Diffstat (limited to 'src')
-rw-r--r-- | src/firecfg/firecfg.config | 2 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 9 | ||||
-rw-r--r-- | src/firejail/profile.c | 11 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 2 | ||||
-rw-r--r-- | src/firejail/usage.c | 4 | ||||
-rw-r--r-- | src/man/firecfg.txt | 1 | ||||
-rw-r--r-- | src/man/firejail-login.txt | 1 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 7 | ||||
-rw-r--r-- | src/man/firejail-users.txt | 1 | ||||
-rw-r--r-- | src/man/firejail.txt | 37 | ||||
-rw-r--r-- | src/man/firemon.txt | 1 | ||||
-rw-r--r-- | src/man/jailcheck.txt | 1 | ||||
-rw-r--r-- | src/zsh_completion/_firejail.in | 3 |
14 files changed, 73 insertions, 8 deletions
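--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -289,6 +289,7 @@ gapplication
 gcalccmd
 gcloud
 gconf-editor
+gdu
 geany
 geary
 gedit
@@ -842,6 +843,7 @@ tremulous
 trojita
 truecraft
 tshark
+tuir
 tutanota-desktop
 tuxguitar
 tvbrowser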
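--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -338,6 +338,7 @@ extern int arg_writable_run_user; // writable /run/user
 extern int arg_writable_var_log; // writable /var/log
 extern int arg_appimage; // appimage
 extern int arg_apparmor; // apparmor
+extern char *apparmor_profile; // apparmor profile
 extern int arg_allow_debuggers; // allow debuggers
 extern int arg_x11_block; // block X11
 extern int arg_x11_xorg; // use X11 security extension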
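--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -133,6 +133,7 @@ int arg_writable_run_user = 0; // writable /run/user
 int arg_writable_var_log = 0; // writable /var/log
 int arg_appimage = 0; // appimage
 int arg_apparmor = 0; // apparmor
+char *apparmor_profile = NULL; // apparmor profile
 int arg_allow_debuggers = 0; // allow debuggers
 int arg_x11_block = 0; // block X11
 int arg_x11_xorg = 0; // use X11 security extension
@@ -1287,8 +1288,14 @@ int main(int argc, char **argv, char **envp) {
 // filtering
 //*************************************
 #ifdef HAVE_APPARMOR
-else if (strcmp(argv[i], "--apparmor") == 0)
+else if (strcmp(argv[i], "--apparmor") == 0) {
 arg_apparmor = 1;
+apparmor_profile = "firejail-default";
+}
+else if (strncmp(argv[i], "--apparmor=", 11) == 0) {
+arg_apparmor = 1;
+apparmor_profile = argv[i] + 11;
+}
 #endif
 else if (strncmp(argv[i], "--protocol=", 11) == 0) {
 if (checkcfg(CFG_SECCOMP)) {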
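Review bot: `--apparmor=` with nothing after the `=` is accepted by the new `strncmp(argv[i], "--apparmor=", 11)` branch and stores an empty string in apparmor_profile, which is then handed to libapparmor at sandbox setup instead of being rejected here like other malformed options. A guard before the assignment, `if (argv[i][11] == '\0') { fprintf(stderr, "Error: --apparmor= requires a profile name\n"); exit(1); }`, keeps the failure at option parsing with a clear message. The same missing check applies to the `apparmor profile_name` branch added in profile.c, where `strdup(ptr + 9)` is stored without confirming the remainder is non-empty. Because this value is user-controlled input to a setuid binary, the declaration of apparmor_profile would also benefit from a comment stating that it may point into argv, at a string literal, or at a strdup'd buffer, so later code does not assume one ownership model. main's option loop starts and ends outside the hunk.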
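--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -939,6 +939,17 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 if (strcmp(ptr, "apparmor") == 0) {
 #ifdef HAVE_APPARMOR
 arg_apparmor = 1;
+apparmor_profile = "firejail-default";
+#endif
+return 0;
+}
+
+if (strncmp(ptr, "apparmor ", 9) == 0) {
+#ifdef HAVE_APPARMOR
+arg_apparmor = 1;
+apparmor_profile = strdup(ptr + 9);
+if (!apparmor_profile)
+errExit("strdup");
 #endif
 return 0;
 }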
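--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -130,7 +130,7 @@ static void set_caps(void) {
 static void set_apparmor(void) {
 EUID_ASSERT();
 if (checkcfg(CFG_APPARMOR) && arg_apparmor) {
-if (aa_change_onexec("firejail-default")) {
+if (aa_stack_onexec(apparmor_profile)) {
 fwarning("Cannot confine the application using AppArmor.\n"
 "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n"
 "As root, run \"aa-enforce firejail-default\" to load it.\n");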
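Review bot: The warning on the two lines after the changed call still names firejail-default, but `aa_stack_onexec(apparmor_profile)` can now fail for a custom profile, so the hint to run `aa-enforce firejail-default` is misleading in exactly the case it is most needed; if fwarning takes format arguments (not visible in this hunk), the name should be interpolated, e.g. `"Maybe %s AppArmor profile is not loaded into the kernel.\n" "As root, run \"aa-enforce %s\" to load it.\n", apparmor_profile, apparmor_profile`. The failure path also stays fail-open: a misspelled `--apparmor=` name only produces this warning and the sandbox continues without AppArmor confinement, which becomes more likely now that the name is user-supplied, so either stating that plainly in the message or failing hard when a custom profile was requested is worth considering. apparmor_profile is passed here without a NULL check; the visible changes always set it together with arg_apparmor, but if any other path sets arg_apparmor alone this would hand NULL to libapparmor. A one-line comment on why aa_stack_onexec replaced aa_change_onexec (stacking composes with any confinement already applied rather than replacing it) would help future readers. set_apparmor's body continues past the hunk.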
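--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -30,7 +30,9 @@ static char *usage_str =
 " -- - signal the end of options and disables further option processing.\n"
 " --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n"
 " --allusers - all user home directories are visible inside the sandbox.\n"
-" --apparmor - enable AppArmor confinement.\n"
+" --apparmor - enable AppArmor confinement with the default profile.\n"
+" --apparmor=profile_name - enable AppArmor confinement with a\n"
+"\tcustom profile.\n"
 " --apparmor.print=name|pid - print apparmor status.\n"
 " --appimage - sandbox an AppImage application.\n"
 #ifdef HAVE_NETWORK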
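--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -146,3 +146,4 @@ Homepage: https://firejail.wordpress.com
 .BR firejail-login (5),
 .BR firejail-users (5),
 .BR jailcheck (1)
+.\" vim: set filetype=groff :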
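--- a/src/man/firejail-login.txt
+++ b/src/man/firejail-login.txt
@@ -40,3 +40,4 @@ Homepage: https://firejail.wordpress.com
 .BR firejail-profile (5),
 .BR firejail-users (5),
 .BR jailcheck (1)
+.\" vim: set filetype=groff :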
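--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -478,7 +478,11 @@ Allow tools such as strace and gdb inside the sandbox by whitelisting system cal
 #ifdef HAVE_APPARMOR
 .TP
 \fBapparmor
-Enable AppArmor confinement.
+Enable AppArmor confinement with the "firejail-default" AppArmor profile.
+.TP
+\fBapparmor profile_name
+Enable AppArmor confinement with a custom AppArmor profile.
+Note that the profile in question must already be loaded into the kernel.
 #endif
 .TP
 \fBcaps
@@ -1031,3 +1035,4 @@ Homepage: https://firejail.wordpress.com
 
 .UR https://github.com/netblue30/firejail/wiki/Creating-Profiles
 .UE
+.\" vim: set filetype=groff :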
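--- a/src/man/firejail-users.txt
+++ b/src/man/firejail-users.txt
@@ -60,3 +60,4 @@ Homepage: https://firejail.wordpress.com
 .BR firejail-profile (5),
 .BR firejail-login (5),
 .BR jailcheck (1)
+.\" vim: set filetype=groff :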
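--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -67,6 +67,17 @@ Firejail allows the user to manage application security using security profiles.
 Each profile defines a set of permissions for a specific application or group
 of applications. The software includes security profiles for a number of more common
 Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.
+.\" TODO: Explain the security/usability tradeoffs from #4601.
+.PP
+Firejail is currently implemented as an SUID binary, which means that if a
+malicious or compromised user account manages to exploit a bug in Firejail,
+that could ultimately lead to a privilege escalation to root.
+To mitigate this, it is recommended to only allow trusted users to run firejail
+(see firejail-users(5) for details on how to achieve that).
+For more details on the security/usability tradeoffs of Firejail, see:
+.UR https://github.com/netblue30/firejail/discussions/4601
+#4601
+.UE
 .PP
 Alternative sandbox technologies like snap (https://snapcraft.io/) and flatpak (https://flatpak.org/)
 are not supported. Snap and flatpak packages have their own native management tools and will
@@ -122,7 +133,13 @@ $ firejail --allusers
 #ifdef HAVE_APPARMOR
 .TP
 \fB\-\-apparmor
-Enable AppArmor confinement. For more information, please see \fBAPPARMOR\fR section below.
+Enable AppArmor confinement with the "firejail-default" AppArmor profile.
+For more information, please see \fBAPPARMOR\fR section below.
+.TP
+\fB\-\-apparmor=profile_name
+Enable AppArmor confinement with a custom AppArmor profile.
+Note that profile in question must already be loaded into the kernel.
+For more information, please see \fBAPPARMOR\fR section below.
 .TP
 \fB\-\-apparmor.print=name|pid
 Print the AppArmor confinement status for the sandbox identified by name or by PID.
@@ -174,6 +191,13 @@ Blacklist directory or file. File globbing is supported, see \fBFILE GLOBBING\fR
 .br
 
 .br
+Symbolic link handling: Blacklisting a path that is a symbolic link will also
+blacklist the path that it points to.
+For example, if ~/foo is blacklisted and it points to /foo, then /foo will also
+be blacklisted.
+.br
+
+.br
 Example:
 .br
 $ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin
@@ -2905,8 +2929,14 @@ all directories in /usr.
 .br
 
 .br
-Symbolic link handling: with the exception of user home, both the link and the real file should be in
-the same top directory. For user home, both the link and the real file should be owned by the user.
+Symbolic link handling: Whitelisting a path that is a symbolic link will also
+whitelist the path that it points to.
+For example, if ~/foo is whitelisted and it points to ~/bar, then ~/bar will
+also be whitelisted.
+Restrictions: With the exception of the user home directory, both the link and
+the real file should be in the same top directory.
+For symbolic links in the user home directory, both the link and the real file
+should be owned by the user.
 .br
 
 .br
@@ -3611,3 +3641,4 @@ Homepage: https://firejail.wordpress.com
 .UE ,
 .UR https://github.com/netblue30/firejail
 .UE
+.\" vim: set filetype=groff :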
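--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -118,3 +118,4 @@ Homepage: https://firejail.wordpress.com
 .BR firejail-login (5),
 .BR firejail-users (5),
 .BR jailcheck (1)
+.\" vim: set filetype=groff :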
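--- a/src/man/jailcheck.txt
+++ b/src/man/jailcheck.txt
@@ -115,3 +115,4 @@ Homepage: https://firejail.wordpress.com
 .BR firejail-profile (5),
 .BR firejail-login (5),
 .BR firejail-users (5),
+.\" vim: set filetype=groff :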
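--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -171,7 +171,8 @@ _firejail_args=(
 '--writable-var-log[use the real /var/log directory, not a clone]'
 
 #ifdef HAVE_APPARMOR
-'--apparmor[enable AppArmor confinement]'
+'--apparmor[enable AppArmor confinement with the default profile]'
+'--apparmor=-[enable AppArmor confinement with a custom profile]: :'
 '--apparmor.print=-[print apparmor status name|pid]:firejail:_all_firejails'
 #endif
 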