1 files changed, 117 insertions, 22 deletions
diff --git a/README.md b/README.md
index db088ddf6..175ba70b6 100644
--- a/README.md
+++ b/README.md
@@ -198,7 +198,100 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 Milestone page: https://github.com/netblue30/firejail/milestone/1
 Release discussion: https://github.com/netblue30/firejail/issues/3696
+### jailtest
+`````
+JAILTEST(1)                    JAILTEST man page                   JAILTEST(1)
+NAME
+       jailtest - Simple utility program to test running sandboxes
+SYNOPSIS
+       sudo jailtest [OPTIONS] [directory]
+DESCRIPTION
+       WORK IN PROGRESS!  jailtest attaches itself to all sandboxes started by
+       the user and performs some basic tests on the sandbox filesystem:
+       1. Virtual directories
+              jailtest extracts a list with the main virtual  directories  in‐
+              stalled by the sandbox.  These directories are build by firejail
+              at startup using --private* and --whitelist commands.
+       2. Noexec test
+              jailtest inserts executable programs  in  /home/username,  /tmp,
+              and  /var/tmp  directories and tries to run them form inside the
+              sandbox, thus testing if the directory is executable or not.
+       3. Read access test
+              jailtest creates test files in the directories specified by  the
+              user and tries to read them from inside the sandbox.
+       4. AppArmor test
+       5. Seccomp test
+       The program is started as root using sudo.
+OPTIONS
+       --debug
+              Print debug messages
+       -?, --help
+              Print options end exit.
+       --version
+              Print program version and exit.
+       [directory]
+              One  or  more  directories in user home to test for read access.
+              ~/.ssh and ~/.gnupg are tested by default.
+OUTPUT
+       For each sandbox detected we print the following line:
+            PID:USER:Sandbox Name:Command
+       It is followed by relevant sandbox information, such as the virtual di‐
+       rectories and various warnings.
+EXAMPLE
+       $ sudo jailtest
+       2014:netblue::firejail /usr/bin/gimp
+          Virtual dirs: /tmp, /var/tmp, /dev, /usr/share,
+          Warning: I can run programs in /home/netblue
+       2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net
+          Virtual dirs: /var/tmp, /dev, /usr/share, /run/user/1000,
+          Warning: I can read ~/.ssh
+       2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.ap‐
+       pimage
+          Virtual dirs: /tmp, /var/tmp, /dev,
+       26090:netblue::/usr/bin/firejail /opt/firefox/firefox
+          Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /usr/share,
+                        /run/user/1000,
+       26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor
+          Warning: AppArmor not enabled
+          Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /bin,
+                        /usr/share, /run/user/1000,
+          Warning: I can run programs in /home/netblue
+LICENSE
+       This program is free software; you can redistribute it and/or modify it
+       under  the  terms of the GNU General Public License as published by the
+       Free Software Foundation; either version 2 of the License, or (at  your
+       option) any later version.
+       Homepage: https://firejail.wordpress.com
+SEE ALSO
+       firejail(1),  firemon(1), firecfg(1), firejail-profile(5), firejail-lo‐
+       gin(5), firejail-users(5),
+0.9.65                             Feb 2021                        JAILTEST(1)
+`````
 ### Profile Statistics
@@ -210,31 +303,33 @@ $ ./profstats *.profile
 Warning: multiple caps in transmission-daemon.profile
 Stats:
-    profiles                    1064
+    profiles                    1077
-    include local profile       1064   (include profile-name.local)
+    include local profile       1077   (include profile-name.local)
-    include globals             1064   (include globals.local)
+    include globals             1077   (include globals.local)
-    blacklist ~/.ssh            959   (include disable-common.inc)
+    blacklist ~/.ssh            971   (include disable-common.inc)
-    seccomp                     975
+    seccomp                     988
-    capabilities                1063
+    capabilities                1076
-    noexec                      944   (include disable-exec.inc)
+    noexec                      960   (include disable-exec.inc)
-    memory-deny-write-execute   229
+    memory-deny-write-execute   231
-    apparmor                    605
+    apparmor                    621
-    private-bin                 564
+    private-bin                 571
-    private-dev                 932
+    private-dev                 949
-    private-etc                 462
+    private-etc                 470
-    private-tmp                 823
+    private-tmp                 835
-    whitelist home directory    502
+    whitelist home directory    508
-    whitelist var               744   (include whitelist-var-common.inc)
+    whitelist var               758   (include whitelist-var-common.inc)
-    whitelist run/user          461   (include whitelist-runuser-common.inc
+    whitelist run/user          539   (include whitelist-runuser-common.inc
                                        or blacklist ${RUNUSER})
-    whitelist usr/share         451   (include whitelist-usr-share-common.inc
+    whitelist usr/share         526   (include whitelist-usr-share-common.inc
-    net none                    345
+    net none                    354
-    dbus-user none              564
+    dbus-user none              573
-    dbus-user filter            85
+    dbus-user filter            86
-    dbus-system none            696
+    dbus-system none            706
    dbus-system filter          7
 ```
 ### New profiles:
-vmware-view, display-im6.q16
+vmware-view, display-im6.q16, ipcalc, ipcalc-ng, ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop,
+avidemux, calligragemini, vmware-player, vmware-workstation, gget, com.github.phase1geo.minder, nextcloud-desktop,
+pcsxr, PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2

diff --git a/README.md b/README.md index db088ddf6..175ba70b6 100644 --- a/README.md +++ b/README.md
@@ -198,7 +198,100 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
198	Milestone page: https://github.com/netblue30/firejail/milestone/1	198	Milestone page: https://github.com/netblue30/firejail/milestone/1
199	Release discussion: https://github.com/netblue30/firejail/issues/3696	199	Release discussion: https://github.com/netblue30/firejail/issues/3696
200		200
		201	### jailtest
		202	`````
		203	JAILTEST(1) JAILTEST man page JAILTEST(1)
		204
		205	NAME
		206	jailtest - Simple utility program to test running sandboxes
		207
		208	SYNOPSIS
		209	sudo jailtest [OPTIONS] [directory]
		210
		211	DESCRIPTION
		212	WORK IN PROGRESS! jailtest attaches itself to all sandboxes started by
		213	the user and performs some basic tests on the sandbox filesystem:
		214
		215	1. Virtual directories
		216	jailtest extracts a list with the main virtual directories in‐
		217	stalled by the sandbox. These directories are build by firejail
		218	at startup using --private* and --whitelist commands.
		219
		220	2. Noexec test
		221	jailtest inserts executable programs in /home/username, /tmp,
		222	and /var/tmp directories and tries to run them form inside the
		223	sandbox, thus testing if the directory is executable or not.
		224
		225	3. Read access test
		226	jailtest creates test files in the directories specified by the
		227	user and tries to read them from inside the sandbox.
		228
		229	4. AppArmor test
		230
		231	5. Seccomp test
		232
		233	The program is started as root using sudo.
		234
		235	OPTIONS
		236	--debug
		237	Print debug messages
		238
		239	-?, --help
		240	Print options end exit.
		241
		242	--version
		243	Print program version and exit.
201		244
		245	[directory]
		246	One or more directories in user home to test for read access.
		247	~/.ssh and ~/.gnupg are tested by default.
		248
		249	OUTPUT
		250	For each sandbox detected we print the following line:
		251
		252	PID:USER:Sandbox Name:Command
		253
		254	It is followed by relevant sandbox information, such as the virtual di‐
		255	rectories and various warnings.
		256
		257	EXAMPLE
		258	$ sudo jailtest
		259	2014:netblue::firejail /usr/bin/gimp
		260	Virtual dirs: /tmp, /var/tmp, /dev, /usr/share,
		261	Warning: I can run programs in /home/netblue
		262
		263	2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net
		264	Virtual dirs: /var/tmp, /dev, /usr/share, /run/user/1000,
		265	Warning: I can read ~/.ssh
		266
		267	2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.ap‐
		268	pimage
		269	Virtual dirs: /tmp, /var/tmp, /dev,
		270
		271	26090:netblue::/usr/bin/firejail /opt/firefox/firefox
		272	Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /usr/share,
		273	/run/user/1000,
		274
		275	26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor
		276	Warning: AppArmor not enabled
		277	Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /bin,
		278	/usr/share, /run/user/1000,
		279	Warning: I can run programs in /home/netblue
		280
		281	LICENSE
		282	This program is free software; you can redistribute it and/or modify it
		283	under the terms of the GNU General Public License as published by the
		284	Free Software Foundation; either version 2 of the License, or (at your
		285	option) any later version.
		286
		287	Homepage: https://firejail.wordpress.com
		288
		289	SEE ALSO
		290	firejail(1), firemon(1), firecfg(1), firejail-profile(5), firejail-lo‐
		291	gin(5), firejail-users(5),
		292
		293	0.9.65 Feb 2021 JAILTEST(1)
		294	`````
202		295
203	### Profile Statistics	296	### Profile Statistics
204		297
@@ -210,31 +303,33 @@ $ ./profstats *.profile
210	Warning: multiple caps in transmission-daemon.profile	303	Warning: multiple caps in transmission-daemon.profile
211		304
212	Stats:	305	Stats:
213	profiles 1064	306	profiles 1077
214	include local profile 1064 (include profile-name.local)	307	include local profile 1077 (include profile-name.local)
215	include globals 1064 (include globals.local)	308	include globals 1077 (include globals.local)
216	blacklist ~/.ssh 959 (include disable-common.inc)	309	blacklist ~/.ssh 971 (include disable-common.inc)
217	seccomp 975	310	seccomp 988
218	capabilities 1063	311	capabilities 1076
219	noexec 944 (include disable-exec.inc)	312	noexec 960 (include disable-exec.inc)
220	memory-deny-write-execute 229	313	memory-deny-write-execute 231
221	apparmor 605	314	apparmor 621
222	private-bin 564	315	private-bin 571
223	private-dev 932	316	private-dev 949
224	private-etc 462	317	private-etc 470
225	private-tmp 823	318	private-tmp 835
226	whitelist home directory 502	319	whitelist home directory 508
227	whitelist var 744 (include whitelist-var-common.inc)	320	whitelist var 758 (include whitelist-var-common.inc)
228	whitelist run/user 461 (include whitelist-runuser-common.inc	321	whitelist run/user 539 (include whitelist-runuser-common.inc
229	or blacklist ${RUNUSER})	322	or blacklist ${RUNUSER})
230	whitelist usr/share 451 (include whitelist-usr-share-common.inc	323	whitelist usr/share 526 (include whitelist-usr-share-common.inc
231	net none 345	324	net none 354
232	dbus-user none 564	325	dbus-user none 573
233	dbus-user filter 85	326	dbus-user filter 86
234	dbus-system none 696	327	dbus-system none 706
235	dbus-system filter 7	328	dbus-system filter 7
236	```	329	```
237		330
238	### New profiles:	331	### New profiles:
239		332
240	vmware-view, display-im6.q16	333	vmware-view, display-im6.q16, ipcalc, ipcalc-ng, ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop,
		334	avidemux, calligragemini, vmware-player, vmware-workstation, gget, com.github.phase1geo.minder, nextcloud-desktop,
		335	pcsxr, PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2