Diffstat (limited to 'src/fbuilder/build_profile.c')
-rw-r--r--src/fbuilder/build_profile.c73
1 files changed, 46 insertions, 27 deletions
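--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -141,6 +141,12 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
 if (fp == stdout)
 printf("--- Built profile beings after this line ---\n");
+fprintf(fp, "# Save this file as \"application.profile\" (change \"application\" with the\n");
+fprintf(fp, "# program name) in ~/.config/firejail directory. Firejail will find it\n");
+fprintf(fp, "# automatically every time you sandbox your application.\n#\n");
+fprintf(fp, "# Run \"firejail application\" to test it. In the file there are\n");
+fprintf(fp, "# some other commands you can try. Enable them by removing the \"#\".\n\n");
+
 fprintf(fp, "# Firejail profile for %s\n", argv[index]);
 fprintf(fp, "# Persistent local customizations\n");
 fprintf(fp, "#include %s.local\n", argv[index]);
@@ -148,56 +154,69 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 fprintf(fp, "#include globals.local\n");
 fprintf(fp, "\n");
 
-fprintf(fp, "### basic blacklisting\n");
+fprintf(fp, "### Basic Blacklisting ###\n");
+fprintf(fp, "### Enable as many of them as you can! A very important one is\n");
+fprintf(fp, "### \"disable-exec.inc\". This will make among other things your home\n");
+fprintf(fp, "### and /tmp directories non-executable.\n");
 fprintf(fp, "include disable-common.inc\n");
-fprintf(fp, "# include disable-devel.inc\n");
-fprintf(fp, "# include disable-exec.inc\n");
-fprintf(fp, "# include disable-interpreters.inc\n");
+fprintf(fp, "#include disable-devel.inc\n");
+fprintf(fp, "#include disable-exec.inc\n");
+fprintf(fp, "#include disable-interpreters.inc\n");
 fprintf(fp, "include disable-passwdmgr.inc\n");
-fprintf(fp, "# include disable-programs.inc\n");
-fprintf(fp, "# include disable-xdg.inc\n");
+fprintf(fp, "include disable-programs.inc\n");
+fprintf(fp, "#include disable-shell.inc\n");
+fprintf(fp, "#include disable-xdg.inc\n");
 fprintf(fp, "\n");
 
-fprintf(fp, "### home directory whitelisting\n");
+fprintf(fp, "### Home Directory Whitelisting ###\n");
+fprintf(fp, "### If something goes wrong, this section is the first one to comment out.\n");
+fprintf(fp, "### Instead, you'll have to relay on the basic blacklisting above.\n");
 build_home(trace_output, fp);
 fprintf(fp, "\n");
 
-fprintf(fp, "### filesystem\n");
-fprintf(fp, "# /usr/share:\n");
+fprintf(fp, "### Filesystem Whitelisting ###\n");
 build_share(trace_output, fp);
-fprintf(fp, "# /var:\n");
+//todo: include whitelist-runuser-common.inc
 build_var(trace_output, fp);
 fprintf(fp, "\n");
-fprintf(fp, "# $PATH:\n");
-build_bin(trace_output, fp);
-fprintf(fp, "# /dev:\n");
-build_dev(trace_output, fp);
-fprintf(fp, "# /etc:\n");
-build_etc(trace_output, fp);
-fprintf(fp, "# /tmp:\n");
-build_tmp(trace_output, fp);
-fprintf(fp, "\n");
 
-fprintf(fp, "### security filters\n");
+fprintf(fp, "#apparmor\n");
 fprintf(fp, "caps.drop all\n");
+fprintf(fp, "ipc-namespace\n");
+fprintf(fp, "netfilter\n");
+fprintf(fp, "#nodvd\n");
+fprintf(fp, "#nogroups\n");
+fprintf(fp, "#noinput\n");
 fprintf(fp, "nonewprivs\n");
+fprintf(fp, "noroot\n");
+fprintf(fp, "#notv\n");
+fprintf(fp, "#nou2f\n");
+fprintf(fp, "#novideo\n");
+build_protocol(trace_output, fp);
 fprintf(fp, "seccomp\n");
 if (!have_strace) {
-fprintf(fp, "# If you install strace on your system, Firejail will also create a\n");
-fprintf(fp, "# whitelisted seccomp filter.\n");
+fprintf(fp, "### If you install strace on your system, Firejail will also create a\n");
+fprintf(fp, "### whitelisted seccomp filter.\n");
 }
 else if (!have_yama_permission)
-fprintf(fp, "# Yama security module prevents creation of a whitelisted seccomp filter\n");
+fprintf(fp, "### Yama security module prevents creation of a whitelisted seccomp filter\n");
 else
 build_seccomp(strace_output, fp);
+fprintf(fp, "shell none\n");
+fprintf(fp, "#tracelog\n");
 fprintf(fp, "\n");
 
-fprintf(fp, "### network\n");
-build_protocol(trace_output, fp);
+fprintf(fp, "#disable-mnt\n");
+build_bin(trace_output, fp);
+fprintf(fp, "#private-lib\n");
+build_dev(trace_output, fp);
+build_etc(trace_output, fp);
+build_tmp(trace_output, fp);
 fprintf(fp, "\n");
 
-fprintf(fp, "### environment\n");
-fprintf(fp, "shell none\n");
+fprintf(fp, "#dbus-user none\n");
+fprintf(fp, "#dbus-system none\n");
+fprintf(fp, "#memory-deny-write-execute\n");
 
 if (!arg_debug) {
 unlink(trace_output);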