Diffstat (limited to 'src')
-rw-r--r-- | src/fbuilder/build_profile.c | 44 | ||||
-rw-r--r-- | src/fbuilder/main.c | 12 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 90 | ||||
-rw-r--r-- | src/profstats/main.c | 11 |
4 files changed, 133 insertions, 24 deletions
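--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -145,9 +145,9 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 fprintf(fp, "# program name) in ~/.config/firejail directory. Firejail will find it\n");
 fprintf(fp, "# automatically every time you sandbox your application.\n#\n");
 fprintf(fp, "# Run \"firejail application\" to test it. In the file there are\n");
-fprintf(fp, "# some other commands you can try. Enable them by removing the \"#\".\n");
+fprintf(fp, "# some other commands you can try. Enable them by removing the \"#\".\n\n");
 
-fprintf(fp, "\n# Firejail profile for %s\n", argv[index]);
+fprintf(fp, "# Firejail profile for %s\n", argv[index]);
 fprintf(fp, "# Persistent local customizations\n");
 fprintf(fp, "#include %s.local\n", argv[index]);
 fprintf(fp, "# Persistent global definitions\n");
@@ -164,6 +164,7 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 fprintf(fp, "#include disable-interpreters.inc\n");
 fprintf(fp, "include disable-passwdmgr.inc\n");
 fprintf(fp, "include disable-programs.inc\n");
+fprintf(fp, "#include disable-shell.inc\n");
 fprintf(fp, "#include disable-xdg.inc\n");
 fprintf(fp, "\n");
 
@@ -171,29 +172,27 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 fprintf(fp, "### If something goes wrong, this section is the first one to comment out.\n");
 fprintf(fp, "### Instead, you'll have to relay on the basic blacklisting above.\n");
 build_home(trace_output, fp);
+fprintf(fp, "\n");
 
-fprintf(fp, "\n### The Rest of the Filesystem ###\n");
+fprintf(fp, "### Filesystem Whitelisting ###\n");
 build_share(trace_output, fp);
+//todo: include whitelist-runuser-common.inc
 build_var(trace_output, fp);
-build_bin(trace_output, fp);
-build_dev(trace_output, fp);
-fprintf(fp, "#nodvd\n");
-fprintf(fp, "#noinput\n");
-fprintf(fp, "#notv\n");
-fprintf(fp, "#nou2f\n");
-fprintf(fp, "#novideo\n");
-build_etc(trace_output, fp);
-build_tmp(trace_output, fp);
+fprintf(fp, "\n");
 
-fprintf(fp, "\n### Security Filters ###\n");
 fprintf(fp, "#apparmor\n");
 fprintf(fp, "caps.drop all\n");
+fprintf(fp, "ipc-namespace\n");
 fprintf(fp, "netfilter\n");
+fprintf(fp, "#nodvd\n");
 fprintf(fp, "#nogroups\n");
-fprintf(fp, "#noroot\n");
+fprintf(fp, "#noinput\n");
 fprintf(fp, "nonewprivs\n");
+fprintf(fp, "noroot\n");
+fprintf(fp, "#notv\n");
+fprintf(fp, "#nou2f\n");
+fprintf(fp, "#novideo\n");
 build_protocol(trace_output, fp);
-
 fprintf(fp, "seccomp\n");
 if (!have_strace) {
 fprintf(fp, "### If you install strace on your system, Firejail will also create a\n");
@@ -203,8 +202,21 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 fprintf(fp, "### Yama security module prevents creation of a whitelisted seccomp filter\n");
 else
 build_seccomp(strace_output, fp);
-fprintf(fp, "#shell none\n");
+fprintf(fp, "shell none\n");
 fprintf(fp, "#tracelog\n");
+fprintf(fp, "\n");
+
+fprintf(fp, "#disable-mnt\n");
+build_bin(trace_output, fp);
+fprintf(fp, "#private-lib\n");
+build_dev(trace_output, fp);
+build_etc(trace_output, fp);
+build_tmp(trace_output, fp);
+fprintf(fp, "\n");
+
+fprintf(fp, "#dbus-user none\n");
+fprintf(fp, "#dbus-system none\n");
+fprintf(fp, "#memory-deny-write-execute\n");
 
 if (!arg_debug) {
 unlink(trace_output);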
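Review bot: The `### Security Filters ###` header that introduced the `#apparmor`/`caps.drop all` block (old line 188) is removed with no replacement, while the filesystem block gains `### Filesystem Whitelisting ###`, so in the generated profile the capability/seccomp/`noroot` options now follow the whitelist lines with no heading; restoring `fprintf(fp, "### Security Filters ###\n");` before `fprintf(fp, "#apparmor\n");` keeps the sections parallel. The trailing `#disable-mnt`, `#private-lib`, `#dbus-user none`, `#dbus-system none` and `#memory-deny-write-execute` lines in the last hunk are emitted commented out with no hint about their effect, unlike the home section, which tells the reader what to comment out first; a heading such as `fprintf(fp, "### Optional hardening, enable one at a time and retest ###\n");` ahead of them would help. `//todo: include whitelist-runuser-common.inc` is left in the source with no issue reference, so it is likely to be forgotten. build_profile starts before the first hunk and ends after the last.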
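--- a/src/fbuilder/main.c
+++ b/src/fbuilder/main.c
@@ -58,10 +58,16 @@ printf("\n");
 exit(1);
 }
 
+// don't run if the file exists
+if (access(argv[i] + 8, F_OK) == 0) {
+fprintf(stderr, "Error: the profile file already exists. Please use a different file name.\n");
+exit(1);
+}
+
 // check file access
 fp = fopen(argv[i] + 8, "w");
 if (!fp) {
-fprintf(stderr, "Error fbuild: cannot open profile file.\n");
+fprintf(stderr, "Error: cannot open profile file.\n");
 exit(1);
 }
 prof_file = 1;
@@ -69,7 +75,7 @@ printf("\n");
 }
 else {
 if (*argv[i] == '-') {
-fprintf(stderr, "Error fbuilder: invalid program\n");
+fprintf(stderr, "Error: invalid program\n");
 usage();
 exit(1);
 }
@@ -79,7 +85,7 @@ printf("\n");
 }
 
 if (prog_index == 0) {
-fprintf(stderr, "Error fbuilder: program and arguments required\n");
+fprintf(stderr, "Error : program and arguments required\n");
 usage();
 if (prof_file)
 fclose(fp);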
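Review bot: The new `access(argv[i] + 8, F_OK)` pre-check followed by `fopen(..., "w")` in the first hunk is a check-then-use pair: a file (or symlink) that appears between the two calls is silently truncated by the fopen, and `access()` tests with the real rather than the effective uid, so its answer can differ from what `fopen` will do. Opening once with `O_CREAT | O_EXCL` makes the existence test atomic and keeps the distinct "already exists" message by inspecting `errno`; this needs `<fcntl.h>` and `<errno.h>`, and whether main.c already includes them is not visible in the hunk. The enclosing argument loop starts and ends outside the hunk. The message in the last hunk, `"Error : program and arguments required\n"`, also has a stray space before the colon while the sibling messages use `"Error: ..."`.
```c
// check file access; O_EXCL refuses to clobber an existing file atomically,
// 0666 leaves the final mode to the umask exactly as fopen("w") did
int fd = open(argv[i] + 8, O_WRONLY | O_CREAT | O_EXCL, 0666);
if (fd == -1) {
	if (errno == EEXIST)
		fprintf(stderr, "Error: the profile file already exists. Please use a different file name.\n");
	else
		fprintf(stderr, "Error: cannot open profile file.\n");
	exit(1);
}
fp = fdopen(fd, "w");
if (!fp) {
	close(fd);
	fprintf(stderr, "Error: cannot open profile file.\n");
	exit(1);
}
prof_file = 1;
// … unchanged: rest of the --build= handling …
```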
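--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -1,12 +1,78 @@
 .TH FIREJAIL-PROFILE 5 "MONTH YEAR" "VERSION" "firejail profiles man page"
 .SH NAME
-profile \- Security profile file syntax for Firejail
+profile \- Security profile file syntax, and information about building new application profiles.
 
-.SH USAGE
+.SH SYNOPSIS
+
+Using a specific profile:
+.PP
+.RS
+.TP
+\fBfirejail \-\-profile=filename.profile
+.br
+
+.br
+Example:
+.br
+$ firejail --profile=/etc/firejail/kdenlive.profile --appimage kdenlive.appimage
+.br
+
+.br
+.TP
+\fBfirejail \-\-profile=profile_name
+.br
+
+.br
+Example:
+.br
+$ firejail --profile=kdenlive --appimage kdenlive.appimage
+.br
+
+.br
+.RE
+.PP
+
+
+
+Building a profile manually:
+.PP
+.RS
+Start with the template in /usr/share/doc/firejail/profile.template and modify it in a text editor.
+To integrate the program in your desktop environment copy the profile file in ~/.config/firejail
+directory and run "sudo firecfg".
+.RE
+.PP
+
+Aliases and redirections:
+.PP
+.RS
+In some cases the same profile can be used for several applications.
+One such example is LibreOffice.
+Build a regular profile for the main application, and for the rest use
+/usr/share/doc/firejail/redirect_alias-profile.template.
+.RE
+.PP
+
+Running the profile builder:
+.PP
+.RS
 .TP
-firejail \-\-profile=filename.profile
+\fBfirejail \-\-build=appname.profile appname
+.br
+
+.br
+Example:
+.br
+$ firejail --build=blobby.profile blobby
+.br
+
+.br
+Run the program in "firejail \-\-build" and try to exercise as many program features as possible.
+The profile is extracted and saved in the current directory. Open it in a text editor and add or remove
+sandboxing options as necessary. Test again after modifying the profile. To integrate the program
+in your desktop environment copy the profile file in ~/.config/firejail directory and run "sudo firecfg".
 .RE
-firejail \-\-profile=profile_name
+.PP
 
 .SH DESCRIPTION
 Several command line options can be passed to the program using
@@ -891,7 +957,21 @@ Join the sandbox identified by name or start a new one.
 Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname".
 
 .SH FILES
-/etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile
+.TP
+\fB/etc/firejail/appname.profile
+Global Firejail configuration consisting mainly of profiles for each application supported by default.
+
+.TP
+\fB$HOME/.config/firejail/appname.profile
+User application profiles, will take precedence over the global profiles.
+
+.TP
+\fB/usr/share/doc/firejail/profile.template
+Template for building new profiles.
+
+.TP
+\fB/usr/share/doc/firejail/redirect_alias-profile.template
+Template for aliasing/redirecting profiles.
 
 .SH LICENSE
 Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.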
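--- a/src/profstats/main.c
+++ b/src/profstats/main.c
@@ -46,6 +46,7 @@ static int cnt_whitelistusrshare = 0; // include whitelist-usr-share-common.inc
 static int cnt_ssh = 0;
 static int cnt_mdwx = 0;
 static int cnt_whitelisthome = 0;
+static int cnt_noroot = 0;
 
 static int level = 0;
 static int arg_debug = 0;
@@ -65,6 +66,7 @@ static int arg_mdwx = 0;
 static int arg_dbus_system_none = 0;
 static int arg_dbus_user_none = 0;
 static int arg_whitelisthome = 0;
+static int arg_noroot = 0;
 
 
 static char *profile = NULL;
@@ -80,6 +82,7 @@ static void usage(void) {
 printf(" --dbus-user-none - profiles without \"dbus-user none\"\n");
 printf(" --ssh - print profiles without \"include disable-common.inc\"\n");
 printf(" --noexec - print profiles without \"include disable-exec.inc\"\n");
+printf(" --noroot - print profiles without \"noroot\"\n");
 printf(" --private-bin - print profiles without private-bin\n");
 printf(" --private-dev - print profiles without private-dev\n");
 printf(" --private-etc - print profiles without private-etc\n");
@@ -128,6 +131,8 @@ void process_file(const char *fname) {
 cnt_caps++;
 else if (strncmp(ptr, "include disable-exec.inc", 24) == 0)
 cnt_noexec++;
+else if (strncmp(ptr, "noroot", 6) == 0)
+cnt_noroot++;
 else if (strncmp(ptr, "include whitelist-var-common.inc", 32) == 0)
 cnt_whitelistvar++;
 else if (strncmp(ptr, "include whitelist-runuser-common.inc", 36) == 0 ||
@@ -212,6 +217,8 @@ int main(int argc, char **argv) {
 arg_mdwx = 1;
 else if (strcmp(argv[i], "--noexec") == 0)
 arg_noexec = 1;
+else if (strcmp(argv[i], "--noroot") == 0)
+arg_noroot = 1;
 else if (strcmp(argv[i], "--private-bin") == 0)
 arg_privatebin = 1;
 else if (strcmp(argv[i], "--private-dev") == 0)
@@ -256,6 +263,7 @@ int main(int argc, char **argv) {
 int caps = cnt_caps;
 int apparmor = cnt_apparmor;
 int noexec = cnt_noexec;
+int noroot = cnt_noroot;
 int privatebin = cnt_privatebin;
 int privatetmp = cnt_privatetmp;
 int privatedev = cnt_privatedev;
@@ -313,6 +321,8 @@ int main(int argc, char **argv) {
 printf("No seccomp found in %s\n", argv[i]);
 if (arg_noexec && noexec == cnt_noexec)
 printf("No include disable-exec.inc found in %s\n", argv[i]);
+if (arg_noroot && noroot == cnt_noroot)
+printf("No noroot found in %s\n", argv[i]);
 if (arg_privatedev && privatedev == cnt_privatedev)
 printf("No private-dev found in %s\n", argv[i]);
 if (arg_privatebin && privatebin == cnt_privatebin)
@@ -346,6 +356,7 @@ int main(int argc, char **argv) {
 printf(" seccomp\t\t\t%d\n", cnt_seccomp);
 printf(" capabilities\t\t%d\n", cnt_caps);
 printf(" noexec\t\t\t%d (include disable-exec.inc)\n", cnt_noexec);
+printf(" noroot\t\t\t%d\n", cnt_noroot);
 printf(" memory-deny-write-execute\t%d\n", cnt_mdwx);
 printf(" apparmor\t\t\t%d\n", cnt_apparmor);
 printf(" private-bin\t\t\t%d\n", cnt_privatebin);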
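Review bot: `strncmp(ptr, "noroot", 6) == 0` in the process_file hunk is a prefix match, so any line beginning with those six characters is counted as a `noroot` directive; the neighbouring checks use the same idiom, so it is consistent, but because the chain is order-dependent a stricter test such as `strcmp(ptr, "noroot") == 0` (if ptr has already been stripped of its newline, which the hunk does not show) would avoid miscounting. The rest of the change (flag, counter, usage line and summary row) mirrors the existing `--noexec` handling. process_file and main both start and end outside the hunks.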