Diffstat (limited to 'src')
-rw-r--r-- | src/fcopy/main.c | 4 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 1 | ||||
-rw-r--r-- | src/firecfg/firecfg.h | 10 | ||||
-rw-r--r-- | src/firecfg/main.c | 145 | ||||
-rw-r--r-- | src/firejail/fs_lib2.c | 6 | ||||
-rw-r--r-- | src/firejail/ls.c | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 40 | ||||
-rw-r--r-- | src/firejail/profile.c | 8 | ||||
-rw-r--r-- | src/firejail/x11.c | 30 | ||||
-rw-r--r-- | src/fnettrace/static-ip-map.txt | 9 | ||||
-rw-r--r-- | src/man/firecfg.1.in | 57 |
11 files changed, 196 insertions, 116 deletions
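--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -277,7 +277,7 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str
 
 // don't copy it if we already have the file
 struct stat s;
-if (stat(outfname, &s) == 0) {
+if (lstat(outfname, &s) == 0) {
 if (first)
 first = 0;
 else if (!arg_quiet)
@@ -286,7 +286,7 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str
 }
 
 // extract mode and ownership
-if (stat(infname, &s) != 0)
+if (lstat(infname, &s) != 0)
 goto out;
 
 uid_t uid = s.st_uid;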
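Review bot: lstat() on infname at line 289 now reports the link's own owner and mode whenever infname is a symlink, and a symlink's st_mode carries no meaningful permission bits; if the mode extracted below is later applied with chmod()/fchmod() rather than only used for lchown(), that path should be re-checked (the rest of fs_copydir is outside the hunk). The destination switch at line 280 deserves a why-comment so the next reader does not "fix" it back to stat(): `// lstat: a symlink already present at the destination counts as existing and is never followed`.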
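--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -834,6 +834,7 @@ thunderbird-beta
 thunderbird-wayland
 tidal-hifi
 tilp
+tiny-rdm
 tor-browser
 tor-browser-ar
 tor-browser-ca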
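--- a/src/firecfg/firecfg.h
+++ b/src/firecfg/firecfg.h
@@ -37,6 +37,16 @@
 #include "../include/common.h"
 #define MAX_BUF 4096
 
+// config files
+#define FIRECFG_CFGFILE SYSCONFDIR "/firecfg.config"
+#define FIRECFG_CONF_GLOB SYSCONFDIR "/firecfg.d/*.conf"
+
+// programs
+#define FIREJAIL_EXEC PREFIX "/bin/firejail"
+#define FIREJAIL_WELCOME_SH LIBDIR "/firejail/firejail-welcome.sh"
+#define FZENITY_EXEC LIBDIR "/firejail/fzenity"
+#define ZENITY_EXEC "/usr/bin/zenity"
+#define SUDO_EXEC "sudo"
 
 // main.c
 extern int arg_debug;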
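Review bot: SUDO_EXEC (line 49) is the only *_EXEC macro defined as a bare program name rather than an absolute path, so the command built from it in src/firecfg/main.c is resolved through PATH by the shell that system() spawns, while ZENITY_EXEC and FZENITY_EXEC are pinned. The manual page changed in this same commit says doas is also supported, yet the guide flow is hard-wired to sudo; if that is intended, a comment such as `// resolved via PATH by system(); the --guide flow currently assumes sudo` would make it explicit. FIRECFG_CONF_GLOB (line 42) is a glob(3) pattern rather than a file, which only its name hints at; `// glob(3) pattern, expanded by set_links_firecfg_glob()` next to it would help.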
diff --git a/src/firecfg/main.c b/src/firecfg/main.c index 4ec81c5b3..604b12633 100644 --- a/src/firecfg/main.c +++ b/src/firecfg/main.c | |||
@@ -20,6 +20,8 @@ | |||
20 | 20 | ||
21 | #include "firecfg.h" | 21 | #include "firecfg.h" |
22 | #include "../include/firejail_user.h" | 22 | #include "../include/firejail_user.h" |
23 | #include <glob.h> | ||
24 | |||
23 | int arg_debug = 0; | 25 | int arg_debug = 0; |
24 | char *arg_bindir = "/usr/local/bin"; | 26 | char *arg_bindir = "/usr/local/bin"; |
25 | int arg_guide = 0; | 27 | int arg_guide = 0; |
@@ -76,10 +78,6 @@ static void list(void) { | |||
76 | exit(1); | 78 | exit(1); |
77 | } | 79 | } |
78 | 80 | ||
79 | char *firejail_exec; | ||
80 | if (asprintf(&firejail_exec, "%s/bin/firejail", PREFIX) == -1) | ||
81 | errExit("asprintf"); | ||
82 | |||
83 | struct dirent *entry; | 81 | struct dirent *entry; |
84 | while ((entry = readdir(dir)) != NULL) { | 82 | while ((entry = readdir(dir)) != NULL) { |
85 | if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) | 83 | if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) |
@@ -92,7 +90,7 @@ static void list(void) { | |||
92 | if (is_link(fullname)) { | 90 | if (is_link(fullname)) { |
93 | char* fname = realpath(fullname, NULL); | 91 | char* fname = realpath(fullname, NULL); |
94 | if (fname) { | 92 | if (fname) { |
95 | if (strcmp(fname, firejail_exec) == 0) | 93 | if (strcmp(fname, FIREJAIL_EXEC) == 0) |
96 | printf("%s\n", fullname); | 94 | printf("%s\n", fullname); |
97 | free(fname); | 95 | free(fname); |
98 | } | 96 | } |
@@ -101,7 +99,6 @@ static void list(void) { | |||
101 | } | 99 | } |
102 | 100 | ||
103 | closedir(dir); | 101 | closedir(dir); |
104 | free(firejail_exec); | ||
105 | } | 102 | } |
106 | 103 | ||
107 | static void clean(void) { | 104 | static void clean(void) { |
@@ -114,10 +111,6 @@ static void clean(void) { | |||
114 | exit(1); | 111 | exit(1); |
115 | } | 112 | } |
116 | 113 | ||
117 | char *firejail_exec; | ||
118 | if (asprintf(&firejail_exec, "%s/bin/firejail", PREFIX) == -1) | ||
119 | errExit("asprintf"); | ||
120 | |||
121 | struct dirent *entry; | 114 | struct dirent *entry; |
122 | while ((entry = readdir(dir)) != NULL) { | 115 | while ((entry = readdir(dir)) != NULL) { |
123 | if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) | 116 | if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) |
@@ -130,7 +123,7 @@ static void clean(void) { | |||
130 | if (is_link(fullname)) { | 123 | if (is_link(fullname)) { |
131 | char* fname = realpath(fullname, NULL); | 124 | char* fname = realpath(fullname, NULL); |
132 | if (fname) { | 125 | if (fname) { |
133 | if (strcmp(fname, firejail_exec) == 0) { | 126 | if (strcmp(fname, FIREJAIL_EXEC) == 0) { |
134 | char *ptr = strrchr(fullname, '/'); | 127 | char *ptr = strrchr(fullname, '/'); |
135 | assert(ptr); | 128 | assert(ptr); |
136 | ptr++; | 129 | ptr++; |
@@ -147,10 +140,43 @@ static void clean(void) { | |||
147 | } | 140 | } |
148 | 141 | ||
149 | closedir(dir); | 142 | closedir(dir); |
150 | free(firejail_exec); | ||
151 | printf("\n"); | 143 | printf("\n"); |
152 | } | 144 | } |
153 | 145 | ||
146 | #define ignorelist_maxlen 2048 | ||
147 | static const char *ignorelist[ignorelist_maxlen]; | ||
148 | static int ignorelist_len = 0; | ||
149 | |||
150 | static int append_ignorelist(const char *const str) { | ||
151 | assert(str); | ||
152 | if (ignorelist_len >= ignorelist_maxlen) { | ||
153 | fprintf(stderr, "Warning: Ignore list is full (%d/%d), skipping %s\n", | ||
154 | ignorelist_len, ignorelist_maxlen, str); | ||
155 | return 0; | ||
156 | } | ||
157 | |||
158 | printf(" ignoring '%s'\n", str); | ||
159 | const char *const dup = strdup(str); | ||
160 | if (!dup) | ||
161 | errExit("strdup"); | ||
162 | |||
163 | ignorelist[ignorelist_len] = dup; | ||
164 | ignorelist_len++; | ||
165 | |||
166 | return 1; | ||
167 | } | ||
168 | |||
169 | static int in_ignorelist(const char *const str) { | ||
170 | assert(str); | ||
171 | int i; | ||
172 | for (i = 0; i < ignorelist_len; i++) { | ||
173 | if (strcmp(str, ignorelist[i]) == 0) | ||
174 | return 1; | ||
175 | } | ||
176 | |||
177 | return 0; | ||
178 | } | ||
179 | |||
154 | static void set_file(const char *name, const char *firejail_exec) { | 180 | static void set_file(const char *name, const char *firejail_exec) { |
155 | if (which(name) == 0) | 181 | if (which(name) == 0) |
156 | return; | 182 | return; |
@@ -165,35 +191,26 @@ static void set_file(const char *name, const char *firejail_exec) { | |||
165 | if (rv) { | 191 | if (rv) { |
166 | fprintf(stderr, "Error: cannot create %s symbolic link\n", fname); | 192 | fprintf(stderr, "Error: cannot create %s symbolic link\n", fname); |
167 | perror("symlink"); | 193 | perror("symlink"); |
168 | } | 194 | } else { |
169 | else | ||
170 | printf(" %s created\n", name); | 195 | printf(" %s created\n", name); |
171 | } | 196 | } |
172 | else { | 197 | } else { |
173 | fprintf(stderr, "Warning: cannot create %s - already exists! Skipping...\n", fname); | 198 | fprintf(stderr, "Warning: cannot create %s - already exists! Skipping...\n", fname); |
174 | } | 199 | } |
175 | 200 | ||
176 | free(fname); | 201 | free(fname); |
177 | } | 202 | } |
178 | 203 | ||
179 | // parse /etc/firejail/firecfg.config file | 204 | // parse a single config file |
180 | static void set_links_firecfg(void) { | 205 | static void set_links_firecfg(const char *cfgfile) { |
181 | char *cfgfile; | 206 | printf("Configuring symlinks in %s based on %s\n", arg_bindir, cfgfile); |
182 | if (asprintf(&cfgfile, "%s/firecfg.config", SYSCONFDIR) == -1) | ||
183 | errExit("asprintf"); | ||
184 | |||
185 | char *firejail_exec; | ||
186 | if (asprintf(&firejail_exec, "%s/bin/firejail", PREFIX) == -1) | ||
187 | errExit("asprintf"); | ||
188 | 207 | ||
189 | // parse /etc/firejail/firecfg.config file | ||
190 | FILE *fp = fopen(cfgfile, "r"); | 208 | FILE *fp = fopen(cfgfile, "r"); |
191 | if (!fp) { | 209 | if (!fp) { |
192 | perror("fopen"); | 210 | perror("fopen"); |
193 | fprintf(stderr, "Error: cannot open %s\n", cfgfile); | 211 | fprintf(stderr, "Error: cannot open %s\n", cfgfile); |
194 | exit(1); | 212 | exit(1); |
195 | } | 213 | } |
196 | printf("Configuring symlinks in %s based on firecfg.config\n", arg_bindir); | ||
197 | 214 | ||
198 | char buf[MAX_BUF]; | 215 | char buf[MAX_BUF]; |
199 | int lineno = 0; | 216 | int lineno = 0; |
@@ -223,13 +240,43 @@ static void set_links_firecfg(void) { | |||
223 | if (*start == '\0') | 240 | if (*start == '\0') |
224 | continue; | 241 | continue; |
225 | 242 | ||
243 | // handle ignore command | ||
244 | if (*start == '!') { | ||
245 | append_ignorelist(start + 1); | ||
246 | continue; | ||
247 | } | ||
248 | |||
226 | // set link | 249 | // set link |
227 | set_file(start, firejail_exec); | 250 | if (!in_ignorelist(start)) |
251 | set_file(start, FIREJAIL_EXEC); | ||
252 | else | ||
253 | printf(" %s ignored\n", start); | ||
228 | } | 254 | } |
229 | 255 | ||
230 | fclose(fp); | 256 | fclose(fp); |
231 | free(cfgfile); | 257 | printf("\n"); |
232 | free(firejail_exec); | 258 | } |
259 | |||
260 | // parse all config files matching pattern | ||
261 | static void set_links_firecfg_glob(const char *pattern) { | ||
262 | printf("Looking for config files in %s\n", pattern); | ||
263 | |||
264 | glob_t globbuf; | ||
265 | int globerr = glob(pattern, 0, NULL, &globbuf); | ||
266 | if (globerr == GLOB_NOMATCH) { | ||
267 | fprintf(stderr, "No matches for glob pattern %s\n", pattern); | ||
268 | goto out; | ||
269 | } else if (globerr != 0) { | ||
270 | fprintf(stderr, "Warning: Failed to match glob pattern %s: %s\n", | ||
271 | pattern, strerror(errno)); | ||
272 | goto out; | ||
273 | } | ||
274 | |||
275 | size_t i; | ||
276 | for (i = 0; i < globbuf.gl_pathc; i++) | ||
277 | set_links_firecfg(globbuf.gl_pathv[i]); | ||
278 | out: | ||
279 | globfree(&globbuf); | ||
233 | } | 280 | } |
234 | 281 | ||
235 | // parse ~/.config/firejail/ directory | 282 | // parse ~/.config/firejail/ directory |
@@ -246,10 +293,6 @@ static void set_links_homedir(const char *homedir) { | |||
246 | return; | 293 | return; |
247 | } | 294 | } |
248 | 295 | ||
249 | char *firejail_exec; | ||
250 | if (asprintf(&firejail_exec, "%s/bin/firejail", PREFIX) == -1) | ||
251 | errExit("asprintf"); | ||
252 | |||
253 | // parse ~/.config/firejail/ directory | 296 | // parse ~/.config/firejail/ directory |
254 | printf("\nConfiguring symlinks in %s based on local firejail config directory\n", arg_bindir); | 297 | printf("\nConfiguring symlinks in %s based on local firejail config directory\n", arg_bindir); |
255 | 298 | ||
@@ -260,6 +303,7 @@ static void set_links_homedir(const char *homedir) { | |||
260 | free(dirname); | 303 | free(dirname); |
261 | return; | 304 | return; |
262 | } | 305 | } |
306 | free(dirname); | ||
263 | 307 | ||
264 | struct dirent *entry; | 308 | struct dirent *entry; |
265 | while ((entry = readdir(dir))) { | 309 | while ((entry = readdir(dir))) { |
@@ -280,12 +324,10 @@ static void set_links_homedir(const char *homedir) { | |||
280 | } | 324 | } |
281 | 325 | ||
282 | *ptr = '\0'; | 326 | *ptr = '\0'; |
283 | set_file(exec, firejail_exec); | 327 | set_file(exec, FIREJAIL_EXEC); |
284 | free(exec); | 328 | free(exec); |
285 | } | 329 | } |
286 | closedir(dir); | 330 | closedir(dir); |
287 | |||
288 | free(firejail_exec); | ||
289 | } | 331 | } |
290 | 332 | ||
291 | static const char *get_sudo_user(void) { | 333 | static const char *get_sudo_user(void) { |
@@ -449,18 +491,20 @@ int main(int argc, char **argv) { | |||
449 | } | 491 | } |
450 | 492 | ||
451 | if (arg_guide) { | 493 | if (arg_guide) { |
494 | const char *zenity_exec; | ||
495 | if (arg_debug) | ||
496 | zenity_exec = FZENITY_EXEC; | ||
497 | else | ||
498 | zenity_exec = ZENITY_EXEC; | ||
499 | |||
452 | char *cmd; | 500 | char *cmd; |
453 | if (arg_debug) { | 501 | if (asprintf(&cmd, "%s %s %s %s %s", |
454 | if (asprintf(&cmd, "sudo %s/firejail/firejail-welcome.sh /usr/lib/firejail/fzenity %s %s", LIBDIR, SYSCONFDIR, user) == -1) | 502 | SUDO_EXEC, FIREJAIL_WELCOME_SH, zenity_exec, SYSCONFDIR, user) == -1) |
455 | errExit("asprintf"); | 503 | errExit("asprintf"); |
456 | } | 504 | |
457 | else { | ||
458 | if (asprintf(&cmd, "sudo %s/firejail/firejail-welcome.sh /usr/bin/zenity %s %s", LIBDIR, SYSCONFDIR, user) == -1) | ||
459 | errExit("asprintf"); | ||
460 | } | ||
461 | int status = system(cmd); | 505 | int status = system(cmd); |
462 | if (status == -1) { | 506 | if (status == -1) { |
463 | fprintf(stderr, "Error: cannot run firejail-welcome.sh\n"); | 507 | fprintf(stderr, "Error: cannot run %s\n", FIREJAIL_WELCOME_SH); |
464 | exit(1); | 508 | exit(1); |
465 | } | 509 | } |
466 | free(cmd); | 510 | free(cmd); |
@@ -474,12 +518,15 @@ else { | |||
474 | // clear all symlinks | 518 | // clear all symlinks |
475 | clean(); | 519 | clean(); |
476 | 520 | ||
477 | // set new symlinks based on /etc/firejail/firecfg.config | 521 | // set new symlinks based on .conf files |
478 | set_links_firecfg(); | 522 | set_links_firecfg_glob(FIRECFG_CONF_GLOB); |
523 | |||
524 | // set new symlinks based on firecfg.config | ||
525 | set_links_firecfg(FIRECFG_CFGFILE); | ||
479 | 526 | ||
480 | if (getuid() == 0) { | 527 | if (getuid() == 0) { |
481 | // add user to firejail access database - only for root | 528 | // add user to firejail access database - only for root |
482 | printf("\nAdding user %s to Firejail access database in %s/firejail.users\n", user, SYSCONFDIR); | 529 | printf("Adding user %s to Firejail access database in %s/firejail.users\n", user, SYSCONFDIR); |
483 | // temporarily set the umask, access database must be world-readable | 530 | // temporarily set the umask, access database must be world-readable |
484 | mode_t orig_umask = umask(022); | 531 | mode_t orig_umask = umask(022); |
485 | firejail_user_add(user); | 532 | firejail_user_add(user); |
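Review bot: In set_links_firecfg_glob() (lines 261-280) the non-NOMATCH error branch prints strerror(errno), but glob(3) reports failure through its return value and is not specified to set errno for GLOB_NOSPACE or GLOB_ABORTED, so the message may show a stale value; printing the code instead, e.g. `globerr == GLOB_NOSPACE ? "out of memory" : "read error"`, is reliable. The GLOB_NOMATCH branch writes to stderr although an empty or absent firecfg.d/ is the normal state on a fresh install; gating it on arg_debug, or sending it to stdout like the "Looking for config files" line, keeps stderr for real problems. Both branches then reach globfree() on a globbuf whose contents POSIX leaves unspecified after a failed glob(); glibc tolerates it, but returning directly from those two branches avoids relying on that. In the ignore-list hunk, `ignorelist_maxlen` is a lowercase macro and a bare `!` line appends an empty entry; `enum { IGNORELIST_MAXLEN = 2048 }` and skipping `start + 1` when it is empty would tighten both.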
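--- a/src/firejail/fs_lib2.c
+++ b/src/firejail/fs_lib2.c
@@ -166,8 +166,12 @@ void fslib_install_firejail(void) {
 fslib_mount_libs(RUN_MNT_DIR "/dhclient", 1); // parse as user
 
 // bring in xauth libraries
+
+char *xauth_bin = find_in_path("xauth");
 if (arg_x11_xorg)
-fslib_mount_libs("/usr/bin/xauth", 1); // parse as user
+fslib_mount_libs(xauth_bin, 1); // parse as user
+
+free(xauth_bin);
 
 fmessage("Firejail libraries installed in %0.2f ms\n", timetrace_end());
 }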
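Review bot: find_in_path("xauth") at line 170 runs even when arg_x11_xorg is off, and when it is on a NULL result (xauth absent from PATH) is passed straight to fslib_mount_libs(); whether x11_xorg() has already exited in that case depends on call order that is not visible here, so the function should not depend on it. Moving the lookup inside the branch and guarding the result keeps this block self-contained and drops the unconditional allocation. Since this is a PATH lookup inside a setuid binary, the directory the name resolves from comes from the caller's environment; the ownership checks that src/firejail/x11.c applies to its own lookup do not run here, which is worth a one-line comment so the two call sites are not assumed to be equivalent.
```c
// bring in xauth libraries
if (arg_x11_xorg) {
	// xauth is located via the caller's PATH; x11_xorg() performs the ownership checks
	char *xauth_bin = find_in_path("xauth");
	if (xauth_bin) {
		fslib_mount_libs(xauth_bin, 1); // parse as user
		free(xauth_bin);
	}
}
```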
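--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -154,7 +154,7 @@ static void print_file_or_dir(const char *path, const char *fname) {
 
 // file size
 char *sz;
-if (asprintf(&sz, "%d", (int) s.st_size) == -1)
+if (asprintf(&sz, "%jd", (intmax_t) s.st_size) == -1)
 errExit("asprintf");
 
 // file name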
diff --git a/src/firejail/main.c b/src/firejail/main.c index b39693af7..5bcc3a0e5 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -1600,7 +1600,7 @@ int main(int argc, char **argv, char **envp) { | |||
1600 | arg_trace = 1; | 1600 | arg_trace = 1; |
1601 | else if (strncmp(argv[i], "--trace=", 8) == 0) { | 1601 | else if (strncmp(argv[i], "--trace=", 8) == 0) { |
1602 | arg_trace = 1; | 1602 | arg_trace = 1; |
1603 | arg_tracefile = argv[i] + 8; | 1603 | arg_tracefile = expand_macros(argv[i] + 8); |
1604 | if (*arg_tracefile == '\0') { | 1604 | if (*arg_tracefile == '\0') { |
1605 | fprintf(stderr, "Error: invalid trace option\n"); | 1605 | fprintf(stderr, "Error: invalid trace option\n"); |
1606 | exit(1); | 1606 | exit(1); |
@@ -1610,13 +1610,6 @@ int main(int argc, char **argv, char **envp) { | |||
1610 | fprintf(stderr, "Error: invalid file name %s\n", arg_tracefile); | 1610 | fprintf(stderr, "Error: invalid file name %s\n", arg_tracefile); |
1611 | exit(1); | 1611 | exit(1); |
1612 | } | 1612 | } |
1613 | // if the filename starts with ~, expand the home directory | ||
1614 | if (*arg_tracefile == '~') { | ||
1615 | char *tmp; | ||
1616 | if (asprintf(&tmp, "%s%s", cfg.homedir, arg_tracefile + 1) == -1) | ||
1617 | errExit("asprintf"); | ||
1618 | arg_tracefile = tmp; | ||
1619 | } | ||
1620 | } | 1613 | } |
1621 | else if (strcmp(argv[i], "--tracelog") == 0) { | 1614 | else if (strcmp(argv[i], "--tracelog") == 0) { |
1622 | if (checkcfg(CFG_TRACELOG)) | 1615 | if (checkcfg(CFG_TRACELOG)) |
@@ -1981,20 +1974,13 @@ int main(int argc, char **argv, char **envp) { | |||
1981 | } | 1974 | } |
1982 | 1975 | ||
1983 | // extract chroot dirname | 1976 | // extract chroot dirname |
1984 | cfg.chrootdir = argv[i] + 9; | 1977 | cfg.chrootdir = expand_macros(argv[i] + 9); |
1985 | if (*cfg.chrootdir == '\0') { | 1978 | if (*cfg.chrootdir == '\0') { |
1986 | fprintf(stderr, "Error: invalid chroot option\n"); | 1979 | fprintf(stderr, "Error: invalid chroot option\n"); |
1987 | exit(1); | 1980 | exit(1); |
1988 | } | 1981 | } |
1989 | invalid_filename(cfg.chrootdir, 0); // no globbing | 1982 | invalid_filename(cfg.chrootdir, 0); // no globbing |
1990 | 1983 | ||
1991 | // if the directory starts with ~, expand the home directory | ||
1992 | if (*cfg.chrootdir == '~') { | ||
1993 | char *tmp; | ||
1994 | if (asprintf(&tmp, "%s%s", cfg.homedir, cfg.chrootdir + 1) == -1) | ||
1995 | errExit("asprintf"); | ||
1996 | cfg.chrootdir = tmp; | ||
1997 | } | ||
1998 | // check chroot directory | 1984 | // check chroot directory |
1999 | fs_check_chroot_dir(); | 1985 | fs_check_chroot_dir(); |
2000 | } | 1986 | } |
@@ -2776,16 +2762,7 @@ int main(int argc, char **argv, char **envp) { | |||
2776 | else if (strncmp(argv[i], "--netfilter=", 12) == 0) { | 2762 | else if (strncmp(argv[i], "--netfilter=", 12) == 0) { |
2777 | if (checkcfg(CFG_NETWORK)) { | 2763 | if (checkcfg(CFG_NETWORK)) { |
2778 | arg_netfilter = 1; | 2764 | arg_netfilter = 1; |
2779 | arg_netfilter_file = argv[i] + 12; | 2765 | arg_netfilter_file = expand_macros(argv[i] + 12); |
2780 | |||
2781 | // expand tilde | ||
2782 | if (*arg_netfilter_file == '~') { | ||
2783 | char *tmp; | ||
2784 | if (asprintf(&tmp, "%s%s", cfg.homedir, arg_netfilter_file + 1) == -1) | ||
2785 | errExit("asprintf"); | ||
2786 | arg_netfilter_file = tmp; | ||
2787 | } | ||
2788 | |||
2789 | check_netfilter_file(arg_netfilter_file); | 2766 | check_netfilter_file(arg_netfilter_file); |
2790 | } | 2767 | } |
2791 | else | 2768 | else |
@@ -2795,16 +2772,7 @@ int main(int argc, char **argv, char **envp) { | |||
2795 | else if (strncmp(argv[i], "--netfilter6=", 13) == 0) { | 2772 | else if (strncmp(argv[i], "--netfilter6=", 13) == 0) { |
2796 | if (checkcfg(CFG_NETWORK)) { | 2773 | if (checkcfg(CFG_NETWORK)) { |
2797 | arg_netfilter6 = 1; | 2774 | arg_netfilter6 = 1; |
2798 | arg_netfilter6_file = argv[i] + 13; | 2775 | arg_netfilter6_file = expand_macros(argv[i] + 13); |
2799 | |||
2800 | // expand tilde | ||
2801 | if (*arg_netfilter6_file == '~') { | ||
2802 | char *tmp; | ||
2803 | if (asprintf(&tmp, "%s%s", cfg.homedir, arg_netfilter6_file + 1) == -1) | ||
2804 | errExit("asprintf"); | ||
2805 | arg_netfilter6_file = tmp; | ||
2806 | } | ||
2807 | |||
2808 | check_netfilter_file(arg_netfilter6_file); | 2776 | check_netfilter_file(arg_netfilter6_file); |
2809 | } | 2777 | } |
2810 | else | 2778 | else |
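Review bot: Each of the four hunks here (--trace=, --chroot=, --netfilter=, --netfilter6=), and the two in src/firejail/profile.c, dereference or pass on the result of expand_macros() without a NULL check, whereas the removed code only allocated on a leading '~' and the profile.c code checked its strdup(); this is only safe if expand_macros() terminates on allocation failure and never returns NULL, which is not visible here. The ownership change is also silent: arg_tracefile, cfg.chrootdir and the two netfilter file pointers previously aliased argv in the common case and now presumably own heap memory, so a comment at the first use such as `// expand_macros() returns a heap copy with ~ and ${...} macros expanded; never NULL`, adjusted to its actual contract, would document both points. Keeping the expansion ahead of invalid_filename()/check_netfilter_file(), as these hunks do, is what guarantees the validated string is the one later used, and is worth preserving if the code is reshuffled.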
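--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -635,9 +635,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #ifdef HAVE_NETWORK
 if (checkcfg(CFG_NETWORK)) {
 arg_netfilter = 1;
-arg_netfilter_file = strdup(ptr + 10);
-if (!arg_netfilter_file)
-errExit("strdup");
+arg_netfilter_file = expand_macros(ptr + 10);
 check_netfilter_file(arg_netfilter_file);
 }
 else
@@ -649,9 +647,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #ifdef HAVE_NETWORK
 if (checkcfg(CFG_NETWORK)) {
 arg_netfilter6 = 1;
-arg_netfilter6_file = strdup(ptr + 11);
-if (!arg_netfilter6_file)
-errExit("strdup");
+arg_netfilter6_file = expand_macros(ptr + 11);
 check_netfilter_file(arg_netfilter6_file);
 }
 else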
diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 2eaa9bde5..3721a2c2c 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c | |||
@@ -1164,7 +1164,6 @@ void x11_start(int argc, char **argv) { | |||
1164 | } | 1164 | } |
1165 | #endif | 1165 | #endif |
1166 | 1166 | ||
1167 | |||
1168 | void x11_xorg(void) { | 1167 | void x11_xorg(void) { |
1169 | #ifdef HAVE_X11 | 1168 | #ifdef HAVE_X11 |
1170 | 1169 | ||
@@ -1175,31 +1174,38 @@ void x11_xorg(void) { | |||
1175 | exit(1); | 1174 | exit(1); |
1176 | } | 1175 | } |
1177 | 1176 | ||
1177 | char *xauth_bin = find_in_path("xauth"); | ||
1178 | |||
1178 | // check xauth utility is present in the system | 1179 | // check xauth utility is present in the system |
1179 | struct stat s; | 1180 | if (!xauth_bin) { |
1180 | if (stat("/usr/bin/xauth", &s) == -1) { | 1181 | fprintf(stderr, "Error: xauth utility not found in PATH. Please install it:\n"); |
1181 | fprintf(stderr, "Error: xauth utility not found in /usr/bin. Please install it:\n"); | ||
1182 | fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xauth\n"); | 1182 | fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xauth\n"); |
1183 | fprintf(stderr, " Arch: sudo pacman -S xorg-xauth\n"); | 1183 | fprintf(stderr, " Arch: sudo pacman -S xorg-xauth\n"); |
1184 | fprintf(stderr, " Fedora: sudo dnf install xorg-x11-xauth\n"); | 1184 | fprintf(stderr, " Fedora: sudo dnf install xorg-x11-xauth\n"); |
1185 | exit(1); | 1185 | exit(1); |
1186 | } | 1186 | } |
1187 | |||
1188 | struct stat s; | ||
1189 | if (stat(xauth_bin, &s) == -1) { | ||
1190 | fprintf(stderr, "Error: %s: %s\n", xauth_bin, strerror(errno)); | ||
1191 | exit(1); | ||
1192 | } | ||
1187 | if ((s.st_uid != 0 && s.st_gid != 0) || (s.st_mode & S_IWOTH)) { | 1193 | if ((s.st_uid != 0 && s.st_gid != 0) || (s.st_mode & S_IWOTH)) { |
1188 | fprintf(stderr, "Error: invalid /usr/bin/xauth executable\n"); | 1194 | fprintf(stderr, "Error: invalid %s executable\n", xauth_bin); |
1189 | exit(1); | 1195 | exit(1); |
1190 | } | 1196 | } |
1191 | if (s.st_size > 1024 * 1024) { | 1197 | if (s.st_size > 1024 * 1024) { |
1192 | fprintf(stderr, "Error: /usr/bin/xauth executable is too large\n"); | 1198 | fprintf(stderr, "Error: %s executable is too large\n", xauth_bin); |
1193 | exit(1); | 1199 | exit(1); |
1194 | } | 1200 | } |
1195 | // copy /usr/bin/xauth in the sandbox and set mode to 0711 | 1201 | // copy xauth in the sandbox and set mode to 0711 |
1196 | // users are not able to trace the running xauth this way | 1202 | // users are not able to trace the running xauth this way |
1197 | if (arg_debug) | 1203 | if (arg_debug) |
1198 | printf("Copying /usr/bin/xauth to %s\n", RUN_XAUTH_FILE); | 1204 | printf("Copying %s to %s\n", xauth_bin, RUN_XAUTH_FILE); |
1199 | if (copy_file("/usr/bin/xauth", RUN_XAUTH_FILE, 0, 0, 0711)) { | 1205 | |
1200 | fprintf(stderr, "Error: cannot copy /usr/bin/xauth executable\n"); | 1206 | copy_file_from_user_to_root(xauth_bin, RUN_XAUTH_FILE, 0, 0, 0711); |
1201 | exit(1); | 1207 | |
1202 | } | 1208 | free(xauth_bin); |
1203 | 1209 | ||
1204 | fmessage("Generating a new .Xauthority file\n"); | 1210 | fmessage("Generating a new .Xauthority file\n"); |
1205 | mkdir_attr(RUN_XAUTHORITY_SEC_DIR, 0700, getuid(), getgid()); | 1211 | mkdir_attr(RUN_XAUTHORITY_SEC_DIR, 0700, getuid(), getgid()); |
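Review bot: Resolving xauth through the caller's PATH (line 1177) means the caller rather than the system chooses which file the checks at lines 1180-1200 examine, and stat() follows symlinks, so those checks now describe whatever a PATH entry points at instead of a fixed system binary; the pre-existing `s.st_uid != 0 && s.st_gid != 0` test also accepts gid-0 ownership alone, which matters more once the location is not fixed. Using lstat() here, or limiting the search to a fixed set of system directories, would keep the ownership and size checks anchored to a trusted location; how much this matters depends on the privileges copy_file_from_user_to_root() copies and the sandboxed xauth later runs with, both outside this hunk. The window between stat() and the copy is the same TOCTOU the old code had, but is now worth stating: `// the file is re-read by copy_file_from_user_to_root(); the stat() checks above are a best-effort gate, not a guarantee`, if that matches the helper.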
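--- a/src/fnettrace/static-ip-map.txt
+++ b/src/fnettrace/static-ip-map.txt
@@ -92,7 +92,7 @@
 8.8.4.0/24 Google DNS
 8.8.8.0/24 Google DNS
 8.20.247.20/32 Comodo DNS
-8.26.56.26/32 Comodo DNS
+8.26.56.0/24 Comodo DNS
 9.9.9.0/24 Quad9 DNS
 45.90.28.0/22 NextDNS
 45.11.45.0/24 DNS-SB
@@ -103,8 +103,7 @@
 76.76.10.0/24 ControlD DNS
 76.76.19.0/24 Alternate DNS
 76.223.122.150/32 Alternate DNS
-77.88.8.8/32 Yandex DNS
-77.88.8.1/32 Yandex DNS
+77.88.8.0/24 Yandex DNS
 80.80.80.0/24 Freenom DNS Cloud
 80.80.81.0/24 Freenom DNS Cloud
 84.200.69.80/32 DSN Watch
@@ -123,8 +122,7 @@
 205.171.3.66/32 CentyrLink DNS
 205.171.202.166/32 CentyrLink DNS
 208.67.216.0/21 OpenDNS
-216.146.35.35/32 Dyn DNS
-216.146.36.36/32 Dyn DNS
+216.146.32.0/20 Dyn DNS
 
 # whois
 45.88.202.0/24 Anonymize Inc WHOIS Privacy Service
@@ -288,6 +286,7 @@
 192.187.114.96/29 BitChute
 192.187.118.168/29 BitChute
 192.187.121.208/29 BitChute
+192.187.122.72/29 BitChute
 192.187.123.112/29 BitChute
 192.187.126.0/29 BitChute
 198.204.226.120/29 BitChute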
diff --git a/src/man/firecfg.1.in b/src/man/firecfg.1.in index a85fbc5da..e43a573de 100644 --- a/src/man/firecfg.1.in +++ b/src/man/firecfg.1.in | |||
@@ -29,9 +29,13 @@ Note: The examples use \fBsudo\fR, but \fBdoas\fR is also supported. | |||
29 | To set it up, run "sudo firecfg" after installing Firejail software. | 29 | To set it up, run "sudo firecfg" after installing Firejail software. |
30 | The same command should also be run after | 30 | The same command should also be run after |
31 | installing new programs. If the program is supported by Firejail, the symbolic link in /usr/local/bin | 31 | installing new programs. If the program is supported by Firejail, the symbolic link in /usr/local/bin |
32 | will be created. For a full list of programs supported by default run "cat /etc/firejail/firecfg.config". | 32 | will be created. |
33 | 33 | .PP | |
34 | For user-driven manual integration, see \fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR. | 34 | To configure the list of programs used by firecfg when creating symlinks, see |
35 | \fBFILES\fR and \fBSYNTAX\fR. | ||
36 | .PP | ||
37 | For user-driven manual integration, see \fBDESKTOP INTEGRATION\fR section in | ||
38 | \fBman 1 firejail\fR. | ||
35 | .SH DEFAULT ACTIONS | 39 | .SH DEFAULT ACTIONS |
36 | The following actions are implemented by default by running sudo firecfg: | 40 | The following actions are implemented by default by running sudo firecfg: |
37 | 41 | ||
@@ -135,8 +139,53 @@ $ sudo firecfg --clean | |||
135 | /usr/local/bin/vlc removed | 139 | /usr/local/bin/vlc removed |
136 | .br | 140 | .br |
137 | [...] | 141 | [...] |
142 | .SH FILES | ||
143 | .PP | ||
144 | Configuration files are searched for and parsed in the following paths: | ||
145 | .PP | ||
146 | .RS | ||
147 | 1. /etc/firejail/firecfg.d/*.conf (in alphabetical order) | ||
148 | .br | ||
149 | 2. /etc/firejail/firecfg.config | ||
150 | .RE | ||
151 | .PP | ||
152 | The programs that are supported by default are listed in | ||
153 | /etc/firejail/firecfg.config. | ||
154 | It is recommended to leave it as is and put all customizations inside | ||
155 | /etc/firejail/firecfg.d/. | ||
156 | .PP | ||
157 | Profile files are also searched in the user configuration directory: | ||
158 | .PP | ||
159 | .RS | ||
160 | 3. ~/.config/firejail/*.profile | ||
161 | .RE | ||
162 | .PP | ||
163 | For every \fBPROGRAM.profile\fR file found, firecfg attempts to create a | ||
164 | symlink for "PROGRAM", as if "PROGRAM" was listed in a configuration file. | ||
165 | .SH SYNTAX | ||
166 | Configuration file syntax: | ||
167 | .PP | ||
168 | A line that starts with \fB#\fR is considered a comment. | ||
169 | .br | ||
170 | A line that starts with \fB!PROGRAM\fR means to ignore "PROGRAM" when creating | ||
171 | symlinks. | ||
172 | .br | ||
173 | A line that starts with anything else is considered to be the name of an | ||
174 | executable and firecfg will attempt to create a symlink for it. | ||
175 | .PP | ||
176 | For example, to prevent firecfg from creating symlinks for "firefox" and | ||
177 | "patch" while attempting to create a symlink for "myprog", the following lines | ||
178 | could be added to /etc/firejail/firecfg.d/10-my.conf: | ||
179 | .PP | ||
180 | .RS | ||
181 | !firefox | ||
182 | .br | ||
183 | !patch | ||
184 | .br | ||
138 | 185 | ||
139 | 186 | .br | |
187 | myprog | ||
188 | .RE | ||
140 | .SH LICENSE | 189 | .SH LICENSE |
141 | This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. | 190 | This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. |
142 | .PP | 191 | .PP |