diff options
Diffstat (limited to 'src/fbuilder/build_profile.c')
-rw-r--r-- | src/fbuilder/build_profile.c | 73 |
1 files changed, 46 insertions, 27 deletions
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c index 96a83954d..1726b4dbb 100644 --- a/src/fbuilder/build_profile.c +++ b/src/fbuilder/build_profile.c | |||
@@ -141,6 +141,12 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
141 | if (WIFEXITED(status) && WEXITSTATUS(status) == 0) { | 141 | if (WIFEXITED(status) && WEXITSTATUS(status) == 0) { |
142 | if (fp == stdout) | 142 | if (fp == stdout) |
143 | printf("--- Built profile beings after this line ---\n"); | 143 | printf("--- Built profile beings after this line ---\n"); |
144 | fprintf(fp, "# Save this file as \"application.profile\" (change \"application\" with the\n"); | ||
145 | fprintf(fp, "# program name) in ~/.config/firejail directory. Firejail will find it\n"); | ||
146 | fprintf(fp, "# automatically every time you sandbox your application.\n#\n"); | ||
147 | fprintf(fp, "# Run \"firejail application\" to test it. In the file there are\n"); | ||
148 | fprintf(fp, "# some other commands you can try. Enable them by removing the \"#\".\n\n"); | ||
149 | |||
144 | fprintf(fp, "# Firejail profile for %s\n", argv[index]); | 150 | fprintf(fp, "# Firejail profile for %s\n", argv[index]); |
145 | fprintf(fp, "# Persistent local customizations\n"); | 151 | fprintf(fp, "# Persistent local customizations\n"); |
146 | fprintf(fp, "#include %s.local\n", argv[index]); | 152 | fprintf(fp, "#include %s.local\n", argv[index]); |
@@ -148,56 +154,69 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
148 | fprintf(fp, "#include globals.local\n"); | 154 | fprintf(fp, "#include globals.local\n"); |
149 | fprintf(fp, "\n"); | 155 | fprintf(fp, "\n"); |
150 | 156 | ||
151 | fprintf(fp, "### basic blacklisting\n"); | 157 | fprintf(fp, "### Basic Blacklisting ###\n"); |
158 | fprintf(fp, "### Enable as many of them as you can! A very important one is\n"); | ||
159 | fprintf(fp, "### \"disable-exec.inc\". This will make among other things your home\n"); | ||
160 | fprintf(fp, "### and /tmp directories non-executable.\n"); | ||
152 | fprintf(fp, "include disable-common.inc\n"); | 161 | fprintf(fp, "include disable-common.inc\n"); |
153 | fprintf(fp, "# include disable-devel.inc\n"); | 162 | fprintf(fp, "#include disable-devel.inc\n"); |
154 | fprintf(fp, "# include disable-exec.inc\n"); | 163 | fprintf(fp, "#include disable-exec.inc\n"); |
155 | fprintf(fp, "# include disable-interpreters.inc\n"); | 164 | fprintf(fp, "#include disable-interpreters.inc\n"); |
156 | fprintf(fp, "include disable-passwdmgr.inc\n"); | 165 | fprintf(fp, "include disable-passwdmgr.inc\n"); |
157 | fprintf(fp, "# include disable-programs.inc\n"); | 166 | fprintf(fp, "include disable-programs.inc\n"); |
158 | fprintf(fp, "# include disable-xdg.inc\n"); | 167 | fprintf(fp, "#include disable-shell.inc\n"); |
168 | fprintf(fp, "#include disable-xdg.inc\n"); | ||
159 | fprintf(fp, "\n"); | 169 | fprintf(fp, "\n"); |
160 | 170 | ||
161 | fprintf(fp, "### home directory whitelisting\n"); | 171 | fprintf(fp, "### Home Directory Whitelisting ###\n"); |
172 | fprintf(fp, "### If something goes wrong, this section is the first one to comment out.\n"); | ||
173 | fprintf(fp, "### Instead, you'll have to relay on the basic blacklisting above.\n"); | ||
162 | build_home(trace_output, fp); | 174 | build_home(trace_output, fp); |
163 | fprintf(fp, "\n"); | 175 | fprintf(fp, "\n"); |
164 | 176 | ||
165 | fprintf(fp, "### filesystem\n"); | 177 | fprintf(fp, "### Filesystem Whitelisting ###\n"); |
166 | fprintf(fp, "# /usr/share:\n"); | ||
167 | build_share(trace_output, fp); | 178 | build_share(trace_output, fp); |
168 | fprintf(fp, "# /var:\n"); | 179 | //todo: include whitelist-runuser-common.inc |
169 | build_var(trace_output, fp); | 180 | build_var(trace_output, fp); |
170 | fprintf(fp, "\n"); | 181 | fprintf(fp, "\n"); |
171 | fprintf(fp, "# $PATH:\n"); | ||
172 | build_bin(trace_output, fp); | ||
173 | fprintf(fp, "# /dev:\n"); | ||
174 | build_dev(trace_output, fp); | ||
175 | fprintf(fp, "# /etc:\n"); | ||
176 | build_etc(trace_output, fp); | ||
177 | fprintf(fp, "# /tmp:\n"); | ||
178 | build_tmp(trace_output, fp); | ||
179 | fprintf(fp, "\n"); | ||
180 | 182 | ||
181 | fprintf(fp, "### security filters\n"); | 183 | fprintf(fp, "#apparmor\n"); |
182 | fprintf(fp, "caps.drop all\n"); | 184 | fprintf(fp, "caps.drop all\n"); |
185 | fprintf(fp, "ipc-namespace\n"); | ||
186 | fprintf(fp, "netfilter\n"); | ||
187 | fprintf(fp, "#nodvd\n"); | ||
188 | fprintf(fp, "#nogroups\n"); | ||
189 | fprintf(fp, "#noinput\n"); | ||
183 | fprintf(fp, "nonewprivs\n"); | 190 | fprintf(fp, "nonewprivs\n"); |
191 | fprintf(fp, "noroot\n"); | ||
192 | fprintf(fp, "#notv\n"); | ||
193 | fprintf(fp, "#nou2f\n"); | ||
194 | fprintf(fp, "#novideo\n"); | ||
195 | build_protocol(trace_output, fp); | ||
184 | fprintf(fp, "seccomp\n"); | 196 | fprintf(fp, "seccomp\n"); |
185 | if (!have_strace) { | 197 | if (!have_strace) { |
186 | fprintf(fp, "# If you install strace on your system, Firejail will also create a\n"); | 198 | fprintf(fp, "### If you install strace on your system, Firejail will also create a\n"); |
187 | fprintf(fp, "# whitelisted seccomp filter.\n"); | 199 | fprintf(fp, "### whitelisted seccomp filter.\n"); |
188 | } | 200 | } |
189 | else if (!have_yama_permission) | 201 | else if (!have_yama_permission) |
190 | fprintf(fp, "# Yama security module prevents creation of a whitelisted seccomp filter\n"); | 202 | fprintf(fp, "### Yama security module prevents creation of a whitelisted seccomp filter\n"); |
191 | else | 203 | else |
192 | build_seccomp(strace_output, fp); | 204 | build_seccomp(strace_output, fp); |
205 | fprintf(fp, "shell none\n"); | ||
206 | fprintf(fp, "#tracelog\n"); | ||
193 | fprintf(fp, "\n"); | 207 | fprintf(fp, "\n"); |
194 | 208 | ||
195 | fprintf(fp, "### network\n"); | 209 | fprintf(fp, "#disable-mnt\n"); |
196 | build_protocol(trace_output, fp); | 210 | build_bin(trace_output, fp); |
211 | fprintf(fp, "#private-lib\n"); | ||
212 | build_dev(trace_output, fp); | ||
213 | build_etc(trace_output, fp); | ||
214 | build_tmp(trace_output, fp); | ||
197 | fprintf(fp, "\n"); | 215 | fprintf(fp, "\n"); |
198 | 216 | ||
199 | fprintf(fp, "### environment\n"); | 217 | fprintf(fp, "#dbus-user none\n"); |
200 | fprintf(fp, "shell none\n"); | 218 | fprintf(fp, "#dbus-system none\n"); |
219 | fprintf(fp, "#memory-deny-write-execute\n"); | ||
201 | 220 | ||
202 | if (!arg_debug) { | 221 | if (!arg_debug) { |
203 | unlink(trace_output); | 222 | unlink(trace_output); |