 | // check access to Thunderbird directory | ||
74 | check_home_file(".thunderbird"); | ||
75 | } | ||
diff --git a/src/faudit/main.c b/src/faudit/main.c deleted file mode 100644 index f6df9772d..000000000 --- a/src/faudit/main.c +++ /dev/null | |||
@@ -1,98 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2020 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "faudit.h" | ||
21 | char *prog; | ||
22 | |||
23 | int main(int argc, char **argv) { | ||
24 | // make test-arguments helper | ||
25 | if (getenv("FIREJAIL_TEST_ARGUMENTS")) { | ||
26 | printf("Arguments:\n"); | ||
27 | |||
28 | int i; | ||
29 | for (i = 0; i < argc; i++) { | ||
30 | printf("#%s#\n", argv[i]); | ||
31 | } | ||
32 | |||
33 | return 0; | ||
34 | } | ||
35 | |||
36 | |||
37 | if (argc != 1) { | ||
38 | int i; | ||
39 | |||
40 | for (i = 1; i < argc; i++) { | ||
41 | if (strcmp(argv[i], "syscall") == 0) { | ||
42 | syscall_helper(argc, argv); | ||
43 | return 0; | ||
44 | } | ||
45 | } | ||
46 | return 1; | ||
47 | } | ||
48 | |||
49 | printf("\n---------------- Firejail Audit: the GOOD, the BAD and the UGLY ----------------\n"); | ||
50 | |||
51 | // extract program name | ||
52 | prog = realpath(argv[0], NULL); | ||
53 | if (prog == NULL) { | ||
54 | prog = strdup("faudit"); | ||
55 | if (!prog) | ||
56 | errExit("strdup"); | ||
57 | } | ||
58 | printf("INFO: starting %s.\n", prog); | ||
59 | |||
60 | |||
61 | // check pid namespace | ||
62 | pid_test(); | ||
63 | printf("\n"); | ||
64 | |||
65 | // check seccomp | ||
66 | seccomp_test(); | ||
67 | printf("\n"); | ||
68 | |||
69 | // check capabilities | ||
70 | caps_test(); | ||
71 | printf("\n"); | ||
72 | |||
73 | // check some well-known problematic files and directories | ||
74 | files_test(); | ||
75 | printf("\n"); | ||
76 | |||
77 | // network | ||
78 | network_test(); | ||
79 | printf("\n"); | ||
80 | |||
81 | // dbus | ||
82 | dbus_test(); | ||
83 | printf("\n"); | ||
84 | |||
85 | // x11 test | ||
86 | x11_test(); | ||
87 | printf("\n"); | ||
88 | |||
89 | // /dev test | ||
90 | dev_test(); | ||
91 | printf("\n"); | ||
92 | |||
93 | |||
94 | free(prog); | ||
95 | printf("--------------------------------------------------------------------------------\n"); | ||
96 | |||
97 | return 0; | ||
98 | } | ||
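--- a/src/faudit/network.c
+++ /dev/null
@@ -1,101 +0,0 @@
-/*
-* Copyright (C) 2014-2020 Firejail Authors
-*
-* This file is part of firejail project
-*
-* This program is free software; you can redistribute it and/or modify
-* it under the terms of the GNU General Public License as published by
-* the Free Software Foundation; either version 2 of the License, or
-* (at your option) any later version.
-*
-* This program is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-* GNU General Public License for more details.
-*
-* You should have received a copy of the GNU General Public License along
-* with this program; if not, write to the Free Software Foundation, Inc.,
-* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-#include <sys/socket.h>
-#include <arpa/inet.h>
-#include <linux/netlink.h>
-#include <linux/rtnetlink.h>
-
-static void check_ssh(void) {
-// open socket
-int sock = socket(AF_INET, SOCK_STREAM, 0);
-if (sock == -1) {
-printf("GOOD: SSH server not available on localhost.\n");
-return;
-}
-
-// connect to localhost
-struct sockaddr_in server;
-server.sin_addr.s_addr = inet_addr("127.0.0.1");
-server.sin_family = AF_INET;
-server.sin_port = htons(22);
-
-if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0)
-printf("GOOD: SSH server not available on localhost.\n");
-else {
-printf("MAYBE: an SSH server is accessible on localhost. ");
-printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
-}
-
-close(sock);
-}
-
-static void check_http(void) {
-// open socket
-int sock = socket(AF_INET, SOCK_STREAM, 0);
-if (sock == -1) {
-printf("GOOD: HTTP server not available on localhost.\n");
-return;
-}
-
-// connect to localhost
-struct sockaddr_in server;
-server.sin_addr.s_addr = inet_addr("127.0.0.1");
-server.sin_family = AF_INET;
-server.sin_port = htons(80);
-
-if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0)
-printf("GOOD: HTTP server not available on localhost.\n");
-else {
-printf("MAYBE: an HTTP server is accessible on localhost. ");
-printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
-}
-
-close(sock);
-}
-
-void check_netlink(void) {
-int sock = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, 0);
-if (sock == -1) {
-printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n");
-return;
-}
-
-struct sockaddr_nl local;
-memset(&local, 0, sizeof(local));
-local.nl_family = AF_NETLINK;
-local.nl_groups = 0; //subscriptions;
-
-if (bind(sock, (struct sockaddr*)&local, sizeof(local)) < 0) {
-printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n");
-close(sock);
-return;
-}
-
-close(sock);
-printf("MAYBE: I can connect to netlink socket. Network utilities such as iproute2 will work fine in the sandbox. ");
-printf("You can use \"--protocol\" to disable the socket.\n");
-}
-
-void network_test(void) {
-check_ssh();
-check_http();
-check_netlink();
-}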
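--- a/src/faudit/pid.c
+++ /dev/null
@@ -1,99 +0,0 @@
-/*
-* Copyright (C) 2014-2020 Firejail Authors
-*
-* This file is part of firejail project
-*
-* This program is free software; you can redistribute it and/or modify
-* it under the terms of the GNU General Public License as published by
-* the Free Software Foundation; either version 2 of the License, or
-* (at your option) any later version.
-*
-* This program is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-* GNU General Public License for more details.
-*
-* You should have received a copy of the GNU General Public License along
-* with this program; if not, write to the Free Software Foundation, Inc.,
-* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-
-void pid_test(void) {
-static char *kern_proc[] = {
-"kthreadd",
-"ksoftirqd",
-"kworker",
-"rcu_sched",
-"rcu_bh",
-NULL // NULL terminated list
-};
-int i;
-
-// look at the first 10 processes
-int not_visible = 1;
-for (i = 1; i <= 10; i++) {
-struct stat s;
-char *fname;
-if (asprintf(&fname, "/proc/%d/comm", i) == -1)
-errExit("asprintf");
-if (stat(fname, &s) == -1) {
-free(fname);
-continue;
-}
-
-// open file
-/* coverity[toctou] */
-FILE *fp = fopen(fname, "r");
-if (!fp) {
-free(fname);
-continue;
-}
-
-// read file
-char buf[100];
-if (fgets(buf, 10, fp) == NULL) {
-fclose(fp);
-free(fname);
-continue;
-}
-not_visible = 0;
-
-// clean /n
-char *ptr;
-if ((ptr = strchr(buf, '\n')) != NULL)
-*ptr = '\0';
-
-// check process name against the kernel list
-int j = 0;
-while (kern_proc[j] != NULL) {
-if (strncmp(buf, kern_proc[j], strlen(kern_proc[j])) == 0) {
-fclose(fp);
-free(fname);
-printf("BAD: Process %d is not running in a PID namespace. ", getpid());
-printf("Are you sure you're running in a sandbox?\n");
-return;
-}
-j++;
-}
-
-fclose(fp);
-free(fname);
-}
-
-pid_t pid = getpid();
-if (not_visible && pid > 100)
-printf("BAD: Process %d is not running in a PID namespace.\n", pid);
-else
-printf("GOOD: process %d is running in a PID namespace.\n", pid);
-
-// try to guess the type of container/sandbox
-char *str = getenv("container");
-if (str)
-printf("INFO: container/sandbox %s.\n", str);
-else {
-str = getenv("SNAP");
-if (str)
-printf("INFO: this is a snap package\n");
-}
-}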
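--- a/src/faudit/seccomp.c
+++ /dev/null
@@ -1,101 +0,0 @@
-/*
-* Copyright (C) 2014-2020 Firejail Authors
-*
-* This file is part of firejail project
-*
-* This program is free software; you can redistribute it and/or modify
-* it under the terms of the GNU General Public License as published by
-* the Free Software Foundation; either version 2 of the License, or
-* (at your option) any later version.
-*
-* This program is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-* GNU General Public License for more details.
-*
-* You should have received a copy of the GNU General Public License along
-* with this program; if not, write to the Free Software Foundation, Inc.,
-* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-
-#define MAXBUF 4098
-static int extract_seccomp(int *val) {
-FILE *fp = fopen("/proc/self/status", "r");
-if (!fp)
-return 1;
-
-char buf[MAXBUF];
-while (fgets(buf, MAXBUF, fp)) {
-if (strncmp(buf, "Seccomp:\t", 9) == 0) {
-char *ptr = buf + 9;
-int tmp;
-sscanf(ptr, "%d", &tmp);
-*val = tmp;
-fclose(fp);
-return 0;
-}
-}
-
-fclose(fp);
-return 1;
-}
-
-void seccomp_test(void) {
-int seccomp_status;
-int rv = extract_seccomp(&seccomp_status);
-
-if (rv) {
-printf("INFO: cannot extract seccomp configuration on this platform.\n");
-return;
-}
-
-if (seccomp_status == 0) {
-printf("BAD: seccomp disabled. Use \"firejail --seccomp\" to enable it.\n");
-}
-else if (seccomp_status == 1)
-printf("GOOD: seccomp strict mode - only read, write, _exit, and sigreturn are allowed.\n");
-else if (seccomp_status == 2) {
-printf("GOOD: seccomp BPF enabled.\n");
-
-printf("checking syscalls: "); fflush(0);
-printf("mount... "); fflush(0);
-syscall_run("mount");
-
-printf("umount2... "); fflush(0);
-syscall_run("umount2");
-
-printf("ptrace... "); fflush(0);
-syscall_run("ptrace");
-
-printf("swapon... "); fflush(0);
-syscall_run("swapon");
-
-printf("swapoff... "); fflush(0);
-syscall_run("swapoff");
-
-printf("init_module... "); fflush(0);
-syscall_run("init_module");
-
-printf("delete_module... "); fflush(0);
-syscall_run("delete_module");
-
-printf("chroot... "); fflush(0);
-syscall_run("chroot");
-
-printf("pivot_root... "); fflush(0);
-syscall_run("pivot_root");
-
-#if defined(__i386__) || defined(__x86_64__)
-printf("iopl... "); fflush(0);
-syscall_run("iopl");
-
-printf("ioperm... "); fflush(0);
-syscall_run("ioperm");
-#endif
-printf("\n");
-}
-else
-fprintf(stderr, "Error: unrecognized seccomp mode\n");
-
-}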
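--- a/src/faudit/syscall.c
+++ /dev/null
@@ -1,105 +0,0 @@
-/*
-* Copyright (C) 2014-2020 Firejail Authors
-*
-* This file is part of firejail project
-*
-* This program is free software; you can redistribute it and/or modify
-* it under the terms of the GNU General Public License as published by
-* the Free Software Foundation; either version 2 of the License, or
-* (at your option) any later version.
-*
-* This program is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-* GNU General Public License for more details.
-*
-* You should have received a copy of the GNU General Public License along
-* with this program; if not, write to the Free Software Foundation, Inc.,
-* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-#include <sys/ptrace.h>
-#include <sys/swap.h>
-#if defined(__i386__) || defined(__x86_64__)
-#include <sys/io.h>
-#endif
-#include <sys/wait.h>
-extern int init_module(void *module_image, unsigned long len,
-const char *param_values);
-extern int finit_module(int fd, const char *param_values,
-int flags);
-extern int delete_module(const char *name, int flags);
-extern int pivot_root(const char *new_root, const char *put_old);
-
-void syscall_helper(int argc, char **argv) {
-(void) argc;
-
-if (argc < 3)
-return;
-
-if (strcmp(argv[2], "mount") == 0) {
-int rv = mount(NULL, NULL, NULL, 0, NULL);
-(void) rv;
-printf("\nUGLY: mount syscall permitted.\n");
-}
-else if (strcmp(argv[2], "umount2") == 0) {
-umount2(NULL, 0);
-printf("\nUGLY: umount2 syscall permitted.\n");
-}
-else if (strcmp(argv[2], "ptrace") == 0) {
-ptrace(0, 0, NULL, NULL);
-printf("\nUGLY: ptrace syscall permitted.\n");
-}
-else if (strcmp(argv[2], "swapon") == 0) {
-swapon(NULL, 0);
-printf("\nUGLY: swapon syscall permitted.\n");
-}
-else if (strcmp(argv[2], "swapoff") == 0) {
-swapoff(NULL);
-printf("\nUGLY: swapoff syscall permitted.\n");
-}
-else if (strcmp(argv[2], "init_module") == 0) {
-init_module(NULL, 0, NULL);
-printf("\nUGLY: init_module syscall permitted.\n");
-}
-else if (strcmp(argv[2], "delete_module") == 0) {
-delete_module(NULL, 0);
-printf("\nUGLY: delete_module syscall permitted.\n");
-}
-else if (strcmp(argv[2], "chroot") == 0) {
-int rv = chroot("/blablabla-57281292");
-(void) rv;
-printf("\nUGLY: chroot syscall permitted.\n");
-}
-else if (strcmp(argv[2], "pivot_root") == 0) {
-pivot_root(NULL, NULL);
-printf("\nUGLY: pivot_root syscall permitted.\n");
-}
-#if defined(__i386__) || defined(__x86_64__)
-else if (strcmp(argv[2], "iopl") == 0) {
-iopl(0L);
-printf("\nUGLY: iopl syscall permitted.\n");
-}
-else if (strcmp(argv[2], "ioperm") == 0) {
-ioperm(0, 0, 0);
-printf("\nUGLY: ioperm syscall permitted.\n");
-}
-#endif
-exit(0);
-}
-
-void syscall_run(const char *name) {
-assert(prog);
-
-pid_t child = fork();
-if (child < 0)
-errExit("fork");
-if (child == 0) {
-execl(prog, prog, "syscall", name, NULL);
-perror("execl");
-_exit(1);
-}
-
-// wait for the child to finish
-waitpid(child, NULL, 0);
-}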
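--- a/src/faudit/x11.c
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
-* Copyright (C) 2014-2020 Firejail Authors
-*
-* This file is part of firejail project
-*
-* This program is free software; you can redistribute it and/or modify
-* it under the terms of the GNU General Public License as published by
-* the Free Software Foundation; either version 2 of the License, or
-* (at your option) any later version.
-*
-* This program is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-* GNU General Public License for more details.
-*
-* You should have received a copy of the GNU General Public License along
-* with this program; if not, write to the Free Software Foundation, Inc.,
-* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-#include <sys/socket.h>
-#include <dirent.h>
-
-
-void x11_test(void) {
-// check regular display 0 sockets
-if (check_unix("/tmp/.X11-unix/X0") == 0)
-printf("MAYBE: X11 socket /tmp/.X11-unix/X0 is available\n");
-
-if (check_unix("@/tmp/.X11-unix/X0") == 0)
-printf("MAYBE: X11 socket @/tmp/.X11-unix/X0 is available\n");
-
-// check all unix sockets in /tmp/.X11-unix directory
-DIR *dir;
-if (!(dir = opendir("/tmp/.X11-unix"))) {
-// sleep 2 seconds and try again
-sleep(2);
-if (!(dir = opendir("/tmp/.X11-unix"))) {
-;
-}
-}
-
-if (dir == NULL)
-printf("GOOD: cannot open /tmp/.X11-unix directory\n");
-else {
-struct dirent *entry;
-while ((entry = readdir(dir)) != NULL) {
-if (strcmp(entry->d_name, "X0") == 0)
-continue;
-if (strcmp(entry->d_name, ".") == 0)
-continue;
-if (strcmp(entry->d_name, "..") == 0)
-continue;
-char *name;
-if (asprintf(&name, "/tmp/.X11-unix/%s", entry->d_name) == -1)
-errExit("asprintf");
-if (check_unix(name) == 0)
-printf("MAYBE: X11 socket %s is available\n", name);
-free(name);
-}
-closedir(dir);
-}
-}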
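--- a/src/fbuilder/Makefile.in
+++ b/src/fbuilder/Makefile.in
@@ -1,3 +1,4 @@
+.PHONY: all
 all: fbuilder
 
 include ../common.mk
@@ -8,7 +9,9 @@ include ../common.mk
 fbuilder: $(OBJS)
 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
 
+.PHONY: clean
 clean:; rm -fr *.o fbuilder *.gcov *.gcda *.gcno *.plist
 
+.PHONY: distclean
 distclean: clean
 rm -fr Makefile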
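--- a/src/fbuilder/build_bin.c
+++ b/src/fbuilder/build_bin.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2020 Firejail Authors
+* Copyright (C) 2014-2021 Firejail Authors
 *
 * This file is part of firejail project
 *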
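--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2020 Firejail Authors
+* Copyright (C) 2014-2021 Firejail Authors
 *
 * This file is part of firejail project
 *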
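--- a/src/fbuilder/build_home.c
+++ b/src/fbuilder/build_home.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2020 Firejail Authors
+* Copyright (C) 2014-2021 Firejail Authors
 *
 * This file is part of firejail project
 *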
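--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2020 Firejail Authors
+* Copyright (C) 2014-2021 Firejail Authors
 *
 * This file is part of firejail project
 *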
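--- a/src/fbuilder/build_seccomp.c
+++ b/src/fbuilder/build_seccomp.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2020 Firejail Authors
+* Copyright (C) 2014-2021 Firejail Authors
 *
 * This file is part of firejail project
 *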
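--- a/src/fbuilder/fbuilder.h
+++ b/src/fbuilder/fbuilder.h
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2020 Firejail Authors
+* Copyright (C) 2014-2021 Firejail Authors
 *
 * This file is part of firejail project
 *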
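--- a/src/fbuilder/filedb.c
+++ b/src/fbuilder/filedb.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2020 Firejail Authors
+* Copyright (C) 2014-2021 Firejail Authors
 *
 * This file is part of firejail project
 *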
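--- a/src/fbuilder/main.c
+++ b/src/fbuilder/main.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2020 Firejail Authors
+* Copyright (C) 2014-2021 Firejail Authors
 *
 * This file is part of firejail project
 *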
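--- a/src/fbuilder/utils.c
+++ b/src/fbuilder/utils.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2020 Firejail Authors
+* Copyright (C) 2014-2021 Firejail Authors
 *
 * This file is part of firejail project
 *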
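--- a/src/fcopy/Makefile.in
+++ b/src/fcopy/Makefile.in
@@ -1,3 +1,4 @@
+.PHONY: all
 all: fcopy
 
 include ../common.mk
@@ -8,7 +9,9 @@ include ../common.mk
 fcopy: $(OBJS) ../lib/common.o
 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
 
+.PHONY: clean
 clean:; rm -fr *.o fcopy *.gcov *.gcda *.gcno *.plist
 
+.PHONY: distclean
 distclean: clean
 rm -fr Makefile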
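--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2020 Firejail Authors
+* Copyright (C) 2014-2021 Firejail Authors
 *
 * This file is part of firejail project
 *
@@ -51,8 +51,9 @@ static int selinux_enabled = -1;
 #endif
 
 // copy from firejail/selinux.c
-static void selinux_relabel_path(const char *path, const char *inside_path)
-{
+static void selinux_relabel_path(const char *path, const char *inside_path) {
+assert(path);
+assert(inside_path);
 #if HAVE_SELINUX
 char procfs_path[64];
 char *fcon = NULL;
@@ -172,6 +173,51 @@ static void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) {
 }
 }
 
+static char *proc_pid_to_self(const char *target) {
+assert(target);
+char *use_target = 0;
+char *proc_pid = 0;
+
+if (!(use_target = realpath(target, NULL)))
+goto done;
+
+// target is under /proc/<PID>?
+static const char proc[] = "/proc/";
+if (strncmp(use_target, proc, sizeof(proc) - 1))
+goto done;
+
+int digit = use_target[sizeof(proc) - 1];
+if (digit < '1' || digit > '9')
+goto done;
+
+// check where /proc/self points to
+static const char proc_self[] = "/proc/self";
+if (!(proc_pid = realpath(proc_self, NULL)))
+goto done;
+
+// redirect /proc/PID/xxx -> /proc/self/XXX
+size_t pfix = strlen(proc_pid);
+if (strncmp(use_target, proc_pid, pfix))
+goto done;
+
+if (use_target[pfix] != 0 && use_target[pfix] != '/')
+goto done;
+
+char *tmp;
+if (asprintf(&tmp, "%s%s", proc_self, use_target + pfix) != -1) {
+if (arg_debug)
+fprintf(stderr, "SYMLINK %s\n --> %s\n", use_target, tmp);
+free(use_target);
+use_target = tmp;
+}
+else
+errExit("asprintf");
+
+done:
+if (proc_pid)
+free(proc_pid);
+return use_target;
+}
 
 void copy_link(const char *target, const char *linkpath, mode_t mode, uid_t uid, gid_t gid) {
 (void) mode;
@@ -183,7 +229,7 @@ void copy_link(const char *target, const char *linkpath, mode_t mode, uid_t uid,
 if (lstat(linkpath, &s) == 0)
 return;
 
-char *rp = realpath(target, NULL);
+char *rp = proc_pid_to_self(target);
 if (rp) {
 if (symlink(rp, linkpath) == -1) {
 free(rp);
@@ -227,16 +273,14 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str
 first = 0;
 else if (!arg_quiet)
 fprintf(stderr, "Warning fcopy: skipping %s, file already present\n", infname);
-free(outfname);
-return 0;
+goto out;
 }
 
 // extract mode and ownership
 if (stat(infname, &s) != 0) {
 if (!arg_quiet)
 fprintf(stderr, "Warning fcopy: skipping %s, cannot find inode\n", infname);
-free(outfname);
-return 0;
+goto out;
 }
 uid_t uid = s.st_uid;
 gid_t gid = s.st_gid;
@@ -246,8 +290,7 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str
 if ((s.st_size + size_cnt) > copy_limit) {
 fprintf(stderr, "Error fcopy: size limit of %lu MB reached\n", (copy_limit / 1024) / 1024);
 size_limit_reached = 1;
-free(outfname);
-return 0;
+goto out;
 }
 
 file_cnt++;
@@ -262,7 +305,8 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str
 else if (ftype == FTW_SL) {
 copy_link(infname, outfname, mode, uid, gid);
 }
-
+out:
+free(outfname);
 return(0);
 }
 
@@ -295,6 +339,7 @@ static char *check(const char *src) {
 return rsrc; // normal exit from the function
 
 errexit:
+free(rsrc);
 fprintf(stderr, "Error fcopy: invalid file %s\n", src);
 exit(1);
 }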
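Review bot: proc_pid_to_self() (new lines 176-220) has no comment stating its contract, although copy_link() now takes its symlink target from it. I would add above the definition `// Resolve target with realpath(); if the result lies under this process's own /proc/<PID>, return it rewritten to /proc/self/...` and `// Returns a malloc'd string the caller must free, or NULL if realpath(target) fails.` The prefix comparison against realpath("/proc/self") means a target under a different PID's /proc directory is returned unchanged, so the copied link keeps an absolute /proc/<PID> path; whether that is intended is not visible here and is worth stating in the same comment. In the cleanup, `if (proc_pid) free(proc_pid);` can be just `free(proc_pid);`, since free(NULL) is a no-op.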
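--- a/src/firecfg/Makefile.in
+++ b/src/firecfg/Makefile.in
@@ -1,3 +1,4 @@
+.PHONY: all
 all: firecfg
 
 include ../common.mk
@@ -8,7 +9,9 @@ include ../common.mk
 firecfg: $(OBJS) ../lib/common.o ../lib/firejail_user.o
 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/firejail_user.o $(LIBS) $(EXTRA_LDFLAGS)
 
+.PHONY: clean
 clean:; rm -fr *.o firecfg *.gcov *.gcda *.gcno *.plist
 
+.PHONY: distclean
 distclean: clean
 rm -fr Makefile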
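--- a/src/firecfg/desktop_files.c
+++ b/src/firecfg/desktop_files.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2020 Firejail Authors
+* Copyright (C) 2014-2021 Firejail Authors
 *
 * This file is part of firejail project
 *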
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index d056d0654..6cef32249 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -20,7 +20,9 @@ Maelstrom | |||
20 | Maps | 20 | Maps |
21 | Mathematica | 21 | Mathematica |
22 | Natron | 22 | Natron |
23 | PCSX2 | ||
23 | PPSSPPQt | 24 | PPSSPPQt |
25 | PPSSPPSDL | ||
24 | QMediathekView | 26 | QMediathekView |
25 | QOwnNotes | 27 | QOwnNotes |
26 | Screenshot | 28 | Screenshot |
@@ -77,6 +79,7 @@ balsa | |||
77 | baobab | 79 | baobab |
78 | barrier | 80 | barrier |
79 | basilisk | 81 | basilisk |
82 | bcompare | ||
80 | beaker | 83 | beaker |
81 | bibletime | 84 | bibletime |
82 | bijiben | 85 | bijiben |
@@ -146,6 +149,7 @@ cola | |||
146 | com.github.bleakgrey.tootle | 149 | com.github.bleakgrey.tootle |
147 | com.github.dahenson.agenda | 150 | com.github.dahenson.agenda |
148 | com.github.johnfactotum.Foliate | 151 | com.github.johnfactotum.Foliate |
152 | com.github.phase1geo.minder | ||
149 | com.gitlab.newsflash | 153 | com.gitlab.newsflash |
150 | conkeror | 154 | conkeror |
151 | conky | 155 | conky |
@@ -191,6 +195,10 @@ dropbox | |||
191 | d-feet | 195 | d-feet |
192 | easystroke | 196 | easystroke |
193 | ebook-viewer | 197 | ebook-viewer |
198 | ebook-convert | ||
199 | ebook-edit | ||
200 | ebook-meta | ||
201 | ebook-polish | ||
194 | electron-mail | 202 | electron-mail |
195 | electrum | 203 | electrum |
196 | element-desktop | 204 | element-desktop |
@@ -375,6 +383,8 @@ impressive | |||
375 | inkscape | 383 | inkscape |
376 | inkview | 384 | inkview |
377 | inox | 385 | inox |
386 | ipcalc | ||
387 | ipcalc-ng | ||
378 | iridium | 388 | iridium |
379 | iridium-browser | 389 | iridium-browser |
380 | jd-gui | 390 | jd-gui |
@@ -458,7 +468,7 @@ lynx | |||
458 | lyx | 468 | lyx |
459 | macrofusion | 469 | macrofusion |
460 | magicor | 470 | magicor |
461 | # man | 471 | man |
462 | manaplus | 472 | manaplus |
463 | marker | 473 | marker |
464 | masterpdfeditor | 474 | masterpdfeditor |
@@ -547,6 +557,8 @@ neverputt | |||
547 | newsbeuter | 557 | newsbeuter |
548 | newsboat | 558 | newsboat |
549 | newsflash | 559 | newsflash |
560 | nextcloud | ||
561 | nextcloud-desktop | ||
550 | nheko | 562 | nheko |
551 | nicotine | 563 | nicotine |
552 | nitroshare | 564 | nitroshare |
@@ -573,6 +585,8 @@ openarena | |||
573 | openarena_ded | 585 | openarena_ded |
574 | opencity | 586 | opencity |
575 | openclonk | 587 | openclonk |
588 | openmw | ||
589 | openmw-launcher | ||
576 | openoffice.org | 590 | openoffice.org |
577 | openshot | 591 | openshot |
578 | openshot-qt | 592 | openshot-qt |
@@ -589,6 +603,7 @@ parole | |||
589 | patch | 603 | patch |
590 | pavucontrol | 604 | pavucontrol |
591 | pavucontrol-qt | 605 | pavucontrol-qt |
606 | pcsxr | ||
592 | pdfchain | 607 | pdfchain |
593 | pdfmod | 608 | pdfmod |
594 | pdfsam | 609 | pdfsam |
@@ -803,6 +818,8 @@ vivaldi-snapshot | |||
803 | vivaldi-stable | 818 | vivaldi-stable |
804 | vlc | 819 | vlc |
805 | vmware | 820 | vmware |
821 | vmware-player | ||
822 | vmware-workstation | ||
806 | vscodium | 823 | vscodium |
807 | vulturesclaw | 824 | vulturesclaw |
808 | vultureseye | 825 | vultureseye |
@@ -864,6 +881,7 @@ yandex-browser | |||
864 | yelp | 881 | yelp |
865 | youtube | 882 | youtube |
866 | youtube-dl | 883 | youtube-dl |
884 | youtube-dl-gui | ||
867 | youtube-viewer | 885 | youtube-viewer |
868 | youtubemusic-nativefier | 886 | youtubemusic-nativefier |
869 | ytmdesktop | 887 | ytmdesktop |
diff --git a/src/firecfg/firecfg.h b/src/firecfg/firecfg.h index 4dfc4194e..15826cf37 100644 --- a/src/firecfg/firecfg.h +++ b/src/firecfg/firecfg.h | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firecfg/main.c b/src/firecfg/main.c index 0e520b0f1..363000e15 100644 --- a/src/firecfg/main.c +++ b/src/firecfg/main.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firecfg/sound.c b/src/firecfg/sound.c index e7670c94c..e3fcdbd83 100644 --- a/src/firecfg/sound.c +++ b/src/firecfg/sound.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firecfg/util.c b/src/firecfg/util.c index b46da0be3..14d90b549 100644 --- a/src/firecfg/util.c +++ b/src/firecfg/util.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in index b9bf13b9c..793d2cdd1 100644 --- a/src/firejail/Makefile.in +++ b/src/firejail/Makefile.in | |||
@@ -1,3 +1,4 @@ | |||
1 | .PHONY: all | ||
1 | all: firejail | 2 | all: firejail |
2 | 3 | ||
3 | include ../common.mk | 4 | include ../common.mk |
@@ -8,7 +9,9 @@ include ../common.mk | |||
8 | firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o ../lib/errno.o ../lib/syscall.o | 9 | firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o ../lib/errno.o ../lib/syscall.o |
9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS) | 10 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS) |
10 | 11 | ||
12 | .PHONY: clean | ||
11 | clean:; rm -fr *.o firejail *.gcov *.gcda *.gcno *.plist | 13 | clean:; rm -fr *.o firejail *.gcov *.gcda *.gcno *.plist |
12 | 14 | ||
15 | .PHONY: distclean | ||
13 | distclean: clean | 16 | distclean: clean |
14 | rm -fr Makefile | 17 | rm -fr Makefile |
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index dd94b9921..59758bf2d 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -29,7 +29,7 @@ | |||
29 | #include <errno.h> | 29 | #include <errno.h> |
30 | 30 | ||
31 | static char *devloop = NULL; // device file | 31 | static char *devloop = NULL; // device file |
32 | static char *mntdir = NULL; // mount point in /tmp directory | 32 | static long unsigned size = 0; // offset into appimage file |
33 | 33 | ||
34 | #ifdef LOOP_CTL_GET_FREE // test for older kernels; this definition is found in /usr/include/linux/loop.h | 34 | #ifdef LOOP_CTL_GET_FREE // test for older kernels; this definition is found in /usr/include/linux/loop.h |
35 | static void err_loop(void) { | 35 | static void err_loop(void) { |
@@ -44,27 +44,27 @@ void appimage_set(const char *appimage) { | |||
44 | EUID_ASSERT(); | 44 | EUID_ASSERT(); |
45 | 45 | ||
46 | #ifdef LOOP_CTL_GET_FREE | 46 | #ifdef LOOP_CTL_GET_FREE |
47 | // check appimage file | 47 | // open appimage file |
48 | invalid_filename(appimage, 0); // no globbing | 48 | invalid_filename(appimage, 0); // no globbing |
49 | if (access(appimage, R_OK) == -1) { | 49 | int ffd = open(appimage, O_RDONLY|O_CLOEXEC); |
50 | fprintf(stderr, "Error: cannot access AppImage file\n"); | 50 | if (ffd == -1) { |
51 | fprintf(stderr, "Error: cannot read AppImage file\n"); | ||
52 | exit(1); | ||
53 | } | ||
54 | struct stat s; | ||
55 | if (fstat(ffd, &s) == -1) | ||
56 | errExit("fstat"); | ||
57 | if (!S_ISREG(s.st_mode)) { | ||
58 | fprintf(stderr, "Error: invalid AppImage file\n"); | ||
51 | exit(1); | 59 | exit(1); |
52 | } | 60 | } |
53 | 61 | ||
54 | // get appimage type and ELF size | 62 | // get appimage type and ELF size |
55 | // a value of 0 means we are dealing with a type1 appimage | 63 | // a value of 0 means we are dealing with a type1 appimage |
56 | long unsigned int size = appimage2_size(appimage); | 64 | size = appimage2_size(ffd); |
57 | if (arg_debug) | 65 | if (arg_debug) |
58 | printf("AppImage ELF size %lu\n", size); | 66 | printf("AppImage ELF size %lu\n", size); |
59 | 67 | ||
60 | // open appimage file | ||
61 | /* coverity[toctou] */ | ||
62 | int ffd = open(appimage, O_RDONLY|O_CLOEXEC); | ||
63 | if (ffd == -1) { | ||
64 | fprintf(stderr, "Error: cannot open AppImage file\n"); | ||
65 | exit(1); | ||
66 | } | ||
67 | |||
68 | // find or allocate a free loop device to use | 68 | // find or allocate a free loop device to use |
69 | EUID_ROOT(); | 69 | EUID_ROOT(); |
70 | int cfd = open("/dev/loop-control", O_RDWR); | 70 | int cfd = open("/dev/loop-control", O_RDWR); |
@@ -77,6 +77,7 @@ void appimage_set(const char *appimage) { | |||
77 | if (asprintf(&devloop, "/dev/loop%d", devnr) == -1) | 77 | if (asprintf(&devloop, "/dev/loop%d", devnr) == -1) |
78 | errExit("asprintf"); | 78 | errExit("asprintf"); |
79 | 79 | ||
80 | // associate loop device with appimage | ||
80 | int lfd = open(devloop, O_RDONLY); | 81 | int lfd = open(devloop, O_RDONLY); |
81 | if (lfd == -1) | 82 | if (lfd == -1) |
82 | err_loop(); | 83 | err_loop(); |
@@ -90,64 +91,24 @@ void appimage_set(const char *appimage) { | |||
90 | if (ioctl(lfd, LOOP_SET_STATUS64, &info) == -1) | 91 | if (ioctl(lfd, LOOP_SET_STATUS64, &info) == -1) |
91 | err_loop(); | 92 | err_loop(); |
92 | } | 93 | } |
93 | |||
94 | close(lfd); | 94 | close(lfd); |
95 | close(ffd); | 95 | close(ffd); |
96 | EUID_USER(); | 96 | EUID_USER(); |
97 | 97 | ||
98 | // creates appimage mount point perms 0700 | 98 | // set environment |
99 | if (asprintf(&mntdir, "%s/.appimage-%u", RUN_FIREJAIL_APPIMAGE_DIR, getpid()) == -1) | ||
100 | errExit("asprintf"); | ||
101 | EUID_ROOT(); | ||
102 | mkdir_attr(mntdir, 0700, getuid(), getgid()); | ||
103 | EUID_USER(); | ||
104 | |||
105 | // mount | ||
106 | char *mode; | ||
107 | if (asprintf(&mode, "mode=700,uid=%d,gid=%d", getuid(), getgid()) == -1) | ||
108 | errExit("asprintf"); | ||
109 | unsigned long flags = MS_MGC_VAL|MS_RDONLY; | ||
110 | if (getuid()) | ||
111 | flags |= MS_NODEV|MS_NOSUID; | ||
112 | |||
113 | EUID_ROOT(); | ||
114 | if (size == 0) { | ||
115 | fmessage("Mounting appimage type 1\n"); | ||
116 | if (mount(devloop, mntdir, "iso9660", flags, mode) < 0) | ||
117 | errExit("mounting appimage"); | ||
118 | } | ||
119 | else { | ||
120 | fmessage("Mounting appimage type 2\n"); | ||
121 | if (mount(devloop, mntdir, "squashfs", flags, NULL) < 0) | ||
122 | errExit("mounting appimage"); | ||
123 | } | ||
124 | |||
125 | if (arg_debug) | ||
126 | printf("appimage mounted on %s\n", mntdir); | ||
127 | EUID_USER(); | ||
128 | |||
129 | char* abspath = realpath(appimage, NULL); | 99 | char* abspath = realpath(appimage, NULL); |
130 | if (abspath == NULL) | 100 | if (abspath == NULL) |
131 | errExit("Failed to obtain absolute path"); | 101 | errExit("Failed to obtain absolute path"); |
132 | |||
133 | // set environment | ||
134 | env_store_name_val("APPIMAGE", abspath, SETENV); | 102 | env_store_name_val("APPIMAGE", abspath, SETENV); |
103 | free(abspath); | ||
135 | 104 | ||
136 | if (mntdir) | 105 | env_store_name_val("APPDIR", RUN_FIREJAIL_APPIMAGE_DIR, SETENV); |
137 | env_store_name_val("APPDIR", mntdir, SETENV); | ||
138 | 106 | ||
139 | if (size != 0) | 107 | if (size != 0) |
140 | env_store_name_val("ARGV0", appimage, SETENV); | 108 | env_store_name_val("ARGV0", appimage, SETENV); |
141 | 109 | ||
142 | if (cfg.cwd) | 110 | if (cfg.cwd) |
143 | env_store_name_val("OWD", cfg.cwd, SETENV); | 111 | env_store_name_val("OWD", cfg.cwd, SETENV); |
144 | |||
145 | // build new command line | ||
146 | if (asprintf(&cfg.command_line, "%s/AppRun", mntdir) == -1) | ||
147 | errExit("asprintf"); | ||
148 | |||
149 | free(abspath); | ||
150 | free(mode); | ||
151 | #ifdef HAVE_GCOV | 112 | #ifdef HAVE_GCOV |
152 | __gcov_flush(); | 113 | __gcov_flush(); |
153 | #endif | 114 | #endif |
@@ -157,44 +118,38 @@ void appimage_set(const char *appimage) { | |||
157 | #endif | 118 | #endif |
158 | } | 119 | } |
159 | 120 | ||
160 | void appimage_clear(void) { | 121 | // mount appimage into sandbox file system |
161 | int rv; | 122 | void appimage_mount(void) { |
123 | if (!devloop) | ||
124 | return; | ||
162 | 125 | ||
163 | EUID_ROOT(); | 126 | unsigned long flags = MS_MGC_VAL|MS_RDONLY; |
164 | if (mntdir) { | 127 | if (getuid()) |
165 | int i; | 128 | flags |= MS_NODEV|MS_NOSUID; |
166 | int rv = 0; | ||
167 | for (i = 0; i < 5; i++) { | ||
168 | rv = umount2(mntdir, MNT_FORCE); | ||
169 | if (rv == 0) { | ||
170 | fmessage("AppImage unmounted\n"); | ||
171 | |||
172 | break; | ||
173 | } | ||
174 | if (rv == -1 && errno == EBUSY) { | ||
175 | fwarning("EBUSY error trying to unmount %s\n", mntdir); | ||
176 | sleep(2); | ||
177 | continue; | ||
178 | } | ||
179 | |||
180 | // rv = -1 | ||
181 | if (!arg_quiet) { | ||
182 | fwarning("error trying to unmount %s\n", mntdir); | ||
183 | perror("umount"); | ||
184 | } | ||
185 | } | ||
186 | 129 | ||
187 | if (rv == 0) { | 130 | if (size == 0) { |
188 | rmdir(mntdir); | 131 | fmessage("Mounting appimage type 1\n"); |
189 | free(mntdir); | 132 | char *mode; |
190 | } | 133 | if (asprintf(&mode, "mode=700,uid=%d,gid=%d", getuid(), getgid()) == -1) |
134 | errExit("asprintf"); | ||
135 | if (mount(devloop, RUN_FIREJAIL_APPIMAGE_DIR, "iso9660", flags, mode) < 0) | ||
136 | errExit("mounting appimage"); | ||
137 | free(mode); | ||
191 | } | 138 | } |
139 | else { | ||
140 | fmessage("Mounting appimage type 2\n"); | ||
141 | if (mount(devloop, RUN_FIREJAIL_APPIMAGE_DIR, "squashfs", flags, NULL) < 0) | ||
142 | errExit("mounting appimage"); | ||
143 | } | ||
144 | } | ||
192 | 145 | ||
146 | void appimage_clear(void) { | ||
147 | EUID_ROOT(); | ||
193 | if (devloop) { | 148 | if (devloop) { |
194 | int lfd = open(devloop, O_RDONLY); | 149 | int lfd = open(devloop, O_RDONLY); |
195 | if (lfd != -1) { | 150 | if (lfd != -1) { |
196 | rv = ioctl(lfd, LOOP_CLR_FD, 0); | 151 | if (ioctl(lfd, LOOP_CLR_FD, 0) != -1) |
197 | (void) rv; | 152 | fmessage("AppImage detached\n"); |
198 | close(lfd); | 153 | close(lfd); |
199 | } | 154 | } |
200 | } | 155 | } |
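Review bot: appimage_mount() calls mount() with no EUID_ROOT() bracket, whereas the removed code in appimage_set() raised privileges immediately before mounting, so the new function depends on its caller's effective uid and on RUN_FIREJAIL_APPIMAGE_DIR already existing. Neither precondition is written down; I would put `// must be called as root from the sandbox setup, after appimage_set(); RUN_FIREJAIL_APPIMAGE_DIR must exist` above the definition, after confirming it against the call site, which is not in this section. The file-scope `size` now carries state from appimage_set() to appimage_mount(), and 0 means both "type 1 image" and "appimage2_size() returned an error", so a corrupt type 2 file takes the iso9660 branch; a comment on the declaration should say so. The body of appimage_clear() continues past the end of this hunk.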
diff --git a/src/firejail/appimage_size.c b/src/firejail/appimage_size.c index a58f9a8ca..43ca501da 100644 --- a/src/firejail/appimage_size.c +++ b/src/firejail/appimage_size.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -132,22 +132,20 @@ static long unsigned int read_elf64(int fd) { | |||
132 | 132 | ||
133 | // return 0 if error | 133 | // return 0 if error |
134 | // return 0 if this is not an appimgage2 file | 134 | // return 0 if this is not an appimgage2 file |
135 | long unsigned int appimage2_size(const char *fname) { | 135 | long unsigned int appimage2_size(int fd) { |
136 | ssize_t ret; | 136 | ssize_t ret; |
137 | int fd; | ||
138 | long unsigned int size = 0; | 137 | long unsigned int size = 0; |
139 | 138 | ||
140 | fd = open(fname, O_RDONLY); | ||
141 | if (fd < 0) | 139 | if (fd < 0) |
142 | return 0; | 140 | return 0; |
143 | 141 | ||
144 | ret = pread(fd, ehdr.e_ident, EI_NIDENT, 0); | 142 | ret = pread(fd, ehdr.e_ident, EI_NIDENT, 0); |
145 | if (ret != EI_NIDENT) | 143 | if (ret != EI_NIDENT) |
146 | goto getout; | 144 | return 0; |
147 | 145 | ||
148 | if ((ehdr.e_ident[EI_DATA] != ELFDATA2LSB) && | 146 | if ((ehdr.e_ident[EI_DATA] != ELFDATA2LSB) && |
149 | (ehdr.e_ident[EI_DATA] != ELFDATA2MSB)) | 147 | (ehdr.e_ident[EI_DATA] != ELFDATA2MSB)) |
150 | goto getout; | 148 | return 0; |
151 | 149 | ||
152 | if(ehdr.e_ident[EI_CLASS] == ELFCLASS32) { | 150 | if(ehdr.e_ident[EI_CLASS] == ELFCLASS32) { |
153 | size = read_elf32(fd); | 151 | size = read_elf32(fd); |
@@ -156,23 +154,19 @@ long unsigned int appimage2_size(const char *fname) { | |||
156 | size = read_elf64(fd); | 154 | size = read_elf64(fd); |
157 | } | 155 | } |
158 | else { | 156 | else { |
159 | goto getout; | 157 | return 0; |
160 | } | 158 | } |
161 | if (size == 0) | 159 | if (size == 0) |
162 | goto getout; | 160 | return 0; |
163 | 161 | ||
164 | 162 | ||
165 | // look for a LZMA header at this location | 163 | // look for a LZMA header at this location |
166 | unsigned char buf[4]; | 164 | unsigned char buf[4]; |
167 | ret = pread(fd, buf, 4, size); | 165 | ret = pread(fd, buf, 4, size); |
168 | if (ret != 4) { | 166 | if (ret != 4) |
169 | size = 0; | 167 | return 0; |
170 | goto getout; | ||
171 | } | ||
172 | if (memcmp(buf, "hsqs", 4) != 0) | 168 | if (memcmp(buf, "hsqs", 4) != 0) |
173 | size = 0; | 169 | return 0; |
174 | 170 | ||
175 | getout: | ||
176 | close(fd); | ||
177 | return size; | 171 | return size; |
178 | } | 172 | } |
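Review bot: appimage2_size() now borrows the caller's descriptor, but the comment above it still lists only the two "return 0" cases, so the ownership change is undocumented. I would add `// fd stays open and is owned by the caller; it is never closed here`, and mention that only pread() is used if read_elf32()/read_elf64(), which are outside these hunks, do the same. The context comment `// look for a LZMA header at this location` sits above a comparison with "hsqs", and that comparison decides whether the file is treated as type 2, so the comment should name the magic that is actually tested.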
diff --git a/src/firejail/arp.c b/src/firejail/arp.c index 69d872110..1e9641097 100644 --- a/src/firejail/arp.c +++ b/src/firejail/arp.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c index 6fd0b53ef..1c952c0bc 100644 --- a/src/firejail/bandwidth.c +++ b/src/firejail/bandwidth.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/caps.c b/src/firejail/caps.c index b89e3009a..597f9915b 100644 --- a/src/firejail/caps.c +++ b/src/firejail/caps.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -162,6 +162,21 @@ static CapsEntry capslist[] = { | |||
162 | #else | 162 | #else |
163 | {"audit_read", 37 }, | 163 | {"audit_read", 37 }, |
164 | #endif | 164 | #endif |
165 | #ifdef CAP_PERFMON | ||
166 | {"perfmon", CAP_PERFMON }, | ||
167 | #else | ||
168 | {"perfmon", 38 }, | ||
169 | #endif | ||
170 | #ifdef CAP_BPF | ||
171 | {"bpf", CAP_BPF }, | ||
172 | #else | ||
173 | {"bpf", 39 }, | ||
174 | #endif | ||
175 | #ifdef CAP_CHECKPOINT_RESTORE | ||
176 | {"checkpoint_restore", CAP_CHECKPOINT_RESTORE }, | ||
177 | #else | ||
178 | {"checkpoint_restore", 40 }, | ||
179 | #endif | ||
165 | 180 | ||
166 | // | 181 | // |
167 | // end of generated code | 182 | // end of generated code |
diff --git a/src/firejail/cgroup.c b/src/firejail/cgroup.c index 30cd96c42..986b1157d 100644 --- a/src/firejail/cgroup.c +++ b/src/firejail/cgroup.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index fb2171a55..e1613b325 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -269,6 +269,14 @@ errout: | |||
269 | 269 | ||
270 | void print_compiletime_support(void) { | 270 | void print_compiletime_support(void) { |
271 | printf("Compile time support:\n"); | 271 | printf("Compile time support:\n"); |
272 | printf("\t- Always force nonewprivs support is %s\n", | ||
273 | #ifdef HAVE_FORCE_NONEWPRIVS | ||
274 | "enabled" | ||
275 | #else | ||
276 | "disabled" | ||
277 | #endif | ||
278 | ); | ||
279 | |||
272 | printf("\t- AppArmor support is %s\n", | 280 | printf("\t- AppArmor support is %s\n", |
273 | #ifdef HAVE_APPARMOR | 281 | #ifdef HAVE_APPARMOR |
274 | "enabled" | 282 | "enabled" |
@@ -333,6 +341,13 @@ void print_compiletime_support(void) { | |||
333 | #endif | 341 | #endif |
334 | ); | 342 | ); |
335 | 343 | ||
344 | printf("\t- output logging is %s\n", | ||
345 | #ifdef HAVE_OUTPUT | ||
346 | "enabled" | ||
347 | #else | ||
348 | "disabled" | ||
349 | #endif | ||
350 | ); | ||
336 | printf("\t- overlayfs support is %s\n", | 351 | printf("\t- overlayfs support is %s\n", |
337 | #ifdef HAVE_OVERLAYFS | 352 | #ifdef HAVE_OVERLAYFS |
338 | "enabled" | 353 | "enabled" |
@@ -380,4 +395,6 @@ void print_compiletime_support(void) { | |||
380 | "disabled" | 395 | "disabled" |
381 | #endif | 396 | #endif |
382 | ); | 397 | ); |
398 | |||
399 | |||
383 | } | 400 | } |
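Review bot: The new `output logging is %s` line in print_compiletime_support() does not match its neighbours: the entries around it read "... support is", and this one has no blank line separating it from the overlayfs entry. I would write `printf("\t- output logging support is %s\n",` and add the separating blank line, unless something parses the current wording. The last hunk also adds two empty lines before the closing brace, which can be dropped.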
diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c index 9253490ca..d7e96cf4c 100644 --- a/src/firejail/chroot.c +++ b/src/firejail/chroot.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -171,7 +171,7 @@ void fs_chroot(const char *rootdir) { | |||
171 | free(proc); | 171 | free(proc); |
172 | close(fd); | 172 | close(fd); |
173 | 173 | ||
174 | // x11 | 174 | #ifdef HAVE_X11 |
175 | // if users want this mount, they should set FIREJAIL_CHROOT_X11 | 175 | // if users want this mount, they should set FIREJAIL_CHROOT_X11 |
176 | if (env_get("FIREJAIL_X11") || env_get("FIREJAIL_CHROOT_X11")) { | 176 | if (env_get("FIREJAIL_X11") || env_get("FIREJAIL_CHROOT_X11")) { |
177 | if (arg_debug) | 177 | if (arg_debug) |
@@ -199,6 +199,7 @@ void fs_chroot(const char *rootdir) { | |||
199 | free(proc); | 199 | free(proc); |
200 | close(fd); | 200 | close(fd); |
201 | } | 201 | } |
202 | #endif // HAVE_X11 | ||
202 | 203 | ||
203 | // some older distros don't have a /run directory, create one by default | 204 | // some older distros don't have a /run directory, create one by default |
204 | if (mkdirat(parentfd, "run", 0755) == -1 && errno != EEXIST) | 205 | if (mkdirat(parentfd, "run", 0755) == -1 && errno != EEXIST) |
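Review bot: With the X11 mount now inside `#ifdef HAVE_X11`, a build without X11 ignores FIREJAIL_CHROOT_X11 silently, and the user gets a chroot without the socket and no hint why. A short `#else` branch would make that visible, for example `if (env_get("FIREJAIL_CHROOT_X11")) fwarning("X11 support is disabled in this build, FIREJAIL_CHROOT_X11 ignored\n");`. The `// x11` heading that the `#ifdef` replaced is worth keeping as a comment on the block. fs_chroot() starts and ends outside these hunks, so the placement should be checked against the full function.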
diff --git a/src/firejail/cmdline.c b/src/firejail/cmdline.c index 91279a977..f902c4e1c 100644 --- a/src/firejail/cmdline.c +++ b/src/firejail/cmdline.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -161,18 +161,16 @@ void build_cmdline(char **command_line, char **window_title, int argc, char **ar | |||
161 | assert(*window_title); | 161 | assert(*window_title); |
162 | } | 162 | } |
163 | 163 | ||
164 | void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, char *apprun_path) { | 164 | void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index) { |
165 | // index == -1 could happen if we have --shell=none and no program was specified | 165 | // index == -1 could happen if we have --shell=none and no program was specified |
166 | // the program should exit with an error before entering this function | 166 | // the program should exit with an error before entering this function |
167 | assert(index != -1); | 167 | assert(index != -1); |
168 | 168 | ||
169 | if (arg_debug) | 169 | char *apprun_path = RUN_FIREJAIL_APPIMAGE_DIR "/AppRun"; |
170 | printf("Building AppImage command line: %s\n", *command_line); | ||
171 | |||
172 | 170 | ||
173 | int len1 = cmdline_length(argc, argv, index); // length of argv w/o changes | 171 | int len1 = cmdline_length(argc, argv, index); // length of argv w/o changes |
174 | int len2 = cmdline_length(1, &argv[index], 0); // apptest.AppImage | 172 | int len2 = cmdline_length(1, &argv[index], 0); // apptest.AppImage |
175 | int len3 = cmdline_length(1, &apprun_path, 0); // /run/firejail/appimage/.appimage-23304/AppRun | 173 | int len3 = cmdline_length(1, &apprun_path, 0); // /run/firejail/appimage/AppRun |
176 | int len4 = (len1 - len2 + len3) + 1; // apptest.AppImage is replaced by /path/to/AppRun | 174 | int len4 = (len1 - len2 + len3) + 1; // apptest.AppImage is replaced by /path/to/AppRun |
177 | 175 | ||
178 | if (len4 > ARG_MAX) { | 176 | if (len4 > ARG_MAX) { |
@@ -180,11 +178,6 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc, | |||
180 | errExit("cmdline_length"); | 178 | errExit("cmdline_length"); |
181 | } | 179 | } |
182 | 180 | ||
183 | // save created apprun in cfg.command_line | ||
184 | char *tmp1 = strdup(*command_line); | ||
185 | if (!tmp1) | ||
186 | errExit("strdup"); | ||
187 | |||
188 | // TODO: deal with extra allocated memory. | 181 | // TODO: deal with extra allocated memory. |
189 | char *command_line_tmp = malloc(len1 + len3 + 1); | 182 | char *command_line_tmp = malloc(len1 + len3 + 1); |
190 | if (!command_line_tmp) | 183 | if (!command_line_tmp) |
@@ -200,13 +193,12 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc, | |||
200 | assert(*window_title); | 193 | assert(*window_title); |
201 | 194 | ||
202 | // 'fix' command_line now | 195 | // 'fix' command_line now |
203 | if (asprintf(command_line, "'%s' %s", tmp1, command_line_tmp + len2) == -1) | 196 | if (asprintf(command_line, "'%s' %s", apprun_path, command_line_tmp + len2) == -1) |
204 | errExit("asprintf"); | 197 | errExit("asprintf"); |
205 | 198 | ||
206 | if (arg_debug) | 199 | if (arg_debug) |
207 | printf("AppImage quoted command line: %s\n", *command_line); | 200 | printf("AppImage quoted command line: %s\n", *command_line); |
208 | 201 | ||
209 | // free strdup | 202 | // free strdup |
210 | free(tmp1); | ||
211 | free(command_line_tmp); | 203 | free(command_line_tmp); |
212 | } | 204 | } |
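Review bot: The comment `// free strdup` near the end of build_appimage_cmdline() is stale, because this change removes the strdup() and only the malloc'd `command_line_tmp` is still freed; `// free temporary buffer` would match the code. `char *apprun_path = RUN_FIREJAIL_APPIMAGE_DIR "/AppRun";` also points a non-const `char *` at a string literal. Nothing visible writes through it, but since its address is passed to cmdline_length() it deserves `// read-only literal, must not be modified`. Part of the function body lies between the hunks and is not shown.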
diff --git a/src/firejail/cpu.c b/src/firejail/cpu.c index 66fa9fadf..3427e8ade 100644 --- a/src/firejail/cpu.c +++ b/src/firejail/cpu.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c index 1d0f07089..658b84537 100644 --- a/src/firejail/dbus.c +++ b/src/firejail/dbus.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -111,7 +111,7 @@ static int check_object_path(const char *path) { | |||
111 | } | 111 | } |
112 | ++p; | 112 | ++p; |
113 | } | 113 | } |
114 | return in_segment && segments >= 2; | 114 | return in_segment && segments >= 1; |
115 | } | 115 | } |
116 | 116 | ||
117 | int dbus_check_name(const char *name) { | 117 | int dbus_check_name(const char *name) { |
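Review bot: Relaxing the final test in check_object_path() from `segments >= 2` to `segments >= 1` widens the set of object paths that pass validation, and the hunk carries no comment or test stating which paths are now meant to be accepted. Only the tail of the function is visible here, so how the root path `/` or a trailing slash is handled after the change cannot be confirmed from this page. I would add above the return `// single-element paths such as /foo are valid; the path must still end inside a segment` (adjusted to what the loop actually enforces) and add test cases for `/foo`, `/` and `/foo/`.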
diff --git a/src/firejail/dhcp.c b/src/firejail/dhcp.c index 456bba91b..bdbb338d5 100644 --- a/src/firejail/dhcp.c +++ b/src/firejail/dhcp.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/env.c b/src/firejail/env.c index 9ee6c6bfb..03818df0b 100644 --- a/src/firejail/env.c +++ b/src/firejail/env.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index e352dadc4..ca4c988fa 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -328,8 +328,6 @@ extern int arg_keep_var_tmp; // don't overwrite /var/tmp | |||
328 | extern int arg_writable_run_user; // writable /run/user | 328 | extern int arg_writable_run_user; // writable /run/user |
329 | extern int arg_writable_var_log; // writable /var/log | 329 | extern int arg_writable_var_log; // writable /var/log |
330 | extern int arg_appimage; // appimage | 330 | extern int arg_appimage; // appimage |
331 | extern int arg_audit; // audit | ||
332 | extern char *arg_audit_prog; // audit | ||
333 | extern int arg_apparmor; // apparmor | 331 | extern int arg_apparmor; // apparmor |
334 | extern int arg_allow_debuggers; // allow debuggers | 332 | extern int arg_allow_debuggers; // allow debuggers |
335 | extern int arg_x11_block; // block X11 | 333 | extern int arg_x11_block; // block X11 |
@@ -451,6 +449,9 @@ int profile_check_line(char *ptr, int lineno, const char *fname); | |||
451 | // add a profile entry in cfg.profile list; use str to populate the list | 449 | // add a profile entry in cfg.profile list; use str to populate the list |
452 | void profile_add(char *str); | 450 | void profile_add(char *str); |
453 | void profile_add_ignore(const char *str); | 451 | void profile_add_ignore(const char *str); |
452 | char *profile_list_normalize(char *list); | ||
453 | char *profile_list_compress(char *list); | ||
454 | void profile_list_augment(char **list, const char *items); | ||
454 | 455 | ||
455 | // list.c | 456 | // list.c |
456 | void list(void); | 457 | void list(void); |
@@ -649,6 +650,8 @@ void network_set_run_file(pid_t pid); | |||
649 | 650 | ||
650 | // fs_etc.c | 651 | // fs_etc.c |
651 | void fs_machineid(void); | 652 | void fs_machineid(void); |
653 | void fs_private_dir_copy(const char *private_dir, const char *private_run_dir, const char *private_list); | ||
654 | void fs_private_dir_mount(const char *private_dir, const char *private_run_dir); | ||
652 | void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list); | 655 | void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list); |
653 | 656 | ||
654 | // no_sandbox.c | 657 | // no_sandbox.c |
@@ -795,15 +798,15 @@ void print_compiletime_support(void); | |||
795 | 798 | ||
796 | // appimage.c | 799 | // appimage.c |
797 | void appimage_set(const char *appimage_path); | 800 | void appimage_set(const char *appimage_path); |
801 | void appimage_mount(void); | ||
798 | void appimage_clear(void); | 802 | void appimage_clear(void); |
799 | const char *appimage_getdir(void); | ||
800 | 803 | ||
801 | // appimage_size.c | 804 | // appimage_size.c |
802 | long unsigned int appimage2_size(const char *fname); | 805 | long unsigned int appimage2_size(int fd); |
803 | 806 | ||
804 | // cmdline.c | 807 | // cmdline.c |
805 | void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index); | 808 | void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index); |
806 | void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, char *apprun_path); | 809 | void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index); |
807 | 810 | ||
808 | // sbox.c | 811 | // sbox.c |
809 | // programs | 812 | // programs |
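Review bot: The new prototypes `profile_list_normalize`, `profile_list_compress` and `profile_list_augment` take and return raw `char *` with no statement of ownership. A reader cannot tell whether the returned string is the argument modified in place or a new allocation the caller must free, nor whether `*list` may be reallocated by `profile_list_augment`. A one-line comment per prototype, e.g. `// returns a newly allocated list; caller frees` or the in-place equivalent, whichever the definitions do, would help prevent leaks and double frees at call sites. `appimage2_size(int fd)` needs the same treatment: per the appimage_size.c change in this commit the callee no longer closes the descriptor.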
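--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2020 Firejail Authors
+* Copyright (C) 2014-2021 Firejail Authors
 *
 * This file is part of firejail project
 *
@@ -170,6 +170,7 @@ static void disable_file(OPERATION op, const char *filename) {
 }
 }
 fs_tmpfs(fname, getuid());
+selinux_relabel_path(fname, fname);
 last_disable = SUCCESSFUL;
 }
 else
@@ -800,8 +801,6 @@ void disable_config(void) {
 disable_file(BLACKLIST_FILE, RUN_FIREJAIL_PROFILE_DIR);
 if (stat(RUN_FIREJAIL_X11_DIR, &s) == 0)
 disable_file(BLACKLIST_FILE, RUN_FIREJAIL_X11_DIR);
-if (!arg_appimage && stat(RUN_FIREJAIL_APPIMAGE_DIR, &s) == 0)
-disable_file(BLACKLIST_FILE, RUN_FIREJAIL_APPIMAGE_DIR);
 }
 
 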
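--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2020 Firejail Authors
+* Copyright (C) 2014-2021 Firejail Authors
 *
 * This file is part of firejail project
 *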
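--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2020 Firejail Authors
+* Copyright (C) 2014-2021 Firejail Authors
 *
 * This file is part of firejail project
 *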
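--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2020 Firejail Authors
+* Copyright (C) 2014-2021 Firejail Authors
 *
 * This file is part of firejail project
 *
@@ -18,6 +18,7 @@
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
+#include <errno.h>
 #include <sys/mount.h>
 #include <sys/stat.h>
 #include <sys/types.h>
@@ -138,7 +139,7 @@ static void duplicate(const char *fname, const char *private_dir, const char *pr
 }
 
 
-void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list) {
+void fs_private_dir_copy(const char *private_dir, const char *private_run_dir, const char *private_list) {
 assert(private_dir);
 assert(private_run_dir);
 assert(private_list);
@@ -147,12 +148,10 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c
 struct stat s;
 if (stat(private_dir, &s) == -1) {
 if (arg_debug)
-printf("Cannot find %s\n", private_dir);
+printf("Cannot find %s: %s\n", private_dir, strerror(errno));
 return;
 }
 
-timetrace_start();
-
 // create /run/firejail/mnt/etc directory
 mkdir_attr(private_run_dir, 0755, 0, 0);
 selinux_relabel_path(private_run_dir, private_dir);
@@ -185,9 +184,23 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c
 free(dlist);
 fs_logger_print();
 }
+}
+
+void fs_private_dir_mount(const char *private_dir, const char *private_run_dir) {
+assert(private_dir);
+assert(private_run_dir);
 
 if (arg_debug)
 printf("Mount-bind %s on top of %s\n", private_run_dir, private_dir);
+
+// nothing to do if directory does not exist
+struct stat s;
+if (stat(private_dir, &s) == -1) {
+if (arg_debug)
+printf("Cannot find %s: %s\n", private_dir, strerror(errno));
+return;
+}
+
 if (mount(private_run_dir, private_dir, NULL, MS_BIND|MS_REC, NULL) < 0)
 errExit("mount bind");
 fs_logger2("mount", private_dir);
@@ -196,6 +209,11 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c
 if (mount("tmpfs", private_run_dir, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0)
 errExit("mounting tmpfs");
 fs_logger2("tmpfs", private_run_dir);
+}
 
+void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list) {
+timetrace_start();
+fs_private_dir_copy(private_dir, private_run_dir, private_list);
+fs_private_dir_mount(private_dir, private_run_dir);
 fmessage("Private %s installed in %0.2f ms\n", private_dir, timetrace_end());
 }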
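Review bot: fs_private_dir_list() at new lines 214-219 now prints `Private %s installed in ...` even when private_dir does not exist, because fs_private_dir_copy() and fs_private_dir_mount() both return silently on a failed stat() and the wrapper cannot tell that nothing was done. Before the split, the early `return` in the same function skipped that message. Either let the helpers return a status, or do the existence check once in the wrapper, for example `struct stat s; if (stat(private_dir, &s) == -1) return;` ahead of `timetrace_start()`. In fs_private_dir_mount() the "Mount-bind" debug line is also printed before the existence check, so debug output reports a mount that is then skipped; moving the printf below the stat() block would keep the log accurate.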
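--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2020 Firejail Authors
+* Copyright (C) 2014-2021 Firejail Authors
 *
 * This file is part of firejail project
 *
@@ -31,7 +31,7 @@
 
 #include <fcntl.h>
 #ifndef O_PATH
-# define O_PATH 010000000
+#define O_PATH 010000000
 #endif
 
 static void skel(const char *homedir, uid_t u, gid_t g) {
@@ -384,7 +384,6 @@ void fs_private(void) {
 if (chown(homedir, u, g) < 0)
 errExit("chown");
 
-selinux_relabel_path(homedir, homedir);
 fs_logger2("mkdir", homedir);
 fs_logger2("tmpfs", homedir);
 }
@@ -392,6 +391,8 @@ void fs_private(void) {
 // mask user home directory
 // the directory should be owned by the current user
 fs_tmpfs(homedir, 1);
+
+selinux_relabel_path(homedir, homedir);
 }
 
 skel(homedir, u, g);
@@ -549,7 +550,7 @@ void fs_private_home_list(void) {
 
 // create /run/firejail/mnt/home directory
 mkdir_attr(RUN_HOME_DIR, 0755, uid, gid);
-selinux_relabel_path(RUN_HOME_DIR, "/home");
+selinux_relabel_path(RUN_HOME_DIR, homedir);
 fs_logger_print(); // save the current log
 
 if (arg_debug)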
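Review bot: The relabel of a freshly created home directory may have been lost in fs_private(): `selinux_relabel_path(homedir, homedir)` is removed after `chown(homedir, u, g)` at old line 387 and re-added only after `fs_tmpfs(homedir, 1)` at new line 395, which sits in a different brace block. Indentation is not visible on this page and fs_private() starts and ends outside the hunks, so this matters only if the two blocks are alternative branches; if they are, the mkdir/chown branch should keep its own call. Either way, a one-line comment at the new call, such as `// relabel after the tmpfs mount, so the label is applied to the mounted directory` (if that is the intent), would record why the order changed.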
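--- a/src/firejail/fs_hostname.c
+++ b/src/firejail/fs_hostname.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2020 Firejail Authors
+* Copyright (C) 2014-2021 Firejail Authors
 *
 * This file is part of firejail project
 *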
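--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2020 Firejail Authors
+* Copyright (C) 2014-2021 Firejail Authors
 *
 * This file is part of firejail project
 *
@@ -23,16 +23,43 @@
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <unistd.h>
-#include <dirent.h>
+#include <fcntl.h>
+#include <errno.h>
 #include <glob.h>
 #define MAXBUF 4096
 
 extern void fslib_install_stdc(void);
+extern void fslib_install_firejail(void);
 extern void fslib_install_system(void);
 
 static int lib_cnt = 0;
 static int dir_cnt = 0;
 
+static const char *masked_lib_dirs[] = {
+"/usr/lib64",
+"/lib64",
+"/usr/lib",
+"/lib",
+"/usr/local/lib64",
+"/usr/local/lib",
+NULL,
+};
+
+// return 1 if the file is in masked_lib_dirs[]
+static int valid_full_path(const char *full_path) {
+if (strstr(full_path, ".."))
+return 0;
+
+int i = 0;
+while (masked_lib_dirs[i]) {
+if (strncmp(full_path, masked_lib_dirs[i], strlen(masked_lib_dirs[i])) == 0 &&
+full_path[strlen(masked_lib_dirs[i])] == '/')
+return 1;
+i++;
+}
+return 0;
+}
+
 char *find_in_path(const char *program) {
 EUID_ASSERT();
 if (arg_debug)
@@ -44,9 +71,10 @@ char *find_in_path(const char *program) {
 errExit("readlink");
 self[len] = '\0';
 
-char *path = getenv("PATH");
+const char *path = env_get("PATH");
 if (!path)
 return NULL;
+
 char *dup = strdup(path);
 if (!dup)
 errExit("strdup");
@@ -79,22 +107,6 @@ char *find_in_path(const char *program) {
 return NULL;
 }
 
-static void report_duplication(const char *full_path) {
-char *fname = strrchr(full_path, '/');
-if (fname && *(++fname) != '\0') {
-// report the file on all bin paths
-int i = 0;
-while (default_lib_paths[i]) {
-char *p;
-if (asprintf(&p, "%s/%s", default_lib_paths[i], fname) == -1)
-errExit("asprintf");
-fs_logger2("clone", p);
-free(p);
-i++;
-}
-}
-}
-
 static char *build_dest_dir(const char *full_path) {
 assert(full_path);
 if (strstr(full_path, "/x86_64-linux-gnu/"))
@@ -102,68 +114,108 @@ static char *build_dest_dir(const char *full_path) {
 return RUN_LIB_DIR;
 }
 
-// copy fname in private_run_dir
-void fslib_duplicate(const char *full_path) {
+// return name of mount target in allocated memory
+static char *build_dest_name(const char *full_path) {
 assert(full_path);
+char *fname = strrchr(full_path, '/');
+assert(fname);
+fname++;
+assert(*fname != '\0');
 
-struct stat s;
-if (stat(full_path, &s) != 0 || s.st_uid != 0 || access(full_path, R_OK))
-return;
+char *dest;
+if (asprintf(&dest, "%s/%s", build_dest_dir(full_path), fname) == -1)
+errExit("asprintf");
+return dest;
+}
 
-char *dest_dir = build_dest_dir(full_path);
+static void fslib_mount_dir(const char *full_path) {
+// create new directory and mount the original on top of it
+char *dest = build_dest_name(full_path);
+if (mkdir(dest, 0755) == -1) {
+if (errno == EEXIST) { // directory has been mounted already, nothing to do
+free(dest);
+return;
+}
+errExit("mkdir");
+}
 
-// don't copy it if the file is already there
-char *ptr = strrchr(full_path, '/');
-if (!ptr)
-return;
-ptr++;
-if (*ptr == '\0')
-return;
+if (arg_debug || arg_debug_private_lib)
+printf(" mounting %s on %s\n", full_path, dest);
+// if full_path is a symbolic link, mount will follow it
+if (mount(full_path, dest, NULL, MS_BIND|MS_REC, NULL) < 0)
+errExit("mount bind");
+free(dest);
+dir_cnt++;
+}
 
-char *name;
-if (asprintf(&name, "%s/%s", dest_dir, ptr) == -1)
-errExit("asprintf");
-if (stat(name, &s) == 0) {
-free(name);
-return;
+static void fslib_mount_file(const char *full_path) {
+// create new file and mount the original on top of it
+char *dest = build_dest_name(full_path);
+int fd = open(dest, O_RDONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR);
+if (fd == -1) {
+if (errno == EEXIST) { // file has been mounted already, nothing to do
+free(dest);
+return;
+}
+errExit("open");
 }
-free(name);
+close(fd);
 
 if (arg_debug || arg_debug_private_lib)
-printf(" copying %s to private %s\n", full_path, dest_dir);
-
-sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, dest_dir);
-report_duplication(full_path);
+printf(" mounting %s on %s\n", full_path, dest);
+// if full_path is a symbolic link, mount will follow it
+if (mount(full_path, dest, NULL, MS_BIND, NULL) < 0)
+errExit("mount bind");
+free(dest);
 lib_cnt++;
 }
 
+void fslib_mount(const char *full_path) {
+assert(full_path);
+struct stat s;
+
+if (!valid_full_path(full_path) ||
+access(full_path, F_OK) != 0 ||
+stat(full_path, &s) != 0 ||
+s.st_uid != 0)
+return;
+
+if (S_ISDIR(s.st_mode))
+fslib_mount_dir(full_path);
+else if (S_ISREG(s.st_mode) && is_lib_64(full_path))
+fslib_mount_file(full_path);
+}
 
 // requires full path for lib
 // it could be a library or an executable
 // lib is not copied, only libraries used by it
-void fslib_copy_libs(const char *full_path) {
+void fslib_mount_libs(const char *full_path, unsigned user) {
 assert(full_path);
-if (arg_debug || arg_debug_private_lib)
-printf(" fslib_copy_libs %s\n", full_path);
-
 // if library/executable does not exist or the user does not have read access to it
 // print a warning and exit the function.
-if (access(full_path, R_OK)) {
+if (user && access(full_path, R_OK)) {
 if (arg_debug || arg_debug_private_lib)
-printf("cannot find %s for private-lib, skipping...\n", full_path);
+printf("Cannot read %s, skipping...\n", full_path);
 return;
 }
 
+if (arg_debug || arg_debug_private_lib)
+printf(" fslib_mount_libs %s (parse as %s)\n", full_path, user ? "user" : "root");
 // create an empty RUN_LIB_FILE and allow the user to write to it
 unlink(RUN_LIB_FILE); // in case is there
 create_empty_file_as_root(RUN_LIB_FILE, 0644);
-if (chown(RUN_LIB_FILE, getuid(), getgid()))
+if (user && chown(RUN_LIB_FILE, getuid(), getgid()))
 errExit("chown");
 
 // run fldd to extract the list of files
 if (arg_debug || arg_debug_private_lib)
 printf(" running fldd %s\n", full_path);
-sbox_run(SBOX_USER | SBOX_SECCOMP | SBOX_CAPS_NONE, 3, PATH_FLDD, full_path, RUN_LIB_FILE);
+unsigned mask;
+if (user)
+mask = SBOX_USER;
+else
+mask = SBOX_ROOT;
+sbox_run(mask | SBOX_SECCOMP | SBOX_CAPS_NONE, 3, PATH_FLDD, full_path, RUN_LIB_FILE);
 
 // open the list of libraries and install them on by one
 FILE *fp = fopen(RUN_LIB_FILE, "r");
@@ -176,68 +228,30 @@ void fslib_copy_libs(const char *full_path) {
 char *ptr = strchr(buf, '\n');
 if (ptr)
 *ptr = '\0';
-fslib_duplicate(buf);
+
+fslib_mount(buf);
 }
 fclose(fp);
 unlink(RUN_LIB_FILE);
 }
 
-
-void fslib_copy_dir(const char *full_path) {
-assert(full_path);
-if (arg_debug || arg_debug_private_lib)
-printf(" fslib_copy_dir %s\n", full_path);
-
-// do nothing if the directory does not exist or is not owned by root
-struct stat s;
-if (stat(full_path, &s) != 0 || s.st_uid != 0 || !S_ISDIR(s.st_mode) || access(full_path, R_OK))
-return;
-
-char *dir_name = strrchr(full_path, '/');
-assert(dir_name);
-dir_name++;
-assert(*dir_name != '\0');
-
-// do nothing if the directory is already there
-char *dest;
-if (asprintf(&dest, "%s/%s", build_dest_dir(full_path), dir_name) == -1)
-errExit("asprintf");
-if (stat(dest, &s) == 0) {
-free(dest);
-return;
-}
-
-// create new directory and mount the original on top of it
-mkdir_attr(dest, 0755, 0, 0);
-
-if (mount(full_path, dest, NULL, MS_BIND|MS_REC, NULL) < 0 ||
-mount(NULL, dest, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
-errExit("mount bind");
-fs_logger2("clone", full_path);
-fs_logger2("mount", full_path);
-dir_cnt++;
-free(dest);
-}
-
-// fname should be a vallid full path at this point
+// fname should be a valid full path at this point
 static void load_library(const char *fname) {
 assert(fname);
 assert(*fname == '/');
 
-// existing file owned by root, read access
+// existing file owned by root
 struct stat s;
-if (stat(fname, &s) == 0 && s.st_uid == 0 && !access(fname, R_OK)) {
+if (!access(fname, F_OK) && stat(fname, &s) == 0 && s.st_uid == 0) {
 // load directories, regular 64 bit libraries, and 64 bit executables
-if (is_dir(fname) || is_lib_64(fname)) {
-if (is_dir(fname))
-fslib_copy_dir(fname);
-else {
-if (strstr(fname, ".so") ||
-access(fname, X_OK) != 0) // don't duplicate executables, just install the libraries
-fslib_duplicate(fname);
-
-fslib_copy_libs(fname);
-}
+if (S_ISDIR(s.st_mode))
+fslib_mount(fname);
+else if (S_ISREG(s.st_mode) && is_lib_64(fname)) {
+if (strstr(fname, ".so") ||
+access(fname, X_OK) != 0) // don't duplicate executables, just install the libraries
+fslib_mount(fname);
+
+fslib_mount_libs(fname, 1); // parse as user
 }
 }
 }
@@ -293,7 +307,6 @@ static void install_list_entry(const char *lib) {
 return;
 }
 
-
 void fslib_install_list(const char *lib_list) {
 assert(lib_list);
 if (arg_debug || arg_debug_private_lib)
@@ -316,34 +329,20 @@ void fslib_install_list(const char *lib_list) {
 fs_logger_print();
 }
 
-
-
 static void mount_directories(void) {
-if (arg_debug || arg_debug_private_lib)
-printf("Mount-bind %s on top of /lib /lib64 /usr/lib\n", RUN_LIB_DIR);
-
-if (is_dir("/lib")) {
-if (mount(RUN_LIB_DIR, "/lib", NULL, MS_BIND|MS_REC, NULL) < 0 ||
-mount(NULL, "/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
-errExit("mount bind");
-fs_logger2("tmpfs", "/lib");
-fs_logger("mount /lib");
-}
-
-if (is_dir("/lib64")) {
-if (mount(RUN_LIB_DIR, "/lib64", NULL, MS_BIND|MS_REC, NULL) < 0 ||
-mount(NULL, "/lib64", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
-errExit("mount bind");
-fs_logger2("tmpfs", "/lib64");
-fs_logger("mount /lib64");
-}
-
-if (is_dir("/usr/lib")) {
-if (mount(RUN_LIB_DIR, "/usr/lib", NULL, MS_BIND|MS_REC, NULL) < 0 ||
-mount(NULL, "/usr/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
-errExit("mount bind");
-fs_logger2("tmpfs", "/usr/lib");
-fs_logger("mount /usr/lib");
+fs_remount(RUN_LIB_DIR, MOUNT_READONLY, 1); // should be redundant except for RUN_LIB_DIR itself
+
+int i = 0;
+while (masked_lib_dirs[i]) {
+if (is_dir(masked_lib_dirs[i])) {
+if (arg_debug || arg_debug_private_lib)
+printf("Mount-bind %s on top of %s\n", RUN_LIB_DIR, masked_lib_dirs[i]);
+if (mount(RUN_LIB_DIR, masked_lib_dirs[i], NULL, MS_BIND|MS_REC, NULL) < 0)
+errExit("mount bind");
+fs_logger2("tmpfs", masked_lib_dirs[i]);
+fs_logger2("mount", masked_lib_dirs[i]);
+}
+i++;
 }
 
 // for amd64 only - we'll deal with i386 later
@@ -379,25 +378,12 @@ void fs_private_lib(void) {
 printf("Installing standard C library\n");
 fslib_install_stdc();
 
-// start timetrace
-timetrace_start();
-
-// bring in firejail executable libraries in case we are redirected here by a firejail symlink from /usr/local/bin/firejail
+// install other libraries needed by firejail
 if (arg_debug || arg_debug_private_lib)
 printf("Installing Firejail libraries\n");
-fslib_install_list(PATH_FIREJAIL);
-
-// bring in firejail directory
-fslib_install_list(LIBDIR "/firejail");
-
-// bring in dhclient libraries
-if (any_dhcp()) {
-if (arg_debug || arg_debug_private_lib)
-printf("Installing dhclient libraries\n");
-fslib_install_list(RUN_MNT_DIR "/dhclient");
-}
-fmessage("Firejail libraries installed in %0.2f ms\n", timetrace_end());
+fslib_install_firejail();
 
+// start timetrace
 timetrace_start();
 
 // copy the libs in the new lib directory for the main exe
@@ -426,7 +412,6 @@ void fs_private_lib(void) {
 fslib_install_list(cfg.shell);
 // a shell is useless without some basic commands
 fslib_install_list("/bin/ls,/bin/cat,/bin/mv,/bin/rm");
-
 }
 
 // for the listed libs and directories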
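Review bot: mount_directories() and fslib_mount_dir() drop the explicit `MS_BIND|MS_REMOUNT|...|MS_NOSUID|MS_NODEV` remount that the removed code applied to /lib, /lib64 and /usr/lib (plus `MS_RDONLY` in the old fslib_copy_dir), and now depend on the single `fs_remount(RUN_LIB_DIR, MOUNT_READONLY, 1)` call made before the bind mounts. fs_remount() is not part of this diff, so it cannot be confirmed from here whether it also sets nosuid/nodev or whether the later `MS_BIND|MS_REC` mounts over masked_lib_dirs[] keep those flags; the `// should be redundant ...` comment should state which flags are expected on the final mounts. Separately, valid_full_path() is a purely lexical prefix test, while fslib_mount() then calls stat() and mount() on the same string, both of which resolve symbolic links. The check therefore constrains the name, and the `s.st_uid != 0` test is what constrains the target; a comment on valid_full_path() saying so would keep a later edit from treating it as containment. mount_directories() and fs_private_lib() continue outside their hunks.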
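--- a/src/firejail/fs_lib2.c
+++ b/src/firejail/fs_lib2.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2020 Firejail Authors
+* Copyright (C) 2014-2021 Firejail Authors
 *
 * This file is part of firejail project
 *
@@ -21,9 +21,8 @@
 #include <dirent.h>
 #include <sys/stat.h>
 
-extern void fslib_duplicate(const char *full_path);
-extern void fslib_copy_libs(const char *full_path);
-extern void fslib_copy_dir(const char *full_path);
+extern void fslib_mount_libs(const char *full_path, unsigned user);
+extern void fslib_mount(const char *full_path);
 
 //***************************************************************
 // Standard C library
@@ -97,7 +96,8 @@ static void stdc(const char *dirname) {
 if (asprintf(&fname, "%s/%s", dirname, entry->d_name) == -1)
 errExit("asprintf");
 
-fslib_duplicate(fname);
+fslib_mount(fname);
+free(fname);
 }
 }
 closedir(dir);
@@ -118,11 +118,56 @@ void fslib_install_stdc(void) {
 
 // install locale
 if (stat("/usr/lib/locale", &s) == 0)
-fslib_copy_dir("/usr/lib/locale");
+fslib_mount("/usr/lib/locale");
 
 fmessage("Standard C library installed in %0.2f ms\n", timetrace_end());
 }
 
+//***************************************************************
+// Firejail libraries
+//***************************************************************
+
+static void fdir(void) {
+// firejail directory itself
+fslib_mount(LIBDIR "/firejail");
+
+// executables and libraries from firejail directory
+static const char * const fbin[] = {
+PATH_FCOPY, // currently sufficient to find all needed libraries
+// PATH_FSECCOMP,
+// PATH_FSEC_OPTIMIZE,
+// PATH_FSEC_PRINT,
+// RUN_FIREJAIL_LIB_DIR "/libtrace.so",
+// RUN_FIREJAIL_LIB_DIR "/libtracelog.so",
+// RUN_FIREJAIL_LIB_DIR "/libpostexecseccomp.so",
+NULL,
+};
+
+// need to parse as root user, unprivileged users have no read permission on executables
+int i;
+for (i = 0; fbin[i]; i++)
+fslib_mount_libs(fbin[i], 0);
+}
+
+void fslib_install_firejail(void) {
+timetrace_start();
+// bring in firejail executable libraries, in case we are redirected here
+// by a firejail symlink from /usr/local/bin/firejail
+fslib_mount_libs(PATH_FIREJAIL, 1); // parse as user
+
+// bring in firejail directory
+fdir();
+
+// bring in dhclient libraries
+if (any_dhcp())
+fslib_mount_libs(RUN_MNT_DIR "/dhclient", 1); // parse as user
+
+// bring in xauth libraries
+if (arg_x11_xorg)
+fslib_mount_libs("/usr/bin/xauth", 1); // parse as user
+
+fmessage("Firejail libraries installed in %0.2f ms\n", timetrace_end());
+}
 
 //***************************************************************
 // various system libraries
@@ -268,8 +313,8 @@ void fslib_install_system(void) {
 if (asprintf(&name, "/usr/lib/x86_64-linux-gnu/%s", ptr->dir1) == -1)
 errExit("asprintf");
 if (access(name, R_OK) == 0) {
-fslib_copy_libs(name);
-fslib_copy_dir(name);
+fslib_mount_libs(name, 1); // parse as user
+fslib_mount(name);
 }
 else {
 free(name);
@@ -277,8 +322,8 @@ void fslib_install_system(void) {
 if (asprintf(&name, "/usr/lib64/%s", ptr->dir1) == -1)
 errExit("asprintf");
 if (access(name, R_OK) == 0) {
-fslib_copy_libs(name);
-fslib_copy_dir(name);
+fslib_mount_libs(name, 1); // parse as user
+fslib_mount(name);
 }
 }
 free(name);
@@ -288,8 +333,8 @@ void fslib_install_system(void) {
 if (asprintf(&name, "/usr/lib/x86_64-linux-gnu/%s", ptr->dir2) == -1)
 errExit("asprintf");
 if (access(name, R_OK) == 0) {
-fslib_copy_libs(name);
-fslib_copy_dir(name);
+fslib_mount_libs(name, 1); // parse as user
+fslib_mount(name);
 }
 else {
 free(name);
@@ -297,8 +342,8 @@ void fslib_install_system(void) {
 if (asprintf(&name, "/usr/lib64/%s", ptr->dir2) == -1)
 errExit("asprintf");
 if (access(name, R_OK) == 0) {
-fslib_copy_libs(name);
-fslib_copy_dir(name);
+fslib_mount_libs(name, 1); // parse as user
+fslib_mount(name);
 }
 }
 free(name);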
diff --git a/src/firejail/fs_logger.c b/src/firejail/fs_logger.c index 892c91e3f..67ad4b52e 100644 --- a/src/firejail/fs_logger.c +++ b/src/firejail/fs_logger.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c index 0e213f2f8..8cfeea582 100644 --- a/src/firejail/fs_mkdir.c +++ b/src/firejail/fs_mkdir.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -46,7 +46,7 @@ static void mkdir_recursive(char *path) { | |||
46 | struct stat s; | 46 | struct stat s; |
47 | 47 | ||
48 | if (chdir("/")) { | 48 | if (chdir("/")) { |
49 | fprintf(stderr, "Error: can't chdir to /"); | 49 | fprintf(stderr, "Error: can't chdir to /\n"); |
50 | return; | 50 | return; |
51 | } | 51 | } |
52 | 52 | ||
@@ -63,7 +63,7 @@ static void mkdir_recursive(char *path) { | |||
63 | return; | 63 | return; |
64 | } | 64 | } |
65 | if (chdir(subdir)) { | 65 | if (chdir(subdir)) { |
66 | fprintf(stderr, "Error: can't chdir to %s", subdir); | 66 | fprintf(stderr, "Error: can't chdir to %s\n", subdir); |
67 | return; | 67 | return; |
68 | } | 68 | } |
69 | 69 | ||
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c index 1894784a8..8f939b5f5 100644 --- a/src/firejail/fs_trace.c +++ b/src/firejail/fs_trace.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c index cafe9fa49..f07581cd8 100644 --- a/src/firejail/fs_var.c +++ b/src/firejail/fs_var.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index d60c57fec..698d47b69 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/join.c b/src/firejail/join.c index bdd0f286c..1575a7469 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -411,7 +411,7 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
411 | extract_x11_display(parent); | 411 | extract_x11_display(parent); |
412 | 412 | ||
413 | int shfd = -1; | 413 | int shfd = -1; |
414 | if (!arg_shell_none && !arg_audit) | 414 | if (!arg_shell_none) |
415 | shfd = open_shell(); | 415 | shfd = open_shell(); |
416 | 416 | ||
417 | EUID_ROOT(); | 417 | EUID_ROOT(); |
diff --git a/src/firejail/ls.c b/src/firejail/ls.c index e61edf427..63ef2309b 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/macros.c b/src/firejail/macros.c index 2623d794f..7f2f6dbf3 100644 --- a/src/firejail/macros.c +++ b/src/firejail/macros.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 982a4c7a6..b3524fcf5 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -130,8 +130,6 @@ int arg_keep_var_tmp = 0; // don't overwrite /var/tmp | |||
130 | int arg_writable_run_user = 0; // writable /run/user | 130 | int arg_writable_run_user = 0; // writable /run/user |
131 | int arg_writable_var_log = 0; // writable /var/log | 131 | int arg_writable_var_log = 0; // writable /var/log |
132 | int arg_appimage = 0; // appimage | 132 | int arg_appimage = 0; // appimage |
133 | int arg_audit = 0; // audit | ||
134 | char *arg_audit_prog = NULL; // audit | ||
135 | int arg_apparmor = 0; // apparmor | 133 | int arg_apparmor = 0; // apparmor |
136 | int arg_allow_debuggers = 0; // allow debuggers | 134 | int arg_allow_debuggers = 0; // allow debuggers |
137 | int arg_x11_block = 0; // block X11 | 135 | int arg_x11_block = 0; // block X11 |
@@ -297,7 +295,7 @@ static void check_network(Bridge *br) { | |||
297 | else if (br->ipsandbox) { // for macvlan check network range | 295 | else if (br->ipsandbox) { // for macvlan check network range |
298 | char *rv = in_netrange(br->ipsandbox, br->ip, br->mask); | 296 | char *rv = in_netrange(br->ipsandbox, br->ip, br->mask); |
299 | if (rv) { | 297 | if (rv) { |
300 | fprintf(stderr, "%s", rv); | 298 | fprintf(stderr, "%s\n", rv); |
301 | exit(1); | 299 | exit(1); |
302 | } | 300 | } |
303 | } | 301 | } |
@@ -1008,7 +1006,7 @@ int main(int argc, char **argv, char **envp) { | |||
1008 | 1006 | ||
1009 | // sanity check for environment variables | 1007 | // sanity check for environment variables |
1010 | if (i >= MAX_ENVS) { | 1008 | if (i >= MAX_ENVS) { |
1011 | fprintf(stderr, "Error: too many environment variables, please use --rmenv\n"); | 1009 | fprintf(stderr, "Error: too many environment variables\n"); |
1012 | exit(1); | 1010 | exit(1); |
1013 | } | 1011 | } |
1014 | 1012 | ||
@@ -1022,9 +1020,6 @@ int main(int argc, char **argv, char **envp) { | |||
1022 | fprintf(stderr, "Error: too long arguments\n"); | 1020 | fprintf(stderr, "Error: too long arguments\n"); |
1023 | exit(1); | 1021 | exit(1); |
1024 | } | 1022 | } |
1025 | // Also remove requested environment variables | ||
1026 | if (strncmp(argv[i], "--rmenv=", 8) == 0) | ||
1027 | env_store(argv[i] + 8, RMENV); | ||
1028 | } | 1023 | } |
1029 | 1024 | ||
1030 | // Reapply a minimal set of environment variables | 1025 | // Reapply a minimal set of environment variables |
@@ -1236,10 +1231,12 @@ int main(int argc, char **argv, char **envp) { | |||
1236 | #endif | 1231 | #endif |
1237 | } | 1232 | } |
1238 | } | 1233 | } |
1234 | #ifdef HAVE_OUTPUT | ||
1239 | else { | 1235 | else { |
1240 | // check --output option and execute it; | 1236 | // check --output option and execute it; |
1241 | check_output(argc, argv); // the function will not return if --output or --output-stderr option was found | 1237 | check_output(argc, argv); // the function will not return if --output or --output-stderr option was found |
1242 | } | 1238 | } |
1239 | #endif | ||
1243 | EUID_ASSERT(); | 1240 | EUID_ASSERT(); |
1244 | 1241 | ||
1245 | // check for force-nonewprivs in /etc/firejail/firejail.config file | 1242 | // check for force-nonewprivs in /etc/firejail/firejail.config file |
@@ -1288,15 +1285,10 @@ int main(int argc, char **argv, char **envp) { | |||
1288 | #endif | 1285 | #endif |
1289 | else if (strncmp(argv[i], "--protocol=", 11) == 0) { | 1286 | else if (strncmp(argv[i], "--protocol=", 11) == 0) { |
1290 | if (checkcfg(CFG_SECCOMP)) { | 1287 | if (checkcfg(CFG_SECCOMP)) { |
1291 | if (cfg.protocol) { | 1288 | const char *add = argv[i] + 11; |
1292 | fwarning("more than one protocol list is present, \"%s\" will be installed\n", cfg.protocol); | 1289 | profile_list_augment(&cfg.protocol, add); |
1293 | } | 1290 | if (arg_debug) |
1294 | else { | 1291 | fprintf(stderr, "[option] combined protocol list: \"%s\"\n", cfg.protocol); |
1295 | // store list | ||
1296 | cfg.protocol = strdup(argv[i] + 11); | ||
1297 | if (!cfg.protocol) | ||
1298 | errExit("strdup"); | ||
1299 | } | ||
1300 | } | 1292 | } |
1301 | else | 1293 | else |
1302 | exit_err_feature("seccomp"); | 1294 | exit_err_feature("seccomp"); |
@@ -1592,7 +1584,26 @@ int main(int argc, char **argv, char **envp) { | |||
1592 | profile_add(line); | 1584 | profile_add(line); |
1593 | } | 1585 | } |
1594 | #endif | 1586 | #endif |
1595 | 1587 | else if (strncmp(argv[i], "--mkdir=", 8) == 0) { | |
1588 | char *line; | ||
1589 | if (asprintf(&line, "mkdir %s", argv[i] + 8) == -1) | ||
1590 | errExit("asprintf"); | ||
1591 | /* Note: Applied both immediately in profile_check_line() | ||
1592 | * and later on via fs_blacklist(). | ||
1593 | */ | ||
1594 | profile_check_line(line, 0, NULL); | ||
1595 | profile_add(line); | ||
1596 | } | ||
1597 | else if (strncmp(argv[i], "--mkfile=", 9) == 0) { | ||
1598 | char *line; | ||
1599 | if (asprintf(&line, "mkfile %s", argv[i] + 9) == -1) | ||
1600 | errExit("asprintf"); | ||
1601 | /* Note: Applied both immediately in profile_check_line() | ||
1602 | * and later on via fs_blacklist(). | ||
1603 | */ | ||
1604 | profile_check_line(line, 0, NULL); | ||
1605 | profile_add(line); | ||
1606 | } | ||
1596 | else if (strncmp(argv[i], "--read-only=", 12) == 0) { | 1607 | else if (strncmp(argv[i], "--read-only=", 12) == 0) { |
1597 | char *line; | 1608 | char *line; |
1598 | if (asprintf(&line, "read-only %s", argv[i] + 12) == -1) | 1609 | if (asprintf(&line, "read-only %s", argv[i] + 12) == -1) |
@@ -2595,28 +2606,6 @@ int main(int argc, char **argv, char **envp) { | |||
2595 | //************************************* | 2606 | //************************************* |
2596 | else if (strncmp(argv[i], "--timeout=", 10) == 0) | 2607 | else if (strncmp(argv[i], "--timeout=", 10) == 0) |
2597 | cfg.timeout = extract_timeout(argv[i] + 10); | 2608 | cfg.timeout = extract_timeout(argv[i] + 10); |
2598 | else if (strcmp(argv[i], "--audit") == 0) { | ||
2599 | arg_audit_prog = LIBDIR "/firejail/faudit"; | ||
2600 | profile_add_ignore("shell none"); | ||
2601 | arg_audit = 1; | ||
2602 | } | ||
2603 | else if (strncmp(argv[i], "--audit=", 8) == 0) { | ||
2604 | if (strlen(argv[i] + 8) == 0) { | ||
2605 | fprintf(stderr, "Error: invalid audit program\n"); | ||
2606 | exit(1); | ||
2607 | } | ||
2608 | arg_audit_prog = strdup(argv[i] + 8); | ||
2609 | if (!arg_audit_prog) | ||
2610 | errExit("strdup"); | ||
2611 | |||
2612 | struct stat s; | ||
2613 | if (stat(arg_audit_prog, &s) != 0) { | ||
2614 | fprintf(stderr, "Error: cannot find the audit program %s\n", arg_audit_prog); | ||
2615 | exit(1); | ||
2616 | } | ||
2617 | profile_add_ignore("shell none"); | ||
2618 | arg_audit = 1; | ||
2619 | } | ||
2620 | else if (strcmp(argv[i], "--appimage") == 0) | 2609 | else if (strcmp(argv[i], "--appimage") == 0) |
2621 | arg_appimage = 1; | 2610 | arg_appimage = 1; |
2622 | else if (strcmp(argv[i], "--shell=none") == 0) { | 2611 | else if (strcmp(argv[i], "--shell=none") == 0) { |
@@ -2801,7 +2790,7 @@ int main(int argc, char **argv, char **envp) { | |||
2801 | if (arg_debug) | 2790 | if (arg_debug) |
2802 | printf("Configuring appimage environment\n"); | 2791 | printf("Configuring appimage environment\n"); |
2803 | appimage_set(cfg.command_name); | 2792 | appimage_set(cfg.command_name); |
2804 | build_appimage_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index, cfg.command_line); | 2793 | build_appimage_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index); |
2805 | } | 2794 | } |
2806 | else { | 2795 | else { |
2807 | build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index); | 2796 | build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index); |
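Review bot: The `--protocol=` branch of `main` drops the old warning for a repeated protocol list and reports the merged result only under `arg_debug`, so in normal use nothing tells the user that a command-line list was combined with one already stored in `cfg.protocol`. Going by the comment in `profile_list_compress` (profile.c in this commit), entries are unioned and a `=` or `-` prefix resets or removes earlier ones, so the effective seccomp protocol list can differ from what any single `protocol` line states. The same applies to the `protocol ` branch of `profile_check_line`. I would add a comment at both call sites such as `// lists are merged: "x"/"+x" add, "-x" removes, "=x" resets (see profile_list_compress)` and consider printing the combined list with `fmessage` instead of only in debug mode. `main` starts and ends outside this hunk.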
diff --git a/src/firejail/mountinfo.c b/src/firejail/mountinfo.c index 34d8d1700..a700729d3 100644 --- a/src/firejail/mountinfo.c +++ b/src/firejail/mountinfo.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c index e0a2ce086..fc79dddec 100644 --- a/src/firejail/netfilter.c +++ b/src/firejail/netfilter.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/netns.c b/src/firejail/netns.c index 7ccff3265..b5d6fb636 100644 --- a/src/firejail/netns.c +++ b/src/firejail/netns.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2020 Firejail Authors | 2 | * Copyright (C) 2020-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/network.c b/src/firejail/network.c index 8cdf04947..f7142cefd 100644 --- a/src/firejail/network.c +++ b/src/firejail/network.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c index 85896e528..ee3c00872 100644 --- a/src/firejail/network_main.c +++ b/src/firejail/network_main.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -120,7 +120,7 @@ void net_configure_sandbox_ip(Bridge *br) { | |||
120 | // check network range | 120 | // check network range |
121 | char *rv = in_netrange(br->ipsandbox, br->ip, br->mask); | 121 | char *rv = in_netrange(br->ipsandbox, br->ip, br->mask); |
122 | if (rv) { | 122 | if (rv) { |
123 | fprintf(stderr, "%s", rv); | 123 | fprintf(stderr, "%s\n", rv); |
124 | exit(1); | 124 | exit(1); |
125 | } | 125 | } |
126 | // send an ARP request and check if there is anybody on this IP address | 126 | // send an ARP request and check if there is anybody on this IP address |
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index 111d94333..60a82821e 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -168,29 +168,17 @@ void run_no_sandbox(int argc, char **argv) { | |||
168 | errExit("setresuid"); | 168 | errExit("setresuid"); |
169 | 169 | ||
170 | // process limited subset of options | 170 | // process limited subset of options |
171 | // and find first non option arg: | ||
172 | // - first argument not starting with --, | ||
173 | // - whatever follows after -c (example: firejail -c ls) | ||
174 | int prog_index = 0; | ||
171 | int i; | 175 | int i; |
172 | for (i = 0; i < argc; i++) { | 176 | for (i = 1; i < argc; i++) { |
173 | if (strcmp(argv[i], "--debug") == 0) | 177 | if (strcmp(argv[i], "--debug") == 0) |
174 | arg_debug = 1; | 178 | arg_debug = 1; |
175 | else if (strncmp(argv[i], "--shell=", 8) == 0) | 179 | else if (strncmp(argv[i], "--shell=", 8) == 0) |
176 | fwarning("shell-related command line options are disregarded - using SHELL environment variable\n"); | 180 | fwarning("shell-related command line options are disregarded\n"); |
177 | } | 181 | else if (strcmp(argv[i], "-c") == 0) { |
178 | |||
179 | // use $SHELL to get shell used in sandbox, guess shell otherwise | ||
180 | cfg.shell = guess_shell(); | ||
181 | if (!cfg.shell) { | ||
182 | fprintf(stderr, "Error: unable to guess your shell, please set SHELL environment variable\n"); | ||
183 | exit(1); | ||
184 | } | ||
185 | else if (arg_debug) | ||
186 | printf("Selecting %s as shell\n", cfg.shell); | ||
187 | |||
188 | int prog_index = 0; | ||
189 | // find first non option arg: | ||
190 | // - first argument not starting with --, | ||
191 | // - whatever follows after -c (example: firejail -c ls) | ||
192 | for (i = 1; i < argc; i++) { | ||
193 | if (strcmp(argv[i], "-c") == 0) { | ||
194 | prog_index = i + 1; | 182 | prog_index = i + 1; |
195 | if (prog_index == argc) { | 183 | if (prog_index == argc) { |
196 | fprintf(stderr, "Error: option -c requires an argument\n"); | 184 | fprintf(stderr, "Error: option -c requires an argument\n"); |
@@ -199,36 +187,36 @@ void run_no_sandbox(int argc, char **argv) { | |||
199 | break; | 187 | break; |
200 | } | 188 | } |
201 | // check first argument not starting with -- | 189 | // check first argument not starting with -- |
202 | if (strncmp(argv[i],"--",2) != 0) { | 190 | else if (strncmp(argv[i],"--",2) != 0) { |
203 | prog_index = i; | 191 | prog_index = i; |
204 | break; | 192 | break; |
205 | } | 193 | } |
206 | } | 194 | } |
207 | 195 | ||
208 | // if shell is /usr/bin/firejail, replace it with /bin/bash | ||
209 | // if (strcmp(cfg.shell, PATH_FIREJAIL) == 0) { | ||
210 | // cfg.shell = "/bin/bash"; | ||
211 | // prog_index = 0; | ||
212 | // } | ||
213 | |||
214 | if (prog_index == 0) { | 196 | if (prog_index == 0) { |
215 | assert(cfg.command_line == NULL); // runs cfg.shell | 197 | // got no command, require a shell and try to execute it |
198 | cfg.shell = guess_shell(); | ||
199 | if (!cfg.shell) { | ||
200 | fprintf(stderr, "Error: unable to guess your shell, please set SHELL environment variable\n"); | ||
201 | exit(1); | ||
202 | } | ||
203 | |||
204 | assert(cfg.command_line == NULL); | ||
216 | cfg.window_title = cfg.shell; | 205 | cfg.window_title = cfg.shell; |
217 | } else { | 206 | } else { |
207 | // this sandbox might not allow execution of a shell | ||
208 | // force --shell=none in order to not break firecfg symbolic links | ||
209 | arg_shell_none = 1; | ||
210 | |||
218 | build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index); | 211 | build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index); |
219 | } | 212 | } |
220 | 213 | ||
214 | fwarning("an existing sandbox was detected. " | ||
215 | "%s will run without any additional sandboxing features\n", prog_index ? argv[prog_index] : cfg.shell); | ||
216 | |||
221 | cfg.original_argv = argv; | 217 | cfg.original_argv = argv; |
222 | cfg.original_program_index = prog_index; | 218 | cfg.original_program_index = prog_index; |
223 | 219 | ||
224 | char *command; | ||
225 | if (prog_index == 0) | ||
226 | command = cfg.shell; | ||
227 | else | ||
228 | command = argv[prog_index]; | ||
229 | fwarning("an existing sandbox was detected. " | ||
230 | "%s will run without any additional sandboxing features\n", command); | ||
231 | |||
232 | arg_quiet = 1; | 220 | arg_quiet = 1; |
233 | 221 | ||
234 | start_application(1, -1, NULL); | 222 | start_application(1, -1, NULL); |
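Review bot: In `run_no_sandbox`, `arg_shell_none = 1` is now forced whenever `prog_index` is non-zero, which includes the `-c` path, whose argument was presumably meant to be handed to a shell. Whether a multi-word argument such as `firejail -c "ls -l"` still runs depends on how `start_application` treats `arg_shell_none`, which is not visible here, so it should be confirmed with a test. If only the firecfg symlink case needs the override, the assignment could be limited to the branch that is not `-c`. Otherwise, extend the comment to say `// also applies to -c: the argument is executed directly, not passed to a shell`. The function starts and ends outside the hunks shown.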
diff --git a/src/firejail/output.c b/src/firejail/output.c index 1682ee025..835dff2db 100644 --- a/src/firejail/output.c +++ b/src/firejail/output.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -22,6 +22,7 @@ | |||
22 | #include <sys/stat.h> | 22 | #include <sys/stat.h> |
23 | #include <unistd.h> | 23 | #include <unistd.h> |
24 | 24 | ||
25 | #ifdef HAVE_OUTPUT | ||
25 | void check_output(int argc, char **argv) { | 26 | void check_output(int argc, char **argv) { |
26 | EUID_ASSERT(); | 27 | EUID_ASSERT(); |
27 | 28 | ||
@@ -149,3 +150,4 @@ void check_output(int argc, char **argv) { | |||
149 | perror("execvp"); | 150 | perror("execvp"); |
150 | exit(1); | 151 | exit(1); |
151 | } | 152 | } |
153 | #endif | ||
diff --git a/src/firejail/paths.c b/src/firejail/paths.c index 981a6bc71..b800fa944 100644 --- a/src/firejail/paths.c +++ b/src/firejail/paths.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c index 836526593..7f602545d 100644 --- a/src/firejail/preproc.c +++ b/src/firejail/preproc.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 3766ba8f0..351b760df 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -157,6 +157,10 @@ static int check_nosound(void) { | |||
157 | return arg_nosound != 0; | 157 | return arg_nosound != 0; |
158 | } | 158 | } |
159 | 159 | ||
160 | static int check_private(void) { | ||
161 | return arg_private; | ||
162 | } | ||
163 | |||
160 | static int check_x11(void) { | 164 | static int check_x11(void) { |
161 | return (arg_x11_block || arg_x11_xorg || env_get("FIREJAIL_X11")); | 165 | return (arg_x11_block || arg_x11_xorg || env_get("FIREJAIL_X11")); |
162 | } | 166 | } |
@@ -174,6 +178,7 @@ Cond conditionals[] = { | |||
174 | {"HAS_NET", check_netoptions}, | 178 | {"HAS_NET", check_netoptions}, |
175 | {"HAS_NODBUS", check_nodbus}, | 179 | {"HAS_NODBUS", check_nodbus}, |
176 | {"HAS_NOSOUND", check_nosound}, | 180 | {"HAS_NOSOUND", check_nosound}, |
181 | {"HAS_PRIVATE", check_private}, | ||
177 | {"HAS_X11", check_x11}, | 182 | {"HAS_X11", check_x11}, |
178 | {"BROWSER_DISABLE_U2F", check_disable_u2f}, | 183 | {"BROWSER_DISABLE_U2F", check_disable_u2f}, |
179 | {"BROWSER_ALLOW_DRM", check_allow_drm}, | 184 | {"BROWSER_ALLOW_DRM", check_allow_drm}, |
@@ -911,15 +916,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
911 | 916 | ||
912 | if (strncmp(ptr, "protocol ", 9) == 0) { | 917 | if (strncmp(ptr, "protocol ", 9) == 0) { |
913 | if (checkcfg(CFG_SECCOMP)) { | 918 | if (checkcfg(CFG_SECCOMP)) { |
914 | if (cfg.protocol) { | 919 | const char *add = ptr + 9; |
915 | fwarning("more than one protocol list is present, \"%s\" will be installed\n", cfg.protocol); | 920 | profile_list_augment(&cfg.protocol, add); |
916 | return 0; | 921 | if (arg_debug) |
917 | } | 922 | fprintf(stderr, "[profile] combined protocol list: \"%s\"\n", cfg.protocol); |
918 | |||
919 | // store list | ||
920 | cfg.protocol = strdup(ptr + 9); | ||
921 | if (!cfg.protocol) | ||
922 | errExit("strdup"); | ||
923 | } | 923 | } |
924 | else | 924 | else |
925 | warning_feature_disabled("seccomp"); | 925 | warning_feature_disabled("seccomp"); |
@@ -931,7 +931,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
931 | return 0; | 931 | return 0; |
932 | } | 932 | } |
933 | if (strncmp(ptr, "rmenv ", 6) == 0) { | 933 | if (strncmp(ptr, "rmenv ", 6) == 0) { |
934 | unsetenv(ptr + 6); // Remove also immediately from Firejail itself | ||
935 | env_store(ptr + 6, RMENV); | 934 | env_store(ptr + 6, RMENV); |
936 | return 0; | 935 | return 0; |
937 | } | 936 | } |
@@ -1774,3 +1773,143 @@ void profile_read(const char *fname) { | |||
1774 | } | 1773 | } |
1775 | fclose(fp); | 1774 | fclose(fp); |
1776 | } | 1775 | } |
1776 | |||
1777 | char *profile_list_normalize(char *list) | ||
1778 | { | ||
1779 | /* Remove redundant commas. | ||
1780 | * | ||
1781 | * As result is always shorter than original, | ||
1782 | * in-place copying can be used. | ||
1783 | */ | ||
1784 | size_t i = 0; | ||
1785 | size_t j = 0; | ||
1786 | int c; | ||
1787 | while (list[i] == ',') | ||
1788 | ++i; | ||
1789 | while ((c = list[i++])) { | ||
1790 | if (c == ',') { | ||
1791 | while (list[i] == ',') | ||
1792 | ++i; | ||
1793 | if (list[i] == 0) | ||
1794 | break; | ||
1795 | } | ||
1796 | list[j++] = c; | ||
1797 | } | ||
1798 | list[j] = 0; | ||
1799 | return list; | ||
1800 | } | ||
1801 | |||
1802 | char *profile_list_compress(char *list) | ||
1803 | { | ||
1804 | size_t i; | ||
1805 | |||
1806 | /* Comma separated list is processed so that: | ||
1807 | * "item" -> adds item to list | ||
1808 | * "-item" -> removes item from list | ||
1809 | * "+item" -> adds item to list | ||
1810 | * "=item" -> clear list, add item | ||
1811 | * | ||
1812 | * For example: | ||
1813 | * ,a,,,b,,,c, -> a,b,c | ||
1814 | * a,,b,,,c,a -> a,b,c | ||
1815 | * a,b,c,-a -> b,c | ||
1816 | * a,b,c,-a,a -> b,c,a | ||
1817 | * a,+b,c -> a,b,c | ||
1818 | * a,b,=c,d -> c,d | ||
1819 | * a,b,c,= -> | ||
1820 | */ | ||
1821 | profile_list_normalize(list); | ||
1822 | |||
1823 | /* Count items: comma count + 1 */ | ||
1824 | size_t count = 1; | ||
1825 | for (i = 0; list[i]; ++i) { | ||
1826 | if (list[i] == ',') | ||
1827 | ++count; | ||
1828 | } | ||
1829 | |||
1830 | /* Collect items in an array */ | ||
1831 | char *in[count]; | ||
1832 | count = 0; | ||
1833 | in[count++] = list; | ||
1834 | for (i = 0; list[i]; ++i) { | ||
1835 | if (list[i] != ',') | ||
1836 | continue; | ||
1837 | list[i] = 0; | ||
1838 | in[count++] = list + i + 1; | ||
1839 | } | ||
1840 | |||
1841 | /* Filter array: add, remove, reset, filter out duplicates */ | ||
1842 | for (i = 0; i < count; ++i) { | ||
1843 | char *item = in[i]; | ||
1844 | assert(item); | ||
1845 | |||
1846 | size_t k; | ||
1847 | switch (*item) { | ||
1848 | case '-': | ||
1849 | ++item; | ||
1850 | /* Do not include this item */ | ||
1851 | in[i] = 0; | ||
1852 | /* Remove if already included */ | ||
1853 | for (k = 0; k < i; ++k) { | ||
1854 | if (in[k] && !strcmp(in[k], item)) { | ||
1855 | in[k] = 0; | ||
1856 | break; | ||
1857 | } | ||
1858 | } | ||
1859 | break; | ||
1860 | case '+': | ||
1861 | /* Allow +/- symmetry */ | ||
1862 | in[i] = ++item; | ||
1863 | /* FALLTHRU */ | ||
1864 | default: | ||
1865 | /* Adding empty item is a NOP */ | ||
1866 | if (!*item) { | ||
1867 | in[i] = 0; | ||
1868 | break; | ||
1869 | } | ||
1870 | /* Include item unless it is already included */ | ||
1871 | for (k = 0; k < i; ++k) { | ||
1872 | if (in[k] && !strcmp(in[k], item)) { | ||
1873 | in[i] = 0; | ||
1874 | break; | ||
1875 | } | ||
1876 | } | ||
1877 | break; | ||
1878 | case '=': | ||
1879 | in[i] = ++item; | ||
1880 | /* Include non-empty item */ | ||
1881 | if (!*item) | ||
1882 | in[i] = 0; | ||
1883 | /* Remove all allready included items */ | ||
1884 | for (k = 0; k < i; ++k) | ||
1885 | in[k] = 0; | ||
1886 | break; | ||
1887 | } | ||
1888 | } | ||
1889 | |||
1890 | /* Copying back using in-place data works because the | ||
1891 | * original order is retained and no item gets longer | ||
1892 | * than what it used to be. | ||
1893 | */ | ||
1894 | char *pos = list; | ||
1895 | for (i = 0; i < count; ++i) { | ||
1896 | char *item = in[i]; | ||
1897 | if (!item) | ||
1898 | continue; | ||
1899 | if (pos > list) | ||
1900 | *pos++ = ','; | ||
1901 | while (*item) | ||
1902 | *pos++ = *item++; | ||
1903 | } | ||
1904 | *pos = 0; | ||
1905 | return list; | ||
1906 | } | ||
1907 | |||
1908 | void profile_list_augment(char **list, const char *items) | ||
1909 | { | ||
1910 | char *tmp = 0; | ||
1911 | if (asprintf(&tmp, "%s,%s", *list ?: "", items ?: "") < 0) | ||
1912 | errExit("asprintf"); | ||
1913 | free(*list); | ||
1914 | *list = profile_list_compress(tmp); | ||
1915 | } | ||
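Review bot: `profile_list_compress` declares `char *in[count];`, a variable-length array sized by the number of commas in a string built from `--protocol=` arguments and `protocol` profile lines, so stack use scales with caller-supplied input in a program that also runs with raised privileges (`EUID_ROOT()` is used elsewhere in this commit). `profile_list_augment` keeps appending to the existing list, so the upper bound is whatever the argument and profile-line length limits add up to, which this file does not show. A heap allocation avoids the question: `char **in = calloc(count, sizeof(*in)); if (!in) errExit("calloc");` with a `free(in);` before `return list;`. Separately, the result can be an empty but non-NULL string (for example after a lone `=`), so code elsewhere that tests `cfg.protocol` against NULL is worth checking.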
diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c index cd54eb72d..926af7967 100644 --- a/src/firejail/protocol.c +++ b/src/firejail/protocol.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index 5df3d9cd3..4b9203c36 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -80,8 +80,6 @@ static void pulseaudio_fallback(const char *path) { | |||
80 | 80 | ||
81 | fmessage("Cannot mount tmpfs on %s/.config/pulse\n", cfg.homedir); | 81 | fmessage("Cannot mount tmpfs on %s/.config/pulse\n", cfg.homedir); |
82 | env_store_name_val("PULSE_CLIENTCONFIG", path, SETENV); | 82 | env_store_name_val("PULSE_CLIENTCONFIG", path, SETENV); |
83 | if (setenv("PULSE_CLIENTCONFIG", path, 1) < 0) | ||
84 | errExit("setenv"); | ||
85 | } | 83 | } |
86 | 84 | ||
87 | // disable shm in pulseaudio (issue #69) | 85 | // disable shm in pulseaudio (issue #69) |
@@ -176,8 +174,7 @@ void pulseaudio_init(void) { | |||
176 | char *p; | 174 | char *p; |
177 | if (asprintf(&p, "%s/client.conf", homeusercfg) == -1) | 175 | if (asprintf(&p, "%s/client.conf", homeusercfg) == -1) |
178 | errExit("asprintf"); | 176 | errExit("asprintf"); |
179 | if (setenv("PULSE_CLIENTCONFIG", p, 1) < 0) | 177 | env_store_name_val("PULSE_CLIENTCONFIG", p, SETENV); |
180 | errExit("setenv"); | ||
181 | fs_logger2("create", p); | 178 | fs_logger2("create", p); |
182 | free(p); | 179 | free(p); |
183 | 180 | ||
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index a007312a6..a0ca4c02c 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -72,7 +72,7 @@ static void sanitize_home(void) { | |||
72 | 72 | ||
73 | if (arg_debug) | 73 | if (arg_debug) |
74 | printf("Cleaning /home directory\n"); | 74 | printf("Cleaning /home directory\n"); |
75 | // keep a copy of the user home directory | 75 | // open user home directory in order to keep it around |
76 | int fd = safe_fd(cfg.homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); | 76 | int fd = safe_fd(cfg.homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); |
77 | if (fd == -1) | 77 | if (fd == -1) |
78 | goto errout; | 78 | goto errout; |
@@ -82,47 +82,38 @@ static void sanitize_home(void) { | |||
82 | close(fd); | 82 | close(fd); |
83 | goto errout; | 83 | goto errout; |
84 | } | 84 | } |
85 | char *proc; | ||
86 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) | ||
87 | errExit("asprintf"); | ||
88 | if (mkdir(RUN_WHITELIST_HOME_DIR, 0755) == -1) | ||
89 | errExit("mkdir"); | ||
90 | if (mount(proc, RUN_WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
91 | errExit("mount bind"); | ||
92 | free(proc); | ||
93 | close(fd); | ||
94 | 85 | ||
95 | // mount tmpfs in the new home | 86 | // mount tmpfs on /home |
96 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) | 87 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) |
97 | errExit("mount tmpfs"); | 88 | errExit("mount tmpfs"); |
98 | selinux_relabel_path("/home", "/home"); | 89 | selinux_relabel_path("/home", "/home"); |
99 | fs_logger("tmpfs /home"); | 90 | fs_logger("tmpfs /home"); |
100 | 91 | ||
101 | // create user home directory | 92 | // create new user home directory |
102 | if (mkdir(cfg.homedir, 0755) == -1) { | 93 | if (mkdir(cfg.homedir, 0755) == -1) { |
103 | if (mkpath_as_root(cfg.homedir)) | 94 | if (mkpath_as_root(cfg.homedir) == -1) |
104 | errExit("mkpath"); | 95 | errExit("mkpath"); |
105 | if (mkdir(cfg.homedir, 0755) == -1) | 96 | if (mkdir(cfg.homedir, 0755) == -1) |
106 | errExit("mkdir"); | 97 | errExit("mkdir"); |
107 | selinux_relabel_path(cfg.homedir, cfg.homedir); | ||
108 | } | 98 | } |
109 | fs_logger2("mkdir", cfg.homedir); | 99 | fs_logger2("mkdir", cfg.homedir); |
110 | 100 | ||
111 | // set mode and ownership | 101 | // set mode and ownership |
112 | if (set_perms(cfg.homedir, s.st_uid, s.st_gid, s.st_mode)) | 102 | if (set_perms(cfg.homedir, s.st_uid, s.st_gid, s.st_mode)) |
113 | errExit("set_perms"); | 103 | errExit("set_perms"); |
104 | selinux_relabel_path(cfg.homedir, cfg.homedir); | ||
114 | 105 | ||
115 | // mount user home directory | 106 | // bring back real user home directory |
116 | if (mount(RUN_WHITELIST_HOME_DIR, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0) | 107 | char *proc; |
108 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) | ||
109 | errExit("asprintf"); | ||
110 | if (mount(proc, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
117 | errExit("mount bind"); | 111 | errExit("mount bind"); |
112 | free(proc); | ||
113 | close(fd); | ||
118 | 114 | ||
119 | // mask home dir under /run | ||
120 | if (mount("tmpfs", RUN_WHITELIST_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) | ||
121 | errExit("mount tmpfs"); | ||
122 | fs_logger2("tmpfs", RUN_WHITELIST_HOME_DIR); | ||
123 | if (!arg_private) | 115 | if (!arg_private) |
124 | fs_logger2("whitelist", cfg.homedir); | 116 | fs_logger2("whitelist", cfg.homedir); |
125 | |||
126 | return; | 117 | return; |
127 | 118 | ||
128 | errout: | 119 | errout: |
@@ -137,22 +128,15 @@ static void sanitize_run(void) { | |||
137 | if (asprintf(&runuser, "/run/user/%u", getuid()) == -1) | 128 | if (asprintf(&runuser, "/run/user/%u", getuid()) == -1) |
138 | errExit("asprintf"); | 129 | errExit("asprintf"); |
139 | 130 | ||
140 | struct stat s; | 131 | // open /run/user/$UID directory in order to keep it around |
141 | if (stat(runuser, &s) == -1) { | 132 | int fd = open(runuser, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); |
142 | // cannot find /user/run/$UID directory, just return | 133 | if (fd == -1) { |
143 | if (arg_debug) | 134 | if (arg_debug) |
144 | printf("Cannot find %s directory\n", runuser); | 135 | printf("Cannot open %s directory\n", runuser); |
145 | free(runuser); | 136 | free(runuser); |
146 | return; | 137 | return; |
147 | } | 138 | } |
148 | 139 | ||
149 | if (mkdir(RUN_WHITELIST_RUN_DIR, 0755) == -1) | ||
150 | errExit("mkdir"); | ||
151 | |||
152 | // keep a copy of the /run/user/$UID directory | ||
153 | if (mount(runuser, RUN_WHITELIST_RUN_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
154 | errExit("mount bind"); | ||
155 | |||
156 | // mount tmpfs on /run/user | 140 | // mount tmpfs on /run/user |
157 | if (mount("tmpfs", "/run/user", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) | 141 | if (mount("tmpfs", "/run/user", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) |
158 | errExit("mount tmpfs"); | 142 | errExit("mount tmpfs"); |
@@ -162,22 +146,23 @@ static void sanitize_run(void) { | |||
162 | // create new user directory | 146 | // create new user directory |
163 | if (mkdir(runuser, 0700) == -1) | 147 | if (mkdir(runuser, 0700) == -1) |
164 | errExit("mkdir"); | 148 | errExit("mkdir"); |
165 | selinux_relabel_path(runuser, runuser); | ||
166 | fs_logger2("mkdir", runuser); | 149 | fs_logger2("mkdir", runuser); |
167 | 150 | ||
168 | // set mode and ownership | 151 | // set mode and ownership |
169 | if (set_perms(runuser, getuid(), getgid(), 0700)) | 152 | if (set_perms(runuser, getuid(), getgid(), 0700)) |
170 | errExit("set_perms"); | 153 | errExit("set_perms"); |
154 | selinux_relabel_path(runuser, runuser); | ||
171 | 155 | ||
172 | // mount /run/user/$UID directory | 156 | // bring back real run/user/$UID directory |
173 | if (mount(RUN_WHITELIST_RUN_DIR, runuser, NULL, MS_BIND|MS_REC, NULL) < 0) | 157 | char *proc; |
158 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) | ||
159 | errExit("asprintf"); | ||
160 | if (mount(proc, runuser, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
174 | errExit("mount bind"); | 161 | errExit("mount bind"); |
162 | free(proc); | ||
163 | close(fd); | ||
175 | 164 | ||
176 | // mask mirrored /run/user/$UID directory | 165 | fs_logger2("whitelist", runuser); |
177 | if (mount("tmpfs", RUN_WHITELIST_RUN_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) | ||
178 | errExit("mount tmpfs"); | ||
179 | fs_logger2("tmpfs", RUN_WHITELIST_RUN_DIR); | ||
180 | |||
181 | free(runuser); | 166 | free(runuser); |
182 | } | 167 | } |
183 | 168 | ||
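Review bot: In sanitize_run the new `open(runuser, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC)` fails in cases where the `stat()` it replaces succeeded, such as a symlink or a non-directory at /run/user/$UID. Every failure takes the same early return, which leaves /run/user unmasked and is reported only under `arg_debug`. Treating a missing directory as benign is reasonable, but the other cases are worth surfacing, for example `if (errno != ENOENT) fwarning("cannot open %s, /run/user not sanitized\n", runuser);` before the `free(runuser)`. sanitize_home opens the home directory through `safe_fd()` with the same flags while this function calls `open()` directly; a comment saying why the plain call is enough here (presumably because /run/user is root-owned) would help the next reader. sanitize_run begins before its first hunk.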
diff --git a/src/firejail/restricted_shell.c b/src/firejail/restricted_shell.c index b80d4ae55..ae453f4f1 100644 --- a/src/firejail/restricted_shell.c +++ b/src/firejail/restricted_shell.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/rlimit.c b/src/firejail/rlimit.c index 0ca4a34df..78f00bc63 100644 --- a/src/firejail/rlimit.c +++ b/src/firejail/rlimit.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/run_files.c b/src/firejail/run_files.c index b9c80c459..cd44f745f 100644 --- a/src/firejail/run_files.c +++ b/src/firejail/run_files.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c index 5bf27fc6d..77fac5438 100644 --- a/src/firejail/run_symlink.c +++ b/src/firejail/run_symlink.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 1f94d86cd..743d84b43 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -462,10 +462,10 @@ static int ok_to_run(const char *program) { | |||
462 | 462 | ||
463 | void start_application(int no_sandbox, int fd, char *set_sandbox_status) { | 463 | void start_application(int no_sandbox, int fd, char *set_sandbox_status) { |
464 | // set environment | 464 | // set environment |
465 | if (no_sandbox == 0) { | 465 | if (no_sandbox == 0) |
466 | env_defaults(); | 466 | env_defaults(); |
467 | env_apply_all(); | 467 | env_apply_all(); |
468 | } | 468 | |
469 | // restore original umask | 469 | // restore original umask |
470 | umask(orig_umask); | 470 | umask(orig_umask); |
471 | 471 | ||
@@ -475,23 +475,9 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) { | |||
475 | } | 475 | } |
476 | 476 | ||
477 | //**************************************** | 477 | //**************************************** |
478 | // audit | ||
479 | //**************************************** | ||
480 | if (arg_audit) { | ||
481 | assert(arg_audit_prog); | ||
482 | |||
483 | #ifdef HAVE_GCOV | ||
484 | __gcov_dump(); | ||
485 | #endif | ||
486 | seccomp_install_filters(); | ||
487 | if (set_sandbox_status) | ||
488 | *set_sandbox_status = SANDBOX_DONE; | ||
489 | execl(arg_audit_prog, arg_audit_prog, NULL); | ||
490 | } | ||
491 | //**************************************** | ||
492 | // start the program without using a shell | 478 | // start the program without using a shell |
493 | //**************************************** | 479 | //**************************************** |
494 | else if (arg_shell_none) { | 480 | if (arg_shell_none) { |
495 | if (arg_debug) { | 481 | if (arg_debug) { |
496 | int i; | 482 | int i; |
497 | for (i = cfg.original_program_index; i < cfg.original_argc; i++) { | 483 | for (i = cfg.original_program_index; i < cfg.original_argc; i++) { |
@@ -589,12 +575,12 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) { | |||
589 | } | 575 | } |
590 | 576 | ||
591 | static void enforce_filters(void) { | 577 | static void enforce_filters(void) { |
578 | fmessage("\n** Warning: dropping all Linux capabilities and setting NO_NEW_PRIVS prctl **\n\n"); | ||
592 | // enforce NO_NEW_PRIVS | 579 | // enforce NO_NEW_PRIVS |
593 | arg_nonewprivs = 1; | 580 | arg_nonewprivs = 1; |
594 | force_nonewprivs = 1; | 581 | force_nonewprivs = 1; |
595 | 582 | ||
596 | // disable all capabilities | 583 | // disable all capabilities |
597 | fmessage("\n** Warning: dropping all Linux capabilities **\n\n"); | ||
598 | arg_caps_drop_all = 1; | 584 | arg_caps_drop_all = 1; |
599 | 585 | ||
600 | // drop all supplementary groups; /etc/group file inside chroot | 586 | // drop all supplementary groups; /etc/group file inside chroot |
@@ -795,14 +781,18 @@ int sandbox(void* sandbox_arg) { | |||
795 | exit(rv); | 781 | exit(rv); |
796 | } | 782 | } |
797 | 783 | ||
798 | // need ld.so.preload if tracing or seccomp with any non-default lists | 784 | #ifdef HAVE_FORCE_NONEWPRIVS |
799 | bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec; | 785 | bool always_enforce_filters = true; |
786 | #else | ||
787 | bool always_enforce_filters = false; | ||
788 | #endif | ||
800 | // for --appimage, --chroot and --overlay* we force NO_NEW_PRIVS | 789 | // for --appimage, --chroot and --overlay* we force NO_NEW_PRIVS |
801 | // and drop all capabilities | 790 | // and drop all capabilities |
802 | if (getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay)) { | 791 | if (getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay || always_enforce_filters)) |
803 | enforce_filters(); | 792 | enforce_filters(); |
804 | need_preload = arg_trace || arg_tracelog; | 793 | |
805 | } | 794 | // need ld.so.preload if tracing or seccomp with any non-default lists |
795 | bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec; | ||
806 | 796 | ||
807 | // trace pre-install | 797 | // trace pre-install |
808 | if (need_preload) | 798 | if (need_preload) |
@@ -835,6 +825,11 @@ int sandbox(void* sandbox_arg) { | |||
835 | fs_basic_fs(); | 825 | fs_basic_fs(); |
836 | 826 | ||
837 | //**************************** | 827 | //**************************** |
828 | // appimage | ||
829 | //**************************** | ||
830 | appimage_mount(); | ||
831 | |||
832 | //**************************** | ||
838 | // private mode | 833 | // private mode |
839 | //**************************** | 834 | //**************************** |
840 | if (arg_private) { | 835 | if (arg_private) { |
@@ -969,11 +964,35 @@ int sandbox(void* sandbox_arg) { | |||
969 | else if (arg_overlay) | 964 | else if (arg_overlay) |
970 | fwarning("private-etc feature is disabled in overlay\n"); | 965 | fwarning("private-etc feature is disabled in overlay\n"); |
971 | else { | 966 | else { |
972 | fs_private_dir_list("/etc", RUN_ETC_DIR, cfg.etc_private_keep); | 967 | /* Current /etc/passwd and /etc/group files are bind |
973 | fs_private_dir_list("/usr/etc", RUN_USR_ETC_DIR, cfg.etc_private_keep); // openSUSE | 968 | * mounted filtered versions of originals. Leaving |
969 | * them underneath private-etc mount causes problems | ||
970 | * in devices with older kernels, e.g. attempts to | ||
971 | * update the real /etc/passwd file yield EBUSY. | ||
972 | * | ||
973 | * As we do want to retain filtered /etc content: | ||
974 | * 1. duplicate /etc content to RUN_ETC_DIR | ||
975 | * 2. unmount bind mounts from /etc | ||
976 | * 3. mount RUN_ETC_DIR at /etc | ||
977 | */ | ||
978 | timetrace_start(); | ||
979 | fs_private_dir_copy("/etc", RUN_ETC_DIR, cfg.etc_private_keep); | ||
980 | |||
981 | if (umount2("/etc/group", MNT_DETACH) == -1) | ||
982 | fprintf(stderr, "/etc/group: unmount: %s\n", strerror(errno)); | ||
983 | if (umount2("/etc/passwd", MNT_DETACH) == -1) | ||
984 | fprintf(stderr, "/etc/passwd: unmount: %s\n", strerror(errno)); | ||
985 | |||
986 | fs_private_dir_mount("/etc", RUN_ETC_DIR); | ||
987 | fmessage("Private /etc installed in %0.2f ms\n", timetrace_end()); | ||
988 | |||
974 | // create /etc/ld.so.preload file again | 989 | // create /etc/ld.so.preload file again |
975 | if (need_preload) | 990 | if (need_preload) |
976 | fs_trace_preload(); | 991 | fs_trace_preload(); |
992 | |||
993 | // openSUSE configuration is split between /etc and /usr/etc | ||
994 | // process private-etc a second time | ||
995 | fs_private_dir_list("/usr/etc", RUN_USR_ETC_DIR, cfg.etc_private_keep); | ||
977 | } | 996 | } |
978 | } | 997 | } |
979 | 998 | ||
@@ -1015,23 +1034,11 @@ int sandbox(void* sandbox_arg) { | |||
1015 | fs_dev_disable_video(); | 1034 | fs_dev_disable_video(); |
1016 | 1035 | ||
1017 | //**************************** | 1036 | //**************************** |
1018 | // install trace | ||
1019 | //**************************** | ||
1020 | if (need_preload) | ||
1021 | fs_trace(); | ||
1022 | |||
1023 | //**************************** | ||
1024 | // set dns | 1037 | // set dns |
1025 | //**************************** | 1038 | //**************************** |
1026 | fs_resolvconf(); | 1039 | fs_resolvconf(); |
1027 | 1040 | ||
1028 | //**************************** | 1041 | //**************************** |
1029 | // fs post-processing | ||
1030 | //**************************** | ||
1031 | fs_logger_print(); | ||
1032 | fs_logger_change_owner(); | ||
1033 | |||
1034 | //**************************** | ||
1035 | // start dhcp client | 1042 | // start dhcp client |
1036 | //**************************** | 1043 | //**************************** |
1037 | dhcp_start(); | 1044 | dhcp_start(); |
@@ -1080,6 +1087,12 @@ int sandbox(void* sandbox_arg) { | |||
1080 | save_umask(); | 1087 | save_umask(); |
1081 | 1088 | ||
1082 | //**************************** | 1089 | //**************************** |
1090 | // fs post-processing | ||
1091 | //**************************** | ||
1092 | fs_logger_print(); | ||
1093 | fs_logger_change_owner(); | ||
1094 | |||
1095 | //**************************** | ||
1083 | // set security filters | 1096 | // set security filters |
1084 | //**************************** | 1097 | //**************************** |
1085 | // save state of nonewprivs | 1098 | // save state of nonewprivs |
@@ -1136,13 +1149,21 @@ int sandbox(void* sandbox_arg) { | |||
1136 | fs_remount(RUN_SECCOMP_DIR, MOUNT_READONLY, 0); | 1149 | fs_remount(RUN_SECCOMP_DIR, MOUNT_READONLY, 0); |
1137 | seccomp_debug(); | 1150 | seccomp_debug(); |
1138 | 1151 | ||
1152 | //**************************** | ||
1153 | // install trace - still need capabilities | ||
1154 | //**************************** | ||
1155 | if (need_preload) | ||
1156 | fs_trace(); | ||
1157 | |||
1158 | //**************************** | ||
1159 | // continue security filters | ||
1160 | //**************************** | ||
1139 | // set capabilities | 1161 | // set capabilities |
1140 | set_caps(); | 1162 | set_caps(); |
1141 | 1163 | ||
1142 | //**************************************** | 1164 | //**************************************** |
1143 | // relay status information to join option | 1165 | // relay status information to join option |
1144 | //**************************************** | 1166 | //**************************************** |
1145 | |||
1146 | char *set_sandbox_status = create_join_file(); | 1167 | char *set_sandbox_status = create_join_file(); |
1147 | 1168 | ||
1148 | //**************************************** | 1169 | //**************************************** |
@@ -1203,7 +1224,6 @@ int sandbox(void* sandbox_arg) { | |||
1203 | //**************************************** | 1224 | //**************************************** |
1204 | // set cpu affinity | 1225 | // set cpu affinity |
1205 | //**************************************** | 1226 | //**************************************** |
1206 | |||
1207 | if (cfg.cpus) | 1227 | if (cfg.cpus) |
1208 | set_cpu_affinity(); | 1228 | set_cpu_affinity(); |
1209 | 1229 | ||
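Review bot: In the private-etc hunk the two `umount2(..., MNT_DETACH)` failures are only printed, and execution continues to `fs_private_dir_mount("/etc", RUN_ETC_DIR)`. On failure the bind mounts therefore stay underneath the new /etc, which is the condition the block comment says causes EBUSY on older kernels. If that is meant as best effort, the comment should say so. The messages would also fit the file better as `fwarning("cannot unmount /etc/passwd: %s\n", strerror(errno));` than as raw `fprintf(stderr, ...)`, since fwarning is already used a few lines above. It is also worth confirming whether a failure is expected when the files were never bind mounted, in which case that EINVAL result could be skipped silently. sandbox() starts and ends outside the hunk.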
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index baf99c5b9..f9c41f661 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -203,15 +203,16 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char * | |||
203 | } | 203 | } |
204 | } | 204 | } |
205 | 205 | ||
206 | if (filtermask & SBOX_ROOT) { | 206 | if (filtermask & SBOX_USER) |
207 | drop_privs(1); | ||
208 | else if (filtermask & SBOX_ROOT) { | ||
207 | // elevate privileges in order to get grsecurity working | 209 | // elevate privileges in order to get grsecurity working |
208 | if (setreuid(0, 0)) | 210 | if (setreuid(0, 0)) |
209 | errExit("setreuid"); | 211 | errExit("setreuid"); |
210 | if (setregid(0, 0)) | 212 | if (setregid(0, 0)) |
211 | errExit("setregid"); | 213 | errExit("setregid"); |
212 | } | 214 | } |
213 | else if (filtermask & SBOX_USER) | 215 | else assert(0); |
214 | drop_privs(1); | ||
215 | 216 | ||
216 | if (arg[0]) { // get rid of scan-build warning | 217 | if (arg[0]) { // get rid of scan-build warning |
217 | int fd = open(arg[0], O_PATH | O_CLOEXEC); | 218 | int fd = open(arg[0], O_PATH | O_CLOEXEC); |
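Review bot: The new final branch `else assert(0);` in sbox_do_exec_v is the only guard against a filtermask that carries neither SBOX_USER nor SBOX_ROOT, and `assert` compiles to nothing when the build defines NDEBUG. In that case the function would presumably carry on to the open and exec of `arg[0]` with whatever credentials the process holds at that point. An unconditional failure keeps the check in every build: `else { fprintf(stderr, "Error: sbox needs SBOX_USER or SBOX_ROOT\n"); exit(1); }`. Testing SBOX_USER first means a mask with both flags set now drops privileges instead of raising them, which looks like the safer order; a one-line comment stating that precedence would be useful. The function body starts and ends outside the hunk.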
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 808dd4c37..785c29517 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/selinux.c b/src/firejail/selinux.c index dd776fcce..06189d7f6 100644 --- a/src/firejail/selinux.c +++ b/src/firejail/selinux.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2020 Firejail and systemd authors | 2 | * Copyright (C) 2020-2021 Firejail and systemd authors |
3 | * | 3 | * |
4 | * This file is part of firejail project, from systemd selinux-util.c | 4 | * This file is part of firejail project, from systemd selinux-util.c |
5 | * | 5 | * |
diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c index 7e9628007..8fb03d0a6 100644 --- a/src/firejail/shutdown.c +++ b/src/firejail/shutdown.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index d58bbb409..397150158 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -33,7 +33,6 @@ static char *usage_str = | |||
33 | " --apparmor - enable AppArmor confinement.\n" | 33 | " --apparmor - enable AppArmor confinement.\n" |
34 | " --apparmor.print=name|pid - print apparmor status.\n" | 34 | " --apparmor.print=name|pid - print apparmor status.\n" |
35 | " --appimage - sandbox an AppImage application.\n" | 35 | " --appimage - sandbox an AppImage application.\n" |
36 | " --audit[=test-program] - audit the sandbox.\n" | ||
37 | #ifdef HAVE_NETWORK | 36 | #ifdef HAVE_NETWORK |
38 | " --bandwidth=name|pid - set bandwidth limits.\n" | 37 | " --bandwidth=name|pid - set bandwidth limits.\n" |
39 | #endif | 38 | #endif |
@@ -56,6 +55,7 @@ static char *usage_str = | |||
56 | #endif | 55 | #endif |
57 | " --cpu=cpu-number,cpu-number - set cpu affinity.\n" | 56 | " --cpu=cpu-number,cpu-number - set cpu affinity.\n" |
58 | " --cpu.print=name|pid - print the cpus in use.\n" | 57 | " --cpu.print=name|pid - print the cpus in use.\n" |
58 | #ifdef HAVE_DBUSPROXY | ||
59 | " --dbus-log=file - set DBus log file location.\n" | 59 | " --dbus-log=file - set DBus log file location.\n" |
60 | " --dbus-system=filter|none - set system DBus access policy.\n" | 60 | " --dbus-system=filter|none - set system DBus access policy.\n" |
61 | " --dbus-system.broadcast=rule - allow signals on the system DBus according to rule.\n" | 61 | " --dbus-system.broadcast=rule - allow signals on the system DBus according to rule.\n" |
@@ -71,6 +71,7 @@ static char *usage_str = | |||
71 | " --dbus-user.own=name - allow ownership of name on the session DBus.\n" | 71 | " --dbus-user.own=name - allow ownership of name on the session DBus.\n" |
72 | " --dbus-user.see=name - allow seeing name on the session DBus.\n" | 72 | " --dbus-user.see=name - allow seeing name on the session DBus.\n" |
73 | " --dbus-user.talk=name - allow talking to name on the session DBus.\n" | 73 | " --dbus-user.talk=name - allow talking to name on the session DBus.\n" |
74 | #endif | ||
74 | " --debug - print sandbox debug messages.\n" | 75 | " --debug - print sandbox debug messages.\n" |
75 | " --debug-blacklists - debug blacklisting.\n" | 76 | " --debug-blacklists - debug blacklisting.\n" |
76 | " --debug-caps - print all recognized capabilities.\n" | 77 | " --debug-caps - print all recognized capabilities.\n" |
@@ -125,6 +126,8 @@ static char *usage_str = | |||
125 | " --machine-id - preserve /etc/machine-id\n" | 126 | " --machine-id - preserve /etc/machine-id\n" |
126 | " --memory-deny-write-execute - seccomp filter to block attempts to create\n" | 127 | " --memory-deny-write-execute - seccomp filter to block attempts to create\n" |
127 | "\tmemory mappings that are both writable and executable.\n" | 128 | "\tmemory mappings that are both writable and executable.\n" |
129 | " --mkdir=dirname - create a directory.\n" | ||
130 | " --mkfile=filename - create a file.\n" | ||
128 | #ifdef HAVE_NETWORK | 131 | #ifdef HAVE_NETWORK |
129 | " --mtu=number - set interface MTU.\n" | 132 | " --mtu=number - set interface MTU.\n" |
130 | #endif | 133 | #endif |
@@ -161,14 +164,18 @@ static char *usage_str = | |||
161 | " --novideo - disable video devices.\n" | 164 | " --novideo - disable video devices.\n" |
162 | " --nou2f - disable U2F devices.\n" | 165 | " --nou2f - disable U2F devices.\n" |
163 | " --nowhitelist=filename - disable whitelist for file or directory.\n" | 166 | " --nowhitelist=filename - disable whitelist for file or directory.\n" |
167 | #ifdef HAVE_OUTPUT | ||
164 | " --output=logfile - stdout logging and log rotation.\n" | 168 | " --output=logfile - stdout logging and log rotation.\n" |
165 | " --output-stderr=logfile - stdout and stderr logging and log rotation.\n" | 169 | " --output-stderr=logfile - stdout and stderr logging and log rotation.\n" |
170 | #endif | ||
171 | #ifdef HAVE_OVERLAYFS | ||
166 | " --overlay - mount a filesystem overlay on top of the current filesystem.\n" | 172 | " --overlay - mount a filesystem overlay on top of the current filesystem.\n" |
167 | " --overlay-named=name - mount a filesystem overlay on top of the current\n" | 173 | " --overlay-named=name - mount a filesystem overlay on top of the current\n" |
168 | "\tfilesystem, and store it in name directory.\n" | 174 | "\tfilesystem, and store it in name directory.\n" |
169 | " --overlay-tmpfs - mount a temporary filesystem overlay on top of the\n" | 175 | " --overlay-tmpfs - mount a temporary filesystem overlay on top of the\n" |
170 | "\tcurrent filesystem.\n" | 176 | "\tcurrent filesystem.\n" |
171 | " --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n" | 177 | " --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n" |
178 | #endif | ||
172 | " --private - temporary home directory.\n" | 179 | " --private - temporary home directory.\n" |
173 | " --private=directory - use directory as user home.\n" | 180 | " --private=directory - use directory as user home.\n" |
174 | " --private-cache - temporary ~/.cache directory.\n" | 181 | " --private-cache - temporary ~/.cache directory.\n" |
diff --git a/src/firejail/util.c b/src/firejail/util.c index 911c8bd94..2ad85acd6 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -400,6 +400,8 @@ void touch_file_as_user(const char *fname, mode_t mode) { | |||
400 | SET_PERMS_STREAM(fp, -1, -1, mode); | 400 | SET_PERMS_STREAM(fp, -1, -1, mode); |
401 | fclose(fp); | 401 | fclose(fp); |
402 | } | 402 | } |
403 | else | ||
404 | fwarning("cannot create %s\n", fname); | ||
403 | #ifdef HAVE_GCOV | 405 | #ifdef HAVE_GCOV |
404 | __gcov_flush(); | 406 | __gcov_flush(); |
405 | #endif | 407 | #endif |
@@ -439,35 +441,22 @@ int is_dir(const char *fname) { | |||
439 | return 0; | 441 | return 0; |
440 | } | 442 | } |
441 | 443 | ||
442 | |||
443 | // return 1 if the file is a link | 444 | // return 1 if the file is a link |
444 | int is_link(const char *fname) { | 445 | int is_link(const char *fname) { |
445 | assert(fname); | 446 | assert(fname); |
446 | if (*fname == '\0') | 447 | if (*fname == '\0') |
447 | return 0; | 448 | return 0; |
448 | 449 | ||
449 | char *dup = NULL; | 450 | char *dup = strdup(fname); |
450 | struct stat s; | 451 | if (!dup) |
451 | if (lstat(fname, &s) == 0) { | 452 | errExit("strdup"); |
452 | if (S_ISLNK(s.st_mode)) | 453 | trim_trailing_slash_or_dot(dup); |
453 | return 1; | 454 | |
454 | if (S_ISDIR(s.st_mode)) { | 455 | char c; |
455 | // remove trailing slashes and single dots and try again | 456 | ssize_t rv = readlink(dup, &c, 1); |
456 | dup = strdup(fname); | ||
457 | if (!dup) | ||
458 | errExit("strdup"); | ||
459 | trim_trailing_slash_or_dot(dup); | ||
460 | if (lstat(dup, &s) == 0) { | ||
461 | if (S_ISLNK(s.st_mode)) { | ||
462 | free(dup); | ||
463 | return 1; | ||
464 | } | ||
465 | } | ||
466 | } | ||
467 | } | ||
468 | 457 | ||
469 | free(dup); | 458 | free(dup); |
470 | return 0; | 459 | return (rv != -1); |
471 | } | 460 | } |
472 | 461 | ||
473 | // remove all slashes and single dots from the end of a path | 462 | // remove all slashes and single dots from the end of a path |
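Review bot: The rewritten is_link returns `rv != -1` from `readlink(dup, &c, 1)`, so every readlink failure (path missing, search permission denied on a parent directory, not a link) is reported as 0, while the comment above it still says only `// return 1 if the file is a link`. Any caller that uses is_link to refuse symlinks cannot tell "not a link" from "could not be checked", so I would extend the comment to `// return 1 if the file is a link, 0 if it is not or if it cannot be examined`. The removed lstat version also returned 0 on error, so this is a documentation point rather than a regression. One behavioural difference deserves a line in the commit message: the path now always goes through trim_trailing_slash_or_dot, where before that happened only for directories.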
diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 1121ec84e..1dabf272e 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firemon/Makefile.in b/src/firemon/Makefile.in index 9ee798fe9..a1b6692aa 100644 --- a/src/firemon/Makefile.in +++ b/src/firemon/Makefile.in | |||
@@ -1,3 +1,4 @@ | |||
1 | .PHONY: all | ||
1 | all: firemon | 2 | all: firemon |
2 | 3 | ||
3 | include ../common.mk | 4 | include ../common.mk |
@@ -8,7 +9,9 @@ include ../common.mk | |||
8 | firemon: $(OBJS) ../lib/common.o ../lib/pid.o | 9 | firemon: $(OBJS) ../lib/common.o ../lib/pid.o |
9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/pid.o $(LIBS) $(EXTRA_LDFLAGS) | 10 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/pid.o $(LIBS) $(EXTRA_LDFLAGS) |
10 | 11 | ||
12 | .PHONY: clean | ||
11 | clean:; rm -fr *.o firemon *.gcov *.gcda *.gcno *.plist | 13 | clean:; rm -fr *.o firemon *.gcov *.gcda *.gcno *.plist |
12 | 14 | ||
15 | .PHONY: distclean | ||
13 | distclean: clean | 16 | distclean: clean |
14 | rm -fr Makefile | 17 | rm -fr Makefile |
diff --git a/src/firemon/apparmor.c b/src/firemon/apparmor.c index c34a44165..eb810a9e7 100644 --- a/src/firemon/apparmor.c +++ b/src/firemon/apparmor.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firemon/arp.c b/src/firemon/arp.c index 3bd59e65e..1a69a67b1 100644 --- a/src/firemon/arp.c +++ b/src/firemon/arp.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firemon/caps.c b/src/firemon/caps.c index 0e720706d..c0f305a5d 100644 --- a/src/firemon/caps.c +++ b/src/firemon/caps.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firemon/cgroup.c b/src/firemon/cgroup.c index e0d605d10..97ba591a6 100644 --- a/src/firemon/cgroup.c +++ b/src/firemon/cgroup.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firemon/cpu.c b/src/firemon/cpu.c index e97068851..91b455941 100644 --- a/src/firemon/cpu.c +++ b/src/firemon/cpu.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c index 5ae0ed013..37870747d 100644 --- a/src/firemon/firemon.c +++ b/src/firemon/firemon.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firemon/firemon.h b/src/firemon/firemon.h index 948214d4d..5252ad34f 100644 --- a/src/firemon/firemon.h +++ b/src/firemon/firemon.h | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firemon/interface.c b/src/firemon/interface.c index 34d616647..e04b6f431 100644 --- a/src/firemon/interface.c +++ b/src/firemon/interface.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firemon/list.c b/src/firemon/list.c index 22a08272d..51099a75c 100644 --- a/src/firemon/list.c +++ b/src/firemon/list.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firemon/netstats.c b/src/firemon/netstats.c index c746cc127..850959eb3 100644 --- a/src/firemon/netstats.c +++ b/src/firemon/netstats.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c index b64b6210d..8085d2d29 100644 --- a/src/firemon/procevent.c +++ b/src/firemon/procevent.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firemon/route.c b/src/firemon/route.c index 19c823a87..9cf5054b2 100644 --- a/src/firemon/route.c +++ b/src/firemon/route.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firemon/seccomp.c b/src/firemon/seccomp.c index 7867fbad3..04111b6c0 100644 --- a/src/firemon/seccomp.c +++ b/src/firemon/seccomp.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firemon/top.c b/src/firemon/top.c index ba707ef19..a25e3c0d8 100644 --- a/src/firemon/top.c +++ b/src/firemon/top.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firemon/tree.c b/src/firemon/tree.c index 711066c19..899214b9f 100644 --- a/src/firemon/tree.c +++ b/src/firemon/tree.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firemon/usage.c b/src/firemon/usage.c index 0c3da00f8..baaef3111 100644 --- a/src/firemon/usage.c +++ b/src/firemon/usage.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firemon/x11.c b/src/firemon/x11.c index 19b54429c..97e24b2d2 100644 --- a/src/firemon/x11.c +++ b/src/firemon/x11.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/fldd/Makefile.in b/src/fldd/Makefile.in index 37b139d38..ba87d16cd 100644 --- a/src/fldd/Makefile.in +++ b/src/fldd/Makefile.in | |||
@@ -1,3 +1,4 @@ | |||
1 | .PHONY: all | ||
1 | all: fldd | 2 | all: fldd |
2 | 3 | ||
3 | include ../common.mk | 4 | include ../common.mk |
@@ -8,7 +9,9 @@ include ../common.mk | |||
8 | fldd: $(OBJS) ../lib/common.o ../lib/ldd_utils.o | 9 | fldd: $(OBJS) ../lib/common.o ../lib/ldd_utils.o |
9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS) | 10 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS) |
10 | 11 | ||
12 | .PHONY: clean | ||
11 | clean:; rm -fr *.o fldd *.gcov *.gcda *.gcno *.plist | 13 | clean:; rm -fr *.o fldd *.gcov *.gcda *.gcno *.plist |
12 | 14 | ||
15 | .PHONY: distclean | ||
13 | distclean: clean | 16 | distclean: clean |
14 | rm -fr Makefile | 17 | rm -fr Makefile |
diff --git a/src/fldd/main.c b/src/fldd/main.c index 55a0dfcce..9d91557c1 100644 --- a/src/fldd/main.c +++ b/src/fldd/main.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/fnet/Makefile.in b/src/fnet/Makefile.in index bd5fe9e7a..7447c6d3f 100644 --- a/src/fnet/Makefile.in +++ b/src/fnet/Makefile.in | |||
@@ -1,3 +1,4 @@ | |||
1 | .PHONY: all | ||
1 | all: fnet | 2 | all: fnet |
2 | 3 | ||
3 | include ../common.mk | 4 | include ../common.mk |
@@ -8,7 +9,9 @@ include ../common.mk | |||
8 | fnet: $(OBJS) ../lib/common.o ../lib/libnetlink.o | 9 | fnet: $(OBJS) ../lib/common.o ../lib/libnetlink.o |
9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS) | 10 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS) |
10 | 11 | ||
12 | .PHONY: clean | ||
11 | clean:; rm -fr *.o fnet *.gcov *.gcda *.gcno *.plist | 13 | clean:; rm -fr *.o fnet *.gcov *.gcda *.gcno *.plist |
12 | 14 | ||
15 | .PHONY: distclean | ||
13 | distclean: clean | 16 | distclean: clean |
14 | rm -fr Makefile | 17 | rm -fr Makefile |
diff --git a/src/fnet/arp.c b/src/fnet/arp.c index 64f177574..59798d32d 100644 --- a/src/fnet/arp.c +++ b/src/fnet/arp.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/fnet/fnet.h b/src/fnet/fnet.h index b9cf96c64..c0154b53e 100644 --- a/src/fnet/fnet.h +++ b/src/fnet/fnet.h | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/fnet/interface.c b/src/fnet/interface.c index 62df0930e..91d91360d 100644 --- a/src/fnet/interface.c +++ b/src/fnet/interface.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/fnet/main.c b/src/fnet/main.c index db090fb95..df8f7226c 100644 --- a/src/fnet/main.c +++ b/src/fnet/main.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/fnet/veth.c b/src/fnet/veth.c index 777e4e07e..e09b1b1c5 100644 --- a/src/fnet/veth.c +++ b/src/fnet/veth.c | |||
@@ -26,7 +26,7 @@ | |||
26 | * | 26 | * |
27 | */ | 27 | */ |
28 | /* | 28 | /* |
29 | * Copyright (C) 2014-2020 Firejail Authors | 29 | * Copyright (C) 2014-2021 Firejail Authors |
30 | * | 30 | * |
31 | * This file is part of firejail project | 31 | * This file is part of firejail project |
32 | * | 32 | * |
diff --git a/src/fnetfilter/Makefile.in b/src/fnetfilter/Makefile.in index 6fe650a17..825262482 100644 --- a/src/fnetfilter/Makefile.in +++ b/src/fnetfilter/Makefile.in | |||
@@ -1,3 +1,4 @@ | |||
1 | .PHONY: all | ||
1 | all: fnetfilter | 2 | all: fnetfilter |
2 | 3 | ||
3 | include ../common.mk | 4 | include ../common.mk |
@@ -8,7 +9,9 @@ include ../common.mk | |||
8 | fnetfilter: $(OBJS) ../lib/common.o | 9 | fnetfilter: $(OBJS) ../lib/common.o |
9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS) | 10 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS) |
10 | 11 | ||
12 | .PHONY: clean | ||
11 | clean:; rm -fr *.o fnetfilter *.gcov *.gcda *.gcno *.plist | 13 | clean:; rm -fr *.o fnetfilter *.gcov *.gcda *.gcno *.plist |
12 | 14 | ||
15 | .PHONY: distclean | ||
13 | distclean: clean | 16 | distclean: clean |
14 | rm -fr Makefile | 17 | rm -fr Makefile |
diff --git a/src/fnetfilter/main.c b/src/fnetfilter/main.c index 381d0d36e..979f082d0 100644 --- a/src/fnetfilter/main.c +++ b/src/fnetfilter/main.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/fsec-optimize/Makefile.in b/src/fsec-optimize/Makefile.in index cc5ac7e35..a2187e89c 100644 --- a/src/fsec-optimize/Makefile.in +++ b/src/fsec-optimize/Makefile.in | |||
@@ -1,3 +1,4 @@ | |||
1 | .PHONY: all | ||
1 | all: fsec-optimize | 2 | all: fsec-optimize |
2 | 3 | ||
3 | include ../common.mk | 4 | include ../common.mk |
@@ -8,7 +9,9 @@ include ../common.mk | |||
8 | fsec-optimize: $(OBJS) ../lib/common.o ../lib/libnetlink.o | 9 | fsec-optimize: $(OBJS) ../lib/common.o ../lib/libnetlink.o |
9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o $(LIBS) $(EXTRA_LDFLAGS) | 10 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o $(LIBS) $(EXTRA_LDFLAGS) |
10 | 11 | ||
12 | .PHONY: clean | ||
11 | clean:; rm -fr *.o fsec-optimize *.gcov *.gcda *.gcno *.plist | 13 | clean:; rm -fr *.o fsec-optimize *.gcov *.gcda *.gcno *.plist |
12 | 14 | ||
15 | .PHONY: distclean | ||
13 | distclean: clean | 16 | distclean: clean |
14 | rm -fr Makefile | 17 | rm -fr Makefile |
diff --git a/src/fsec-optimize/fsec_optimize.h b/src/fsec-optimize/fsec_optimize.h index 211111641..fc9dd7db8 100644 --- a/src/fsec-optimize/fsec_optimize.h +++ b/src/fsec-optimize/fsec_optimize.h | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/fsec-optimize/main.c b/src/fsec-optimize/main.c index c64587068..84bf2d4f9 100644 --- a/src/fsec-optimize/main.c +++ b/src/fsec-optimize/main.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/fsec-optimize/optimizer.c b/src/fsec-optimize/optimizer.c index eb777f13b..4c02de59d 100644 --- a/src/fsec-optimize/optimizer.c +++ b/src/fsec-optimize/optimizer.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/fsec-print/Makefile.in b/src/fsec-print/Makefile.in index bf39a8c77..824fb5daf 100644 --- a/src/fsec-print/Makefile.in +++ b/src/fsec-print/Makefile.in | |||
@@ -1,3 +1,4 @@ | |||
1 | .PHONY: all | ||
1 | all: fsec-print | 2 | all: fsec-print |
2 | 3 | ||
3 | include ../common.mk | 4 | include ../common.mk |
@@ -8,7 +9,9 @@ include ../common.mk | |||
8 | fsec-print: $(OBJS) ../lib/common.o ../lib/libnetlink.o ../lib/errno.o ../lib/syscall.o | 9 | fsec-print: $(OBJS) ../lib/common.o ../lib/libnetlink.o ../lib/errno.o ../lib/syscall.o |
9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS) | 10 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS) |
10 | 11 | ||
12 | .PHONY: clean | ||
11 | clean:; rm -fr *.o fsec-print *.gcov *.gcda *.gcno *.plist | 13 | clean:; rm -fr *.o fsec-print *.gcov *.gcda *.gcno *.plist |
12 | 14 | ||
15 | .PHONY: distclean | ||
13 | distclean: clean | 16 | distclean: clean |
14 | rm -fr Makefile | 17 | rm -fr Makefile |
diff --git a/src/fsec-print/fsec_print.h b/src/fsec-print/fsec_print.h index 337199288..75a82c11a 100644 --- a/src/fsec-print/fsec_print.h +++ b/src/fsec-print/fsec_print.h | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/fsec-print/main.c b/src/fsec-print/main.c index ed030db21..5bca93d50 100644 --- a/src/fsec-print/main.c +++ b/src/fsec-print/main.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/fsec-print/print.c b/src/fsec-print/print.c index eecf18832..143a7a53e 100644 --- a/src/fsec-print/print.c +++ b/src/fsec-print/print.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/fseccomp/Makefile.in b/src/fseccomp/Makefile.in index b776a73ce..41abfce17 100644 --- a/src/fseccomp/Makefile.in +++ b/src/fseccomp/Makefile.in | |||
@@ -1,3 +1,4 @@ | |||
1 | .PHONY: all | ||
1 | all: fseccomp | 2 | all: fseccomp |
2 | 3 | ||
3 | include ../common.mk | 4 | include ../common.mk |
@@ -8,7 +9,9 @@ include ../common.mk | |||
8 | fseccomp: $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o | 9 | fseccomp: $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o |
9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS) | 10 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS) |
10 | 11 | ||
12 | .PHONY: clean | ||
11 | clean:; rm -fr *.o fseccomp *.gcov *.gcda *.gcno *.plist | 13 | clean:; rm -fr *.o fseccomp *.gcov *.gcda *.gcno *.plist |
12 | 14 | ||
15 | .PHONY: distclean | ||
13 | distclean: clean | 16 | distclean: clean |
14 | rm -fr Makefile | 17 | rm -fr Makefile |
diff --git a/src/fseccomp/fseccomp.h b/src/fseccomp/fseccomp.h index e8dd083b6..97eac9ed8 100644 --- a/src/fseccomp/fseccomp.h +++ b/src/fseccomp/fseccomp.h | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c index f47efb5e8..326c29a44 100644 --- a/src/fseccomp/main.c +++ b/src/fseccomp/main.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/fseccomp/protocol.c b/src/fseccomp/protocol.c index 4d261f9e5..48dda61dd 100644 --- a/src/fseccomp/protocol.c +++ b/src/fseccomp/protocol.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c index e808538b0..99e671799 100644 --- a/src/fseccomp/seccomp.c +++ b/src/fseccomp/seccomp.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/fseccomp/seccomp_file.c b/src/fseccomp/seccomp_file.c index 9e8ceb898..846c7f335 100644 --- a/src/fseccomp/seccomp_file.c +++ b/src/fseccomp/seccomp_file.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/fseccomp/seccomp_secondary.c b/src/fseccomp/seccomp_secondary.c index b8e8d0a89..540892026 100644 --- a/src/fseccomp/seccomp_secondary.c +++ b/src/fseccomp/seccomp_secondary.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/fshaper/fshaper.sh b/src/fshaper/fshaper.sh index ef76813ea..f9a6c4f06 100755 --- a/src/fshaper/fshaper.sh +++ b/src/fshaper/fshaper.sh | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | TCFILE="" | 6 | TCFILE="" |
diff --git a/src/ftee/Makefile.in b/src/ftee/Makefile.in index 32cdc63d3..05caf81be 100644 --- a/src/ftee/Makefile.in +++ b/src/ftee/Makefile.in | |||
@@ -1,3 +1,4 @@ | |||
1 | .PHONY: all | ||
1 | all: ftee | 2 | all: ftee |
2 | 3 | ||
3 | include ../common.mk | 4 | include ../common.mk |
@@ -8,7 +9,9 @@ include ../common.mk | |||
8 | ftee: $(OBJS) | 9 | ftee: $(OBJS) |
9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) | 10 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) |
10 | 11 | ||
12 | .PHONY: clean | ||
11 | clean:; rm -fr *.o ftee *.gcov *.gcda *.gcno *.plist | 13 | clean:; rm -fr *.o ftee *.gcov *.gcda *.gcno *.plist |
12 | 14 | ||
15 | .PHONY: distclean | ||
13 | distclean: clean | 16 | distclean: clean |
14 | rm -fr Makefile | 17 | rm -fr Makefile |
diff --git a/src/ftee/ftee.h b/src/ftee/ftee.h index aec64595d..a556efb75 100644 --- a/src/ftee/ftee.h +++ b/src/ftee/ftee.h | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/ftee/main.c b/src/ftee/main.c index a1e42ed32..4d447f2c4 100644 --- a/src/ftee/main.c +++ b/src/ftee/main.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/include/common.h b/src/include/common.h index 5497929c7..5bcbaad88 100644 --- a/src/include/common.h +++ b/src/include/common.h | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/include/euid_common.h b/src/include/euid_common.h index d8277ade7..8d8dd95f6 100644 --- a/src/include/euid_common.h +++ b/src/include/euid_common.h | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/include/firejail_user.h b/src/include/firejail_user.h index a8d269daa..cf17fa0cf 100644 --- a/src/include/firejail_user.h +++ b/src/include/firejail_user.h | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/include/ldd_utils.h b/src/include/ldd_utils.h index 29dd8926e..ffd6e189f 100644 --- a/src/include/ldd_utils.h +++ b/src/include/ldd_utils.h | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/include/pid.h b/src/include/pid.h index 1f15d3c68..17e51f660 100644 --- a/src/include/pid.h +++ b/src/include/pid.h | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/include/rundefs.h b/src/include/rundefs.h index 21aad66f7..d14f6782f 100644 --- a/src/include/rundefs.h +++ b/src/include/rundefs.h | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -84,8 +84,6 @@ | |||
84 | #define RUN_DEVLOG_FILE RUN_MNT_DIR "/devlog" | 84 | #define RUN_DEVLOG_FILE RUN_MNT_DIR "/devlog" |
85 | 85 | ||
86 | #define RUN_WHITELIST_X11_DIR RUN_MNT_DIR "/orig-x11" | 86 | #define RUN_WHITELIST_X11_DIR RUN_MNT_DIR "/orig-x11" |
87 | #define RUN_WHITELIST_HOME_DIR RUN_MNT_DIR "/orig-home" // default home directory masking | ||
88 | #define RUN_WHITELIST_RUN_DIR RUN_MNT_DIR "/orig-run" // default run directory masking | ||
89 | #define RUN_WHITELIST_HOME_USER_DIR RUN_MNT_DIR "/orig-home-user" // home directory whitelisting | 87 | #define RUN_WHITELIST_HOME_USER_DIR RUN_MNT_DIR "/orig-home-user" // home directory whitelisting |
90 | #define RUN_WHITELIST_RUN_USER_DIR RUN_MNT_DIR "/orig-run-user" // run directory whitelisting | 88 | #define RUN_WHITELIST_RUN_USER_DIR RUN_MNT_DIR "/orig-run-user" // run directory whitelisting |
91 | #define RUN_WHITELIST_TMP_DIR RUN_MNT_DIR "/orig-tmp" | 89 | #define RUN_WHITELIST_TMP_DIR RUN_MNT_DIR "/orig-tmp" |
diff --git a/src/include/seccomp.h b/src/include/seccomp.h index b3b75c2d1..43bb73a04 100644 --- a/src/include/seccomp.h +++ b/src/include/seccomp.h | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/include/syscall.h b/src/include/syscall.h index 489da0600..015dd01b9 100644 --- a/src/include/syscall.h +++ b/src/include/syscall.h | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/jailtest/Makefile.in b/src/jailtest/Makefile.in new file mode 100644 index 000000000..6306d24ec --- /dev/null +++ b/src/jailtest/Makefile.in | |||
@@ -0,0 +1,17 @@ | |||
1 | .PHONY: all | ||
2 | all: jailtest | ||
3 | |||
4 | include ../common.mk | ||
5 | |||
6 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/pid.h | ||
7 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | ||
8 | |||
9 | jailtest: $(OBJS) | ||
10 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/pid.o $(LIBS) $(EXTRA_LDFLAGS) | ||
11 | |||
12 | .PHONY: clean | ||
13 | clean:; rm -fr *.o jailtest *.gcov *.gcda *.gcno *.plist | ||
14 | |||
15 | .PHONY: distclean | ||
16 | distclean: clean | ||
17 | rm -fr Makefile | ||
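Review bot: The `jailtest` target lists only `$(OBJS)` as prerequisites, yet its link line also passes `../lib/common.o ../lib/pid.o`, so make has no dependency edge to those objects. A parallel build, or a build of this directory alone, can then link before they exist or against stale copies, unless the top-level build always finishes `src/lib` first, which is not visible here. The other tool Makefiles touched in this commit (firemon, fldd, fnet) name their library objects on the target line, and the same fits here: `jailtest: $(OBJS) ../lib/common.o ../lib/pid.o`.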
diff --git a/src/jailtest/access.c b/src/jailtest/access.c new file mode 100644 index 000000000..4e737dc7a --- /dev/null +++ b/src/jailtest/access.c | |||
@@ -0,0 +1,143 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "jailtest.h" | ||
21 | #include <dirent.h> | ||
22 | #include <sys/wait.h> | ||
23 | |||
24 | typedef struct { | ||
25 | char *tfile; | ||
26 | char *tdir; | ||
27 | } TestDir; | ||
28 | |||
29 | #define MAX_TEST_FILES 16 | ||
30 | TestDir td[MAX_TEST_FILES]; | ||
31 | static int files_cnt = 0; | ||
32 | |||
33 | void access_setup(const char *directory) { | ||
34 | // I am root! | ||
35 | assert(directory); | ||
36 | assert(user_home_dir); | ||
37 | |||
38 | if (files_cnt >= MAX_TEST_FILES) { | ||
39 | fprintf(stderr, "Error: maximum number of test directories exceded\n"); | ||
40 | exit(1); | ||
41 | } | ||
42 | |||
43 | char *fname = strdup(directory); | ||
44 | if (!fname) | ||
45 | errExit("strdup"); | ||
46 | if (strncmp(fname, "~/", 2) == 0) { | ||
47 | free(fname); | ||
48 | if (asprintf(&fname, "%s/%s", user_home_dir, directory + 2) == -1) | ||
49 | errExit("asprintf"); | ||
50 | } | ||
51 | |||
52 | char *path = realpath(fname, NULL); | ||
53 | free(fname); | ||
54 | if (path == NULL) { | ||
55 | fprintf(stderr, "Warning: invalid directory %s, skipping...\n", directory); | ||
56 | return; | ||
57 | } | ||
58 | |||
59 | // file in home directory | ||
60 | if (strncmp(path, user_home_dir, strlen(user_home_dir)) != 0) { | ||
61 | fprintf(stderr, "Warning: file %s is not in user home directory, skipping...\n", directory); | ||
62 | free(path); | ||
63 | return; | ||
64 | } | ||
65 | |||
66 | // try to open the dir as root | ||
67 | DIR *dir = opendir(path); | ||
68 | if (!dir) { | ||
69 | fprintf(stderr, "Warning: directory %s not found, skipping\n", directory); | ||
70 | free(path); | ||
71 | return; | ||
72 | } | ||
73 | closedir(dir); | ||
74 | |||
75 | // create a test file | ||
76 | char *test_file; | ||
77 | if (asprintf(&test_file, "%s/jailtest-access-%d", path, getpid()) == -1) | ||
78 | errExit("asprintf"); | ||
79 | |||
80 | FILE *fp = fopen(test_file, "w"); | ||
81 | if (!fp) { | ||
82 | printf("Warning: I cannot create test file in directory %s, skipping...\n", directory); | ||
83 | return; | ||
84 | } | ||
85 | fprintf(fp, "this file was created by firetest utility, you can safely delete it\n"); | ||
86 | fclose(fp); | ||
87 | int rv = chown(test_file, user_uid, user_gid); | ||
88 | if (rv) | ||
89 | errExit("chown"); | ||
90 | |||
91 | char *dname = strdup(directory); | ||
92 | if (!dname) | ||
93 | errExit("strdup"); | ||
94 | td[files_cnt].tdir = dname; | ||
95 | td[files_cnt].tfile = test_file; | ||
96 | files_cnt++; | ||
97 | } | ||
98 | |||
99 | void access_destroy(void) { | ||
100 | // remove test files | ||
101 | int i; | ||
102 | |||
103 | for (i = 0; i < files_cnt; i++) { | ||
104 | int rv = unlink(td[i].tfile); | ||
105 | (void) rv; | ||
106 | } | ||
107 | files_cnt = 0; | ||
108 | } | ||
109 | |||
110 | void access_test(void) { | ||
111 | // I am root in sandbox mount namespace | ||
112 | assert(user_uid); | ||
113 | int i; | ||
114 | |||
115 | pid_t child = fork(); | ||
116 | if (child == -1) | ||
117 | errExit("fork"); | ||
118 | |||
119 | if (child == 0) { // child | ||
120 | // drop privileges | ||
121 | if (setgid(user_gid) != 0) | ||
122 | errExit("setgid"); | ||
123 | if (setuid(user_uid) != 0) | ||
124 | errExit("setuid"); | ||
125 | |||
126 | for (i = 0; i < files_cnt; i++) { | ||
127 | assert(td[i].tfile); | ||
128 | |||
129 | // try to open the file for reading | ||
130 | FILE *fp = fopen(td[i].tfile, "r"); | ||
131 | if (fp) { | ||
132 | |||
133 | printf(" Warning: I can read %s\n", td[i].tdir); | ||
134 | fclose(fp); | ||
135 | } | ||
136 | } | ||
137 | exit(0); | ||
138 | } | ||
139 | |||
140 | // wait for the child to finish | ||
141 | int status; | ||
142 | wait(&status); | ||
143 | } | ||
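Review bot: `access_setup` runs as root (its own first comment says so) and creates the predictable name `jailtest-access-<pid>` with `fopen(test_file, "w")` in a directory the unprivileged user controls, then calls `chown()` on the same path. Both calls follow symbolic links, so an entry already present under that name would redirect root's truncate and ownership change to another file. I would create the file exclusively and change ownership through the descriptor, as sketched below (this needs `<fcntl.h>`). The directory can still be replaced between `realpath()` and the open, so creating the file after dropping to `user_uid` would be stronger. Separately, the home check `strncmp(path, user_home_dir, strlen(user_home_dir))` also accepts a sibling directory that merely shares the prefix, the original early return on `fopen` failure leaks `test_file` and `path`, and the child in `access_test` calls `setgid`/`setuid` without clearing supplementary groups first.

```c
	// create the test file exclusively; do not follow links or reuse an existing entry
	int fd = open(test_file, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
	if (fd == -1) {
		printf("Warning: I cannot create test file in directory %s, skipping...\n", directory);
		free(test_file);
		free(path);
		return;
	}
	// hand the file to the user through the descriptor, not the path
	if (fchown(fd, user_uid, user_gid) != 0)
		errExit("fchown");
	FILE *fp = fdopen(fd, "w");
	if (!fp)
		errExit("fdopen");
	// ... unchanged: fprintf of the marker text, fclose(fp) ...
	free(path);
	// ... unchanged: strdup(directory) and the td[] bookkeeping ...
```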
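--- /dev/null
+++ b/src/jailtest/apparmor.c
@@ -0,0 +1,40 @@
+/*
+* Copyright (C) 2014-2021 Firejail Authors
+*
+* This file is part of firejail project
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailtest.h"
+
+#ifdef HAVE_APPARMOR
+#include <sys/apparmor.h>
+
+void apparmor_test(pid_t pid) {
+char *label = NULL;
+char *mode = NULL;
+int rv = aa_gettaskcon(pid, &label, &mode);
+if (rv == -1 || mode == NULL)
+printf(" Warning: AppArmor not enabled\n");
+}
+
+
+#else
+void apparmor_test(pid_t pid) {
+(void) pid;
+return;
+}
+#endif
+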
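Review bot: `apparmor_test` never releases the `label` buffer that `aa_gettaskcon()` allocates, so every inspected sandbox leaks it; add `free(label);` after the check (`mode` points into the same allocation and must not be freed on its own). The single warning also merges two different outcomes, a failed lookup (`rv == -1`) and a task that has no mode, presumably an unconfined one, and these would be easier to act on if reported separately. A short comment above the function saying that `pid` is expected to be the process returned by `find_child()` would help, since main.c hands that value in without checking it for -1.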
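--- /dev/null
+++ b/src/jailtest/jailtest.h
@@ -0,0 +1,62 @@
+/*
+* Copyright (C) 2014-2021 Firejail Authors
+*
+* This file is part of firejail project
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#ifndef JAILTEST_H
+#define JAILTEST_H
+
+#include "../include/common.h"
+
+// main.c
+extern uid_t user_uid;
+extern gid_t user_gid;
+extern char *user_name;
+extern char *user_home_dir;
+extern char *user_run_dir;
+
+// access.c
+void access_setup(const char *directory);
+void access_test(void);
+void access_destroy(void);
+
+// noexec.c
+void noexec_setup(void);
+void noexec_test(const char *msg);
+
+// sysfiles.c
+void sysfiles_setup(const char *file);
+void sysfiles_test(void);
+
+// virtual.c
+void virtual_setup(const char *directory);
+void virtual_destroy(void);
+void virtual_test(void);
+
+// apparmor.c
+void apparmor_test(pid_t pid);
+
+// seccomp.c
+void seccomp_test(pid_t pid);
+
+// utils.c
+char *get_sudo_user(void);
+char *get_homedir(const char *user, uid_t *uid, gid_t *gid);
+int find_child(pid_t pid);
+pid_t switch_to_child(pid_t pid);
+
+#endif
\ No newline at end of file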
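Review bot: `switch_to_child()` is declared under `// utils.c`, but the utils.c section of this commit defines only `get_sudo_user`, `get_homedir` and `find_child`, so the prototype looks stale unless a definition lives elsewhere; drop it or add the function. `find_child` is declared here as `int find_child(pid_t pid);` while utils.c defines `int find_child(int id)`, and `noexec_test` names its parameter `msg` here but `path` in noexec.c; one spelling per function would be clearer. A comment on `find_child` stating that -1 means "not found" would document the case main.c has to handle.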
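--- /dev/null
+++ b/src/jailtest/main.c
@@ -0,0 +1,192 @@
+/*
+* Copyright (C) 2014-2021 Firejail Authors
+*
+* This file is part of firejail project
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailtest.h"
+#include "../include/firejail_user.h"
+#include "../include/pid.h"
+#include <sys/wait.h>
+
+uid_t user_uid = 0;
+gid_t user_gid = 0;
+char *user_name = NULL;
+char *user_home_dir = NULL;
+char *user_run_dir = NULL;
+int arg_debug = 0;
+
+static char *usage_str =
+"Usage: jailtest [options] directory [directory]\n\n"
+"Options:\n"
+" --debug - print debug messages.\n"
+" --help, -? - this help screen.\n"
+" --version - print program version and exit.\n";
+
+
+static void usage(void) {
+printf("firetest - version %s\n\n", VERSION);
+puts(usage_str);
+}
+
+static void cleanup(void) {
+// running only as root
+if (getuid() == 0) {
+if (arg_debug)
+printf("cleaning up!\n");
+access_destroy();
+virtual_destroy();
+}
+}
+
+int main(int argc, char **argv) {
+int i;
+int findex = 0;
+
+for (i = 1; i < argc; i++) {
+if (strcmp(argv[i], "-?") == 0 || strcmp(argv[i], "--help") == 0) {
+usage();
+return 0;
+}
+else if (strcmp(argv[i], "--version") == 0) {
+printf("firetest version %s\n\n", VERSION);
+return 0;
+}
+else if (strncmp(argv[i], "--hello=", 8) == 0) { // used by noexec test
+printf(" Warning: I can run programs in %s\n", argv[i] + 8);
+return 0;
+}
+else if (strcmp(argv[i], "--debug") == 0)
+arg_debug = 1;
+else if (strncmp(argv[i], "--", 2) == 0) {
+fprintf(stderr, "Error: invalid option\n");
+return 1;
+}
+else {
+findex = i;
+break;
+}
+}
+
+// user setup
+if (getuid() != 0) {
+fprintf(stderr, "Error: you need to be root (via sudo) to run this program\n");
+exit(1);
+}
+user_name = get_sudo_user();
+assert(user_name);
+user_home_dir = get_homedir(user_name, &user_uid, &user_gid);
+if (user_uid == 0) {
+fprintf(stderr, "Error: root user not supported\n");
+exit(1);
+}
+if (asprintf(&user_run_dir, "/run/user/%d", user_uid) == -1)
+errExit("asprintf");
+
+// test setup
+atexit(cleanup);
+access_setup("~/.ssh");
+access_setup("~/.gnupg");
+if (findex > 0) {
+for (i = findex; i < argc; i++)
+access_setup(argv[i]);
+}
+
+noexec_setup();
+virtual_setup(user_home_dir);
+virtual_setup("/tmp");
+virtual_setup("/var/tmp");
+virtual_setup("/dev");
+virtual_setup("/etc");
+virtual_setup("/bin");
+virtual_setup("/usr/share");
+virtual_setup(user_run_dir);
+// basic sysfiles
+sysfiles_setup("/etc/shadow");
+sysfiles_setup("/etc/gshadow");
+sysfiles_setup("/usr/bin/mount");
+sysfiles_setup("/usr/bin/su");
+sysfiles_setup("/usr/bin/ksu");
+sysfiles_setup("/usr/bin/sudo");
+sysfiles_setup("/usr/bin/strace");
+// X11
+sysfiles_setup("/usr/bin/xev");
+sysfiles_setup("/usr/bin/xinput");
+// compilers
+sysfiles_setup("/usr/bin/gcc");
+sysfiles_setup("/usr/bin/clang");
+// networking
+sysfiles_setup("/usr/bin/dig");
+sysfiles_setup("/usr/bin/nslookup");
+sysfiles_setup("/usr/bin/resolvectl");
+sysfiles_setup("/usr/bin/nc");
+sysfiles_setup("/usr/bin/ncat");
+sysfiles_setup("/usr/bin/nmap");
+sysfiles_setup("/usr/sbin/tcpdump");
+// terminals
+sysfiles_setup("/usr/bin/gnome-terminal");
+sysfiles_setup("/usr/bin/xfce4-terminal");
+sysfiles_setup("/usr/bin/lxterminal");
+
+// print processes
+pid_read(0);
+for (i = 0; i < max_pids; i++) {
+if (pids[i].level == 1) {
+uid_t uid = pid_get_uid(i);
+if (uid != user_uid) // not interested in other user sandboxes
+continue;
+
+// in case the pid is that of a firejail process, use the pid of the first child process
+uid_t pid = find_child(i);
+printf("\n");
+pid_print_list(i, 0); // no wrapping
+apparmor_test(pid);
+seccomp_test(pid);
+fflush(0);
+
+pid_t child = fork();
+if (child == -1)
+errExit("fork");
+if (child == 0) {
+int rv = join_namespace(pid, "mnt");
+if (rv == 0) {
+virtual_test();
+noexec_test(user_home_dir);
+noexec_test("/tmp");
+noexec_test("/var/tmp");
+noexec_test(user_run_dir);
+access_test();
+sysfiles_test();
+}
+else {
+printf(" Error: I cannot join the process mount space\n");
+exit(1);
+}
+
+// drop privileges in order not to trigger cleanup()
+if (setgid(user_gid) != 0)
+errExit("setgid");
+if (setuid(user_uid) != 0)
+errExit("setuid");
+return 0;
+}
+int status;
+wait(&status);
+}
+}
+
+return 0;
+}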
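Review bot: The result of `find_child(i)` is stored in `uid_t pid` and used without a check, although utils.c returns -1 when no child is found; that value then reaches `apparmor_test`, `seccomp_test` and `join_namespace` as a bogus pid. Declare it as `pid_t pid = find_child(i);` and skip the sandbox with `if (pid == -1) continue;`. In the forked child, the `exit(1)` taken when `join_namespace` fails runs the `atexit` handler while the process is still root, so `cleanup()` removes the test files that later sandboxes in the loop still depend on and their results become unreliable; `_exit(1);` in that branch avoids it. `asprintf(&user_run_dir, "/run/user/%d", user_uid)` also formats an unsigned `uid_t` with `%d`.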
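--- /dev/null
+++ b/src/jailtest/noexec.c
@@ -0,0 +1,113 @@
+/*
+* Copyright (C) 2014-2021 Firejail Authors
+*
+* This file is part of firejail project
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailtest.h"
+#include <sys/wait.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+static unsigned char *execfile = NULL;
+static int execfile_len = 0;
+
+void noexec_setup(void) {
+// grab a copy of myself
+char *self = realpath("/proc/self/exe", NULL);
+if (self) {
+struct stat s;
+if (access(self, X_OK) == 0 && stat(self, &s) == 0) {
+assert(s.st_size);
+execfile = malloc(s.st_size);
+
+int fd = open(self, O_RDONLY);
+if (fd == -1)
+errExit("open");
+int len = 0;
+do {
+int rv = read(fd, execfile + len, s.st_size - len);
+if (rv == -1)
+errExit("read");
+if (rv == 0) {
+// something went wrong!
+free(execfile);
+execfile = NULL;
+printf("Warning: I cannot grab a copy of myself, skipping noexec test...\n");
+break;
+}
+len += rv;
+}
+while (len < s.st_size);
+execfile_len = s.st_size;
+close(fd);
+}
+}
+}
+
+
+void noexec_test(const char *path) {
+assert(user_uid);
+
+// I am root in sandbox mount namespace
+if (!execfile)
+return;
+
+char *fname;
+if (asprintf(&fname, "%s/jailtest-noexec-%d", path, getpid()) == -1)
+errExit("asprintf");
+
+pid_t child = fork();
+if (child == -1)
+errExit("fork");
+
+if (child == 0) { // child
+// drop privileges
+if (setgid(user_gid) != 0)
+errExit("setgid");
+if (setuid(user_uid) != 0)
+errExit("setuid");
+int fd = open(fname, O_CREAT | O_TRUNC | O_WRONLY, 0700);
+if (fd == -1) {
+printf(" I cannot create files in %s, skipping noexec...\n", path);
+exit(1);
+}
+
+int len = 0;
+while (len < execfile_len) {
+int rv = write(fd, execfile + len, execfile_len - len);
+if (rv == -1 || rv == 0) {
+printf(" I cannot create files in %s, skipping noexec....\n", path);
+exit(1);
+}
+len += rv;
+}
+fchmod(fd, 0700);
+close(fd);
+
+char *arg;
+if (asprintf(&arg, "--hello=%s", path) == -1)
+errExit("asprintf");
+int rv = execl(fname, fname, arg, NULL);
+(void) rv; // if we get here execl failed
+exit(0);
+}
+
+int status;
+wait(&status);
+int rv = unlink(fname);
+(void) rv;
+}
\ No newline at end of file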
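Review bot: `noexec_setup` passes the result of `malloc(s.st_size)` straight to `read()` without checking it; add `if (!execfile) errExit("malloc");` right after the allocation. `execfile_len` is an `int` assigned from `s.st_size` and is set even on the path that frees `execfile`, so it is safer to assign it only once the read loop has completed. In `noexec_test` the child opens a predictable name with `O_CREAT | O_TRUNC | O_WRONLY`; adding `O_EXCL | O_NOFOLLOW` keeps the test from writing through an entry that already exists at that path. `fname` and `self` are never freed and the `fchmod` result is ignored.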
diff --git a/src/faudit/dev.c b/src/jailtest/seccomp.c index 9c80f99df..2cecb4b4d 100644 --- a/src/faudit/dev.c +++ b/src/jailtest/seccomp.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -17,31 +17,31 @@ | |||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | 17 | * with this program; if not, write to the Free Software Foundation, Inc., |
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | 18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
19 | */ | 19 | */ |
20 | #include "faudit.h" | 20 | #include "jailtest.h" |
21 | #include <dirent.h> | 21 | #define MAXBUF 4096 |
22 | 22 | ||
23 | void dev_test(void) { | 23 | void seccomp_test(pid_t pid) { |
24 | DIR *dir; | 24 | char *file; |
25 | if (!(dir = opendir("/dev"))) { | 25 | if (asprintf(&file, "/proc/%d/status", pid) == -1) |
26 | fprintf(stderr, "Error: cannot open /dev directory\n"); | 26 | errExit("asprintf"); |
27 | |||
28 | FILE *fp = fopen(file, "r"); | ||
29 | if (!fp) { | ||
30 | printf(" Error: cannot open %s\n", file); | ||
31 | free(file); | ||
27 | return; | 32 | return; |
28 | } | 33 | } |
29 | 34 | ||
30 | struct dirent *entry; | 35 | char buf[MAXBUF]; |
31 | printf("INFO: files visible in /dev directory: "); | 36 | while (fgets(buf, MAXBUF, fp)) { |
32 | int cnt = 0; | 37 | if (strncmp(buf, "Seccomp:", 8) == 0) { |
33 | while ((entry = readdir(dir)) != NULL) { | 38 | int val = -1; |
34 | if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) | 39 | int rv = sscanf(buf + 8, "\t%d", &val); |
35 | continue; | 40 | if (rv != 1 || val == 0) |
36 | 41 | printf(" Warning: seccomp not enabled\n"); | |
37 | printf("%s, ", entry->d_name); | 42 | break; |
38 | cnt++; | 43 | } |
39 | } | 44 | } |
40 | printf("\n"); | 45 | fclose(fp); |
41 | 46 | free(file); | |
42 | if (cnt > 20) | ||
43 | printf("MAYBE: /dev directory seems to be fully populated. Use --private-dev or --whitelist to restrict the access.\n"); | ||
44 | else | ||
45 | printf("GOOD: Access to /dev directory is restricted.\n"); | ||
46 | closedir(dir); | ||
47 | } | 47 | } |
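Review bot: `seccomp_test` prints nothing when `/proc/<pid>/status` contains no `Seccomp:` line, which reads exactly like a sandbox that has seccomp enabled; track whether the line was seen and warn after the loop, for example `if (!found) printf(" Warning: cannot determine seccomp status\n");`. main.c can pass the unchecked -1 from `find_child()`, in which case the path becomes `/proc/-1/status` and only the generic open error is shown. A one-line comment above the function saying that the kernel reports 0 for disabled and a non-zero value for strict or filter mode would explain the `val == 0` test.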
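--- /dev/null
+++ b/src/jailtest/sysfiles.c
@@ -0,0 +1,88 @@
+/*
+* Copyright (C) 2014-2021 Firejail Authors
+*
+* This file is part of firejail project
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailtest.h"
+#include <dirent.h>
+#include <sys/wait.h>
+
+typedef struct {
+char *tfile;
+} TestFile;
+
+#define MAX_TEST_FILES 32
+TestFile tf[MAX_TEST_FILES];
+static int files_cnt = 0;
+
+void sysfiles_setup(const char *file) {
+// I am root!
+assert(file);
+
+if (files_cnt >= MAX_TEST_FILES) {
+fprintf(stderr, "Error: maximum number of system test files exceded\n");
+exit(1);
+}
+
+if (access(file, F_OK)) {
+// no such file
+return;
+}
+
+
+char *fname = strdup(file);
+if (!fname)
+errExit("strdup");
+
+tf[files_cnt].tfile = fname;
+files_cnt++;
+}
+
+void sysfiles_test(void) {
+// I am root in sandbox mount namespace
+assert(user_uid);
+int i;
+
+pid_t child = fork();
+if (child == -1)
+errExit("fork");
+
+if (child == 0) { // child
+// drop privileges
+if (setgid(user_gid) != 0)
+errExit("setgid");
+if (setuid(user_uid) != 0)
+errExit("setuid");
+
+for (i = 0; i < files_cnt; i++) {
+assert(tf[i].tfile);
+
+// try to open the file for reading
+FILE *fp = fopen(tf[i].tfile, "r");
+if (fp) {
+
+printf(" Warning: I can access %s\n", tf[i].tfile);
+fclose(fp);
+}
+}
+exit(0);
+}
+
+// wait for the child to finish
+int status;
+wait(&status);
+}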
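Review bot: `TestFile tf[MAX_TEST_FILES];` is the only file-scope object here without `static`, so it exports a two-letter global symbol; `static TestFile tf[MAX_TEST_FILES];` would match `files_cnt` on the next line. The limit message misspells "exceeded" as `exceded`, and `<dirent.h>` is included although nothing in the file uses it. `sysfiles_test` would benefit from a comment stating that the check is a plain `fopen(..., "r")` as the unprivileged user, so a file that can be executed but not read is not reported.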
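--- /dev/null
+++ b/src/jailtest/utils.c
@@ -0,0 +1,102 @@
+/*
+* Copyright (C) 2014-2021 Firejail Authors
+*
+* This file is part of firejail project
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailtest.h"
+#include "../include/pid.h"
+#include <errno.h>
+#include <pwd.h>
+#include <dirent.h>
+
+#define BUFLEN 4096
+
+char *get_sudo_user(void) {
+char *user = getenv("SUDO_USER");
+if (!user) {
+user = getpwuid(getuid())->pw_name;
+if (!user) {
+fprintf(stderr, "Error: cannot detect login user\n");
+exit(1);
+}
+}
+
+return user;
+}
+
+char *get_homedir(const char *user, uid_t *uid, gid_t *gid) {
+// find home directory
+struct passwd *pw = getpwnam(user);
+if (!pw)
+goto errexit;
+
+char *home = pw->pw_dir;
+if (!home)
+goto errexit;
+
+*uid = pw->pw_uid;
+*gid = pw->pw_gid;
+
+return home;
+
+errexit:
+fprintf(stderr, "Error: cannot find home directory for user %s\n", user);
+exit(1);
+}
+
+// find the second child process for the specified pid
+// return -1 if not found
+//
+// Example:
+//14776:netblue:/usr/bin/firejail /usr/bin/transmission-qt
+// 14777:netblue:/usr/bin/firejail /usr/bin/transmission-qt
+// 14792:netblue:/usr/bin/transmission-qt
+// We need 14792, the first real sandboxed process
+// duplicate from src/firemon/main.c
+int find_child(int id) {
+int i;
+int first_child = -1;
+
+// find the first child
+for (i = 0; i < max_pids; i++) {
+if (pids[i].level == 2 && pids[i].parent == id) {
+// skip /usr/bin/xdg-dbus-proxy (started by firejail for dbus filtering)
+char *cmdline = pid_proc_cmdline(i);
+if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) == 0) {
+free(cmdline);
+continue;
+}
+free(cmdline);
+first_child = i;
+break;
+}
+}
+
+if (first_child == -1)
+return -1;
+
+// find the second-level child
+for (i = 0; i < max_pids; i++) {
+if (pids[i].level == 3 && pids[i].parent == first_child)
+return i;
+}
+
+// if a second child is not found, return the first child pid
+// this happens for processes sandboxed with --join
+return first_child;
+}
+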
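Review bot: `get_sudo_user` dereferences `getpwuid(getuid())` without checking it for NULL, so the "cannot detect login user" branch cannot be reached when the lookup itself fails; test the `struct passwd *` before reading `pw_name`. Both `get_sudo_user` and `get_homedir` return pointers into the static storage that `getpwuid`/`getpwnam` reuse, and main.c keeps them in globals for the whole run, so any later passwd lookup (the pid listing code may well perform one) can silently change `user_name` and `user_home_dir`; returning `strdup()` copies avoids that. In `find_child`, the result of `pid_proc_cmdline(i)` goes to `strncmp` unchecked, which needs a guard if that helper can return NULL. The header comment says "second child" although the function falls back to the first one.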
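--- /dev/null
+++ b/src/jailtest/virtual.c
@@ -0,0 +1,125 @@
+/*
+* Copyright (C) 2014-2021 Firejail Authors
+*
+* This file is part of firejail project
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailtest.h"
+#include <dirent.h>
+#include <sys/wait.h>
+
+
+#define MAX_TEST_FILES 16
+static char *dirs[MAX_TEST_FILES];
+static char *files[MAX_TEST_FILES];
+static int files_cnt = 0;
+
+void virtual_setup(const char *directory) {
+// I am root!
+assert(directory);
+assert(*directory == '/');
+assert(files_cnt < MAX_TEST_FILES);
+
+// try to open the dir as root
+DIR *dir = opendir(directory);
+if (!dir) {
+fprintf(stderr, "Warning: directory %s not found, skipping\n", directory);
+return;
+}
+closedir(dir);
+
+// create a test file
+char *test_file;
+if (asprintf(&test_file, "%s/jailtest-private-%d", directory, getpid()) == -1)
+errExit("asprintf");
+
+FILE *fp = fopen(test_file, "w");
+if (!fp) {
+printf("Warning: I cannot create test file in directory %s, skipping...\n", directory);
+return;
+}
+fprintf(fp, "this file was created by firetest utility, you can safely delete it\n");
+fclose(fp);
+if (strcmp(directory, user_home_dir) == 0) {
+int rv = chown(test_file, user_uid, user_gid);
+if (rv)
+errExit("chown");
+}
+
+char *dname = strdup(directory);
+if (!dname)
+errExit("strdup");
+dirs[files_cnt] = dname;
+files[files_cnt] = test_file;
+files_cnt++;
+}
+
+void virtual_destroy(void) {
+// remove test files
+int i;
+
+for (i = 0; i < files_cnt; i++) {
+int rv = unlink(files[i]);
+(void) rv;
+}
+files_cnt = 0;
+}
+
+void virtual_test(void) {
+// I am root in sandbox mount namespace
+assert(user_uid);
+int i;
+
+int cnt = 0;
+cnt += printf(" Virtual dirs: "); fflush(0);
+
+for (i = 0; i < files_cnt; i++) {
+assert(files[i]);
+
+// I am root!
+pid_t child = fork();
+if (child == -1)
+errExit("fork");
+
+if (child == 0) { // child
+// drop privileges
+if (setgid(user_gid) != 0)
+errExit("setgid");
+if (setuid(user_uid) != 0)
+errExit("setuid");
+
+// try to open the file for reading
+FILE *fp = fopen(files[i], "r");
+if (fp)
+fclose(fp);
+else {
+if (cnt == 0)
+cnt += printf("\n ");
+cnt += printf("%s, ", dirs[i]);
+if (cnt > 60)
+cnt = 0;
+}
+fflush(0);
+exit(cnt);
+}
+
+// wait for the child to finish
+int status;
+wait(&status);
+cnt = WEXITSTATUS(status);
+}
+printf("\n");
+}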
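Review bot: `virtual_setup` creates `<directory>/jailtest-private-<pid>` as root with `fopen(test_file, "w")` and then changes ownership by path, inside directories the target user can write (the home directory, `/tmp`, `/var/tmp`, the run dir); a link already present at that predictable name would be followed, so root could truncate or hand over a file it never meant to touch. Creating the file with `O_CREAT | O_EXCL | O_NOFOLLOW` and changing ownership on the descriptor closes that window, as sketched below (it needs `<fcntl.h>`). The early `return` after a failed `fopen` also leaks `test_file`, and the `files_cnt` bound is only an `assert`, which disappears under `NDEBUG`. The `fopen`/`chown` lines of access.c visible above this section follow the same pattern and deserve the same change.

```c
	// create the test file; refuse to reuse or follow anything already there
	int fd = open(test_file, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
	if (fd == -1) {
		printf("Warning: I cannot create test file in directory %s, skipping...\n", directory);
		free(test_file);
		return;
	}
	dprintf(fd, "this file was created by firetest utility, you can safely delete it\n");
	// change ownership through the descriptor, never through the path
	if (strcmp(directory, user_home_dir) == 0 && fchown(fd, user_uid, user_gid) != 0)
		errExit("fchown");
	close(fd);
	// … unchanged: strdup(directory) and the dirs[]/files[] bookkeeping …
```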
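--- a/src/lib/Makefile.in
+++ b/src/lib/Makefile.in
@@ -1,11 +1,14 @@
 include ../common.mk
 
+.PHONY: all
 all: $(OBJS)
 
 %.o : %.c $(H_FILE_LIST)
 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
+.PHONY: clean
 clean:; rm -fr $(OBJS) *.gcov *.gcda *.gcno *.plist
 
+.PHONY: distclean
 distclean: clean
 rm -fr Makefile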
diff --git a/src/lib/common.c b/src/lib/common.c index ace5cb87e..f1bd7a6fe 100644 --- a/src/lib/common.c +++ b/src/lib/common.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/lib/errno.c b/src/lib/errno.c index 881c3b27e..9edb44c22 100644 --- a/src/lib/errno.c +++ b/src/lib/errno.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/lib/firejail_user.c b/src/lib/firejail_user.c index 2e03ce0e0..d6a3c71ab 100644 --- a/src/lib/firejail_user.c +++ b/src/lib/firejail_user.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/lib/ldd_utils.c b/src/lib/ldd_utils.c index 32bfb0974..cd60d74e4 100644 --- a/src/lib/ldd_utils.c +++ b/src/lib/ldd_utils.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -23,13 +23,16 @@ | |||
23 | #include <sys/stat.h> | 23 | #include <sys/stat.h> |
24 | #include <fcntl.h> | 24 | #include <fcntl.h> |
25 | 25 | ||
26 | // todo: resolve overlap with masked_lib_dirs[] array from fs_lib.c | ||
26 | const char * const default_lib_paths[] = { | 27 | const char * const default_lib_paths[] = { |
27 | "/usr/lib/x86_64-linux-gnu", // Debian & friends | 28 | "/usr/lib/x86_64-linux-gnu", // Debian & friends |
28 | "/lib/x86_64-linux-gnu", // CentOS, Fedora | 29 | "/lib/x86_64-linux-gnu", // CentOS, Fedora |
30 | "/usr/lib64", | ||
31 | "/lib64", | ||
29 | "/usr/lib", | 32 | "/usr/lib", |
30 | "/lib", | 33 | "/lib", |
31 | "/lib64", | ||
32 | LIBDIR, | 34 | LIBDIR, |
35 | "/usr/local/lib64", | ||
33 | "/usr/local/lib", | 36 | "/usr/local/lib", |
34 | "/usr/lib/x86_64-linux-gnu/mesa", // libGL.so is sometimes a symlink into this directory | 37 | "/usr/lib/x86_64-linux-gnu/mesa", // libGL.so is sometimes a symlink into this directory |
35 | "/usr/lib/x86_64-linux-gnu/mesa-egl", // libGL.so is sometimes a symlink into this directory | 38 | "/usr/lib/x86_64-linux-gnu/mesa-egl", // libGL.so is sometimes a symlink into this directory |
diff --git a/src/lib/pid.c b/src/lib/pid.c index cad0e5424..ca62aaa42 100644 --- a/src/lib/pid.c +++ b/src/lib/pid.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
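--- a/src/lib/syscall.c
+++ b/src/lib/syscall.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2020 Firejail Authors
+* Copyright (C) 2014-2021 Firejail Authors
 *
 * This file is part of firejail project
 *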
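--- a/src/libpostexecseccomp/Makefile.in
+++ b/src/libpostexecseccomp/Makefile.in
@@ -11,6 +11,7 @@ BINOBJS = $(foreach file, $(OBJS), $file)
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now
 
+.PHONY: all
 all: libpostexecseccomp.so
 
 %.o : %.c $(H_FILE_LIST) ../include/seccomp.h ../include/rundefs.h
@@ -19,7 +20,9 @@ all: libpostexecseccomp.so
 libpostexecseccomp.so: $(OBJS)
 $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl
 
+.PHONY: clean
 clean:; rm -fr $(OBJS) libpostexecseccomp.so *.plist
 
+.PHONY: distclean
 distclean: clean
 rm -fr Makefile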
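--- a/src/libpostexecseccomp/libpostexecseccomp.c
+++ b/src/libpostexecseccomp/libpostexecseccomp.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2020 Firejail Authors
+* Copyright (C) 2014-2021 Firejail Authors
 *
 * This file is part of firejail project
 *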
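--- a/src/libtrace/Makefile.in
+++ b/src/libtrace/Makefile.in
@@ -11,6 +11,7 @@ BINOBJS = $(foreach file, $(OBJS), $file)
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now
 
+.PHONY: all
 all: libtrace.so
 
 %.o : %.c $(H_FILE_LIST)
@@ -19,8 +20,9 @@ all: libtrace.so
 libtrace.so: $(OBJS)
 $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl
 
-
+.PHONY: clean
 clean:; rm -fr $(OBJS) libtrace.so *.plist
 
+.PHONY: distclean
 distclean: clean
 rm -fr Makefile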
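--- a/src/libtrace/libtrace.c
+++ b/src/libtrace/libtrace.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2020 Firejail Authors
+* Copyright (C) 2014-2021 Firejail Authors
 *
 * This file is part of firejail project
 *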
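--- a/src/libtracelog/Makefile.in
+++ b/src/libtracelog/Makefile.in
@@ -11,6 +11,7 @@ BINOBJS = $(foreach file, $(OBJS), $file)
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now
 
+.PHONY: all
 all: libtracelog.so
 
 %.o : %.c $(H_FILE_LIST) ../include/rundefs.h
@@ -19,8 +20,9 @@ all: libtracelog.so
 libtracelog.so: $(OBJS)
 $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl
 
-
+.PHONY: clean
 clean:; rm -fr $(OBJS) libtracelog.so *.plist
 
+.PHONY: distclean
 distclean: clean
 rm -fr Makefile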
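--- a/src/libtracelog/libtracelog.c
+++ b/src/libtracelog/libtracelog.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2020 Firejail Authors
+* Copyright (C) 2014-2021 Firejail Authors
 *
 * This file is part of firejail project
 *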
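--- a/src/man/Makefile.in
+++ b/src/man/Makefile.in
@@ -1,10 +1,14 @@
-all: firecfg.man firejail.man firejail-login.man firejail-users.man firejail-profile.man firemon.man
+.PHONY: all
+all: firecfg.man firejail.man firejail-login.man firejail-users.man firejail-profile.man firemon.man jailtest.man
+
 include ../common.mk
 
 %.man: %.txt
 gawk -f ./preproc.awk -- $(MANFLAGS) < $< > $@
 
+.PHONY: clean
 clean:; rm -fr *.man
 
+.PHONY: distclean
 distclean: clean
 rm -fr Makefile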
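Review bot: The `%.man: %.txt` rule writes its target through a shell redirect, so a failing `gawk` run leaves an empty or partial `.man` file that later `make` runs treat as up to date; with `jailtest.man` added to `all`, one more page goes through that rule. Unless `../common.mk` already covers it (not visible here), add `.DELETE_ON_ERROR:` next to the new `.PHONY` lines so a failed preprocessing step removes its target.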
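--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -130,8 +130,9 @@ This program is free software; you can redistribute it and/or modify it under th
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfiremon\fR\|(1),
-\&\flfirejail-profile\fR\|(5),
-\&\flfirejail-login\fR\|(5)
-\&\flfirejail-users\fR\|(5)
+.BR firejail (1),
+.BR firemon (1),
+.BR firejail-profile (5),
+.BR firejail-login (5),
+.BR firejail-users (5),
+.BR jailtest (1)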
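--- a/src/man/firejail-login.txt
+++ b/src/man/firejail-login.txt
@@ -3,7 +3,7 @@
 login.users \- Login file syntax for Firejail
 
 .SH DESCRIPTION
-/etc/firejail/login.users file describes additional arguments passed to firejail executable
+/etc/firejail/login.users file describes additional arguments passed to the firejail executable
 upon user logging into a Firejail restricted shell. Each user entry in the file consists of
 a user name followed by the arguments passed to firejail. The format is as follows:
 
@@ -19,8 +19,8 @@ Wildcard patterns are accepted in the user name field:
 
 .SH RESTRICTED SHELL
 To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
-/etc/passwd file for each user that needs to be restricted. Alternatively,
-you can specify /usr/bin/firejail using adduser or usermod commands:
+the /etc/passwd file for each user that needs to be restricted. Alternatively,
+you can specify /usr/bin/firejail using the `adduser` or `usermod` commands:
 
 adduser \-\-shell /usr/bin/firejail username
 .br
@@ -34,8 +34,9 @@ Firejail is free software; you can redistribute it and/or modify it under the te
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfiremon\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-profile\fR\|(5)
-\&\flfirejail-users\fR\|(5)
+.BR firejail (1),
+.BR firemon (1),
+.BR firecfg (1),
+.BR firejail-profile (5),
+.BR firejail-users (5),
+.BR jailtest (1)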
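--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -103,7 +103,7 @@ Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"
 
 This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line.
 
-Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM
+Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM
 can be enabled or disabled globally in Firejail's configuration file.
 
 The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines.
@@ -266,7 +266,7 @@ Mount new /root and /home/user directories in temporary
 filesystems. All modifications are discarded when the sandbox is
 closed.
 .TP
-\fBprivate=directory
+\fBprivate directory
 Use directory as user home.
 .TP
 \fBprivate-bin file,file
@@ -666,7 +666,7 @@ Disable DVB (Digital Video Broadcasting) TV devices.
 Disable U2F devices.
 .TP
 \fBnovideo
-Disable video devices.
+Disable video capture devices.
 .TP
 \fBshell none
 Run the program directly, without a shell.
@@ -889,10 +889,12 @@ Firejail is free software; you can redistribute it and/or modify it under the te
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfiremon\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-login\fR\|(5),
-\&\flfirejail-users\fR\|(5),
+.BR firejail (1),
+.BR firemon (1),
+.BR firecfg (1),
+.BR firejail-login (5),
+.BR firejail-users (5),
+.BR jailtest (1)
+
 .UR https://github.com/netblue30/firejail/wiki/Creating-Profiles
 .UE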
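--- a/src/man/firejail-users.txt
+++ b/src/man/firejail-users.txt
@@ -54,8 +54,9 @@ as published by the Free Software Foundation; either version 2 of the License, o
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfiremon\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-profile\fR\|(5)
-\&\flfirejail-login\fR\|(5)
+.BR firejail (1),
+.BR firemon (1),
+.BR firecfg (1),
+.BR firejail-profile (5),
+.BR firejail-login (5),
+.BR jailtest (1)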
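--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -42,6 +42,15 @@ Miscellaneous:
 firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-debug-syscalls32 | \-\-debug-protocols | \-\-help | \-\-version}
 .RE
 .SH DESCRIPTION
+#ifdef HAVE_LTS
+This is Firejail long-term support (LTS), an enterprise focused version of the software,
+LTS is usually supported for two or three years.
+During this time only bugs and the occasional documentation problems are fixed.
+The attack surface of the SUID executable was greatly reduced by removing some of the features.
+.br
+
+.br
+#endif
 Firejail is a SUID sandbox program that reduces the risk of security breaches by
 restricting the running environment of untrusted applications using Linux
 namespaces, seccomp-bpf and Linux capabilities.
@@ -146,12 +155,6 @@ $ firejail --appimage --private krita-3.0-x86_64.appimage
 $ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage
 #endif
 .TP
-\fB\-\-audit
-Audit the sandbox, see \fBAUDIT\fR section for more details.
-.TP
-\fB\-\-audit=test-program
-Audit the sandbox, see \fBAUDIT\fR section for more details.
-.TP
 \fB\-\-bandwidth=name|pid
 Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details.
 .TP
@@ -430,7 +433,7 @@ org.freedesktop.Notifications.*@/org/freedesktop/Notifications
 
 .TP
 \fB\-\-dbus-system.log
-Turn on DBus logging for the system DBus. This option requires --dbus-system=log.
+Turn on DBus logging for the system DBus. This option requires --dbus-system=filter.
 
 .br
 Example:
@@ -557,7 +560,7 @@ org.freedesktop.Notifications.*@/org/freedesktop/Notifications
 
 .TP
 \fB\-\-dbus-user.log
-Turn on DBus logging for the session DBus. This option requires --dbus-user=log.
+Turn on DBus logging for the session DBus. This option requires --dbus-user=filter.
 
 .br
 Example:
@@ -818,6 +821,16 @@ $ firejail \-\-ignore=shell --ignore=seccomp firefox
 $ firejail \-\-ignore="net eth0" firefox
 #endif
 
+.TP
+\fB\-\-\include=file.profile
+Include a profile file before the regular profiles are used.
+.br
+
+.br
+Example:
+.br
+$ firejail --include=/etc/firejail/disable-devel.inc gedit
+
 #ifdef HAVE_NETWORK
 .TP
 \fB\-\-interface=interface
@@ -1105,6 +1118,26 @@ Example:
 $ firejail \-\-machine-id
 
 .TP
+\fB\-\-mkdir=dirname
+Create a directory in user home. Parent directories are created as needed.
+.br
+
+.br
+Example:
+.br
+$ firejail --mkdir=~/work/project
+
+.TP
+\fB\-\-mkfile=filename
+Create an empty file in user home.
+.br
+
+.br
+Example:
+.br
+$ firejail --mkfile=~/work/project/readme
+
+.TP
 \fB\-\-memory-deny-write-execute
 Install a seccomp filter to block attempts to create memory mappings
 that are both writable and executable, to change mappings to be
@@ -1622,6 +1655,7 @@ Disable video devices.
 \fB\-\-nowhitelist=dirname_or_filename
 Disable whitelist for this directory or file.
 
+#ifdef HAVE_OUTPUT
 .TP
 \fB\-\-output=logfile
 stdout logging and log rotation. Copy stdout to logfile, and keep the size of the file under 500KB using log
@@ -1652,6 +1686,7 @@ $ ls -l sandboxlog*
 .TP
 \fB\-\-output-stderr=logfile
 Similar to \-\-output, but stderr is also stored.
+#endif
 
 #ifdef HAVE_OVERLAYFS
 .TP
@@ -2451,7 +2486,7 @@ $ firejail --seccomp.print=browser
 $
 
 .TP
-\fB\-\-seccomp-error-action= kill | ERRNO
+\fB\-\-seccomp-error-action= kill | ERRNO | log
 By default, if a seccomp filter blocks a system call, the process gets
 EPERM as the error. With \-\-seccomp-error-action=error, another error
 number can be returned, for example ENOSYS or EACCES. The process can
@@ -2941,30 +2976,6 @@ To enable AppArmor confinement on top of your current Firejail security features
 $ firejail --apparmor firefox
 #endif
 
-.SH AUDIT
-Audit feature allows the user to point out gaps in security profiles. The
-implementation replaces the program to be sandboxed with a test program. By
-default, we use faudit program distributed with Firejail. A custom test program
-can also be supplied by the user. Examples:
-
-Running the default audit program:
-.br
-$ firejail --audit transmission-gtk
-
-Running a custom audit program:
-.br
-$ firejail --audit=~/sandbox-test transmission-gtk
-
-In the examples above, the sandbox configures transmission-gtk profile and
-starts the test program. The real program, transmission-gtk, will not be
-started.
-
-You can also audit a specific profile without specifying a program.
-.br
-$ firejail --audit --profile=/etc/firejail/zoom.profile
-
-Limitations: audit feature is not implemented for --x11 commands.
-
 .SH DESKTOP INTEGRATION
 A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox.
 The symbolic link should be placed in the first $PATH position. On most systems, a good place
@@ -3332,11 +3343,13 @@ This program is free software; you can redistribute it and/or modify it under th
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfiremon\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-profile\fR\|(5),
-\&\flfirejail-login\fR\|(5),
-\&\flfirejail-users\fR\|(5),
+.BR firemon (1),
+.BR firecfg (1),
+.BR firejail-profile (5),
+.BR firejail-login (5),
+.BR firejail-users (5),
+.BR jailtest (1)
+
 .UR https://github.com/netblue30/firejail/wiki
 .UE ,
 .UR https://github.com/netblue30/firejail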
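--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -115,8 +115,9 @@ This program is free software; you can redistribute it and/or modify it under th
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-profile\fR\|(5),
-\&\flfirejail-login\fR\|(5)
-\&\flfirejail-users\fR\|(5)
+.BR firejail (1),
+.BR firecfg (1),
+.BR firejail-profile (5),
+.BR firejail-login (5),
+.BR firejail-users (5),
+.BR jailtest (1)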
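--- /dev/null
+++ b/src/man/jailtest.txt
@@ -0,0 +1,106 @@
+.TH JAILTEST 1 "MONTH YEAR" "VERSION" "JAILTEST man page"
+.SH NAME
+jailtest \- Simple utility program to test running sandboxes
+.SH SYNOPSIS
+sudo jailtest [OPTIONS] [directory]
+.SH DESCRIPTION
+WORK IN PROGRESS!
+jailtest attaches itself to all sandboxes started by the user and performs some basic tests
+on the sandbox filesystem:
+.TP
+\fB1. Virtual directories
+jailtest extracts a list with the main virtual directories installed by the sandbox.
+These directories are build by firejail at startup using --private* and --whitelist commands.
+.TP
+\fB2. Noexec test
+jailtest inserts executable programs in /home/username, /tmp, and /var/tmp directories
+and tries to run them from inside the sandbox, thus testing if the directory is executable or not.
+.TP
+\fB3. Read access test
+jailtest creates test files in the directories specified by the user and tries to read
+them from inside the sandbox.
+.TP
+\fB4. AppArmor test
+.TP
+\fB5. Seccomp test
+.TP
+The program is started as root using sudo.
+
+.SH OPTIONS
+.TP
+\fB\-\-debug
+Print debug messages.
+.TP
+\fB\-?\fR, \fB\-\-help\fR
+Print options and exit.
+.TP
+\fB\-\-version
+Print program version and exit.
+.TP
+\fB[directory]
+One or more directories in user home to test for read access. ~/.ssh and ~/.gnupg are tested by default.
+
+.SH OUTPUT
+For each sandbox detected we print the following line:
+
+PID:USER:Sandbox Name:Command
+
+It is followed by relevant sandbox information, such as the virtual directories and various warnings.
+
+.SH EXAMPLE
+
+$ sudo jailtest
+.br
+2014:netblue::firejail /usr/bin/gimp
+.br
+Virtual dirs: /tmp, /var/tmp, /dev, /usr/share,
+.br
+Warning: I can run programs in /home/netblue
+.br
+
+.br
+2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net
+.br
+Virtual dirs: /var/tmp, /dev, /usr/share, /run/user/1000,
+.br
+Warning: I can read ~/.ssh
+.br
+
+.br
+2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.appimage
+.br
+Virtual dirs: /tmp, /var/tmp, /dev,
+.br
+
+.br
+26090:netblue::/usr/bin/firejail /opt/firefox/firefox
+.br
+Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /usr/share,
+.br
+/run/user/1000,
+.br
+
+.br
+26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor
+.br
+Warning: AppArmor not enabled
+.br
+Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /bin,
+.br
+/usr/share, /run/user/1000,
+.br
+Warning: I can run programs in /home/netblue
+.br
+
+
+.SH LICENSE
+This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
+.PP
+Homepage: https://firejail.wordpress.com
+.SH SEE ALSO
+.BR firejail (1),
+.BR firemon (1),
+.BR firecfg (1),
+.BR firejail-profile (5),
+.BR firejail-login (5),
+.BR firejail-users (5),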
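--- a/src/man/preproc.awk
+++ b/src/man/preproc.awk
@@ -1,6 +1,6 @@
 #!/usr/bin/gawk -E
 
-# Copyright (c) 2019,2020 rusty-snake
+# Copyright (c) 2019-2021 rusty-snake
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal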
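--- a/src/profstats/Makefile.in
+++ b/src/profstats/Makefile.in
@@ -1,3 +1,4 @@
+.PHONY: all
 all: profstats
 
 include ../common.mk
@@ -8,7 +9,9 @@ include ../common.mk
 profstats: $(OBJS)
 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
 
+.PHONY: clean
 clean:; rm -fr *.o profstats *.gcov *.gcda *.gcno *.plist
 
+.PHONY: distclean
 distclean: clean
 rm -fr Makefile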
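--- a/src/profstats/main.c
+++ b/src/profstats/main.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2020 Firejail Authors
+* Copyright (C) 2014-2021 Firejail Authors
 *
 * This file is part of firejail project
 *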
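--- a/src/tools/check-caps.sh
+++ b/src/tools/check-caps.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 if [ $# -eq 0 ]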
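--- a/src/tools/extract_caps.c
+++ b/src/tools/extract_caps.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2020 Firejail Authors
+* Copyright (C) 2014-2021 Firejail Authors
 *
 * This file is part of firejail project
 *
@@ -17,6 +17,7 @@
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
+#include <ctype.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>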
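--- a/src/tools/extract_errnos.sh
+++ b/src/tools/extract_errnos.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 echo -e "#include <errno.h>\n#include <attr/xattr.h>" | \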
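--- a/src/tools/extract_seccomp.c
+++ b/src/tools/extract_seccomp.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2020 Firejail Authors
+* Copyright (C) 2014-2021 Firejail Authors
 *
 * This file is part of firejail project
 *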
diff --git a/src/tools/extract_syscalls.c b/src/tools/extract_syscalls.c index 83c2f65f3..9159b6576 100644 --- a/src/tools/extract_syscalls.c +++ b/src/tools/extract_syscalls.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/tools/mkcoverit.sh b/src/tools/mkcoverit.sh index b21418d5c..86d798a11 100755 --- a/src/tools/mkcoverit.sh +++ b/src/tools/mkcoverit.sh | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | # unpack firejail archive | 6 | # unpack firejail archive |
diff --git a/src/tools/testuid.c b/src/tools/testuid.c index ad3d2be5f..a18d57d5e 100644 --- a/src/tools/testuid.c +++ b/src/tools/testuid.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/tools/ttytest.c b/src/tools/ttytest.c index beaeb4fbe..0f72753bc 100644 --- a/src/tools/ttytest.c +++ b/src/tools/ttytest.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/tools/unixsocket.c b/src/tools/unixsocket.c index 0987deb7a..c4ecabca7 100644 --- a/src/tools/unixsocket.c +++ b/src/tools/unixsocket.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/zsh_completion/Makefile.in b/src/zsh_completion/Makefile.in new file mode 100644 index 000000000..a83cccf6c --- /dev/null +++ b/src/zsh_completion/Makefile.in | |||
@@ -0,0 +1,17 @@ | |||
1 | .PHONY: all | ||
2 | all: _firejail | ||
3 | |||
4 | include ../common.mk | ||
5 | |||
6 | _firejail: _firejail.in | ||
7 | gawk -f ../man/preproc.awk -- $(MANFLAGS) < $< > $@.tmp | ||
8 | sed "s|_SYSCONFDIR_|$(sysconfdir)|" < $@.tmp > $@ | ||
9 | rm $@.tmp | ||
10 | |||
11 | .PHONY: clean | ||
12 | clean: | ||
13 | rm -fr _firejail | ||
14 | |||
15 | .PHONY: distclean | ||
16 | distclean: clean | ||
17 | rm -fr Makefile | ||
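Review bot: The `_firejail` rule (new lines 6-9) writes its target through a shell redirect, so if `sed` fails part-way, a truncated `_firejail` is left on disk and the next `make` run treats it as up to date. Adding `.DELETE_ON_ERROR:` to this Makefile makes GNU make remove the half-written target when a recipe line fails. A failed `gawk` or `sed` step also leaves `_firejail.tmp` behind, and `clean` does not remove it; `rm -fr _firejail _firejail.tmp` would cover that. Separately, `$(sysconfdir)` is pasted unescaped into the sed expression, so a path containing `|` or `&` would change the substitution; this is unlikely for a configure-supplied path, but a one-line comment would record the assumption.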
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in new file mode 100644 index 000000000..fd27bb35f --- /dev/null +++ b/src/zsh_completion/_firejail.in | |||
@@ -0,0 +1,283 @@ | |||
1 | #compdef firejail | ||
2 | |||
3 | # Documentation: man 1 zshcompsys | ||
4 | # HowTo: https://github.com/zsh-users/zsh-completions/blob/master/zsh-completions-howto.org | ||
5 | |||
6 | _all_firejails() { | ||
7 | local -a _all_firejails_list | ||
8 | for jail in ${(f)"$(_call_program modules_tag "firejail --list 2> /dev/null | cut -d: -f1")"}; do | ||
9 | _all_firejails_list+=${jail%% *} | ||
10 | done | ||
11 | _describe 'firejails list' _all_firejails_list | ||
12 | } | ||
13 | |||
14 | _all_cpus() { | ||
15 | _cpu_count=$(getconf _NPROCESSORS_ONLN) | ||
16 | for i in {0..$((_cpu_count-1))} ; do | ||
17 | print $i | ||
18 | done | ||
19 | } | ||
20 | |||
21 | _profiles() { | ||
22 | print $1/*.profile | sed -E "s;$1/;;g;s;\.profile;;g;" | ||
23 | } | ||
24 | _profiles_with_ext() { | ||
25 | print $1/*.profile | ||
26 | } | ||
27 | |||
28 | _all_profiles() { | ||
29 | _values 'profiles' $(_profiles _SYSCONFDIR_/firejail) $(_profiles $HOME/.config/firejail) $(_profiles_with_ext .) | ||
30 | } | ||
31 | |||
32 | _session_bus_names() { | ||
33 | _values names $(busctl --user list --no-legend --activatable | cut -d" " -f1) | ||
34 | # Alternatives to hack on for non-systemd systems: | ||
35 | # dbus-send --session --dest=org.freedesktop.DBus --type=method_call --print-reply=literal /org/freedesktop/DBus org.freedesktop.DBus.ListNames | ||
36 | # ls /usr/share/dbus-1/services | xargs -I FILENAME basename FILENAME .service | ||
37 | } | ||
38 | |||
39 | _system_bus_names() { | ||
40 | _values names $(busctl --system list --no-legend --activatable | cut -d" " -f1) | ||
41 | } | ||
42 | |||
43 | _caps() { | ||
44 | _values -s "," caps $(firejail --debug-caps | awk '/[0-9]+\s*- /{print $3}') | ||
45 | } | ||
46 | |||
47 | _firejail_args=( | ||
48 | '*::arguments:_normal' | ||
49 | |||
50 | '--appimage[sandbox an AppImage application]' | ||
51 | '--build[build a whitelisted profile for the application and print it on stdout]' | ||
52 | '--build=-[build a whitelisted profile for the application and save it]: :_files' | ||
53 | # Ignore that you can do -? too as it's the only short option | ||
54 | '--help[this help screen]' | ||
55 | '--join=-[join the sandbox name|pid]: :_all_firejails' | ||
56 | '--join-filesystem=-[join the mount namespace name|pid]: :_all_firejails' | ||
57 | '--list[list all sandboxes]' | ||
58 | '(--profile)--noprofile[do not use a security profile]' | ||
59 | '(--noprofile)--profile=-[use a custom profile]: :_all_profiles' | ||
60 | '--shutdown=-[shutdown the sandbox identified by name|pid]: :_all_firejails' | ||
61 | '--top[monitor the most CPU-intensive sandboxes]' | ||
62 | '--tree[print a tree of all sandboxed processes]' | ||
63 | '--version[print program version and exit]' | ||
64 | |||
65 | '--debug[print sandbox debug messages]' | ||
66 | '--debug-blacklists[debug blacklisting]' | ||
67 | '--debug-caps[print all recognized capabilities]' | ||
68 | '--debug-errnos[print all recognized error numbers]' | ||
69 | '--debug-private-lib[debug for --private-lib option]' | ||
70 | '--debug-protocols[print all recognized protocols]' | ||
71 | '--debug-syscalls[print all recognized system calls]' | ||
72 | '--debug-syscalls32[print all recognized 32 bit system calls]' | ||
73 | '--debug-whitelists[debug whitelisting]' | ||
74 | |||
75 | '--caps.print=-[print the caps filter name|pid]:firejail:_all_firejails' | ||
76 | '--cpu.print=-[print the cpus in use name|pid]: :_all_firejails' | ||
77 | '--fs.print=-[print the filesystem log name|pid]: :_all_firejails' | ||
78 | '--profile.print=-[print the name of profile file name|pid]: :_all_firejails' | ||
79 | '--protocol.print=-[print the protocol filter name|pid]: :_all_firejails' | ||
80 | '--seccomp.print=-[print the seccomp filter for the sandbox identified by name|pid]: :_all_firejails' | ||
81 | |||
82 | '--allow-debuggers[allow tools such as strace and gdb inside the sandbox]' | ||
83 | '--allusers[all user home directories are visible inside the sandbox]' | ||
84 | # Should be _files, a comma and files or files -/ | ||
85 | '*--bind=-[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)' | ||
86 | '*--blacklist=-[blacklist directory or file]: :_files' | ||
87 | '--caps[enable default Linux capabilities filter]' | ||
88 | '--caps.drop=all[drop all capabilities]' | ||
89 | '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :_caps' | ||
90 | '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :_caps' | ||
91 | '--cgroup=-[place the sandbox in the specified control group]: :' | ||
92 | '--cpu=-[set cpu affinity]: :->cpus' | ||
93 | "--deterministic-exit-code[always exit with first child's status code]" | ||
94 | '*--dns=-[set DNS server]: :' | ||
95 | '*--env=-[set environment variable]: :' | ||
96 | '--hostname=-[set sandbox hostname]: :' | ||
97 | '--hosts-file=-[use file as /etc/hosts]: :_files' | ||
98 | '*--ignore=-[ignore command in profile files]: :' | ||
99 | '--ipc-namespace[enable a new IPC namespace]' | ||
100 | '--join-or-start=-[join the sandbox or start a new one name|pid]: :_all_firejails' | ||
101 | '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]' | ||
102 | '--keep-var-tmp[/var/tmp directory is untouched]' | ||
103 | '--machine-id[preserve /etc/machine-id]' | ||
104 | '--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]' | ||
105 | '*--mkdir=-[create a directory]:' | ||
106 | '*--mkfile=-[create a file]:' | ||
107 | '--name=-[set sandbox name]: :' | ||
108 | '--net=none[enable a new, unconnected network namespace]' | ||
109 | # Sample values as I don't think | ||
110 | # many would enjoy getting a list from -20..20 | ||
111 | '--nice=-[set nice value]: :(1 10 15 20)' | ||
112 | '--no3d[disable 3D hardware acceleration]' | ||
113 | '--noautopulse[disable automatic ~/.config/pulse init]' | ||
114 | '--noblacklist=-[disable blacklist for file or directory]: :_files' | ||
115 | '--nodbus[disable D-Bus access]' | ||
116 | '--nodvd[disable DVD and audio CD devices]' | ||
117 | '*--noexec=-[remount the file or directory noexec nosuid and nodev]: :_files' | ||
118 | '--nogroups[disable supplementary groups]' | ||
119 | '--nonewprivs[sets the NO_NEW_PRIVS prctl]' | ||
120 | '--nosound[disable sound system]' | ||
121 | '--nou2f[disable U2F devices]' | ||
122 | '--novideo[disable video devices]' | ||
123 | '--private[temporary home directory]' | ||
124 | '--private=-[use directory as user home]: :_files -/' | ||
125 | '--private-bin=-[build a new /bin in a temporary filesystem, and copy the programs in the list]: :_files -W /usr/bin' | ||
126 | '--private-cwd[do not inherit working directory inside jail]' | ||
127 | '--private-cwd=-[set working directory inside jail]: :_files -/' | ||
128 | '--private-dev[create a new /dev directory with a small number of common device files]' | ||
129 | '(--writable-etc)--private-etc=-[build a new /etc in a temporary filesystem, and copy the files and directories in the list]: :_files -W /etc' | ||
130 | '--private-opt=-[build a new /opt in a temporary filesystem]: :_files -W /opt' | ||
131 | '--private-srv=-[build a new /srv in a temporary filesystem]: :_files -W /srv' | ||
132 | '--private-tmp[mount a tmpfs on top of /tmp directory]' | ||
133 | '*--protocol=-[enable protocol filter]: :_values -s , protocols unix inet inet6 netlink packet bluetooth' | ||
134 | "--quiet[turn off Firejail's output.]" | ||
135 | '*--read-only=-[set directory or file read-only]: :_files' | ||
136 | '*--read-write=-[set directory or file read-write]: :_files' | ||
137 | "--rlimit-as=-[set the maximum size of the process's virtual memory (address space) in bytes]: :" | ||
138 | '--rlimit-cpu=-[set the maximum CPU time in seconds]: :' | ||
139 | '--rlimit-fsize=-[set the maximum file size that can be created by a process]: :' | ||
140 | '--rlimit-nofile=-[set the maximum number of files that can be opened by a process]: :' | ||
141 | '--rlimit-nproc=-[set the maximum number of processes that can be created for the real user ID of the calling process]: :' | ||
142 | '--rlimit-sigpending=-[set the maximum number of pending signals for a process]: :' | ||
143 | '*--rmenv=-[remove environment variable in the new sandbox]: :_values environment-variables $(env | cut -d= -f1)' | ||
144 | '--seccomp[enable seccomp filter and apply the default blacklist]: :' | ||
145 | '--seccomp=-[enable seccomp filter, blacklist the default syscall list and the syscalls specified by the command]: :->seccomp' | ||
146 | '--seccomp.block-secondary[build only the native architecture filters]' | ||
147 | '*--seccomp.drop=-[enable seccomp filter, and blacklist the syscalls specified by the command]: :->seccomp' | ||
148 | '*--seccomp.keep=-[enable seccomp filter, and whitelist the syscalls specified by the command]: :->seccomp' | ||
149 | '*--seccomp.32.drop=-[enable seccomp filter, and blacklist the 32 bit syscalls specified by the command]: :' | ||
150 | '*--seccomp.32.keep=-[enable seccomp filter, and whitelist the 32 bit syscalls specified by the command]: :' | ||
151 | # FIXME: Add errnos | ||
152 | '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(kill log)' | ||
153 | '--shell=none[run the program directly without a user shell]' | ||
154 | '--shell=-[set default user shell]: :_values $(cat /etc/shells)' | ||
155 | '--timeout=-[kill the sandbox automatically after the time has elapsed]: :' | ||
156 | #'(--tracelog)--trace[trace open, access and connect system calls]' | ||
157 | '(--tracelog)--trace=-[trace open, access and connect system calls]: :_files' | ||
158 | '(--trace)--tracelog[add a syslog message for every access to files or directories blacklisted by the security profile]' | ||
159 | '(--private-etc)--writable-etc[/etc directory is mounted read-write]' | ||
160 | '--writable-run-user[allow access to /run/user/$UID/systemd and /run/user/$UID/gnupg]' | ||
161 | '--writable-var[/var directory is mounted read-write]' | ||
162 | '--writable-var-log[use the real /var/log directory, not a clone]' | ||
163 | |||
164 | #ifdef HAVE_APPARMOR | ||
165 | '--apparmor[enable AppArmor confinement]' | ||
166 | '--apparmor.print=-[print apparmor status name|pid]:firejail:_all_firejails' | ||
167 | #endif | ||
168 | |||
169 | #ifdef HAVE_CHROOT | ||
170 | '(--noroot --overlay --overlay-named --overlay-tmpfs)--chroot=-[chroot into directory]: :_files -/' | ||
171 | #endif | ||
172 | |||
173 | #ifdef HAVE_DBUSPROXY | ||
174 | # FIXME: _xx_bus_names is actually wrong for --dbus-*.{broadcast,call}. | ||
175 | # We can steal some function from https://github.com/systemd/systemd/blob/main/shell-completion/zsh/_busctl | ||
176 | '--dbus-log=-[set DBus log file location]: :_files' | ||
177 | '--dbus-system=-[set system DBus access policy]: :(filter none)' | ||
178 | '--dbus-system.broadcast=-[allow signals on the system DBus according to rule]: :_system_bus_names' | ||
179 | '--dbus-system.call=-[allow calls on the system DBus according to rule]: :_system_bus_names' | ||
180 | '--dbus-system.own=-[allow ownership of name on the system DBus]: :_system_bus_names' | ||
181 | '--dbus-system.see=-[allow seeing name on the system DBus]: :_system_bus_names' | ||
182 | '--dbus-system.talk=-[allow talking to name on the system DBus]: :_system_bus_names' | ||
183 | '--dbus-user=-[set session DBus access policy or none]: :(filter none)' | ||
184 | '--dbus-user.broadcast=-[allow signals on the session DBus according to rule]: :_session_bus_names' | ||
185 | '--dbus-user.call=-[allow calls on the session DBus according to rule]: :_session_bus_names' | ||
186 | '--dbus-user.own=-[allow ownership of name on the session DBus]: :_session_bus_names' | ||
187 | '--dbus-user.see=-[allow seeing name on the session DBus]: :_session_bus_names' | ||
188 | '--dbus-user.talk=-[allow talking to name on the session DBus]: :_session_bus_names' | ||
189 | #endif | ||
190 | |||
191 | #ifdef HAVE_FILE_TRANSFER | ||
192 | '--cat=-[print content of file from sandbox container name|pid]: :_all_firejails' | ||
193 | '--get=-[get a file from sandbox container name|pid]: :_all_firejails' | ||
194 | # --put=name|pid src-filename dest-filename - put a file in sandbox container. | ||
195 | '--put=-[put a file in sandbox container]: :' | ||
196 | '--ls=-[list files in sandbox container name|pid]: :_all_firejails' | ||
197 | #endif | ||
198 | |||
199 | #ifdef HAVE_FIRETUNNEL | ||
200 | '--tunnel=-[connect the sandbox to a tunnel created by firetunnel utility]: :' | ||
201 | #endif | ||
202 | |||
203 | #ifdef HAVE_NETWORK | ||
204 | '--bandwidth=-[set bandwidth limits name|pid]: :_all_firejails' | ||
205 | '--defaultgw=[configure default gateway]: :' | ||
206 | '--dns.print=-[print DNS configuration name|pid]: :_all_firejails' | ||
207 | '--join-network=-[join the network namespace name|pid]: :_all_firejails' | ||
208 | '--mac=-[set interface MAC address]: :(xx\:xx\:xx\:xx\:xx\:xx)' | ||
209 | '--mtu=-[set interface MTU]: :' | ||
210 | '--net=-[enable network namespaces and connect to this bridge or Ethernet interface (or none to disable)]: :->net_or_none' | ||
211 | '--net.print=-[print network interface configuration name|pid]: :_all_firejails' | ||
212 | '--netfilter=-[enable firewall]: :' | ||
213 | '--netfilter.print=-[print the firewall name|pid]: :_all_firejails' | ||
214 | '--netfilter6=-[enable IPv6 firewall]: :' | ||
215 | '--netfilter6.print=-[print the IPv6 firewall name|pid]: :_all_firejails' | ||
216 | '--netmask=-[define a network mask when dealing with unconfigured parrent interfaces]: :' | ||
217 | '--netns=-[Run the program in a named, persistent network namespace]: :' | ||
218 | '--netstats[monitor network statistics]' | ||
219 | '--interface=-[move interface in sandbox]: :' | ||
220 | '--ip=-[set interface IP address none|dhcp|ADDRESS]: :(none dhcp)' | ||
221 | '--ip6=-[set interface IPv6 address or use dhcp via dhclient]: :(dhcp)' | ||
222 | '--iprange=-[configure an IP address in this range]: :' | ||
223 | '--scan[ARP-scan all the networks from inside a network namespace]' | ||
224 | '--veth-name=-[use this name for the interface connected to the bridge]: :' | ||
225 | #endif | ||
226 | |||
227 | #ifdef HAVE_OUTPUT | ||
228 | '--output=-[stdout logging and log rotation]: :_files' | ||
229 | '--output-stderr=-[stdout and stderr logging and log rotation]: :_files' | ||
230 | #endif | ||
231 | |||
232 | #ifdef HAVE_OVERLAYFS | ||
233 | '(--chroot --noroot)--overlay[mount a filesystem overlay on top of the current filesystem]' | ||
234 | '--overlay-clean[clean all overlays stored in $HOME/.firejail directory]' | ||
235 | '(--chroot --noroot)--overlay-named=-[mount a filesystem overlay on top of the current filesystem, and store it in name directory]: :_files -/' | ||
236 | '(--chroot --noroot)--overlay-tmpfs[mount a temporary filesystem overlay on top of the current filesystem]' | ||
237 | #endif | ||
238 | |||
239 | #ifdef HAVE_PRIVATE_HOME | ||
240 | '--private-home=-[build a new user home in a temporary filesystem, and copy the files and directories in the list in the new home]: :_files' | ||
241 | #endif | ||
242 | |||
243 | #ifdef HAVE_USERNS | ||
244 | '(--chroot --overlay --overlay-named --overlay-tmpfs)--noroot[install a user namespace with only the current user]' | ||
245 | #endif | ||
246 | |||
247 | #ifdef HAVE_USERTMPFS | ||
248 | '--private-cache[temporary ~/.cache directory]' | ||
249 | '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/' | ||
250 | #endif | ||
251 | |||
252 | #ifdef HAVE_WHITELIST | ||
253 | '*--nowhitelist=-[disable whitelist for file or directory]: :_files' | ||
254 | '*--whitelist=-[whitelist directory or file]: :_files' | ||
255 | #endif | ||
256 | |||
257 | #ifdef HAVE_X11 | ||
258 | '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]' | ||
259 | '--x11=-[disable or enable specific X11 server]: :(none xephyr xorg xpra xvfb)' | ||
260 | '--xephyr-screen=-[set screen size for --x11=xephyr]: :(WIDTHxHEIGHT)' | ||
261 | #endif | ||
262 | ) | ||
263 | |||
264 | |||
265 | _firejail() { | ||
266 | _arguments -S $_firejail_args | ||
267 | case "$state" in | ||
268 | cpus) | ||
269 | _values -s "," 'cpus' $(_all_cpus) | ||
270 | ;; | ||
271 | net_or_none) | ||
272 | local netdevs=($(ip link | awk '{print $2}' | grep '^.*:$' | tr -d ':')) | ||
273 | local net_and_none=(none $netdevs) | ||
274 | _values 'net' $net_and_none | ||
275 | ;; | ||
276 | seccomp) | ||
277 | # TODO: syscall groups | ||
278 | _values -s "," 'syscalls' $(firejail --debug-syscalls | cut -d" " -f2) | ||
279 | ;; | ||
280 | esac | ||
281 | } | ||
282 | |||
283 | # vim: ft=zsh sw=4 ts=4 et sts=4 ai | ||
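Review bot: The `--shell=-` spec at new line 154 calls `_values $(cat /etc/shells)` with no description argument, so the first word read from `/etc/shells` is consumed as the description instead of being offered, and any comment lines in that file are split into words and offered as shells. The other `_values` calls in this file pass a description first (`_values names …`, `_values 'profiles' …`), and this one should match: `'--shell=-[set default user shell]: :_values shells $(grep "^/" /etc/shells)'`. In addition, `_caps` and the `seccomp` state run `firejail` directly, whereas `_all_firejails` goes through `_call_program` with stderr redirected, so an error from the binary would be printed to the terminal during completion.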
diff --git a/test/Makefile.in b/test/Makefile.in index d41ab39d1..264314a3b 100644 --- a/test/Makefile.in +++ b/test/Makefile.in | |||
@@ -1,13 +1,14 @@ | |||
1 | TESTS=$(patsubst %/,%,$(wildcard */)) | 1 | TESTS=$(patsubst %/,%,$(wildcard */)) |
2 | 2 | ||
3 | .PHONY: $(TESTS) | 3 | .PHONY: $(TESTS) |
4 | |||
5 | $(TESTS): | 4 | $(TESTS): |
6 | cd $@ && ./$@.sh 2>&1 | tee $@.log | 5 | cd $@ && ./$@.sh 2>&1 | tee $@.log |
7 | cd $@ && grep -a TESTING $@.log && grep -a -L "TESTING ERROR" $@.log | 6 | cd $@ && grep -a TESTING $@.log && grep -a -L "TESTING ERROR" $@.log |
8 | 7 | ||
8 | .PHONY: clean | ||
9 | clean: | 9 | clean: |
10 | for test in $(TESTS); do rm -f "$$test/$$test.log"; done | 10 | for test in $(TESTS); do rm -f "$$test/$$test.log"; done |
11 | 11 | ||
12 | .PHONY: distclean | ||
12 | distclean: clean | 13 | distclean: clean |
13 | rm -f Makefile | 14 | rm -f Makefile |
diff --git a/test/appimage/appimage-args.exp b/test/appimage/appimage-args.exp index cee01d509..eecb9bf82 100755 --- a/test/appimage/appimage-args.exp +++ b/test/appimage/appimage-args.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
@@ -96,7 +96,7 @@ send -- "firejail --shutdown=appimage-test\r" | |||
96 | set spawn_id $appimage_id | 96 | set spawn_id $appimage_id |
97 | expect { | 97 | expect { |
98 | timeout {puts "shutdown\n";exit} | 98 | timeout {puts "shutdown\n";exit} |
99 | "AppImage unmounted" | 99 | "AppImage detached" |
100 | } | 100 | } |
101 | 101 | ||
102 | after 100 | 102 | after 100 |
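Review bot: The timeout branch beside the updated string (line 98) prints only `shutdown` and exits, so the harness in test/Makefile.in, which greps the log for `TESTING ERROR`, does not fail when the expected `AppImage detached` message never arrives. The expectation changed here is therefore not enforced, and the old `AppImage unmounted` wording would apparently have kept passing as well. If the message is meant to be checked, the branch should report it, e.g. `timeout {puts "TESTING ERROR <n>\n";exit}` with `<n>` the next free number in this file. The same pattern appears in appimage-trace.exp (lines 33 and 60), appimage-v1.exp (line 86) and appimage-v2.exp (line 85). The surrounding test sequence starts outside the hunk, so this may be a deliberate best-effort shutdown check.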
diff --git a/test/appimage/appimage-trace.exp b/test/appimage/appimage-trace.exp index 07a0aac0d..2f67eb531 100755 --- a/test/appimage/appimage-trace.exp +++ b/test/appimage/appimage-trace.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
@@ -31,7 +31,7 @@ expect { | |||
31 | } | 31 | } |
32 | expect { | 32 | expect { |
33 | timeout {puts "shutdown\n"} | 33 | timeout {puts "shutdown\n"} |
34 | "AppImage unmounted" | 34 | "AppImage detached" |
35 | } | 35 | } |
36 | sleep 1 | 36 | sleep 1 |
37 | 37 | ||
@@ -58,7 +58,7 @@ expect { | |||
58 | } | 58 | } |
59 | expect { | 59 | expect { |
60 | timeout {puts "shutdown\n"} | 60 | timeout {puts "shutdown\n"} |
61 | "AppImage unmounted" | 61 | "AppImage detached" |
62 | } | 62 | } |
63 | sleep 1 | 63 | sleep 1 |
64 | 64 | ||
diff --git a/test/appimage/appimage-v1.exp b/test/appimage/appimage-v1.exp index 80e228145..b8b6e0c96 100755 --- a/test/appimage/appimage-v1.exp +++ b/test/appimage/appimage-v1.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
@@ -84,7 +84,7 @@ send -- "firejail --shutdown=appimage-test\r" | |||
84 | set spawn_id $appimage_id | 84 | set spawn_id $appimage_id |
85 | expect { | 85 | expect { |
86 | timeout {puts "shutdown\n"} | 86 | timeout {puts "shutdown\n"} |
87 | "AppImage unmounted" | 87 | "AppImage detached" |
88 | } | 88 | } |
89 | 89 | ||
90 | after 100 | 90 | after 100 |
diff --git a/test/appimage/appimage-v2.exp b/test/appimage/appimage-v2.exp index ccdeae0aa..243824f75 100755 --- a/test/appimage/appimage-v2.exp +++ b/test/appimage/appimage-v2.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
@@ -83,7 +83,7 @@ send -- "firejail --shutdown=appimage-test\r" | |||
83 | set spawn_id $appimage_id | 83 | set spawn_id $appimage_id |
84 | expect { | 84 | expect { |
85 | timeout {puts "shutdown\n"} | 85 | timeout {puts "shutdown\n"} |
86 | "AppImage unmounted" | 86 | "AppImage detached" |
87 | } | 87 | } |
88 | 88 | ||
89 | after 100 | 89 | after 100 |
diff --git a/test/appimage/appimage.sh b/test/appimage/appimage.sh index fa1a53195..e766b1acd 100755 --- a/test/appimage/appimage.sh +++ b/test/appimage/appimage.sh | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | export MALLOC_CHECK_=3 | 6 | export MALLOC_CHECK_=3 |
@@ -20,4 +20,4 @@ echo "TESTING: AppImage argsv1 (test/appimage/appimage-args.exp)" | |||
20 | ./appimage-args.exp | 20 | ./appimage-args.exp |
21 | 21 | ||
22 | echo "TESTING: AppImage trace (test/appimage/appimage-trace.exp)" | 22 | echo "TESTING: AppImage trace (test/appimage/appimage-trace.exp)" |
23 | ./appimage-args.exp | 23 | ./appimage-trace.exp |
diff --git a/test/appimage/filename.exp b/test/appimage/filename.exp index e4c7d3a95..54d8d722d 100755 --- a/test/appimage/filename.exp +++ b/test/appimage/filename.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
@@ -17,7 +17,7 @@ after 100 | |||
17 | send -- "firejail --appimage /etc/shadow\r" | 17 | send -- "firejail --appimage /etc/shadow\r" |
18 | expect { | 18 | expect { |
19 | timeout {puts "TESTING ERROR 2\n";exit} | 19 | timeout {puts "TESTING ERROR 2\n";exit} |
20 | "cannot access" | 20 | "cannot read" |
21 | } | 21 | } |
22 | after 100 | 22 | after 100 |
23 | 23 | ||
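Review bot: Nothing near line 17 says what this case protects, and the assertion is tied to the literal error text, which is why it had to be edited in this commit. A comment above the `send` would record the intent, for example `# /etc/shadow is not readable by the test user: --appimage must refuse it with a read error`. That purpose is presumed from the input path and the expected message, so confirm it against the check in the firejail source. The rest of the script is outside the hunk.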
diff --git a/test/apps-x11-xorg/apps-x11-xorg.sh b/test/apps-x11-xorg/apps-x11-xorg.sh index 568dee85d..7f37914aa 100755 --- a/test/apps-x11-xorg/apps-x11-xorg.sh +++ b/test/apps-x11-xorg/apps-x11-xorg.sh | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | export MALLOC_CHECK_=3 | 6 | export MALLOC_CHECK_=3 |
diff --git a/test/apps-x11-xorg/firefox.exp b/test/apps-x11-xorg/firefox.exp index 8322e2d0e..12fcc13ce 100755 --- a/test/apps-x11-xorg/firefox.exp +++ b/test/apps-x11-xorg/firefox.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/apps-x11-xorg/thunderbird.exp b/test/apps-x11-xorg/thunderbird.exp index 24549e6c8..5c810c517 100755 --- a/test/apps-x11-xorg/thunderbird.exp +++ b/test/apps-x11-xorg/thunderbird.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/apps-x11-xorg/transmission-gtk.exp b/test/apps-x11-xorg/transmission-gtk.exp index b688bc619..e0f519c00 100755 --- a/test/apps-x11-xorg/transmission-gtk.exp +++ b/test/apps-x11-xorg/transmission-gtk.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/apps-x11-xorg/transmission-qt.exp b/test/apps-x11-xorg/transmission-qt.exp index 5864bb845..02a015968 100755 --- a/test/apps-x11-xorg/transmission-qt.exp +++ b/test/apps-x11-xorg/transmission-qt.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/apps-x11/apps-x11.sh b/test/apps-x11/apps-x11.sh index 609eb5dc9..9954cb736 100755 --- a/test/apps-x11/apps-x11.sh +++ b/test/apps-x11/apps-x11.sh | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | export MALLOC_CHECK_=3 | 6 | export MALLOC_CHECK_=3 |
diff --git a/test/apps-x11/chromium.exp b/test/apps-x11/chromium.exp index 14f8ff616..92739048c 100755 --- a/test/apps-x11/chromium.exp +++ b/test/apps-x11/chromium.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/apps-x11/firefox.exp b/test/apps-x11/firefox.exp index 8de9d939b..69efc79d9 100755 --- a/test/apps-x11/firefox.exp +++ b/test/apps-x11/firefox.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/apps-x11/thunderbird.exp b/test/apps-x11/thunderbird.exp index 73133fa1b..7cfc957b7 100755 --- a/test/apps-x11/thunderbird.exp +++ b/test/apps-x11/thunderbird.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
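--- a/test/apps-x11/transmission-gtk.exp
+++ b/test/apps-x11/transmission-gtk.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10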
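--- a/test/apps-x11/x11-none.exp
+++ b/test/apps-x11/x11-none.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10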
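--- a/test/apps-x11/x11-xephyr.exp
+++ b/test/apps-x11/x11-xephyr.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10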
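--- a/test/apps-x11/xterm-xephyr.exp
+++ b/test/apps-x11/xterm-xephyr.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10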
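--- a/test/apps-x11/xterm-xorg.exp
+++ b/test/apps-x11/xterm-xorg.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10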
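--- a/test/apps-x11/xterm-xpra.exp
+++ b/test/apps-x11/xterm-xpra.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10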
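--- a/test/apps/apps.sh
+++ b/test/apps/apps.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3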
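--- a/test/apps/chromium.exp
+++ b/test/apps/chromium.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10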
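--- a/test/apps/deluge.exp
+++ b/test/apps/deluge.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10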
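--- a/test/apps/fbreader.exp
+++ b/test/apps/fbreader.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10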
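--- a/test/apps/filezilla.exp
+++ b/test/apps/filezilla.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10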
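--- a/test/apps/firefox.exp
+++ b/test/apps/firefox.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10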
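--- a/test/apps/gnome-mplayer.exp
+++ b/test/apps/gnome-mplayer.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10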
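--- a/test/apps/gthumb.exp
+++ b/test/apps/gthumb.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10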
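--- a/test/apps/hexchat.exp
+++ b/test/apps/hexchat.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10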
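--- a/test/apps/kcalc.exp
+++ b/test/apps/kcalc.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10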
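--- a/test/apps/ktorrent.exp
+++ b/test/apps/ktorrent.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10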
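--- a/test/apps/midori.exp
+++ b/test/apps/midori.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10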
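--- a/test/apps/opera.exp
+++ b/test/apps/opera.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10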
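--- a/test/apps/qbittorrent.exp
+++ b/test/apps/qbittorrent.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10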
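--- a/test/apps/thunderbird.exp
+++ b/test/apps/thunderbird.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10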
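--- a/test/apps/transmission-qt.exp
+++ b/test/apps/transmission-qt.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10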
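--- a/test/apps/uget-gtk.exp
+++ b/test/apps/uget-gtk.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10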
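--- a/test/apps/vlc.exp
+++ b/test/apps/vlc.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10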
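--- a/test/apps/wine.exp
+++ b/test/apps/wine.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10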
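--- a/test/apps/xchat.exp
+++ b/test/apps/xchat.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10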
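--- a/test/arguments/arguments.sh
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/bash
-# This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
-# License GPL v2
-
-export LC_ALL=C
-
-if [ -f /etc/debian_version ]; then
-libdir=$(dirname "$(dpkg -L firejail | grep faudit)")
-export PATH="$PATH:$libdir"
-fi
-export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail"
-
-echo "TESTING: 1. regular bash session"
-./bashrun.exp
-sleep 1
-
-echo "TESTING: 2. symbolic link to firejail"
-./symrun.exp
-rm -fr symtest
-sleep 1
-
-echo "TESTING: 3. --join option"
-./joinrun.exp
-sleep 1
-
-echo "TESTING: 4. --output option"
-./outrun.exp
-rm out
-rm out.*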
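--- a/test/arguments/bashrun.exp
+++ /dev/null
@@ -1,89 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "./bashrun.sh\r"
-expect {
-timeout {puts "TESTING ERROR 1.1.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 1.1.2\n";exit}
-"#arg1#"
-}
-expect {
-timeout {puts "TESTING ERROR 1.1.3\n";exit}
-"#arg2#"
-}
-
-expect {
-timeout {puts "TESTING ERROR 1.2.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 1.2.2\n";exit}
-"#arg1 tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 1.2.3\n";exit}
-"#arg2 tail#"
-}
-
-expect {
-timeout {puts "TESTING ERROR 1.3.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 1.3.2\n";exit}
-"#arg1 tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 1.3.3\n";exit}
-"#arg2 tail#"
-}
-
-expect {
-timeout {puts "TESTING ERROR 1.4.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 1.4.2\n";exit}
-"#arg1 tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 1.4.3\n";exit}
-"#arg2 tail#"
-}
-
-expect {
-timeout {puts "TESTING ERROR 1.5.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 1.5.2\n";exit}
-"#arg1&tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 1.5.3\n";exit}
-"#arg2&tail#"
-}
-
-expect {
-timeout {puts "TESTING ERROR 1.6.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 1.6.2\n";exit}
-"#arg1&tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 1.6.3\n";exit}
-"#arg2&tail#"
-}
-
-puts "\nall done\n"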
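--- a/test/arguments/bashrun.sh
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-# This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
-# License GPL v2
-
-echo "TESTING: 1.1 - simple args"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit arg1 arg2
-
-# simple quotes, testing spaces in file names
-echo "TESTING: 1.2 - args with space and \""
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit "arg1 tail" "arg2 tail"
-
-echo "TESTING: 1.3 - args with space and '"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit 'arg1 tail' 'arg2 tail'
-
-# escaped space in file names
-echo "TESTING: 1.4 - args with space and \\"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit arg1\ tail arg2\ tail
-
-# & char appears in URLs - URLs should be quoted
-echo "TESTING: 1.5 - args with & and \""
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit "arg1&tail" "arg2&tail"
-
-echo "TESTING: 1.6 - args with & and '"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit 'arg1&tail' 'arg2&tail'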
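--- a/test/arguments/joinrun.exp
+++ /dev/null
@@ -1,92 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-
-send -- "firejail --name=joinrun\r"
-sleep 2
-
-spawn $env(SHELL)
-send -- "./joinrun.sh\r"
-expect {
-timeout {puts "TESTING ERROR 3.1.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 3.1.2\n";exit}
-"#arg1#"
-}
-expect {
-timeout {puts "TESTING ERROR 3.1.3\n";exit}
-"#arg2#"
-}
-
-expect {
-timeout {puts "TESTING ERROR 3.2.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 3.2.2\n";exit}
-"#arg1 tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 3.2.3\n";exit}
-"#arg2 tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 3.3.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 3.3.2\n";exit}
-"#arg1 tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 3.3.3\n";exit}
-"#arg2 tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 3.4.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 3.4.2\n";exit}
-"#arg1 tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 3.4.3\n";exit}
-"#arg2 tail#"
-}
-
-expect {
-timeout {puts "TESTING ERROR 3.5.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 3.5.2\n";exit}
-"#arg1&tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 3.5.3\n";exit}
-"#arg2&tail#"
-}
-
-expect {
-timeout {puts "TESTING ERROR 3.6.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 3.6.2\n";exit}
-"#arg1&tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 3.6.3\n";exit}
-"#arg2&tail#"
-}
-
-puts "\nall done\n"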
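--- a/test/arguments/joinrun.sh
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-# This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
-# License GPL v2
-
-echo "TESTING: 3.1 - simple args"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit arg1 arg2
-
-# simple quotes, testing spaces in file names
-echo "TESTING: 3.2 - args with space and \""
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit "arg1 tail" "arg2 tail"
-
-echo "TESTING: 3.3 - args with space and '"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit 'arg1 tail' 'arg2 tail'
-
-# escaped space in file names
-echo "TESTING: 3.4 - args with space and \\"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit arg1\ tail arg2\ tail
-
-# & char appears in URLs - URLs should be quoted
-echo "TESTING: 3.5 - args with & and \""
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit "arg1&tail" "arg2&tail"
-
-echo "TESTING: 3.6 - args with & and '"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit 'arg1&tail' 'arg2&tail'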
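--- a/test/arguments/outrun.exp
+++ /dev/null
@@ -1,93 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "./outrun.sh\r"
-expect {
-timeout {puts "TESTING ERROR 4.1.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 4.1.2\n";exit}
-"#arg1#"
-}
-expect {
-timeout {puts "TESTING ERROR 4.1.3\n";exit}
-"#arg2#"
-}
-
-exit
-#***************************************************
-# breaking down from here on - bug to fix
-#***************************************************
-expect {
-timeout {puts "TESTING ERROR 4.2.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 4.2.2\n";exit}
-"#arg1 tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 4.2.3\n";exit}
-"#arg2 tail#"
-}
-
-expect {
-timeout {puts "TESTING ERROR 4.3.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 4.3.2\n";exit}
-"#arg1 tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 4.3.3\n";exit}
-"#arg2 tail#"
-}
-
-expect {
-timeout {puts "TESTING ERROR 4.4.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 4.4.2\n";exit}
-"#arg1 tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 4.4.3\n";exit}
-"#arg2 tail#"
-}
-
-expect {
-timeout {puts "TESTING ERROR 4.5.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 4.5.2\n";exit}
-"#arg1&tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 4.5.3\n";exit}
-"#arg2&tail#"
-}
-
-expect {
-timeout {puts "TESTING ERROR 4.6.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 4.6.2\n";exit}
-"#arg1&tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 4.6.3\n";exit}
-"#arg2&tail#"
-}
-
-puts "\nall done\n"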
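--- a/test/arguments/outrun.sh
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-# This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
-# License GPL v2
-
-echo "TESTING: 4.1 - simple args"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit arg1 arg2
-
-# simple quotes, testing spaces in file names
-echo "TESTING: 4.2 - args with space and \""
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit "arg1 tail" "arg2 tail"
-
-echo "TESTING: 4.3 - args with space and '"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit 'arg1 tail' 'arg2 tail'
-
-# escaped space in file names
-echo "TESTING: 4.4 - args with space and \\"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit arg1\ tail arg2\ tail
-
-# & char appears in URLs - URLs should be quoted
-echo "TESTING: 4.5 - args with & and \""
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit "arg1&tail" "arg2&tail"
-
-echo "TESTING: 4.6 - args with & and '"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit 'arg1&tail' 'arg2&tail'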
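--- a/test/arguments/symrun.exp
+++ /dev/null
@@ -1,74 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "./symrun.sh\r"
-expect {
-timeout {puts "TESTING ERROR 2.1.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 2.1.2\n";exit}
-"#arg1#"
-}
-expect {
-timeout {puts "TESTING ERROR 2.1.3\n";exit}
-"#arg2#"
-}
-
-expect {
-timeout {puts "TESTING ERROR 2.3.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 2.3.2\n";exit}
-"#arg1 tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 2.3.3\n";exit}
-"#arg2 tail#"
-}
-
-expect {
-timeout {puts "TESTING ERROR 2.4.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 2.4.2\n";exit}
-"#arg1 tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 2.4.3\n";exit}
-"#arg2 tail#"
-}
-
-expect {
-timeout {puts "TESTING ERROR 2.5.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 2.5.2\n";exit}
-"#arg1&tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 2.5.3\n";exit}
-"#arg2&tail#"
-}
-
-expect {
-timeout {puts "TESTING ERROR 2.6.1\n";exit}
-"Arguments:"
-}
-expect {
-timeout {puts "TESTING ERROR 2.6.2\n";exit}
-"#arg1&tail#"
-}
-expect {
-timeout {puts "TESTING ERROR 2.6.3\n";exit}
-"#arg2&tail#"
-}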
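--- a/test/arguments/symrun.sh
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/bin/bash
-# This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
-# License GPL v2
-
-mkdir symtest
-ln -s /usr/bin/firejail symtest/faudit
-
-# search for faudit in current directory
-export PATH=$PATH:.
-export FIREJAIL_TEST_ARGUMENTS=yes
-
-echo "TESTING: 2.1 - simple args"
-symtest/faudit arg1 arg2
-
-# simple quotes, testing spaces in file names
-echo "TESTING: 2.2 - args with space and \""
-symtest/faudit "arg1 tail" "arg2 tail"
-
-echo "TESTING: 2.3 - args with space and '"
-symtest/faudit 'arg1 tail' 'arg2 tail'
-
-# escaped space in file names
-echo "TESTING: 2.4 - args with space and \\"
-symtest/faudit arg1\ tail arg2\ tail
-
-# & char appears in URLs - URLs should be quoted
-echo "TESTING: 2.5 - args with & and \""
-symtest/faudit "arg1&tail" "arg2&tail"
-
-echo "TESTING: 2.6 - args with & and '"
-symtest/faudit 'arg1&tail' 'arg2&tail'
-
-rm -fr symtest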
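--- a/test/chroot/chroot.sh
+++ b/test/chroot/chroot.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3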
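--- a/test/chroot/configure
+++ b/test/chroot/configure
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 # build a very small chroot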
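--- a/test/chroot/fs_chroot.exp
+++ b/test/chroot/fs_chroot.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10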
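--- a/test/chroot/unchroot-as-root.exp
+++ b/test/chroot/unchroot-as-root.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10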
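--- a/test/chroot/unchroot.c
+++ b/test/chroot/unchroot.c
@@ -1,5 +1,5 @@
 // This file is part of Firejail project
-// Copyright (C) 2014-2020 Firejail Authors
+// Copyright (C) 2014-2021 Firejail Authors
 // License GPL v2
 
 // simple unchroot example from http://linux-vserver.org/Secure_chroot_Barrier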
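--- a/test/compile/compile.sh
+++ b/test/compile/compile.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 # not currently covered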
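--- a/test/environment/allow-debuggers.exp
+++ b/test/environment/allow-debuggers.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10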
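--- a/test/environment/csh.exp
+++ b/test/environment/csh.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10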
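--- a/test/environment/dash.exp
+++ b/test/environment/dash.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10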
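--- a/test/environment/deterministic-exit-code.exp
+++ b/test/environment/deterministic-exit-code.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 4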
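--- a/test/environment/dns.exp
+++ b/test/environment/dns.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10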
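--- a/test/environment/doubledash.exp
+++ b/test/environment/doubledash.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10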
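--- a/test/environment/env.exp
+++ b/test/environment/env.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10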
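--- a/test/environment/environment.sh
+++ b/test/environment/environment.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3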
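--- a/test/environment/extract_command.exp
+++ b/test/environment/extract_command.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10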
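--- a/test/environment/firejail-in-firejail.exp
+++ b/test/environment/firejail-in-firejail.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10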
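--- a/test/environment/hostfile.exp
+++ b/test/environment/hostfile.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 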
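--- a/test/environment/ibus.exp
+++ b/test/environment/ibus.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10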
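--- a/test/environment/machineid.exp
+++ b/test/environment/machineid.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 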
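--- a/test/environment/nice.exp
+++ b/test/environment/nice.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10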
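--- a/test/environment/output.exp
+++ b/test/environment/output.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10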
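--- a/test/environment/output.sh
+++ b/test/environment/output.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 i="0"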
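--- a/test/environment/quiet.exp
+++ b/test/environment/quiet.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 4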
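--- a/test/environment/rlimit-bad-profile.exp
+++ b/test/environment/rlimit-bad-profile.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10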
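--- a/test/environment/rlimit-bad.exp
+++ b/test/environment/rlimit-bad.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10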
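--- a/test/environment/rlimit-profile.exp
+++ b/test/environment/rlimit-profile.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10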
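--- a/test/environment/rlimit.exp
+++ b/test/environment/rlimit.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10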
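--- a/test/environment/shell-none.exp
+++ b/test/environment/shell-none.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10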
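--- a/test/environment/sound.exp
+++ b/test/environment/sound.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 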
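--- a/test/environment/timeout.exp
+++ b/test/environment/timeout.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10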
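--- a/test/environment/umask.exp
+++ b/test/environment/umask.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10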
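--- a/test/environment/zsh.exp
+++ b/test/environment/zsh.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10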
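--- a/test/fcopy/cmdline.exp
+++ b/test/fcopy/cmdline.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10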
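--- a/test/fcopy/dircopy.exp
+++ b/test/fcopy/dircopy.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 #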
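--- a/test/fcopy/fcopy.sh
+++ b/test/fcopy/fcopy.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3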
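--- a/test/fcopy/filecopy.exp
+++ b/test/fcopy/filecopy.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 #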
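--- a/test/fcopy/linkcopy.exp
+++ b/test/fcopy/linkcopy.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 #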
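--- a/test/features/1.1.exp
+++ b/test/features/1.1.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 #
 # disable /boot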
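--- a/test/features/1.10.exp
+++ b/test/features/1.10.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 #
 # disable /selinux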
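--- a/test/features/1.2.exp
+++ b/test/features/1.2.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 #
 # new /proc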
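--- a/test/features/1.4.exp
+++ b/test/features/1.4.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 #
 # mask other users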
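--- a/test/features/1.5.exp
+++ b/test/features/1.5.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 #
 # PID namespace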
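--- a/test/features/1.6.exp
+++ b/test/features/1.6.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 #
 # new /var/log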
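--- a/test/features/1.7.exp
+++ b/test/features/1.7.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 #
 # new /var/tmp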
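--- a/test/features/1.8.exp
+++ b/test/features/1.8.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 #
 # disable /etc/firejail and ~/.config/firejail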
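--- a/test/features/2.1.exp
+++ b/test/features/2.1.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 #
 # hostname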
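--- a/test/features/2.2.exp
+++ b/test/features/2.2.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 #
 # DNS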
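--- a/test/features/2.3.exp
+++ b/test/features/2.3.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 #
 # mac-vlan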
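--- a/test/features/2.4.exp
+++ b/test/features/2.4.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 #
 # bridge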
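--- a/test/features/2.5.exp
+++ b/test/features/2.5.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 #
 # interface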
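--- a/test/features/2.6.exp
+++ b/test/features/2.6.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 #
 # default gateway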
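--- a/test/features/3.1.exp
+++ b/test/features/3.1.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 #
 # private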
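--- a/test/features/3.10.exp
+++ b/test/features/3.10.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 #
 # whitelist tmp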
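--- a/test/features/3.11.exp
+++ b/test/features/3.11.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 #
 # mkdir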
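--- a/test/features/3.2.exp
+++ b/test/features/3.2.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 #
 # read-only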
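--- a/test/features/3.3.exp
+++ b/test/features/3.3.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 #
 # blacklist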
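--- a/test/features/3.4.exp
+++ b/test/features/3.4.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 #
 # whitelist home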
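--- a/test/features/3.5.exp
+++ b/test/features/3.5.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 #
 # private-dev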
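--- a/test/features/3.6.exp
+++ b/test/features/3.6.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 #
 # private-etc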
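--- a/test/features/3.7.exp
+++ b/test/features/3.7.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 #
 # private-tmp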
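--- a/test/features/3.8.exp
+++ b/test/features/3.8.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 #
 # private-bin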
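--- a/test/features/3.9.exp
+++ b/test/features/3.9.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 #
 # whitelist dev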
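--- a/test/features/test.sh
+++ b/test/features/test.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 export LC_ALL=C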
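--- a/test/filters/apparmor.exp
+++ b/test/filters/apparmor.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10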
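--- a/test/filters/caps-join.exp
+++ b/test/filters/caps-join.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10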
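--- a/test/filters/caps-print.exp
+++ b/test/filters/caps-print.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10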
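--- a/test/filters/caps.exp
+++ b/test/filters/caps.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10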
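--- a/test/filters/debug.exp
+++ b/test/filters/debug.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10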
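--- a/test/filters/filters.sh
+++ b/test/filters/filters.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3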
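--- a/test/filters/fseccomp.exp
+++ b/test/filters/fseccomp.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10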
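--- a/test/filters/memwrexe-32.exp
+++ b/test/filters/memwrexe-32.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10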
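--- a/test/filters/memwrexe.c
+++ b/test/filters/memwrexe.c
@@ -1,5 +1,5 @@
 // This file is part of Firejail project
-// Copyright (C) 2014-2020 Firejail Authors
+// Copyright (C) 2014-2021 Firejail Authors
 // License GPL v2
 
 #include <stdio.h>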
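--- a/test/filters/memwrexe.exp
+++ b/test/filters/memwrexe.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10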
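--- a/test/filters/noroot.exp
+++ b/test/filters/noroot.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10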
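--- a/test/filters/protocol.exp
+++ b/test/filters/protocol.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10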
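--- a/test/filters/seccomp-bad-empty.exp
+++ b/test/filters/seccomp-bad-empty.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10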
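--- a/test/filters/seccomp-chmod-profile.exp
+++ b/test/filters/seccomp-chmod-profile.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10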
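--- a/test/filters/seccomp-chmod.exp
+++ b/test/filters/seccomp-chmod.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10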
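--- a/test/filters/seccomp-chown.exp
+++ b/test/filters/seccomp-chown.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10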
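--- a/test/filters/seccomp-debug-32.exp
+++ b/test/filters/seccomp-debug-32.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10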
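--- a/test/filters/seccomp-debug.exp
+++ b/test/filters/seccomp-debug.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10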
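--- a/test/filters/seccomp-dualfilter.exp
+++ b/test/filters/seccomp-dualfilter.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 1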
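--- a/test/filters/seccomp-empty.exp
+++ b/test/filters/seccomp-empty.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10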
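--- a/test/filters/seccomp-errno.exp
+++ b/test/filters/seccomp-errno.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10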
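--- a/test/filters/seccomp-join.exp
+++ b/test/filters/seccomp-join.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10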
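--- a/test/filters/seccomp-numeric.exp
+++ b/test/filters/seccomp-numeric.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10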
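--- a/test/filters/seccomp-postexec.exp
+++ b/test/filters/seccomp-postexec.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10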
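--- a/test/filters/seccomp-ptrace.exp
+++ b/test/filters/seccomp-ptrace.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10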
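--- a/test/filters/seccomp-run-files.exp
+++ b/test/filters/seccomp-run-files.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10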
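--- a/test/filters/seccomp-su.exp
+++ b/test/filters/seccomp-su.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10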
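--- a/test/filters/syscall_test.c
+++ b/test/filters/syscall_test.c
@@ -1,5 +1,5 @@
 // This file is part of Firejail project
-// Copyright (C) 2014-2020 Firejail Authors
+// Copyright (C) 2014-2021 Firejail Authors
 // License GPL v2
 
 #include <stdlib.h>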
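--- a/test/fnetfilter/cmdline.exp
+++ b/test/fnetfilter/cmdline.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10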
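--- a/test/fnetfilter/copy.exp
+++ b/test/fnetfilter/copy.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10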
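--- a/test/fnetfilter/default.exp
+++ b/test/fnetfilter/default.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10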
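--- a/test/fnetfilter/fnetfilter.sh
+++ b/test/fnetfilter/fnetfilter.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3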
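--- a/test/fnetfilter/template.exp
+++ b/test/fnetfilter/template.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10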
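--- a/test/fs/fs.sh
+++ b/test/fs/fs.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3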
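--- a/test/fs/fs_dev_shm.exp
+++ b/test/fs/fs_dev_shm.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10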
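--- a/test/fs/fs_var_lock.exp
+++ b/test/fs/fs_var_lock.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10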
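--- a/test/fs/fs_var_tmp.exp
+++ b/test/fs/fs_var_tmp.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10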
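--- a/test/fs/fscheck-bindnoroot.exp
+++ b/test/fs/fscheck-bindnoroot.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10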
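--- a/test/fs/fscheck-private.exp
+++ b/test/fs/fscheck-private.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10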
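--- a/test/fs/fscheck-readonly.exp
+++ b/test/fs/fscheck-readonly.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10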
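--- a/test/fs/fscheck-tmpfs.exp
+++ b/test/fs/fscheck-tmpfs.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10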
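--- a/test/fs/invalid_filename.exp
+++ b/test/fs/invalid_filename.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10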
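--- a/test/fs/kmsg.exp
+++ b/test/fs/kmsg.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10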
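--- a/test/fs/macro.exp
+++ b/test/fs/macro.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10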
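--- a/test/fs/mkdir.exp
+++ b/test/fs/mkdir.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 3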
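--- a/test/fs/mkdir_mkfile.exp
+++ b/test/fs/mkdir_mkfile.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10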
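--- a/test/fs/noblacklist-blacklist-noexec.exp
+++ b/test/fs/noblacklist-blacklist-noexec.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10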
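--- a/test/fs/noblacklist-blacklist-readonly.exp
+++ b/test/fs/noblacklist-blacklist-readonly.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10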
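--- a/test/fs/option_bind_user.exp
+++ b/test/fs/option_bind_user.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10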
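--- a/test/fs/option_blacklist.exp
+++ b/test/fs/option_blacklist.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10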
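--- a/test/fs/option_blacklist_file.exp
+++ b/test/fs/option_blacklist_file.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10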
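--- a/test/fs/option_blacklist_glob.exp
+++ b/test/fs/option_blacklist_glob.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10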
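--- a/test/fs/private-bin.exp
+++ b/test/fs/private-bin.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10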
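--- a/test/fs/private-cache.exp
+++ b/test/fs/private-cache.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10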
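--- a/test/fs/private-cwd.exp
+++ b/test/fs/private-cwd.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10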
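--- a/test/fs/private-etc-empty.exp
+++ b/test/fs/private-etc-empty.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10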
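--- a/test/fs/private-etc.exp
+++ b/test/fs/private-etc.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10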
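--- a/test/fs/private-home-dir.exp
+++ b/test/fs/private-home-dir.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10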
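--- a/test/fs/private-home.exp
+++ b/test/fs/private-home.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10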
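--- a/test/fs/private-homedir.exp
+++ b/test/fs/private-homedir.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10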
diff --git a/test/fs/private-lib.exp b/test/fs/private-lib.exp index 574ca7ab4..f32affabb 100755 --- a/test/fs/private-lib.exp +++ b/test/fs/private-lib.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | 6 | ||
diff --git a/test/fs/private-whitelist.exp b/test/fs/private-whitelist.exp index c988bce7f..1879a3d54 100755 --- a/test/fs/private-whitelist.exp +++ b/test/fs/private-whitelist.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/fs/private.exp b/test/fs/private.exp index e59f64085..d4f7fc893 100755 --- a/test/fs/private.exp +++ b/test/fs/private.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/fs/read-write.exp b/test/fs/read-write.exp index 2ff4cda7c..ad51c2db1 100755 --- a/test/fs/read-write.exp +++ b/test/fs/read-write.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/fs/sys_fs.exp b/test/fs/sys_fs.exp index 60e935a4c..de7fadf6c 100755 --- a/test/fs/sys_fs.exp +++ b/test/fs/sys_fs.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/fs/whitelist-dev.exp b/test/fs/whitelist-dev.exp index 0db5b571c..ad5c54a9c 100755 --- a/test/fs/whitelist-dev.exp +++ b/test/fs/whitelist-dev.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/fs/whitelist-double.exp b/test/fs/whitelist-double.exp index 90cfbaf11..5ce9d8ad7 100755 --- a/test/fs/whitelist-double.exp +++ b/test/fs/whitelist-double.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/fs/whitelist-empty.exp b/test/fs/whitelist-empty.exp index c4810963f..dbc04cf30 100755 --- a/test/fs/whitelist-empty.exp +++ b/test/fs/whitelist-empty.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 30 | 6 | set timeout 30 |
diff --git a/test/fs/whitelist-noexec.exp b/test/fs/whitelist-noexec.exp index ee601c12d..e1c39b66f 100755 --- a/test/fs/whitelist-noexec.exp +++ b/test/fs/whitelist-noexec.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/fs/whitelist-readonly.exp b/test/fs/whitelist-readonly.exp index 0e5794a17..e5c9cc400 100755 --- a/test/fs/whitelist-readonly.exp +++ b/test/fs/whitelist-readonly.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/fs/whitelist-whitespace.exp b/test/fs/whitelist-whitespace.exp index 9534568c4..1b1c4c1cb 100755 --- a/test/fs/whitelist-whitespace.exp +++ b/test/fs/whitelist-whitespace.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/fs/whitelist.exp b/test/fs/whitelist.exp index 11dfa98c8..27ee2433e 100755 --- a/test/fs/whitelist.exp +++ b/test/fs/whitelist.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/4bridges_arp.exp b/test/network/4bridges_arp.exp index 4e191ffd6..d608128f8 100755 --- a/test/network/4bridges_arp.exp +++ b/test/network/4bridges_arp.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/4bridges_ip.exp b/test/network/4bridges_ip.exp index a613b3e54..586dfcba9 100755 --- a/test/network/4bridges_ip.exp +++ b/test/network/4bridges_ip.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/bandwidth.exp b/test/network/bandwidth.exp index b8497d936..d73669ebe 100755 --- a/test/network/bandwidth.exp +++ b/test/network/bandwidth.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/configure b/test/network/configure index 64d098931..f75e9b23f 100755 --- a/test/network/configure +++ b/test/network/configure | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | brctl addbr br0 | 6 | brctl addbr br0 |
diff --git a/test/network/dns-print.exp b/test/network/dns-print.exp index a002daeca..5ee4c0d19 100755 --- a/test/network/dns-print.exp +++ b/test/network/dns-print.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/firemon-arp.exp b/test/network/firemon-arp.exp index 70d129165..8e0a0b1b0 100755 --- a/test/network/firemon-arp.exp +++ b/test/network/firemon-arp.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/firemon-interfaces.exp b/test/network/firemon-interfaces.exp index 17b9f7535..494496a26 100755 --- a/test/network/firemon-interfaces.exp +++ b/test/network/firemon-interfaces.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/firemon-route.exp b/test/network/firemon-route.exp index fe2f5a952..a1ded08c1 100755 --- a/test/network/firemon-route.exp +++ b/test/network/firemon-route.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/hostname.exp b/test/network/hostname.exp index 205ae8078..825f1f6cf 100755 --- a/test/network/hostname.exp +++ b/test/network/hostname.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/interface.exp b/test/network/interface.exp index 35b22daaf..78178e233 100755 --- a/test/network/interface.exp +++ b/test/network/interface.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | # | 5 | # |
6 | # interface | 6 | # interface |
diff --git a/test/network/ip6.exp b/test/network/ip6.exp index e1583c22f..ed29964c6 100755 --- a/test/network/ip6.exp +++ b/test/network/ip6.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/iprange.exp b/test/network/iprange.exp index 5d270166f..2690a128a 100755 --- a/test/network/iprange.exp +++ b/test/network/iprange.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/net_arp.exp b/test/network/net_arp.exp index 5b170bad5..84912cddd 100755 --- a/test/network/net_arp.exp +++ b/test/network/net_arp.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/net_badip.exp b/test/network/net_badip.exp index 4e20f9040..b09f4d192 100755 --- a/test/network/net_badip.exp +++ b/test/network/net_badip.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/net_defaultgw.exp b/test/network/net_defaultgw.exp index 9093c7ad4..19dd94dbd 100755 --- a/test/network/net_defaultgw.exp +++ b/test/network/net_defaultgw.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/net_defaultgw2.exp b/test/network/net_defaultgw2.exp index 3ecb1cb51..4f5864822 100755 --- a/test/network/net_defaultgw2.exp +++ b/test/network/net_defaultgw2.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/net_defaultgw3.exp b/test/network/net_defaultgw3.exp index fe745d326..dc3589c3c 100755 --- a/test/network/net_defaultgw3.exp +++ b/test/network/net_defaultgw3.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/net_ip.exp b/test/network/net_ip.exp index e67dfd587..098eed758 100755 --- a/test/network/net_ip.exp +++ b/test/network/net_ip.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/net_local.exp b/test/network/net_local.exp index c1794f200..d5d4170e8 100755 --- a/test/network/net_local.exp +++ b/test/network/net_local.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/net_mac.exp b/test/network/net_mac.exp index d62a78e39..e067f604f 100755 --- a/test/network/net_mac.exp +++ b/test/network/net_mac.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/net_macvlan2.exp b/test/network/net_macvlan2.exp index 80c85a788..1f67f059e 100755 --- a/test/network/net_macvlan2.exp +++ b/test/network/net_macvlan2.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/net_mtu.exp b/test/network/net_mtu.exp index 19a488376..439e05334 100755 --- a/test/network/net_mtu.exp +++ b/test/network/net_mtu.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/net_netfilter.exp b/test/network/net_netfilter.exp index bce067c43..8a949c22b 100755 --- a/test/network/net_netfilter.exp +++ b/test/network/net_netfilter.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/net_noip.exp b/test/network/net_noip.exp index 46ef6f9fb..53b719f6c 100755 --- a/test/network/net_noip.exp +++ b/test/network/net_noip.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/net_noip2.exp b/test/network/net_noip2.exp index 579661fbc..aa74d6ba8 100755 --- a/test/network/net_noip2.exp +++ b/test/network/net_noip2.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/net_none.exp b/test/network/net_none.exp index 6ec4187d3..c8787c342 100755 --- a/test/network/net_none.exp +++ b/test/network/net_none.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/net_profile.exp b/test/network/net_profile.exp index f31527984..e7c6530df 100755 --- a/test/network/net_profile.exp +++ b/test/network/net_profile.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/net_scan.exp b/test/network/net_scan.exp index 6cd3804be..b9260925a 100755 --- a/test/network/net_scan.exp +++ b/test/network/net_scan.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/net_unconfigured.exp b/test/network/net_unconfigured.exp index 349d4c042..d2b60d73c 100755 --- a/test/network/net_unconfigured.exp +++ b/test/network/net_unconfigured.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/net_veth.exp b/test/network/net_veth.exp index ada2d7bd9..cd4e64e24 100755 --- a/test/network/net_veth.exp +++ b/test/network/net_veth.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/netfilter-template.exp b/test/network/netfilter-template.exp index 72dfa1653..dadea1430 100755 --- a/test/network/netfilter-template.exp +++ b/test/network/netfilter-template.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/netns.exp b/test/network/netns.exp index cec3151ef..9ef4ed554 100755 --- a/test/network/netns.exp +++ b/test/network/netns.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/netstats.exp b/test/network/netstats.exp index 4b47c389d..e15e2f42d 100755 --- a/test/network/netstats.exp +++ b/test/network/netstats.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/network.sh b/test/network/network.sh index a216f5563..9f2b9e1cd 100755 --- a/test/network/network.sh +++ b/test/network/network.sh | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | export MALLOC_CHECK_=3 | 6 | export MALLOC_CHECK_=3 |
diff --git a/test/network/tcpserver.c b/test/network/tcpserver.c index f7f8a41bc..72730b674 100644 --- a/test/network/tcpserver.c +++ b/test/network/tcpserver.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2020 Firejail Authors | 2 | * Copyright (C) 2014-2021 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/test/network/veth-name.exp b/test/network/veth-name.exp index 4ad5f868c..1790381e3 100755 --- a/test/network/veth-name.exp +++ b/test/network/veth-name.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/overlay/firefox-x11-xorg.exp b/test/overlay/firefox-x11-xorg.exp index 395a91a1f..ecb9288b0 100755 --- a/test/overlay/firefox-x11-xorg.exp +++ b/test/overlay/firefox-x11-xorg.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/overlay/firefox-x11.exp b/test/overlay/firefox-x11.exp index 1b3f779bb..5b7b1bec3 100755 --- a/test/overlay/firefox-x11.exp +++ b/test/overlay/firefox-x11.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/overlay/firefox.exp b/test/overlay/firefox.exp index fd3c73d32..25c6e5e07 100755 --- a/test/overlay/firefox.exp +++ b/test/overlay/firefox.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/overlay/fs-named.exp b/test/overlay/fs-named.exp index abfddabc3..df1dfc244 100755 --- a/test/overlay/fs-named.exp +++ b/test/overlay/fs-named.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/overlay/fs-tmpfs.exp b/test/overlay/fs-tmpfs.exp index 130159ad0..5bd2b25fc 100755 --- a/test/overlay/fs-tmpfs.exp +++ b/test/overlay/fs-tmpfs.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/overlay/fs.exp b/test/overlay/fs.exp index f8c8150d3..3314e849d 100755 --- a/test/overlay/fs.exp +++ b/test/overlay/fs.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/overlay/overlay.sh b/test/overlay/overlay.sh index 3d4ec06d4..f1daba935 100755 --- a/test/overlay/overlay.sh +++ b/test/overlay/overlay.sh | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | export MALLOC_CHECK_=3 | 6 | export MALLOC_CHECK_=3 |
diff --git a/test/private-lib/atril.exp b/test/private-lib/atril.exp index effdf0b7f..679799f02 100755 --- a/test/private-lib/atril.exp +++ b/test/private-lib/atril.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/private-lib/dig.exp b/test/private-lib/dig.exp index a15d5e44a..39f3f6d49 100755 --- a/test/private-lib/dig.exp +++ b/test/private-lib/dig.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/private-lib/eog.exp b/test/private-lib/eog.exp index 85f9b3e3d..ac6ecfff7 100755 --- a/test/private-lib/eog.exp +++ b/test/private-lib/eog.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/private-lib/eom.exp b/test/private-lib/eom.exp index a8caf1b01..47e749712 100755 --- a/test/private-lib/eom.exp +++ b/test/private-lib/eom.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
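--- a/test/private-lib/evince.exp
+++ b/test/private-lib/evince.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10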
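--- a/test/private-lib/galculator.exp
+++ b/test/private-lib/galculator.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10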
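--- a/test/private-lib/gedit.exp
+++ b/test/private-lib/gedit.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10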
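--- a/test/private-lib/gnome-calculator.exp
+++ b/test/private-lib/gnome-calculator.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10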
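--- a/test/private-lib/gnome-logs.exp
+++ b/test/private-lib/gnome-logs.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10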
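--- a/test/private-lib/gnome-nettool.exp
+++ b/test/private-lib/gnome-nettool.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10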
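--- a/test/private-lib/gnome-system-log.exp
+++ b/test/private-lib/gnome-system-log.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10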
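--- a/test/private-lib/gpicview.exp
+++ b/test/private-lib/gpicview.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10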
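--- a/test/private-lib/leafpad.exp
+++ b/test/private-lib/leafpad.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10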
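--- a/test/private-lib/mousepad.exp
+++ b/test/private-lib/mousepad.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10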
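--- a/test/private-lib/pavucontrol.exp
+++ b/test/private-lib/pavucontrol.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10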
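--- a/test/private-lib/pluma.exp
+++ b/test/private-lib/pluma.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10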
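--- a/test/private-lib/private-lib.sh
+++ b/test/private-lib/private-lib.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3g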
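--- a/test/private-lib/transmission-gtk.exp
+++ b/test/private-lib/transmission-gtk.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10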
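--- a/test/private-lib/whois.exp
+++ b/test/private-lib/whois.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10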
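--- a/test/private-lib/xcalc.exp
+++ b/test/private-lib/xcalc.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10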
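--- a/test/profiles/conditional.exp
+++ b/test/profiles/conditional.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10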
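--- a/test/profiles/ignore.exp
+++ b/test/profiles/ignore.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10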
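--- a/test/profiles/profile_appname.exp
+++ b/test/profiles/profile_appname.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10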
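--- a/test/profiles/profile_followlnk.exp
+++ b/test/profiles/profile_followlnk.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10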
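--- a/test/profiles/profile_noperm.exp
+++ b/test/profiles/profile_noperm.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10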
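--- a/test/profiles/profile_readonly.exp
+++ b/test/profiles/profile_readonly.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10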
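--- a/test/profiles/profile_recursivity.exp
+++ b/test/profiles/profile_recursivity.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10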
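--- a/test/profiles/profile_syntax.exp
+++ b/test/profiles/profile_syntax.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10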
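--- a/test/profiles/profile_syntax2.exp
+++ b/test/profiles/profile_syntax2.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10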
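--- a/test/profiles/profiles.sh
+++ b/test/profiles/profiles.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3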
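--- a/test/profiles/test-profile.exp
+++ b/test/profiles/test-profile.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10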
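--- a/test/root/apache2.exp
+++ b/test/root/apache2.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 5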
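--- a/test/root/cgroup.exp
+++ b/test/root/cgroup.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10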
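--- a/test/root/checkcfg.exp
+++ b/test/root/checkcfg.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10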
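--- a/test/root/firecfg.exp
+++ b/test/root/firecfg.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10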
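--- a/test/root/firemon-events.exp
+++ b/test/root/firemon-events.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10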
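--- a/test/root/isc-dhcp.exp
+++ b/test/root/isc-dhcp.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 5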
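--- a/test/root/join.exp
+++ b/test/root/join.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10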
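--- a/test/root/login_nobody.exp
+++ b/test/root/login_nobody.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10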
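--- a/test/root/nginx.exp
+++ b/test/root/nginx.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 5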
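--- a/test/root/option_bind_directory.exp
+++ b/test/root/option_bind_directory.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10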
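--- a/test/root/option_bind_file.exp
+++ b/test/root/option_bind_file.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10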
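--- a/test/root/option_tmpfs.exp
+++ b/test/root/option_tmpfs.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10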
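--- a/test/root/private.exp
+++ b/test/root/private.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10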
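--- a/test/root/profile_tmpfs.exp
+++ b/test/root/profile_tmpfs.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10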
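--- a/test/root/root.sh
+++ b/test/root/root.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 # set a new firejail config file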
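--- a/test/root/seccomp-chmod.exp
+++ b/test/root/seccomp-chmod.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10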
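--- a/test/root/seccomp-chown.exp
+++ b/test/root/seccomp-chown.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10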
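--- a/test/root/seccomp-umount.exp
+++ b/test/root/seccomp-umount.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10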
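--- a/test/root/snmpd.exp
+++ b/test/root/snmpd.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 5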
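--- a/test/root/unbound.exp
+++ b/test/root/unbound.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 5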
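--- a/test/root/whitelist.exp
+++ b/test/root/whitelist.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10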
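--- a/test/ssh/login.exp
+++ b/test/ssh/login.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10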
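--- a/test/ssh/scp.exp
+++ b/test/ssh/scp.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10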
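--- a/test/ssh/sftp.exp
+++ b/test/ssh/sftp.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10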
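--- a/test/ssh/ssh.sh
+++ b/test/ssh/ssh.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3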
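--- a/test/stress/blacklist.exp
+++ b/test/stress/blacklist.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10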
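--- a/test/stress/env.exp
+++ b/test/stress/env.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10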
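--- a/test/stress/net_macvlan.exp
+++ b/test/stress/net_macvlan.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10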
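--- a/test/stress/stress.sh
+++ b/test/stress/stress.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3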
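--- a/test/sysutils/cpio.exp
+++ b/test/sysutils/cpio.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10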
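--- a/test/sysutils/file.exp
+++ b/test/sysutils/file.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10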
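--- a/test/sysutils/gzip.exp
+++ b/test/sysutils/gzip.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10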
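--- a/test/sysutils/less.exp
+++ b/test/sysutils/less.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10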
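--- a/test/sysutils/ping.exp
+++ b/test/sysutils/ping.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10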
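--- a/test/sysutils/strings.exp
+++ b/test/sysutils/strings.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10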
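--- a/test/sysutils/sysutils.sh
+++ b/test/sysutils/sysutils.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3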
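--- a/test/sysutils/tar.exp
+++ b/test/sysutils/tar.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10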
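--- a/test/sysutils/xz.exp
+++ b/test/sysutils/xz.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 60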
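--- a/test/sysutils/xzdec.exp
+++ b/test/sysutils/xzdec.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10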
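--- a/test/utils/audit.exp
+++ /dev/null
@@ -1,167 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --audit\r"
-expect {
-timeout {puts "TESTING ERROR 0\n";exit}
-"Firejail Audit"
-}
-expect {
-timeout {puts "TESTING ERROR 1\n";exit}
-"is running in a PID namespace"
-}
-expect {
-timeout {puts "TESTING ERROR 2\n";exit}
-"container/sandbox firejail"
-}
-expect {
-timeout {puts "TESTING ERROR 3\n";exit}
-"seccomp BPF enabled"
-}
-expect {
-timeout {puts "TESTING ERROR 4\n";exit}
-"all capabilities are disabled"
-}
-expect {
-timeout {puts "TESTING ERROR 5\n";exit}
-"dev directory seems to be fully populated"
-}
-expect {
-timeout {puts "TESTING ERROR 5.1\n";exit}
-"Parent is shutting down, bye..."
-}
-after 100
-
-
-send -- "firejail --audit\r"
-expect {
-timeout {puts "TESTING ERROR 6\n";exit}
-"Firejail Audit"
-}
-expect {
-timeout {puts "TESTING ERROR 7\n";exit}
-"is running in a PID namespace"
-}
-expect {
-timeout {puts "TESTING ERROR 8\n";exit}
-"container/sandbox firejail"
-}
-expect {
-timeout {puts "TESTING ERROR 9\n";exit}
-"seccomp BPF enabled"
-}
-expect {
-timeout {puts "TESTING ERROR 10\n";exit}
-"all capabilities are disabled"
-}
-expect {
-timeout {puts "TESTING ERROR 11\n";exit}
-"dev directory seems to be fully populated"
-}
-expect {
-timeout {puts "TESTING ERROR 11.1\n";exit}
-"Parent is shutting down, bye..."
-}
-after 100
-
-send -- "firejail --audit=blablabla\r"
-expect {
-timeout {puts "TESTING ERROR 12\n";exit}
-"cannot find the audit program"
-}
-after 100
-
-send -- "firejail --audit=\r"
-expect {
-timeout {puts "TESTING ERROR 12\n";exit}
-"invalid audit program"
-}
-after 100
-
-# run audit executable without a sandbox
-send -- "faudit\r"
-expect {
-timeout {puts "TESTING ERROR 13\n";exit}
-"is not running in a PID namespace"
-}
-expect {
-timeout {puts "TESTING ERROR 14\n";exit}
-"BAD: seccomp disabled"
-}
-expect {
-timeout {puts "TESTING ERROR 15\n";exit}
-"BAD: the capability map is"
-}
-expect {
-timeout {puts "TESTING ERROR 16\n";exit}
-"MAYBE: /dev directory seems to be fully populated"
-}
-after 100
-
-# test seccomp
-send -- "firejail --seccomp.drop=mkdir --audit\r"
-expect {
-timeout {puts "TESTING ERROR 17\n";exit}
-"Firejail Audit"
-}
-expect {
-timeout {puts "TESTING ERROR 18\n";exit}
-"GOOD: seccomp BPF enabled"
-}
-expect {
-timeout {puts "TESTING ERROR 19\n";exit}
-"UGLY: mount syscall permitted"
-}
-expect {
-timeout {puts "TESTING ERROR 20\n";exit}
-"UGLY: umount2 syscall permitted"
-}
-expect {
-timeout {puts "TESTING ERROR 21\n";exit}
-"UGLY: ptrace syscall permitted"
-}
-expect {
-timeout {puts "TESTING ERROR 22\n";exit}
-"UGLY: swapon syscall permitted"
-}
-expect {
-timeout {puts "TESTING ERROR 23\n";exit}
-"UGLY: swapoff syscall permitted"
-}
-expect {
-timeout {puts "TESTING ERROR 24\n";exit}
-"UGLY: init_module syscall permitted"
-}
-expect {
-timeout {puts "TESTING ERROR 25\n";exit}
-"UGLY: delete_module syscall permitted"
-}
-expect {
-timeout {puts "TESTING ERROR 26\n";exit}
-"UGLY: chroot syscall permitted"
-}
-expect {
-timeout {puts "TESTING ERROR 27\n";exit}
-"UGLY: pivot_root syscall permitted"
-}
-expect {
-timeout {puts "TESTING ERROR 28\n";exit}
-"UGLY: iopl syscall permitted"
-}
-expect {
-timeout {puts "TESTING ERROR 29\n";exit}
-"UGLY: ioperm syscall permitted"
-}
-expect {
-timeout {puts "TESTING ERROR 30\n";exit}
-"GOOD: all capabilities are disabled"
-}
-after 100
-
-puts "\nall done\n"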
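--- a/test/utils/build.exp
+++ b/test/utils/build.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10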
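--- a/test/utils/caps-print.exp
+++ b/test/utils/caps-print.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10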
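--- a/test/utils/catchsignal-master.sh
+++ b/test/utils/catchsignal-master.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 ./catchsignal.sh &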
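--- a/test/utils/catchsignal.sh
+++ b/test/utils/catchsignal.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 _term() {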
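--- a/test/utils/catchsignal2.sh
+++ b/test/utils/catchsignal2.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 _term() {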
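--- a/test/utils/command.exp
+++ b/test/utils/command.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10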
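--- a/test/utils/cpu-print.exp
+++ b/test/utils/cpu-print.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10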
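--- a/test/utils/dns-print.exp
+++ b/test/utils/dns-print.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10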
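--- a/test/utils/firemon-caps.exp
+++ b/test/utils/firemon-caps.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10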
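--- a/test/utils/firemon-cgroup.exp
+++ b/test/utils/firemon-cgroup.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10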
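--- a/test/utils/firemon-cpu.exp
+++ b/test/utils/firemon-cpu.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10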
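--- a/test/utils/firemon-interface.exp
+++ b/test/utils/firemon-interface.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10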
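--- a/test/utils/firemon-name.exp
+++ b/test/utils/firemon-name.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10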
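--- a/test/utils/firemon-seccomp.exp
+++ b/test/utils/firemon-seccomp.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10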
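--- a/test/utils/firemon-version.exp
+++ b/test/utils/firemon-version.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10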
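--- a/test/utils/fs-print.exp
+++ b/test/utils/fs-print.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10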
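--- a/test/utils/help.exp
+++ b/test/utils/help.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10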
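--- a/test/utils/join-profile.exp
+++ b/test/utils/join-profile.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10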
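--- a/test/utils/join.exp
+++ b/test/utils/join.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10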
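--- a/test/utils/join2.exp
+++ b/test/utils/join2.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10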
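--- a/test/utils/join3.exp
+++ b/test/utils/join3.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10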
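--- a/test/utils/join4.exp
+++ b/test/utils/join4.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10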
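--- a/test/utils/join5.exp
+++ b/test/utils/join5.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10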
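--- a/test/utils/list.exp
+++ b/test/utils/list.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10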
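--- a/test/utils/ls.exp
+++ b/test/utils/ls.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10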
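--- a/test/utils/man.exp
+++ b/test/utils/man.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10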
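--- a/test/utils/name.exp
+++ b/test/utils/name.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10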
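--- a/test/utils/profile_print.exp
+++ b/test/utils/profile_print.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10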
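--- a/test/utils/protocol-print.exp
+++ b/test/utils/protocol-print.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10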
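--- a/test/utils/seccomp-print.exp
+++ b/test/utils/seccomp-print.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10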
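--- a/test/utils/shutdown.exp
+++ b/test/utils/shutdown.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 15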
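--- a/test/utils/shutdown2.exp
+++ b/test/utils/shutdown2.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10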
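--- a/test/utils/shutdown3.exp
+++ b/test/utils/shutdown3.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10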
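--- a/test/utils/shutdown4.exp
+++ b/test/utils/shutdown4.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10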
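--- a/test/utils/top.exp
+++ b/test/utils/top.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10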
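--- a/test/utils/trace.exp
+++ b/test/utils/trace.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 30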
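--- a/test/utils/tree.exp
+++ b/test/utils/tree.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10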
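--- a/test/utils/utils.sh
+++ b/test/utils/utils.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
@@ -8,7 +8,7 @@ export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
 export LC_ALL=C
 
 if [ -f /etc/debian_version ]; then
-libdir=$(dirname "$(dpkg -L firejail | grep faudit)")
+libdir=$(dirname "$(dpkg -L firejail | grep fcopy)")
 export PATH="$PATH:$libdir"
 fi
 export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail"
@@ -18,13 +18,6 @@ echo "TESTING: build (test/utils/build.exp)"
 rm -f ~/firejail-test-file-7699
 rm -f firejail-test-file-4388
 
-if [ $(faudit | grep -c "is running in a PID namespace.") -gt 0 ]; then
-echo "TESTING SKIP: already running in pid namespace (test/utils/audit.exp)"
-else
-echo "TESTING: audit (test/utils/audit.exp)"
-./audit.exp
-fi
-
 echo "TESTING: name (test/utils/name.exp)"
 ./name.exp
 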
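Review bot: In the second hunk the result of `grep fcopy` is an unanchored substring match that is never checked, so when `dpkg -L firejail` lists no matching path `dirname ""` returns `.` and the following `export PATH="$PATH:$libdir"` appends the current directory to the search path of every test that runs afterwards. If more than one listed path contains `fcopy`, `dirname` instead receives a multi-line string and `libdir` ends up as a path that does not exist. Anchoring the match and guarding the export covers both cases: `libdir=$(dirname "$(dpkg -L firejail | grep -m1 '/fcopy$')")` followed by `[ "$libdir" != "." ] && export PATH="$PATH:$libdir"`. The same pattern existed with `faudit` before this commit, so this is a weakness carried over by the rename rather than one it introduces.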
diff --git a/test/utils/version.exp b/test/utils/version.exp index c78a087bb..be0d152b8 100755 --- a/test/utils/version.exp +++ b/test/utils/version.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2021 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |