Diffstat (limited to 'src/fbuilder/build_profile.c')
-rw-r--r-- | src/fbuilder/build_profile.c | 44 |
1 files changed, 28 insertions, 16 deletions
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c index fb53f70a6..1726b4dbb 100644 --- a/src/fbuilder/build_profile.c +++ b/src/fbuilder/build_profile.c | |||
@@ -145,9 +145,9 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
145 | fprintf(fp, "# program name) in ~/.config/firejail directory. Firejail will find it\n"); | 145 | fprintf(fp, "# program name) in ~/.config/firejail directory. Firejail will find it\n"); |
146 | fprintf(fp, "# automatically every time you sandbox your application.\n#\n"); | 146 | fprintf(fp, "# automatically every time you sandbox your application.\n#\n"); |
147 | fprintf(fp, "# Run \"firejail application\" to test it. In the file there are\n"); | 147 | fprintf(fp, "# Run \"firejail application\" to test it. In the file there are\n"); |
148 | fprintf(fp, "# some other commands you can try. Enable them by removing the \"#\".\n"); | 148 | fprintf(fp, "# some other commands you can try. Enable them by removing the \"#\".\n\n"); |
149 | 149 | ||
150 | fprintf(fp, "\n# Firejail profile for %s\n", argv[index]); | 150 | fprintf(fp, "# Firejail profile for %s\n", argv[index]); |
151 | fprintf(fp, "# Persistent local customizations\n"); | 151 | fprintf(fp, "# Persistent local customizations\n"); |
152 | fprintf(fp, "#include %s.local\n", argv[index]); | 152 | fprintf(fp, "#include %s.local\n", argv[index]); |
153 | fprintf(fp, "# Persistent global definitions\n"); | 153 | fprintf(fp, "# Persistent global definitions\n"); |
@@ -164,6 +164,7 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
164 | fprintf(fp, "#include disable-interpreters.inc\n"); | 164 | fprintf(fp, "#include disable-interpreters.inc\n"); |
165 | fprintf(fp, "include disable-passwdmgr.inc\n"); | 165 | fprintf(fp, "include disable-passwdmgr.inc\n"); |
166 | fprintf(fp, "include disable-programs.inc\n"); | 166 | fprintf(fp, "include disable-programs.inc\n"); |
167 | fprintf(fp, "#include disable-shell.inc\n"); | ||
167 | fprintf(fp, "#include disable-xdg.inc\n"); | 168 | fprintf(fp, "#include disable-xdg.inc\n"); |
168 | fprintf(fp, "\n"); | 169 | fprintf(fp, "\n"); |
169 | 170 | ||
@@ -171,29 +172,27 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
171 | fprintf(fp, "### If something goes wrong, this section is the first one to comment out.\n"); | 172 | fprintf(fp, "### If something goes wrong, this section is the first one to comment out.\n"); |
172 | fprintf(fp, "### Instead, you'll have to relay on the basic blacklisting above.\n"); | 173 | fprintf(fp, "### Instead, you'll have to relay on the basic blacklisting above.\n"); |
173 | build_home(trace_output, fp); | 174 | build_home(trace_output, fp); |
175 | fprintf(fp, "\n"); | ||
174 | 176 | ||
175 | fprintf(fp, "\n### The Rest of the Filesystem ###\n"); | 177 | fprintf(fp, "### Filesystem Whitelisting ###\n"); |
176 | build_share(trace_output, fp); | 178 | build_share(trace_output, fp); |
179 | //todo: include whitelist-runuser-common.inc | ||
177 | build_var(trace_output, fp); | 180 | build_var(trace_output, fp); |
178 | build_bin(trace_output, fp); | 181 | fprintf(fp, "\n"); |
179 | build_dev(trace_output, fp); | ||
180 | fprintf(fp, "#nodvd\n"); | ||
181 | fprintf(fp, "#noinput\n"); | ||
182 | fprintf(fp, "#notv\n"); | ||
183 | fprintf(fp, "#nou2f\n"); | ||
184 | fprintf(fp, "#novideo\n"); | ||
185 | build_etc(trace_output, fp); | ||
186 | build_tmp(trace_output, fp); | ||
187 | 182 | ||
188 | fprintf(fp, "\n### Security Filters ###\n"); | ||
189 | fprintf(fp, "#apparmor\n"); | 183 | fprintf(fp, "#apparmor\n"); |
190 | fprintf(fp, "caps.drop all\n"); | 184 | fprintf(fp, "caps.drop all\n"); |
185 | fprintf(fp, "ipc-namespace\n"); | ||
191 | fprintf(fp, "netfilter\n"); | 186 | fprintf(fp, "netfilter\n"); |
187 | fprintf(fp, "#nodvd\n"); | ||
192 | fprintf(fp, "#nogroups\n"); | 188 | fprintf(fp, "#nogroups\n"); |
193 | fprintf(fp, "#noroot\n"); | 189 | fprintf(fp, "#noinput\n"); |
194 | fprintf(fp, "nonewprivs\n"); | 190 | fprintf(fp, "nonewprivs\n"); |
191 | fprintf(fp, "noroot\n"); | ||
192 | fprintf(fp, "#notv\n"); | ||
193 | fprintf(fp, "#nou2f\n"); | ||
194 | fprintf(fp, "#novideo\n"); | ||
195 | build_protocol(trace_output, fp); | 195 | build_protocol(trace_output, fp); |
196 | |||
197 | fprintf(fp, "seccomp\n"); | 196 | fprintf(fp, "seccomp\n"); |
198 | if (!have_strace) { | 197 | if (!have_strace) { |
199 | fprintf(fp, "### If you install strace on your system, Firejail will also create a\n"); | 198 | fprintf(fp, "### If you install strace on your system, Firejail will also create a\n"); |
@@ -203,8 +202,21 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
203 | fprintf(fp, "### Yama security module prevents creation of a whitelisted seccomp filter\n"); | 202 | fprintf(fp, "### Yama security module prevents creation of a whitelisted seccomp filter\n"); |
204 | else | 203 | else |
205 | build_seccomp(strace_output, fp); | 204 | build_seccomp(strace_output, fp); |
206 | fprintf(fp, "#shell none\n"); | 205 | fprintf(fp, "shell none\n"); |
207 | fprintf(fp, "#tracelog\n"); | 206 | fprintf(fp, "#tracelog\n"); |
207 | fprintf(fp, "\n"); | ||
208 | |||
209 | fprintf(fp, "#disable-mnt\n"); | ||
210 | build_bin(trace_output, fp); | ||
211 | fprintf(fp, "#private-lib\n"); | ||
212 | build_dev(trace_output, fp); | ||
213 | build_etc(trace_output, fp); | ||
214 | build_tmp(trace_output, fp); | ||
215 | fprintf(fp, "\n"); | ||
216 | |||
217 | fprintf(fp, "#dbus-user none\n"); | ||
218 | fprintf(fp, "#dbus-system none\n"); | ||
219 | fprintf(fp, "#memory-deny-write-execute\n"); | ||
208 | 220 | ||
209 | if (!arg_debug) { | 221 | if (!arg_debug) { |
210 | unlink(trace_output); | 222 | unlink(trace_output); |
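Review bot: The `//todo: include whitelist-runuser-common.inc` comment added at new line 179 lives only in the C source and leaves no trace in the generated profile, so the person tuning the sandbox never sees the suggestion. Everywhere else this generator surfaces optional hardening as commented-out profile lines the user can enable by dropping the `#` (`#include disable-shell.inc` at new 167, `#include disable-xdg.inc`, `#disable-mnt`, `#private-lib`), so the todo should follow the same pattern: `fprintf(fp, "#include whitelist-runuser-common.inc\n");` in its place, assuming that include ships with this firejail version (the name is taken from the todo itself, not verified here). If the include is not yet available, the comment should at least say what blocks it so it does not linger indefinitely. The enclosing build_profile body begins before the first hunk and continues past the last one.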