| Commit message (Collapse) | Author | Age |
|
|
|
|
|
|
|
|
|
|
| |
- disable-interpreters: blacklist /usr/lib64/libmozjs-*
- fdns:
- fix .local name
- remove server.profile comment (do we need /sbin and /usr/sbin?)
- add wusc and wvc (commented because untested)
- minimize caps.keep (based on fdns.service)
- fix protocol position
- add private-etc (based on fdns.service)
|
|
|
|
|
|
|
| |
Move autoconfigured lines up in Makefile.in so that they are defined
before they are used .
Closes #3341 #3344.
|
|
|
|
| |
Delete two unused variables.
|
|
|
|
| |
Closes #3341.
|
| |
|
| |
|
|\
| |
| | |
Build improvements
|
| |
| |
| |
| |
| | |
Sometimes concurrent build could fail if the filter apps were not
made before attempting to make the filters.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Otherwise, fails with error
CreateDirectories: failed to mkdir /usr/share/games (mode 448)
file_system.cpp(158): Function call failed: return value was -110300 (Insufficient access rights to open file)
Function call failed: return value was -110300 (Insufficient access rights to open file)
Location: file_system.cpp:158 (CreateDirectories)
Observed on Debian 10, 0ad 0.0.23
|
|\ \
| | |
| | | |
early decision in bug report if using git version
|
| | | |
|
|\ \ \
| |_|/
|/| | |
Improvements for syscalls.sh contib file
|
|/ /
| |
| | |
Fixed the identation for copy/past problems and added a console character that returns the console to it's original colour after the SYSCALLS_OUTPUT_FILE param is printed.
|
|\|
| |
| | |
Request behavior change description in bug reports
|
|/
|
|
| |
program
|
| |
|
| |
|
| |
|
|
|
| |
See discussion in https://github.com/netblue30/firejail/pull/3326.
|
| |
|
|\ |
|
| | |
|
|/ |
|
| |
|
|\
| |
| | |
Add bug report template
|
| |
| |
| | |
(Mostly) auto-generated with GitHub, will need tweaking over time
|
|/
|
|
| |
caps are already handled by caps.keep ... in this profile
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
See
- 07fac581f6b9b5ed068f4c54a9521b51826375c5 for new dbus filters
- https://github.com/netblue30/firejail/pull/3326#issuecomment-610423183
Except for ocenaudio, access/restrictions on dbus options should
be unchanged
Ocenaudio profile: dbus filters were sandboxed (initially `nodbus`
was enabled) since comments indicated blocking dbus meant
preferences were broken
|
| |
|
| |
|
|\
| |
| | |
Fine-grained DBus sandboxing
|
| | |
|
| |
| |
| |
| |
| |
| | |
This patch also allows setting the DBus policies to filter even if
xdg-dbus-proxy is not installed. In that case, unrestricted access to the bus is
allowed, but a warning is emitted.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
To avoid race conditions, the proxy sockets from /run/firejail/dbus/ are
bind-mounted to /run/firejail/mnt/dbus/, which is controlled by root.
Instead of relying on the default locations of the DBus sockets, the environment
variables DBUS_SESSION_BUS_ADDRESS and DBUS_SYSTEM_BUS_ADDRESS are set
accordingly.
User sockets are tried in the following order when starting the proxy:
* DBUS_SESSION_BUS_ADDRES
* /run/user/<pid>/bus
* /run/user/<pid>/dbus/user_bus_socket
These are all blocked (including DBUS_SESSION_BUS_ADDRESS if it points at a
socket in the filesystem) when the filtering or blocking policy is active.
System sockets are tried in the following order:
* DBUS_SYSTEM_BUS_ADDRESS
* /run/dbus/system_bus_socket
These are all blocked (including DBUS_SYSTEM_BUS_ADDRESS if it points at a
socket in the filesystem) when the filtering or blocking policy is active.
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| | |
The options --dbus-user.talk, --dbus-user.own, --dbus-system.talk, and
--dbus-system.own control which names can be accessed and owned on the user and
system buses.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* The proxy is forked off outside the sandbox namespace to protect the
fds of the original buses from the sandboxed process.
* The /run/firejail/dbus directory (with the sticky bit set) holds the proxy
sockets. The sockets are <parent pid>-user and <parent pid>-system for the
user and system buses, respectively. Each socket is owned by the sandbox user.
* The sockets are bind-mounted over their expected locations and the
/run/firejail/dbus directory is subsequently hidden from the sandbox.
* Upon sandbox exit, the xdg-dbus-proxy instance is terminated and the sockets
are cleaned up.
* Filter rules will be added in a future commit.
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
To contain processes forked for long time, such as the xdg-dbus-proxy,
sbox_exec_v can be used, which is the non-forking version of sbox_run_v.
Additionally, the SBOX_KEEPS_FDS flag avoid closing any open fds,
so fds needed by the subordinate process can be left open before calling
sbox_exec_v.
This flag does not makes sense for sbox_run_v, and causes an assertion failure.
|
|/
|
|
|
|
| |
Allow setting a separate policy for the user and system buses.
For now, the filter policy is equivalent to the none (block) policy.
Future commits will add more configuration options and filters.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Let user specify the action when seccomp filters trigger:
- errno name like EPERM (default) or ENOSYS: return errno and let the process continue.
- 'kill': kill the process as previous versions
The default action is EPERM, but killing can still be specified with
syscall:kill syntax or globally with seccomp-error-action=kill. The
action can be also overridden /etc/firejail/firejail.config file.
Not killing the process weakens Firejail slightly when trying to
contain intrusion, but it may also allow tighter filters if the
only alternative is to allow a system call.
|
| |
|
|
|
| |
fix #3321
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If `less` is sandboxed, then we get a similar message to below
when calling `man <anything>`
Error clone: main.c:2743 main: Operation not permitted
man: command exited with status 1: sed -e '/^[[:space:]]*$/{ N; /^[[:space:]]*\n[[:space:]]*$/D; }' | LESS=-ix8RmPm Manual page grep(1) ?ltline %lt?L/%L.:byte %bB?s/%s..?e (END):?pB %pB\%.. (press h for help or q to quit)$PM Manual page grep(1) ?ltline %lt?L/%L.:byte %bB?s/%s..?e (END):?pB %pB\%.. (press h for help or q to quit)$-R MAN_PN=grep(1) less
See also
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899143
https://github.com/netblue30/firejail/issues/1856
Noticed on Debian 10, firejail 0.9.63
|
|\
| |
| | |
Simple sanity checks for arguments and environment
|
| |
| |
| |
| |
| | |
Restrict number of program arguments and their length as well as
number of environment variables and their length.
|
| | |
|
| | |
|
| | |
|
| | |
|