From 410602cb8e170aff8a65ef753e5836188dfd888b Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 29 Dec 2016 09:14:02 -0500 Subject: gpg fixes --- etc/gpa.profile | 2 -- etc/gpg-agent.profile | 4 +--- etc/gpg.profile | 5 +---- src/firecfg/firecfg.config | 2 -- 4 files changed, 2 insertions(+), 11 deletions(-) diff --git a/etc/gpa.profile b/etc/gpa.profile index 7d7277190..9da750f9e 100644 --- a/etc/gpa.profile +++ b/etc/gpa.profile @@ -18,6 +18,4 @@ shell none tracelog # private-bin gpa,gpg -private-tmp private-dev -# private-etc none diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile index 59c7383d7..f587f0d53 100644 --- a/etc/gpg-agent.profile +++ b/etc/gpg-agent.profile @@ -11,7 +11,7 @@ nogroups nonewprivs noroot nosound -protocol unix +protocol unix,inet,inet6 seccomp netfilter no3d @@ -21,6 +21,4 @@ tracelog blacklist /tmp/.X11-unix # private-bin gpg-agent,gpg -private-tmp private-dev -# private-etc none diff --git a/etc/gpg.profile b/etc/gpg.profile index d711c6f3e..963ff5ed7 100644 --- a/etc/gpg.profile +++ b/etc/gpg.profile @@ -11,10 +11,9 @@ nogroups nonewprivs noroot nosound -protocol unix +protocol unix,inet,inet6 seccomp netfilter -net none no3d shell none tracelog @@ -22,6 +21,4 @@ tracelog blacklist /tmp/.X11-unix # private-bin gpg,gpg-agent -private-tmp private-dev -# private-etc none diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index fe65a5077..4e4e5488a 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -184,8 +184,6 @@ eog # other atom atom-beta -gpa -gpg ranger keepass keepass2 -- cgit v1.2.3-70-g09d2 From c025912a3b3ebc97210ad0e7f6ba7cfc75b7e34a Mon Sep 17 00:00:00 2001 From: pshpsh Date: Sun, 1 Jan 2017 22:54:48 +0400 Subject: Create fossamail.profile --- etc/fossamail.profile | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 etc/fossamail.profile diff --git a/etc/fossamail.profile b/etc/fossamail.profile new file mode 100644 index 000000000..a0dc8ae59 
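Review bot: `protocol unix,inet,inet6` in gpg-agent.profile and gpg.profile, together with the deletion of `net none` in gpg.profile, opens full IPv4/IPv6 networking for both programs, and no comment in either profile says what the network is for. If the reason is keyserver traffic, a line such as `# inet/inet6 needed for keyserver operations` above the directive records it for the next person who wants to tighten the profile again. The three profiles in this commit also drop `private-tmp`, which re-exposes the shared /tmp to the sandbox; that rationale is likewise not visible in the diff and deserves the same kind of comment.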
--- /dev/null +++ b/etc/fossamail.profile @@ -0,0 +1,15 @@ +# Firejail profile for FossaMail + +noblacklist ~/.gnupg +mkdir ~/.gnupg +whitelist ~/.gnupg + +noblacklist ~/.fossamail +mkdir ~/.fossamail +whitelist ~/.fossamail + +noblacklist ~/.cache/fossamail +mkdir ~/.cache/fossamail +whitelist ~/.cache/fossamail + +include /etc/firejail/firefox.profile -- cgit v1.2.3-70-g09d2 From 585afc028e0bcd476e03e03c78c6a5feaa11bbec Mon Sep 17 00:00:00 2001 From: pshpsh Date: Sun, 1 Jan 2017 23:22:56 +0400 Subject: Create FossaMail.profile --- etc/FossaMail.profile | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 etc/FossaMail.profile diff --git a/etc/FossaMail.profile b/etc/FossaMail.profile new file mode 100644 index 000000000..0da235467 --- /dev/null +++ b/etc/FossaMail.profile @@ -0,0 +1,2 @@ +# Firejail profile for FossaMail +include /etc/firejail/fossamail.profile -- cgit v1.2.3-70-g09d2 From 699ab75654ad5ab7b48b067a2679c544cc8725f6 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 3 Jan 2017 09:44:55 -0500 Subject: FossaMail --- README | 2 ++ README.md | 2 +- RELNOTES | 2 +- platform/debian/conffiles | 2 ++ 4 files changed, 6 insertions(+), 2 deletions(-) diff --git a/README b/README index 751480868..64ee63db8 100644 --- a/README +++ b/README @@ -97,6 +97,8 @@ valoq (https://github.com/valoq) - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles - added wget profile - disable gnupg and systemd directories under /run/user +pshpsh (https://github.com/pshpsh) + - added FossaMail profile eventyrer (https://github.com/eventyrer) - update gnome-mplayer.profile thewisenerd (https://github.com/thewisenerd) diff --git a/README.md b/README.md index 9057a9a88..f4fa7282f 100644 --- a/README.md +++ b/README.md 
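Review bot: `whitelist ~/.gnupg` hands the mail sandbox read/write access to the whole keyring directory, the most sensitive directory in a home, and nothing in the profile states that this is deliberate. A comment above the first noblacklist line, e.g. `# ~/.gnupg is exposed so the mail client can sign and decrypt with the user's keys`, would record the trade-off for whoever audits the profile later. The noblacklist lines are placed before `include /etc/firejail/firefox.profile`, presumably so they take precedence over blacklists pulled in by that include; a one-line comment saying so would make the ordering constraint explicit rather than implicit.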
@@ -98,5 +98,5 @@ gjs, gnome-books, gnome-clocks, gnome-documents, gnome-maps, gnome-music, gnome- goobox, gpa, gpg, gpg-agent, highlight, img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, w3m, xfburn, xpra, wget, xed, pluma, Cryptocat, Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5, -PDFSam, Pithos, Xonotic, wireshark, keepassx2, QupZilla +PDFSam, Pithos, Xonotic, wireshark, keepassx2, QupZilla, FossaMail diff --git a/RELNOTES b/RELNOTES index 2d57b1a88..79654e441 100644 --- a/RELNOTES +++ b/RELNOTES @@ -20,7 +20,7 @@ firejail (0.9.45) baseline; urgency=low * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, * new profiles: Gnome Contacts, JD-GUI, Lollypop, MultiMC5, PDFSam, Pithos, - * new profies: Xonotic, wireshark, keepassx2, QupZilla + * new profies: Xonotic, wireshark, keepassx2, QupZilla, FossaMail * bugfixes -- netblue30 Sun, 23 Oct 2016 08:00:00 -0500 diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 9afe42be8..56a5c8e7e 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -240,3 +240,5 @@ /etc/firejail/xonotic.profile /etc/firejail/VirtualBox.profile /etc/firejail/qupzilla.profile +/etc/firejail/FossaMail.profile +/etc/firejail/fossamail.profile -- cgit v1.2.3-70-g09d2 From 18f015fbf39341611ad407908f295842cda8b17a Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 4 Jan 2017 08:13:01 -0500 Subject: allow non-seccomp setup for OverlayFS sandboxes --- RELNOTES | 1 + src/firejail/sandbox.c | 11 +---------- 2 files changed, 2 insertions(+), 10 deletions(-) diff --git a/RELNOTES b/RELNOTES index 79654e441..0f3f511bc 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -16,6 +16,7 @@ firejail (0.9.45) baseline; urgency=low * feature: config support for firejail prompt in terminals * feature: pass command line arguments to appimages * feature: --allow-private-blacklist option + * feature: allow non-seccomp setup for OverlayFS sandboxes * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 50fcd6ed0..493877db3 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -616,19 +616,10 @@ int sandbox(void* sandbox_arg) { fs_trace_preload(); } else -#endif +#endif #ifdef HAVE_OVERLAYFS if (arg_overlay) { fs_overlayfs(); - // force caps and seccomp if not started as root - if (getuid() != 0) { - enforce_filters(); -#ifdef HAVE_SECCOMP - enforce_seccomp = 1; -#endif - } - else - arg_seccomp = 1; } else #endif -- cgit v1.2.3-70-g09d2 From ceaee7d23c9650ccb4d88e3d07c42a3443b75839 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 4 Jan 2017 08:34:16 -0500 Subject: 3 new Python scripts in contrib section --- README | 4 +- RELNOTES | 1 + contrib/fix_private-bin.py | 68 +++++++++++++++++++++++++++++ contrib/fix_private-bin_for_symlinked_sh.py | 68 ----------------------------- contrib/fjclip.py | 35 +++++++++++++++ contrib/fjdisplay.py | 43 ++++++++++++++++++ contrib/fjresize.py | 25 +++++++++++ 7 files changed, 175 insertions(+), 69 deletions(-) create mode 100755 contrib/fix_private-bin.py delete mode 100644 contrib/fix_private-bin_for_symlinked_sh.py create mode 100755 contrib/fjclip.py create mode 100755 contrib/fjdisplay.py create mode 100755 contrib/fjresize.py diff --git a/README b/README index 64ee63db8..c94560026 100644 --- a/README +++ b/README 
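Review bot: Removing the block that called `enforce_filters()` and set `enforce_seccomp`/`arg_seccomp` for OverlayFS sandboxes means a plain `--overlay` run by a non-root user no longer gets caps/seccomp hardening unless it is requested explicitly, and the code site keeps no trace of why the enforcement was dropped. A short comment where the block stood, e.g. `// caps/seccomp are no longer forced for --overlay; they apply only when requested (see RELNOTES)`, would stop a later reader from assuming the hardening was lost by accident. The `#endif` line is rewritten as what appears to be a whitespace-only change. The enclosing function sandbox() starts and ends outside the hunk.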
@@ -97,6 +97,8 @@ valoq (https://github.com/valoq) - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles - added wget profile - disable gnupg and systemd directories under /run/user +Pixel Fairy (https://github.com/xahare) + - added fjclip.py, fjdisplay.py and fjresize.py in contrib section pshpsh (https://github.com/pshpsh) - added FossaMail profile eventyrer (https://github.com/eventyrer) @@ -109,7 +111,7 @@ SYN-cook (https://github.com/SYN-cook) thewisenerd (https://github.com/thewisenerd) - appimage: pass commandline arguments KOLANICH (https://github.com/KOLANICH) - - added symlink fixer + - added symlink fixer fix_private-bin.py in contrib section Jesse Smith (https://github.com/slicer69) - added QupZilla profile Lari Rauno (https://github.com/tuutti) diff --git a/RELNOTES b/RELNOTES index 0f3f511bc..645d158b7 100644 --- a/RELNOTES +++ b/RELNOTES @@ -17,6 +17,7 @@ firejail (0.9.45) baseline; urgency=low * feature: pass command line arguments to appimages * feature: --allow-private-blacklist option * feature: allow non-seccomp setup for OverlayFS sandboxes + * feature: added a number o Python scripts for handling sandboxes * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, diff --git a/contrib/fix_private-bin.py b/contrib/fix_private-bin.py new file mode 100755 index 000000000..705e46e46 --- /dev/null +++ b/contrib/fix_private-bin.py 
@@ -0,0 +1,68 @@ +#!/usr/bin/python3 + +import sys, os, glob, re + +privRx=re.compile("^(?:#\s*)?private-bin") + +def fixSymlinkedBins(files, replMap): + rxs=dict() + for (old,new) in replMap.items(): + rxs[old]=re.compile("\\b"+old+"\\b") + rxs[new]=re.compile("\\b"+new+"\\b") + print(rxs) + + for filename in files: + lines=None + with open(filename,"r") as file: + lines=file.readlines() + + shouldUpdate=False + for (i,line) in enumerate(lines): + if privRx.search(line): + for (old,new) in replMap.items(): + if rxs[old].search(line) and not rxs[new].search(line): + lines[i]=rxs[old].sub(old+","+new, line) + shouldUpdate=True + print(lines[i]) + + if shouldUpdate: + with open(filename,"w") as file: + file.writelines(lines) + pass + +def createListOfBinaries(files): + s=set() + for filename in files: + lines=None + with open(filename,"r") as file: + for line in file: + if privRx.search(line): + bins=line.split(",") + bins[0]=bins[0].split(" ")[-1] + bins = [n.strip() for n in bins] + s=s|set(bins) + return s + +def createSymlinkTable(binDirs, binariesSet): + m=dict() + for sh in binariesSet: + for bD in binDirs: + p=bD+os.path.sep+sh + if os.path.exists(p): + if os.path.islink(p): + m[sh]=os.readlink(p) + else: + pass + break + return m + + +sh="sh" +binDirs=["/bin","/usr/bin","/usr/sbin","/usr/local/bin","/usr/local/sbin"] +profilesPath="." +files=glob.glob(profilesPath+os.path.sep+"*.profile") + +bins=createListOfBinaries(files) +stbl=createSymlinkTable(binDirs,bins) +print(stbl) +fixSymlinkedBins(files,{a[0]:a[1] for a in stbl.items() if a[0].find("/") < 0 and a[1].find("/")<0}) diff --git a/contrib/fix_private-bin_for_symlinked_sh.py b/contrib/fix_private-bin_for_symlinked_sh.py deleted file mode 100644 index 705e46e46..000000000 --- a/contrib/fix_private-bin_for_symlinked_sh.py +++ /dev/null 
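Review bot: `rxs[old]=re.compile("\\b"+old+"\\b")` in fixSymlinkedBins builds a regex from a binary name without escaping it, so names containing metacharacters (`g++`, `python3.5`) either raise re.error or match the wrong tokens; use `rxs[old]=re.compile("\\b"+re.escape(old)+"\\b")` and the same for `new`. In createSymlinkTable, `os.readlink(p)` may return an absolute or a relative target, and the script only copes with that through the final `find("/") < 0` filter at the bottom, which silently drops every absolute symlink; a comment stating that only same-directory symlinks are handled would make the limitation visible. `"^(?:#\s*)?private-bin"` is also a non-raw string carrying `\s`; `r"..."` is the safer spelling.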
@@ -1,68 +0,0 @@ -#!/usr/bin/python3 - -import sys, os, glob, re - -privRx=re.compile("^(?:#\s*)?private-bin") - -def fixSymlinkedBins(files, replMap): - rxs=dict() - for (old,new) in replMap.items(): - rxs[old]=re.compile("\\b"+old+"\\b") - rxs[new]=re.compile("\\b"+new+"\\b") - print(rxs) - - for filename in files: - lines=None - with open(filename,"r") as file: - lines=file.readlines() - - shouldUpdate=False - for (i,line) in enumerate(lines): - if privRx.search(line): - for (old,new) in replMap.items(): - if rxs[old].search(line) and not rxs[new].search(line): - lines[i]=rxs[old].sub(old+","+new, line) - shouldUpdate=True - print(lines[i]) - - if shouldUpdate: - with open(filename,"w") as file: - file.writelines(lines) - pass - -def createListOfBinaries(files): - s=set() - for filename in files: - lines=None - with open(filename,"r") as file: - for line in file: - if privRx.search(line): - bins=line.split(",") - bins[0]=bins[0].split(" ")[-1] - bins = [n.strip() for n in bins] - s=s|set(bins) - return s - -def createSymlinkTable(binDirs, binariesSet): - m=dict() - for sh in binariesSet: - for bD in binDirs: - p=bD+os.path.sep+sh - if os.path.exists(p): - if os.path.islink(p): - m[sh]=os.readlink(p) - else: - pass - break - return m - - -sh="sh" -binDirs=["/bin","/usr/bin","/usr/sbin","/usr/local/bin","/usr/local/sbin"] -profilesPath="." -files=glob.glob(profilesPath+os.path.sep+"*.profile") - -bins=createListOfBinaries(files) -stbl=createSymlinkTable(binDirs,bins) -print(stbl) -fixSymlinkedBins(files,{a[0]:a[1] for a in stbl.items() if a[0].find("/") < 0 and a[1].find("/")<0}) diff --git a/contrib/fjclip.py b/contrib/fjclip.py new file mode 100755 index 000000000..cd12cd289 --- /dev/null +++ b/contrib/fjclip.py 
@@ -0,0 +1,35 @@ +#!/usr/bin/env python + +import re +import sys +import subprocess +import fjdisplay + +usage = """fjclip.py src dest. src or dest can be named firejails or - for stdin or stdout. +firemon --x11 to see available running x11 firejails. firejail names can be shortened +to least ambiguous. for example 'work-libreoffice' can be shortened to 'work' if no +other firejails name starts with 'work'. +warning: browsers are dangerous. clipboards from browsers are dangerous. see +https://github.com/dxa4481/Pastejacking +fjclip.py strips whitespace from both +ends, but does nothing else to protect you. use a simple gui text editor like +gedit if you want to see what your pasting.""" + +if len(sys.argv) != 3 or sys.argv == '-h' or sys.argv == '--help': + print(usage) + exit(1) + +if sys.argv[1] == '-': + clipin_raw = sys.stdin.read() +else: + display = fjdisplay.getdisplay(sys.argv[1]) + clipin_raw = subprocess.check_output(['xsel','-b','--display',display]) + +clipin = clipin_raw.strip() + +if sys.argv[2] == '-': + print(clipin) +else: + display = fjdisplay.getdisplay(sys.argv[2]) + clipout = subprocess.Popen(['xsel','-b','-i','--display',display],stdin=subprocess.PIPE) + clipout.communicate(clipin) \ No newline at end of file diff --git a/contrib/fjdisplay.py b/contrib/fjdisplay.py new file mode 100755 index 000000000..0e0ef01ec --- /dev/null +++ b/contrib/fjdisplay.py 
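Review bot: `sys.argv == '-h' or sys.argv == '--help'` compares the argv list with a string and is always False, so `-h` is only caught by the length check and `fjclip.py -h x` would be treated as a jail name; write `if len(sys.argv) != 3 or sys.argv[1] in ('-h', '--help'):`. Separately, `sys.stdin.read()` yields str while `subprocess.check_output` yields bytes on Python 3, and `clipout.communicate(clipin)` then needs bytes, so the script is only consistent under Python 2 as the `#!/usr/bin/env python` shebang suggests; if Python 3 is intended, read stdin as `sys.stdin.buffer.read()` and encode before `print`. A comment naming the interpreter the script targets would settle which of the two is meant.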
@@ -0,0 +1,43 @@ +#!/usr/bin/env python + +import re +import sys +import subprocess + +usage = """fjdisplay.py name-of-firejail +returns the display in the form of ':NNN' +""" + +def getfirejails(): + output = subprocess.check_output(['firemon','--x11']) + firejails = {} + name = '' + for line in output.split('\n'): + namematch = re.search('--name=(\w+\S*)',line) + if namematch: + name = namematch.group(1) + displaymatch = re.search('DISPLAY (:\d+)',line) + if displaymatch: + firejails[name] = displaymatch.group(1) + return firejails + +def getdisplay(name): + firejails = getfirejails() + fjlist = '\n'.join(firejails.keys()) + namere = re.compile('^'+name+'.*', re.MULTILINE) + matchingjails = namere.findall(fjlist) + if len(matchingjails) == 1: + return firejails[matchingjails[0]] + if len(matchingjails) == 0: + raise NameError("firejail {} does not exist".format(name)) + else: + raise NameError("ambiguous firejail name") + +if __name__ == '__main__': + if '-h' in sys.argv or '--help' in sys.argv or len(sys.argv) > 2: + print(usage) + exit() + if len(sys.argv) == 1: + print(getfirejails()) + if len(sys.argv) == 2: + print (getdisplay(sys.argv[1])) \ No newline at end of file diff --git a/contrib/fjresize.py b/contrib/fjresize.py new file mode 100755 index 000000000..52b289159 --- /dev/null +++ b/contrib/fjresize.py 
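Review bot: `re.compile('^'+name+'.*', re.MULTILINE)` in getdisplay interpolates the user-supplied jail name straight into a pattern, so a name such as `.` or `work|play` matches jails it should not and the "ambiguous"/"does not exist" decisions become unreliable; use `re.compile('^'+re.escape(name)+'.*', re.MULTILINE)`. `output.split('\n')` in getfirejails assumes `check_output` returns str, which holds on Python 2 (the shebang is `python`) but raises TypeError on Python 3, where `output.decode().split('\n')` is required. A docstring on getdisplay saying that the name is matched as an unanchored-at-the-end prefix and that exactly one match is required would document the contract fjclip.py and fjresize.py rely on.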
@@ -0,0 +1,25 @@ +#!/usr/bin/env python + +import sys +import fjdisplay +import subprocess + +usage = """usage: fjresize.py firejail-name displaysize +resize firejail xephyr windows. +fjdisplay.py with no other arguments will list running named firejails with displays. +fjresize.py with only a firejail name will list valid resolutions. +names can be shortend as long its unambiguous. +note: you may need to move the xephyr window for the resize to take effect +example: + fjresize.py browser 1280x800 +""" + + +if len(sys.argv) == 2: + out = subprocess.check_output(['xrandr','--display',fjdisplay.getdisplay(sys.argv[1])]) + print(out) +elif len(sys.argv) == 3: + out = subprocess.check_output(['xrandr','--display',fjdisplay.getdisplay(sys.argv[1]),'--output','default','--mode',sys.argv[2]]) + print(out) +else: + print(usage) \ No newline at end of file -- cgit v1.2.3-70-g09d2 From 9436294c615339d4d043cc861ba18002a6a95fb7 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 4 Jan 2017 08:41:12 -0500 Subject: install the content of contrib section /usr/lib/firejail directory --- Makefile.in | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Makefile.in b/Makefile.in index 8251f9882..9c899d401 100644 --- a/Makefile.in +++ b/Makefile.in @@ -91,6 +91,9 @@ realinstall: install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/. install -c -m 0644 seccomp.i386 $(DESTDIR)/$(libdir)/firejail/. install -c -m 0644 seccomp.amd64 $(DESTDIR)/$(libdir)/firejail/. + for file in contrib/*; do \ + install -c -m 0755 $$file $(DESTDIR)/$(libdir)/firejail/.; \ + done # documents install -m 0755 -d $(DESTDIR)/$(DOCDIR) install -c -m 0644 COPYING $(DESTDIR)/$(DOCDIR)/. -- cgit v1.2.3-70-g09d2 From 60d4b478f65c60bcc825bb56f85fd6c4fd48b250 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 4 Jan 2017 11:59:46 -0500 Subject: security fix --- RELNOTES | 1 + src/firejail/fs_home.c | 14 ++++++++++++++ src/firejail/pulseaudio.c | 15 +++++++++++++++ 3 files changed, 30 insertions(+) 
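Review bot: Both `subprocess.check_output(['xrandr', ...])` calls let a non-zero exit from xrandr (an unknown mode, no such display) surface as a CalledProcessError traceback rather than a message; wrapping each call in a try block with `except subprocess.CalledProcessError as e:` that prints `e.output` and exits with `e.returncode` would give the user xrandr's own error text. The arguments are passed as a list with no shell, so the user-supplied size needs no quoting, which is worth stating in a comment so nobody "fixes" it with `shell=True` later. The Makefile.in hunk that shares this line installs every file under contrib/ with mode 0755; a later commit in this series replaces it with explicit per-file install lines.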
diff --git a/RELNOTES b/RELNOTES index 645d158b7..08444bc0a 100644 --- a/RELNOTES +++ b/RELNOTES @@ -6,6 +6,7 @@ firejail (0.9.45) baseline; urgency=low * security: split most of networking code in a separate executable * security: split seccomp filter code configuration in a separate executable * security: split file copying in private option in a separate executable + * security: root exploit found by Sebastian Krahmer * feature: disable gnupg and systemd directories under /run/user * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm) * feature: AppImage type 2 support diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 0872bf0d0..f5e545bf3 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c @@ -167,6 +167,13 @@ static void copy_xauthority(void) { char *dest; if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1) errExit("asprintf"); + + // if destination is a symbolic link, exit the sandbox!!! + if (is_link(dest)) { + fprintf(stderr, "Error: %s is a symbolic link\n", dest); + exit(1); + } + // copy, set permissions and ownership int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); if (rv) @@ -185,6 +192,13 @@ static void copy_asoundrc(void) { char *dest; if (asprintf(&dest, "%s/.asoundrc", cfg.homedir) == -1) errExit("asprintf"); + + // if destination is a symbolic link, exit the sandbox!!! + if (is_link(dest)) { + fprintf(stderr, "Error: %s is a symbolic link\n", dest); + exit(1); + } + // copy, set permissions and ownership int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); if (rv) diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index f890dd534..b3a22bad9 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c 
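Review bot: The new `is_link(dest)` test in copy_xauthority, and the identical one in copy_asoundrc in the second hunk, run before `copy_file(src, dest, ...)` while the process still holds its privileges, so a caller who swaps the destination for a symlink between the check and the open still wins the race; the check raises the bar but does not close it. The later "security fixes" commit in this series moves the copy into a forked child that calls `drop_privs(0)` first, which is the robust form of this fix; a comment at the check, e.g. `// best-effort check only: the copy itself must run unprivileged`, would record that relationship. `is_link` is a project helper; presumably an lstat-based test, confirm. Both enclosing functions continue outside the hunk.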
@@ -133,7 +133,15 @@ void pulseaudio_init(void) { {;} // do nothing } } + else { + // make sure the directory is owned by the user + if (s.st_uid != getuid()) { + fprintf(stderr, "Error: user .config directory is not owned by the current user\n"); + exit(1); + } + } free(dir1); + if (asprintf(&dir1, "%s/.config/pulse", cfg.homedir) == -1) errExit("asprintf"); if (stat(dir1, &s) == -1) { @@ -144,6 +152,13 @@ void pulseaudio_init(void) { {;} // do nothing } } + else { + // make sure the directory is owned by the user + if (s.st_uid != getuid()) { + fprintf(stderr, "Error: user .config/pulse directory is not owned by the current user\n"); + exit(1); + } + } free(dir1); -- cgit v1.2.3-70-g09d2 From 80965e6a7f7ec62ba2c5385a320018adb5463c73 Mon Sep 17 00:00:00 2001 From: KOLANICH Date: Wed, 4 Jan 2017 18:54:33 +0300 Subject: Improved fix_private-bin.py a bit: added commandline arguments, metainfo and breadth-first search --- contrib/fix_private-bin.py | 129 ++++++++++++++++++++++++++++++++++++++------- 1 file changed, 109 insertions(+), 20 deletions(-) diff --git a/contrib/fix_private-bin.py b/contrib/fix_private-bin.py index 705e46e46..270c758a2 100755 --- a/contrib/fix_private-bin.py +++ b/contrib/fix_private-bin.py 
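Review bot: The new `else` branches verify `s.st_uid != getuid()` but not that the path is a directory, so a user-owned regular file at `~/.config` or `~/.config/pulse`, or a symlink that `stat()` resolves to one, passes the check; tightening it to `if (s.st_uid != getuid() || !S_ISDIR(s.st_mode)) {` catches both in this hunk and in the second pulseaudio_init hunk on this line. Because `stat()` follows symlinks, an `lstat()` would additionally reject a symlinked `.config` outright, if that is the policy wanted; what the directory is used for afterwards is not visible here. `pulseaudio_init()` continues past the hunk.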
@@ -1,15 +1,47 @@ #!/usr/bin/python3 +__author__ = "KOLANICH" +__copyright__ = """This is free and unencumbered software released into the public domain. + +Anyone is free to copy, modify, publish, use, compile, sell, or +distribute this software, either in source code form or as a compiled +binary, for any purpose, commercial or non-commercial, and by any +means. + +In jurisdictions that recognize copyright laws, the author or authors +of this software dedicate any and all copyright interest in the +software to the public domain. We make this dedication for the benefit +of the public at large and to the detriment of our heirs and +successors. We intend this dedication to be an overt act of +relinquishment in perpetuity of all present and future rights to this +software under copyright law. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR +OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, +ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR +OTHER DEALINGS IN THE SOFTWARE. + +For more information, please refer to """ +__license__ = "Unlicense" + import sys, os, glob, re privRx=re.compile("^(?:#\s*)?private-bin") def fixSymlinkedBins(files, replMap): + """ + Used to add filenames to private-bin directives of files if the ones present are mentioned in replMap + replMap is a dict where key is the marker filename and value is the filename to add + """ + rxs=dict() for (old,new) in replMap.items(): rxs[old]=re.compile("\\b"+old+"\\b") rxs[new]=re.compile("\\b"+new+"\\b") - print(rxs) + #print(rxs) for filename in files: lines=None 
@@ -28,9 +60,12 @@ def fixSymlinkedBins(files, replMap): if shouldUpdate: with open(filename,"w") as file: file.writelines(lines) - pass + pass -def createListOfBinaries(files): +def createSetOfBinaries(files): + """ + Creates a set of binaries mentioned in private-bin directives of files. + """ s=set() for filename in files: lines=None 
@@ -44,25 +79,79 @@ def createListOfBinaries(files): return s def createSymlinkTable(binDirs, binariesSet): + """ + creates a dict of symlinked binaries in the system where a key is a symlink name and value is a symlinked binary. + binDirs are folders to look into for binaries symlinks + binariesSet is a set of binaries to be checked if they are actually a symlinks + """ m=dict() - for sh in binariesSet: - for bD in binDirs: - p=bD+os.path.sep+sh - if os.path.exists(p): - if os.path.islink(p): - m[sh]=os.readlink(p) - else: - pass - break + toProcess=binariesSet + while len(toProcess)!=0: + additional=set() + for sh in toProcess: + for bD in binDirs: + p=bD+os.path.sep+sh + if os.path.exists(p): + if os.path.islink(p): + m[sh]=os.readlink(p) + additional.add(m[sh].split(" ")[0]) + else: + pass + break + toProcess=additional return m +def doTheFixes(profilesPath, binDirs): + """ + Fixes private-bin in .profiles for firejail. The pipeline is as follows: + discover files -> discover mentioned binaries -> + discover the ones which are symlinks -> + make a look-up table for fix -> + filter the ones can be fixed (we cannot fix the ones which are not in directories for binaries) -> + apply fix + """ + files=glob.glob(profilesPath+os.path.sep+"*.profile") + bins=createSetOfBinaries(files) + #print("The binaries used are:") + #print(bins) + stbl=createSymlinkTable(binDirs,bins) + print("The replacement table is:") + print(stbl) + stbl={a[0]:a[1] for a in stbl.items() if a[0].find(os.path.sep) < 0 and a[1].find(os.path.sep)<0} + print("Filtered replacement table is:") + print(stbl) + fixSymlinkedBins(files,stbl) + +def printHelp(): + print("python3 "+os.path.basename(__file__)+" \nThe default dir is "+defaultProfilesPath+"\n"+doTheFixes.__doc__) + +def main(): + """The main function. 
Parses the commandline args, shows messages and calles the function actually doing the work.""" + print(repr(sys.argv)) + defaultProfilesPath="../etc" + if len(sys.argv)>2 or (len(sys.argv)==2 and (sys.argv[1] == '-h' or sys.argv[1] == '--help') ): + printHelp() + exit(1) + + profilesPath=None + if len(sys.argv)==2: + if os.path.isdir(sys.argv[1]): + profilesPath=os.path.abspath(sys.argv[1]) + else: + if os.path.exists(sys.argv[1]): + print(sys.argv[1]+" is not a dir") + else: + print(sys.argv[1]+" does not exist") + printHelp() + exit(1) + else: + print("Using default profiles dir: " + defaultProfilesPath) + profilesPath=defaultProfilesPath -sh="sh" -binDirs=["/bin","/usr/bin","/usr/sbin","/usr/local/bin","/usr/local/sbin"] -profilesPath="." -files=glob.glob(profilesPath+os.path.sep+"*.profile") + binDirs=["/bin","/usr/bin","/usr/sbin","/usr/local/bin","/usr/local/sbin"] + print("Binaries dirs are:") + print(binDirs) + doTheFixes(profilesPath, binDirs) -bins=createListOfBinaries(files) -stbl=createSymlinkTable(binDirs,bins) -print(stbl) -fixSymlinkedBins(files,{a[0]:a[1] for a in stbl.items() if a[0].find("/") < 0 and a[1].find("/")<0}) +if __name__ == "__main__": + main() -- cgit v1.2.3-70-g09d2 From b74e399b64c21243d37405ecc94be453ad742b5e Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 4 Jan 2017 14:00:26 -0500 Subject: fixed make install --- Makefile.in | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/Makefile.in b/Makefile.in index 9c899d401..fb6460dfd 100644 --- a/Makefile.in +++ b/Makefile.in 
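Review bot: `printHelp()` reads `defaultProfilesPath`, but that name is only assigned as a local inside `main()`, so every help path (`-h`, `--help`, too many arguments, a missing or non-directory path) dies with NameError instead of printing usage. Move the assignment to module level, `defaultProfilesPath="../etc"` next to `privRx`, and drop the local line in main(), or pass it explicitly as `printHelp(defaultProfilesPath)`. In the same hunk, the breadth-first loop in createSymlinkTable re-queues every readlink target without remembering what it already processed, so a symlink cycle (a -> b -> a) never terminates; keep a `seen` set and add to `additional` only names not in it. `additional.add(m[sh].split(" ")[0])` also feeds absolute readlink targets back as bare names, which `bD+os.path.sep+sh` then turns into paths such as `/bin//usr/bin/x`; harmless as far as this hunk shows, but a comment saying absolute targets are intentionally skipped would help.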
@@ -91,9 +91,10 @@ realinstall: install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/. install -c -m 0644 seccomp.i386 $(DESTDIR)/$(libdir)/firejail/. install -c -m 0644 seccomp.amd64 $(DESTDIR)/$(libdir)/firejail/. - for file in contrib/*; do \ - install -c -m 0755 $$file $(DESTDIR)/$(libdir)/firejail/.; \ - done + install -c -m 0755 contrib/fix_private-bin.py $(DESTDIR)/$(libdir)/firejail/. + install -c -m 0755 contrib/fjclip.py $(DESTDIR)/$(libdir)/firejail/. + install -c -m 0755 contrib/fjdisplay.py $(DESTDIR)/$(libdir)/firejail/. + install -c -m 0755 contrib/fjresize.py $(DESTDIR)/$(libdir)/firejail/. # documents install -m 0755 -d $(DESTDIR)/$(DOCDIR) install -c -m 0644 COPYING $(DESTDIR)/$(DOCDIR)/. @@ -161,7 +162,7 @@ uninstall: rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg -DISTFILES = "src etc platform configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES" +DISTFILES = "src etc platform contrib configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES" DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils" dist: -- cgit v1.2.3-70-g09d2 From e74fdab5d2125ce8f058c1630ce7cce19cbdac16 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 4 Jan 2017 18:13:45 -0500 Subject: security fixes --- src/fcopy/main.c | 2 +- src/firejail/fs_home.c | 118 +++++++++++++++++++++++++++++++++++++--------- src/firejail/pulseaudio.c | 45 ++++++++++++++---- src/firejail/util.c | 4 +- 4 files changed, 136 insertions(+), 33 deletions(-) diff --git a/src/fcopy/main.c b/src/fcopy/main.c index b1e2813db..a4f5ace11 100644 --- a/src/fcopy/main.c +++ b/src/fcopy/main.c 
@@ -41,7 +41,7 @@ static void copy_file(const char *srcname, const char *destname, mode_t mode, ui // open source int src = open(srcname, O_RDONLY); if (src < 0) { - fprintf(stderr, "Warning: cannot open %s, file not copied\n", srcname); + fprintf(stderr, "Warning fcopy: cannot open %s, file not copied\n", srcname); return; } diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index f5e545bf3..4de082b06 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c @@ -106,6 +106,14 @@ static int store_xauthority(void) { // put a copy of .Xauthority in XAUTHORITY_FILE char *src; char *dest = RUN_XAUTHORITY_FILE; + // create an empty file + FILE *fp = fopen(dest, "w"); + if (fp) { + fprintf(fp, "\n"); + SET_PERMS_STREAM(fp, getuid(), getgid(), 0600); + fclose(fp); + } + if (asprintf(&src, "%s/.Xauthority", cfg.homedir) == -1) errExit("asprintf"); @@ -115,12 +123,28 @@ static int store_xauthority(void) { fprintf(stderr, "Warning: invalid .Xauthority file\n"); return 0; } - - int rv = copy_file(src, dest, -1, -1, 0600); - if (rv) { - fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n"); - return 0; + + pid_t child = fork(); + if (child < 0) + errExit("fork"); + if (child == 0) { + // drop privileges + drop_privs(0); + + // copy, set permissions and ownership + int rv = copy_file(src, dest, getuid(), getgid(), 0600); + if (rv) + fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n"); + else { + fs_logger2("clone", dest); + } +#ifdef HAVE_GCOV + __gcov_flush(); +#endif + _exit(0); } + // wait for the child to finish + waitpid(child, NULL, 0); return 1; // file copied } 
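Review bot: After the fork, `waitpid(child, NULL, 0)` discards the child's status and store_xauthority unconditionally returns `1; // file copied`, while the child only prints a warning and calls `_exit(0)` when `copy_file` fails; before the change a failed copy returned 0, so callers keyed to the return value now see success for a file that was never written (only the empty file created by `fopen(dest, "w")` above remains). Have the child `_exit(rv ? 1 : 0)` and let the parent collect the result: `int status; waitpid(child, &status, 0); return WIFEXITED(status) && WEXITSTATUS(status) == 0;`. The same pattern recurs in store_asoundrc, copy_xauthority and copy_asoundrc on the following lines and in both pulseaudio_init hunks, where the mkdir outcome is likewise lost. `drop_privs(0)` is a project helper; presumably it switches the child to the invoking user, which is what makes the copy safe — confirm, and a one-line comment saying so at each call would help.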
@@ -130,6 +154,14 @@ static int store_xauthority(void) { static int store_asoundrc(void) { char *src; char *dest = RUN_ASOUNDRC_FILE; + // create an empty file + FILE *fp = fopen(dest, "w"); + if (fp) { + fprintf(fp, "\n"); + SET_PERMS_STREAM(fp, getuid(), getgid(), 0644); + fclose(fp); + } + if (asprintf(&src, "%s/.asoundrc", cfg.homedir) == -1) errExit("asprintf"); @@ -150,11 +182,27 @@ static int store_asoundrc(void) { free(rp); } - int rv = copy_file(src, dest, -1, -1, -0644); - if (rv) { - fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n"); - return 0; + pid_t child = fork(); + if (child < 0) + errExit("fork"); + if (child == 0) { + // drop privileges + drop_privs(0); + + // copy, set permissions and ownership + int rv = copy_file(src, dest, getuid(), getgid(), 0644); + if (rv) + fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n"); + else { + fs_logger2("clone", dest); + } +#ifdef HAVE_GCOV + __gcov_flush(); +#endif + _exit(0); } + // wait for the child to finish + waitpid(child, NULL, 0); return 1; // file copied } @@ -174,13 +222,27 @@ static void copy_xauthority(void) { exit(1); } - // copy, set permissions and ownership - int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); - if (rv) - fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n"); - else { - fs_logger2("clone", dest); + pid_t child = fork(); + if (child < 0) + errExit("fork"); + if (child == 0) { + // drop privileges + drop_privs(0); + + // copy, set permissions and ownership + int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); + if (rv) + fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n"); + else { + fs_logger2("clone", dest); + } +#ifdef HAVE_GCOV + __gcov_flush(); +#endif + _exit(0); } + // wait for the child to finish + waitpid(child, NULL, 0); // delete the temporary file unlink(src); 
@@ -199,13 +261,27 @@ static void copy_asoundrc(void) { exit(1); } - // copy, set permissions and ownership - int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); - if (rv) - fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n"); - else { - fs_logger2("clone", dest); + pid_t child = fork(); + if (child < 0) + errExit("fork"); + if (child == 0) { + // drop privileges + drop_privs(0); + + // copy, set permissions and ownership + int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); + if (rv) + fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n"); + else { + fs_logger2("clone", dest); + } +#ifdef HAVE_GCOV + __gcov_flush(); +#endif + _exit(0); } + // wait for the child to finish + waitpid(child, NULL, 0); // delete the temporary file unlink(src); diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index b3a22bad9..14a7f03dd 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c @@ -127,11 +127,25 @@ void pulseaudio_init(void) { if (asprintf(&dir1, "%s/.config", cfg.homedir) == -1) errExit("asprintf"); if (stat(dir1, &s) == -1) { - int rv = mkdir(dir1, 0755); - if (rv == 0) { - if (set_perms(dir1, getuid(), getgid(), 0755)) - {;} // do nothing + pid_t child = fork(); + if (child < 0) + errExit("fork"); + if (child == 0) { + // drop privileges + drop_privs(0); + + int rv = mkdir(dir1, 0755); + if (rv == 0) { + if (set_perms(dir1, getuid(), getgid(), 0755)) + {;} // do nothing + } +#ifdef HAVE_GCOV + __gcov_flush(); +#endif + _exit(0); } + // wait for the child to finish + waitpid(child, NULL, 0); } else { // make sure the directory is owned by the user 
@@ -145,12 +159,25 @@ void pulseaudio_init(void) { if (asprintf(&dir1, "%s/.config/pulse", cfg.homedir) == -1) errExit("asprintf"); if (stat(dir1, &s) == -1) { - /* coverity[toctou] */ - int rv = mkdir(dir1, 0700); - if (rv == 0) { - if (set_perms(dir1, getuid(), getgid(), 0700)) - {;} // do nothing + pid_t child = fork(); + if (child < 0) + errExit("fork"); + if (child == 0) { + // drop privileges + drop_privs(0); + + int rv = mkdir(dir1, 0700); + if (rv == 0) { + if (set_perms(dir1, getuid(), getgid(), 0700)) + {;} // do nothing + } +#ifdef HAVE_GCOV + __gcov_flush(); +#endif + _exit(0); } + // wait for the child to finish + waitpid(child, NULL, 0); } else { // make sure the directory is owned by the user diff --git a/src/firejail/util.c b/src/firejail/util.c index 75f2acdb9..5b94aa288 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c @@ -177,14 +177,14 @@ int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, m // open source int src = open(srcname, O_RDONLY); if (src < 0) { - fprintf(stderr, "Warning: cannot open %s, file not copied\n", srcname); + fprintf(stderr, "Warning: cannot open source file %s, file not copied\n", srcname); return -1; } // open destination int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); if (dst < 0) { - fprintf(stderr, "Warning: cannot open %s, file not copied\n", destname); + fprintf(stderr, "Warning: cannot open destination file %s, file not copied\n", destname); close(src); return -1; } -- cgit v1.2.3-70-g09d2 From 85517885bece9209bbcace80fec115b0126263ad Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 6 Jan 2017 15:39:54 -0500 Subject: security fix --- RELNOTES | 3 +++ src/firejail/main.c | 22 +++++++++++++++++++++- src/man/firejail.txt | 4 +++- 3 files changed, 27 insertions(+), 2 deletions(-) diff --git a/RELNOTES b/RELNOTES index 08444bc0a..79c7a20e4 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -1,5 +1,8 @@ firejail (0.9.45) baseline; urgency=low * development version, work in progress + * security: disabled --allow-debuggers when running on kenel + versions prior to 4.8; a kernel bug in ptrace system call + allows a full bypass of seccomp filter; problem reported by Lizzie Dixon * security: overwrite /etc/resolv.conf found by Martin Carpenter * secuirty: TOCTOU exploit for --get and --put found by Daniel Hodson * security: invalid environment exploit found by Martin Carpenter diff --git a/src/firejail/main.c b/src/firejail/main.c index e70e20eec..3a347b3d9 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -35,6 +35,7 @@ #include #include #include +#include #if 0 #include @@ -817,8 +818,27 @@ int main(int argc, char **argv) { if (check_arg(argc, argv, "--quiet")) arg_quiet = 1; - if (check_arg(argc, argv, "--allow-debuggers")) + if (check_arg(argc, argv, "--allow-debuggers")) { + // check kernel version + struct utsname u; + int rv = uname(&u); + if (rv != 0) + errExit("uname"); + int major; + int minor; + if (2 != sscanf(u.release, "%d.%d", &major, &minor)) { + fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version); + exit(1); + } + if (major < 4 || (major == 4 && minor < 8)) { + fprintf(stderr, "Error: --allow-debuggers is disabled on Linux kernels prior to 4.8. " + "A bug in ptrace call allows a full bypass of the seccomp filter. " + "Your current kernel version is %d.%d.\n", major, minor); + exit(1); + } + arg_allow_debuggers = 1; + } // drop permissions by default and rise them when required EUID_INIT(); diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 60c21cbc1..69d28c788 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt 
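Review bot: The new kernel-version check parses `u.release` but the failure message prints `u.version`, so the string shown to the user is not the one that failed to parse; it should be `fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.release);`. The rest of the check reads correctly: a two-field `%d.%d` match handles the usual `4.8.0-…` release strings, and the `major < 4 || (major == 4 && minor < 8)` comparison rejects every 3.x kernel as intended. A short comment above the check naming the reason (ptrace/seccomp bypass fixed in 4.8) would tie the magic numbers to the release note.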
@@ -76,7 +76,9 @@ $ firejail [OPTIONS] firefox # starting Mozilla Firefox Signal the end of options and disables further option processing. .TP \fB\-\-allow-debuggers -Allow tools such as strace and gdb inside the sandbox. +Allow tools such as strace and gdb inside the sandbox. This option is only available +when running on Linux kernels 4.8 or newer - a kernel bug in ptrace system call allows a full +bypass of the seccomp filter. .br .br -- cgit v1.2.3-70-g09d2 From 6435525696e8eda2d1bc0ef50488523422b9126d Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 6 Jan 2017 15:57:50 -0500 Subject: spelling --- RELNOTES | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELNOTES b/RELNOTES index 79c7a20e4..969eecb24 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,6 +1,6 @@ firejail (0.9.45) baseline; urgency=low * development version, work in progress - * security: disabled --allow-debuggers when running on kenel + * security: disabled --allow-debuggers when running on kernel versions prior to 4.8; a kernel bug in ptrace system call allows a full bypass of seccomp filter; problem reported by Lizzie Dixon * security: overwrite /etc/resolv.conf found by Martin Carpenter -- cgit v1.2.3-70-g09d2 From 5d43fdcd215203868d440ffc42036f5f5ffc89fc Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 6 Jan 2017 22:45:11 -0500 Subject: security fix --- RELNOTES | 1 + src/firejail/bandwidth.c | 9 +-------- 2 files changed, 2 insertions(+), 8 deletions(-) diff --git a/RELNOTES b/RELNOTES index 969eecb24..b9a982d77 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,5 +1,6 @@ firejail (0.9.45) baseline; urgency=low * development version, work in progress + * security: --bandwidth root shel found by Martin Carpenter * security: disabled --allow-debuggers when running on kernel versions prior to 4.8; a kernel bug in ptrace system call allows a full bypass of seccomp filter; problem reported by Lizzie Dixon 
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c index 5e9002f22..84c9dc53a 100644 --- a/src/firejail/bandwidth.c +++ b/src/firejail/bandwidth.c @@ -435,15 +435,8 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in if (setregid(0, 0)) errExit("setregid"); - if (!cfg.shell) - cfg.shell = guess_shell(); - if (!cfg.shell) { - fprintf(stderr, "Error: no POSIX shell found, please use --shell command line option\n"); - exit(1); - } - char *arg[4]; - arg[0] = cfg.shell; + arg[0] = "/bin/sh"; arg[1] = "-c"; arg[2] = cmd; arg[3] = NULL; -- cgit v1.2.3-70-g09d2 From b573d10fcd93db1591d5c58657cf5efdeb79da5a Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 6 Jan 2017 22:48:14 -0500 Subject: spelling --- RELNOTES | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELNOTES b/RELNOTES index b9a982d77..5a3bfa5fb 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,6 +1,6 @@ firejail (0.9.45) baseline; urgency=low * development version, work in progress - * security: --bandwidth root shel found by Martin Carpenter + * security: --bandwidth root shell found by Martin Carpenter * security: disabled --allow-debuggers when running on kernel versions prior to 4.8; a kernel bug in ptrace system call allows a full bypass of seccomp filter; problem reported by Lizzie Dixon -- cgit v1.2.3-70-g09d2 From 2edc394d28b35a4aee13d98128cc4ce25836852a Mon Sep 17 00:00:00 2001 From: Reiner Herrmann Date: Sat, 7 Jan 2017 17:27:43 +0100 Subject: Add references to CVEs in release notes --- RELNOTES | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/RELNOTES b/RELNOTES index 5a3bfa5fb..5d5c93e63 100644 --- a/RELNOTES +++ b/RELNOTES 
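Review bot: Hard-coding `arg[0] = "/bin/sh";` removes the caller-chosen `cfg.shell` from the root exec, but the shell still runs with the unprivileged caller's environment after `setregid(0, 0)`; `PATH` (if `cmd` names commands without full paths) and any startup variables the installed /bin/sh honours remain under that user's control. Consider exec'ing with an explicit, minimal envp (`execve`) and adding a comment above `arg[0]` stating that `cmd` must be assembled only from validated arguments, since its construction is outside this hunk. bandwidth_pid begins and ends outside the hunk, so the exec call itself is not visible here.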
@@ -4,13 +4,13 @@ firejail (0.9.45) baseline; urgency=low * security: disabled --allow-debuggers when running on kernel versions prior to 4.8; a kernel bug in ptrace system call allows a full bypass of seccomp filter; problem reported by Lizzie Dixon - * security: overwrite /etc/resolv.conf found by Martin Carpenter + * security: overwrite /etc/resolv.conf found by Martin Carpenter (CVE-2016-10118) * secuirty: TOCTOU exploit for --get and --put found by Daniel Hodson - * security: invalid environment exploit found by Martin Carpenter + * security: invalid environment exploit found by Martin Carpenter (CVE-2016-10122) * security: split most of networking code in a separate executable * security: split seccomp filter code configuration in a separate executable * security: split file copying in private option in a separate executable - * security: root exploit found by Sebastian Krahmer + * security: root exploit found by Sebastian Krahmer (CVE-2017-5180) * feature: disable gnupg and systemd directories under /run/user * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm) * feature: AppImage type 2 support @@ -32,7 +32,7 @@ firejail (0.9.45) baseline; urgency=low -- netblue30 Sun, 23 Oct 2016 08:00:00 -0500 firejail (0.9.44) baseline; urgency=low - * CVE-2016-7545 submitted by Aleksey Manevich + * CVE-2016-9016 submitted by Aleksey Manevich * modifs: removed man firejail-config * modifs: --private-tmp whitelists /tmp/.X11-unix directory * modifs: Nvidia drivers added to --private-dev 
@@ -149,11 +149,12 @@ firejail (0.9.38) baseline; urgency=low * added KMail, Seamonkey, Telegram, Mathematica, uGet, * and mupen64plus profiles * --chroot in user mode allowed only if seccomp support is available - * in current Linux kernel + * in current Linux kernel (CVE-2016-10123) * deprecated --private-home feature * the first protocol list installed takes precedence - * --tmpfs option allowed only running as root + * --tmpfs option allowed only running as root (CVE-2016-10117) * added --private-tmp option + * weak permissions (CVE-2016-10119, CVE-2016-10120, CVE-2016-10121) * bugfixes -- netblue30 Tue, 2 Feb 2016 10:00:00 -0500 -- cgit v1.2.3-70-g09d2 From c5c630ce3ef94cc36ea40d1c7729da30ced135ff Mon Sep 17 00:00:00 2001 From: Reiner Herrmann Date: Sat, 7 Jan 2017 20:00:06 +0100 Subject: Reference new CVEs --- RELNOTES | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/RELNOTES b/RELNOTES index 5d5c93e63..a14200a0f 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,9 +1,10 @@ firejail (0.9.45) baseline; urgency=low * development version, work in progress - * security: --bandwidth root shell found by Martin Carpenter + * security: --bandwidth root shell found by Martin Carpenter (CVE-2017-5207) * security: disabled --allow-debuggers when running on kernel versions prior to 4.8; a kernel bug in ptrace system call allows a full bypass of seccomp filter; problem reported by Lizzie Dixon + (CVE-2017-5206) * security: overwrite /etc/resolv.conf found by Martin Carpenter (CVE-2016-10118) * secuirty: TOCTOU exploit for --get and --put found by Daniel Hodson * security: invalid environment exploit found by Martin Carpenter (CVE-2016-10122) -- cgit v1.2.3-70-g09d2 From 1294ac5193d7f8f130ddd14a1b6978d616a9531e Mon Sep 17 00:00:00 2001 
From: Christian Stadelmann Date: Mon, 9 Jan 2017 21:39:45 +0100 Subject: evolution.profile: add local mail dirs `/var/spool/mail/$USERNAME` and `/var/mail/$USERNAME` are valid paths for local mails. --- etc/evolution.profile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/evolution.profile b/etc/evolution.profile index ab6dd7a4a..1707e562b 100644 --- a/etc/evolution.profile +++ b/etc/evolution.profile @@ -6,6 +6,9 @@ noblacklist ~/.pki noblacklist ~/.pki/nssdb noblacklist ~/.gnupg +noblacklist /var/spool/mail +noblacklist /var/mail + include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc -- cgit v1.2.3-70-g09d2 From ec719b9e0f4f7258b5f752af4857649a34a35dfe Mon Sep 17 00:00:00 2001 From: The Fox in the Shell Date: Mon, 9 Jan 2017 23:22:31 +0100 Subject: etc: Support local customizations in *.inc This is useful for places, like hashbang.sh, which have site-specific modifications of the *.inc files. With the current setup, the package manager cannot automatically install updated versions of those files, as it would need to somehow merge the site-specific and upstream changes. Having the site-specific changes in separate files solves this. --- etc/disable-common.inc | 3 +++ etc/disable-common.local | 1 + etc/disable-devel.inc | 3 +++ etc/disable-devel.local | 1 + etc/disable-passwdmgr.inc | 3 +++ etc/disable-passwdmgr.local | 1 + etc/disable-programs.inc | 3 +++ etc/disable-programs.local | 1 + etc/whitelist-common.inc | 3 +++ etc/whitelist-common.local | 1 + 10 files changed, 20 insertions(+) create mode 100644 etc/disable-common.local create mode 100644 etc/disable-devel.local create mode 100644 etc/disable-passwdmgr.local create mode 100644 etc/disable-programs.local create mode 100644 etc/whitelist-common.local diff --git a/etc/disable-common.inc b/etc/disable-common.inc index efe5c850d..187d26c83 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc 
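Review bot: `noblacklist /var/spool/mail` and `noblacklist /var/mail` lift the blacklist for the whole spool directories, not only the per-user `$USERNAME` file the commit message describes, so host permissions are then the only thing keeping other users' spools out of the sandbox. If the profile language cannot name the per-user file, a comment recording that trade-off, e.g. `# local mail spools; the whole directory is exposed because the per-user file cannot be named here`, would explain why the broader exception was accepted.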
@@ -1,3 +1,6 @@ +# Local customizations come here +include /etc/firejail/disable-common.local + # History files in $HOME blacklist-nolog ${HOME}/.history blacklist-nolog ${HOME}/.*_history diff --git a/etc/disable-common.local b/etc/disable-common.local new file mode 100644 index 000000000..c9fbadfaf --- /dev/null +++ b/etc/disable-common.local @@ -0,0 +1 @@ +# This file is meant for local customizations of disable-common.local diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc index 2ac367f37..07fc3928c 100644 --- a/etc/disable-devel.inc +++ b/etc/disable-devel.inc @@ -1,3 +1,6 @@ +# Local customizations come here +include /etc/firejail/disable-devel.local + # development tools # GCC diff --git a/etc/disable-devel.local b/etc/disable-devel.local new file mode 100644 index 000000000..6ce1a8c75 --- /dev/null +++ b/etc/disable-devel.local @@ -0,0 +1 @@ +# This file is meant for local customizations of disable-devel.local diff --git a/etc/disable-passwdmgr.inc b/etc/disable-passwdmgr.inc index 045b4d92b..7d129b2e4 100644 --- a/etc/disable-passwdmgr.inc +++ b/etc/disable-passwdmgr.inc @@ -1,3 +1,6 @@ +# Local customizations come here +include /etc/firejail/disable-passwdmgr.local + blacklist ${HOME}/.pki/nssdb blacklist ${HOME}/.lastpass blacklist ${HOME}/.keepassx diff --git a/etc/disable-passwdmgr.local b/etc/disable-passwdmgr.local new file mode 100644 index 000000000..2a3bb45d3 --- /dev/null +++ b/etc/disable-passwdmgr.local @@ -0,0 +1 @@ +# This file is meant for local customizations of disable-passwdmgr.local diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index e5eb4f857..96bf1464b 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -1,3 +1,6 @@ +# Local customizations come here +include /etc/firejail/disable-programs.local + blacklist ${HOME}/.*coin blacklist ${HOME}/.8pecxstudios blacklist ${HOME}/.Atom 
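Review bot: The single comment line in the new `disable-common.local` says it holds customizations of `disable-common.local`, i.e. of itself; it should name the file it customizes, `# This file is meant for local customizations of disable-common.inc`. The same copy-paste appears in the other four new `.local` files in this commit. It would also help to say in each `.inc` why the include sits at the very top — presumably so that a local `noblacklist` is read before the blacklist entries it is meant to override, if that is the ordering firejail requires.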
diff --git a/etc/disable-programs.local b/etc/disable-programs.local new file mode 100644 index 000000000..6c226a331 --- /dev/null +++ b/etc/disable-programs.local @@ -0,0 +1 @@ +# This file is meant for local customizations of disable-programs.local diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc index d4e69948e..cf7797100 100644 --- a/etc/whitelist-common.inc +++ b/etc/whitelist-common.inc @@ -1,3 +1,6 @@ +# Local customizations come here +include /etc/firejail/whitelist-common.local + # common whitelist for all profiles whitelist ~/.XCompose diff --git a/etc/whitelist-common.local b/etc/whitelist-common.local new file mode 100644 index 000000000..11ed186ce --- /dev/null +++ b/etc/whitelist-common.local @@ -0,0 +1 @@ +# This file is meant for local customizations of whitelist-common.local -- cgit v1.2.3-70-g09d2 From 0022b74ab59b807d982c06ea1a3d718356d9f147 Mon Sep 17 00:00:00 2001 From: The Fox in the Shell Date: Tue, 10 Jan 2017 00:13:07 +0100 Subject: disable-common: Make mutt and msmtp's rc files R/O Those allow arbitrary command executions through various mechanisms --- etc/disable-common.inc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index efe5c850d..3fdccf6d2 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -101,6 +101,9 @@ read-only ${HOME}/.caffrc read-only ${HOME}/.dotfiles read-only ${HOME}/dotfiles read-only ${HOME}/.mailcap +read-only ${HOME}/.muttrc +read-only ${HOME}/.mutt/muttrc +read-only ${HOME}/.msmtprc read-only ${HOME}/.exrc read-only ${HOME}/_exrc read-only ${HOME}/.vimrc -- cgit v1.2.3-70-g09d2 From edfa2d698a3a98e541bc7818996d3c6a135c0747 Mon Sep 17 00:00:00 2001 From: Jericho Date: Mon, 9 Jan 2017 21:44:32 -0700 Subject: typo in changelog --- RELNOTES | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELNOTES b/RELNOTES index a14200a0f..e00eaee00 100644 --- a/RELNOTES +++ b/RELNOTES 
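Review bot: `read-only ${HOME}/.mutt/muttrc` protects only that one file, while mutt's `source` directive pulls further configuration from other files, commonly under `~/.mutt/`, which stay writable from the sandbox. Unless cache files are expected to live there, `read-only ${HOME}/.mutt` would cover the whole configuration directory; otherwise a comment naming the files deliberately left writable would document the gap.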
@@ -6,7 +6,7 @@ firejail (0.9.45) baseline; urgency=low allows a full bypass of seccomp filter; problem reported by Lizzie Dixon (CVE-2017-5206) * security: overwrite /etc/resolv.conf found by Martin Carpenter (CVE-2016-10118) - * secuirty: TOCTOU exploit for --get and --put found by Daniel Hodson + * security: TOCTOU exploit for --get and --put found by Daniel Hodson * security: invalid environment exploit found by Martin Carpenter (CVE-2016-10122) * security: split most of networking code in a separate executable * security: split seccomp filter code configuration in a separate executable -- cgit v1.2.3-70-g09d2 From 9aa81442afc6e00ca177bf0e3e7a025195102f7d Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 10 Jan 2017 10:07:20 -0500 Subject: security fix --- src/firejail/firejail.h | 2 + src/firejail/fs_home.c | 148 +++++++++++----------------------------------- src/firejail/pulseaudio.c | 1 + src/firejail/util.c | 46 ++++++++++++++ 4 files changed, 85 insertions(+), 112 deletions(-) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 36cf47435..a8208233f 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -450,6 +450,8 @@ void logmsg(const char *msg); void logargs(int argc, char **argv) ; void logerr(const char *msg); int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode); +void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode); +void touch_file_as_user(const char *fname, uid_t uid, gid_t gid, mode_t mode); int is_dir(const char *fname); int is_link(const char *fname); char *line_remove_spaces(const char *buf); diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 4de082b06..e4b19d5cc 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c 
@@ -42,19 +42,17 @@ static void skel(const char *homedir, uid_t u, gid_t g) { // don't copy it if we already have the file if (stat(fname, &s) == 0) return; + if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat + fprintf(stderr, "Error: invalid %s file\n", fname); + exit(1); + } if (stat("/etc/skel/.zshrc", &s) == 0) { - if (copy_file("/etc/skel/.zshrc", fname, u, g, 0644) == 0) { - fs_logger("clone /etc/skel/.zshrc"); - } + copy_file_as_user("/etc/skel/.zshrc", fname, u, g, 0644); + fs_logger("clone /etc/skel/.zshrc"); } - else { // - FILE *fp = fopen(fname, "w"); - if (fp) { - fprintf(fp, "\n"); - SET_PERMS_STREAM(fp, u, g, S_IRUSR | S_IWUSR); - fclose(fp); - fs_logger2("touch", fname); - } + else { + touch_file_as_user(fname, u, g, 0644); + fs_logger2("touch", fname); } free(fname); } @@ -64,23 +62,21 @@ static void skel(const char *homedir, uid_t u, gid_t g) { if (asprintf(&fname, "%s/.cshrc", homedir) == -1) errExit("asprintf"); struct stat s; + // don't copy it if we already have the file if (stat(fname, &s) == 0) return; + if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat + fprintf(stderr, "Error: invalid %s file\n", fname); + exit(1); + } if (stat("/etc/skel/.cshrc", &s) == 0) { - if (copy_file("/etc/skel/.cshrc", fname, u, g, 0644) == 0) { - fs_logger("clone /etc/skel/.cshrc"); - } + copy_file_as_user("/etc/skel/.cshrc", fname, u, g, 0644); + fs_logger("clone /etc/skel/.cshrc"); } - else { // - /* coverity[toctou] */ - FILE *fp = fopen(fname, "w"); - if (fp) { - fprintf(fp, "\n"); - SET_PERMS_STREAM(fp, u, g, S_IRUSR | S_IWUSR); - fclose(fp); - fs_logger2("touch", fname); - } + else { + touch_file_as_user(fname, u, g, 0644); + fs_logger2("touch", fname); } free(fname); } 
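Review bot: `fs_logger("clone /etc/skel/.zshrc")` now runs unconditionally because copy_file_as_user has no return value, whereas the old code logged only when copy_file succeeded; the same holds for the .cshrc branch here, the .bashrc branch, and the store_xauthority, store_asoundrc, copy_xauthority and copy_asoundrc call sites in this file, where `return 1; // file copied` is also reached after a failed copy. Until the helper reports a status, a comment such as `// logged even if the unprivileged copy failed; the child only prints a warning` would keep readers from trusting the log. The touched file's mode also changes from `S_IRUSR | S_IWUSR` to `0644` in the `touch_file_as_user` calls; if intended, say so on that line.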
@@ -93,10 +89,13 @@ static void skel(const char *homedir, uid_t u, gid_t g) { // don't copy it if we already have the file if (stat(fname, &s) == 0) return; + if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat + fprintf(stderr, "Error: invalid %s file\n", fname); + exit(1); + } if (stat("/etc/skel/.bashrc", &s) == 0) { - if (copy_file("/etc/skel/.bashrc", fname, u, g, 0644) == 0) { - fs_logger("clone /etc/skel/.bashrc"); - } + copy_file_as_user("/etc/skel/.bashrc", fname, u, g, 0644); + fs_logger("clone /etc/skel/.bashrc"); } free(fname); } @@ -106,7 +105,7 @@ static int store_xauthority(void) { // put a copy of .Xauthority in XAUTHORITY_FILE char *src; char *dest = RUN_XAUTHORITY_FILE; - // create an empty file + // create an empty file as root, and change ownership to user FILE *fp = fopen(dest, "w"); if (fp) { fprintf(fp, "\n"); @@ -124,27 +123,8 @@ static int store_xauthority(void) { return 0; } - pid_t child = fork(); - if (child < 0) - errExit("fork"); - if (child == 0) { - // drop privileges - drop_privs(0); - - // copy, set permissions and ownership - int rv = copy_file(src, dest, getuid(), getgid(), 0600); - if (rv) - fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n"); - else { - fs_logger2("clone", dest); - } -#ifdef HAVE_GCOV - __gcov_flush(); -#endif - _exit(0); - } - // wait for the child to finish - waitpid(child, NULL, 0); + copy_file_as_user(src, dest, getuid(), getgid(), 0600); + fs_logger2("clone", dest); return 1; // file copied } @@ -152,9 +132,10 @@ static int store_xauthority(void) { } static int store_asoundrc(void) { + // put a copy of .Xauthority in XAUTHORITY_FILE char *src; char *dest = RUN_ASOUNDRC_FILE; - // create an empty file + // create an empty file as root, and change ownership to user FILE *fp = fopen(dest, "w"); if (fp) { fprintf(fp, "\n"); 
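Review bot: The comment added at the top of store_asoundrc, `// put a copy of .Xauthority in XAUTHORITY_FILE`, is copied from store_xauthority and describes the wrong file; it should read `// put a copy of .asoundrc in RUN_ASOUNDRC_FILE`. The reworded `// create an empty file as root, and change ownership to user` comment would be more useful if it also said why — presumably so the unprivileged child can open a file inside the root-owned run directory; confirm and state it.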
@@ -182,27 +163,8 @@ static int store_asoundrc(void) { free(rp); } - pid_t child = fork(); - if (child < 0) - errExit("fork"); - if (child == 0) { - // drop privileges - drop_privs(0); - - // copy, set permissions and ownership - int rv = copy_file(src, dest, getuid(), getgid(), 0644); - if (rv) - fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n"); - else { - fs_logger2("clone", dest); - } -#ifdef HAVE_GCOV - __gcov_flush(); -#endif - _exit(0); - } - // wait for the child to finish - waitpid(child, NULL, 0); + copy_file_as_user(src, dest, getuid(), getgid(), 0644); + fs_logger2("clone", dest); return 1; // file copied } @@ -222,27 +184,8 @@ static void copy_xauthority(void) { exit(1); } - pid_t child = fork(); - if (child < 0) - errExit("fork"); - if (child == 0) { - // drop privileges - drop_privs(0); - - // copy, set permissions and ownership - int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); - if (rv) - fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n"); - else { - fs_logger2("clone", dest); - } -#ifdef HAVE_GCOV - __gcov_flush(); -#endif - _exit(0); - } - // wait for the child to finish - waitpid(child, NULL, 0); + copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); + fs_logger2("clone", dest); // delete the temporary file unlink(src); 
@@ -261,27 +204,8 @@ static void copy_asoundrc(void) { exit(1); } - pid_t child = fork(); - if (child < 0) - errExit("fork"); - if (child == 0) { - // drop privileges - drop_privs(0); - - // copy, set permissions and ownership - int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); - if (rv) - fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n"); - else { - fs_logger2("clone", dest); - } -#ifdef HAVE_GCOV - __gcov_flush(); -#endif - _exit(0); - } - // wait for the child to finish - waitpid(child, NULL, 0); + copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); + fs_logger2("clone", dest); // delete the temporary file unlink(src); diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index 14a7f03dd..f0f95a80e 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c @@ -22,6 +22,7 @@ #include #include #include +#include static void disable_file(const char *path, const char *file) { assert(file); diff --git a/src/firejail/util.c b/src/firejail/util.c index 5b94aa288..2d3563093 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c @@ -28,6 +28,7 @@ #include #include #include +#include #define MAX_GROUPS 1024 // drop privileges 
@@ -218,6 +219,51 @@ int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, m return 0; } +// return -1 if error, 0 if no error +void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) { + pid_t child = fork(); + if (child < 0) + errExit("fork"); + if (child == 0) { + // drop privileges + drop_privs(0); + + // copy, set permissions and ownership + int rv = copy_file(srcname, destname, uid, gid, mode); + if (rv) + fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n"); +#ifdef HAVE_GCOV + __gcov_flush(); +#endif + _exit(0); + } + // wait for the child to finish + waitpid(child, NULL, 0); +} + +// return -1 if error, 0 if no error +void touch_file_as_user(const char *fname, uid_t uid, gid_t gid, mode_t mode) { + pid_t child = fork(); + if (child < 0) + errExit("fork"); + if (child == 0) { + // drop privileges + drop_privs(0); + + FILE *fp = fopen(fname, "w"); + if (fp) { + fprintf(fp, "\n"); + SET_PERMS_STREAM(fp, uid, gid, mode); + fclose(fp); + } +#ifdef HAVE_GCOV + __gcov_flush(); +#endif + _exit(0); + } + // wait for the child to finish + waitpid(child, NULL, 0); +} // return 1 if the file is a directory int is_dir(const char *fname) { -- cgit v1.2.3-70-g09d2 From a119058e87f8b6a25ca5a59e25837410caa118f7 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 10 Jan 2017 14:19:45 -0500 Subject: copy_file cleanup --- src/firejail/fs.c | 2 +- src/firejail/fs_home.c | 14 +++++++------- src/firejail/ls.c | 8 ++++---- src/firejail/preproc.c | 8 ++++---- src/firejail/pulseaudio.c | 2 +- src/firejail/util.c | 2 +- 6 files changed, 18 insertions(+), 18 deletions(-) diff --git a/src/firejail/fs.c b/src/firejail/fs.c index e2fc09533..0c643af4a 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c 
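Review bot: The warning inside copy_file_as_user names `.Xauthority` for every caller, although the helper now also copies the skel files and `.asoundrc`; printing the source path instead avoids misleading output. Both new functions are declared `void` yet carry the comment `// return -1 if error, 0 if no error`, and the child always calls `_exit(0)`, so the parent's `waitpid(child, NULL, 0)` learns nothing and callers cannot tell whether the file was written. Returning the child's exit status (with the matching prototype change in firejail.h) makes the comment true; touch_file_as_user can follow the same shape.
```c
// Returns 0 on success, -1 if the unprivileged child could not copy the file.
int copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) {
	// … unchanged: fork, drop_privs(0) in the child …
		int rv = copy_file(srcname, destname, uid, gid, mode);
		if (rv)
			fprintf(stderr, "Warning: cannot transfer %s in private home directory\n", srcname);
	// … unchanged: __gcov_flush() under HAVE_GCOV …
		_exit(rv ? 1 : 0);
	}
	// wait for the child and hand its exit status to the caller
	int status = 0;
	if (waitpid(child, &status, 0) == -1)
		errExit("waitpid");
	return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```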
@@ -1129,7 +1129,7 @@ void fs_chroot(const char *rootdir) { fprintf(stderr, "Error: invalid %s file\n", fname); exit(1); } - if (copy_file("/etc/resolv.conf", fname, 0, 0, 0644) == -1) + if (copy_file("/etc/resolv.conf", fname, 0, 0, 0644) == -1) // root needed fprintf(stderr, "Warning: /etc/resolv.conf not initialized\n"); } diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index e4b19d5cc..8a52314ed 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c @@ -47,7 +47,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) { exit(1); } if (stat("/etc/skel/.zshrc", &s) == 0) { - copy_file_as_user("/etc/skel/.zshrc", fname, u, g, 0644); + copy_file_as_user("/etc/skel/.zshrc", fname, u, g, 0644); // regular user fs_logger("clone /etc/skel/.zshrc"); } else { @@ -71,7 +71,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) { exit(1); } if (stat("/etc/skel/.cshrc", &s) == 0) { - copy_file_as_user("/etc/skel/.cshrc", fname, u, g, 0644); + copy_file_as_user("/etc/skel/.cshrc", fname, u, g, 0644); // regular user fs_logger("clone /etc/skel/.cshrc"); } else { @@ -94,7 +94,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) { exit(1); } if (stat("/etc/skel/.bashrc", &s) == 0) { - copy_file_as_user("/etc/skel/.bashrc", fname, u, g, 0644); + copy_file_as_user("/etc/skel/.bashrc", fname, u, g, 0644); // regular user fs_logger("clone /etc/skel/.bashrc"); } free(fname); @@ -123,7 +123,7 @@ static int store_xauthority(void) { return 0; } - copy_file_as_user(src, dest, getuid(), getgid(), 0600); + copy_file_as_user(src, dest, getuid(), getgid(), 0600); // regular user fs_logger2("clone", dest); return 1; // file copied } @@ -163,7 +163,7 @@ static int store_asoundrc(void) { free(rp); } - copy_file_as_user(src, dest, getuid(), getgid(), 0644); + copy_file_as_user(src, dest, getuid(), getgid(), 0644); // regular user fs_logger2("clone", dest); return 1; // file copied } 
@@ -184,7 +184,7 @@ static void copy_xauthority(void) { exit(1); } - copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); + copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user fs_logger2("clone", dest); // delete the temporary file @@ -204,7 +204,7 @@ static void copy_asoundrc(void) { exit(1); } - copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); + copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user fs_logger2("clone", dest); // delete the temporary file diff --git a/src/firejail/ls.c b/src/firejail/ls.c index 77eb35f97..1af56751a 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c @@ -336,7 +336,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { drop_privs(0); // copy the file - if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) + if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user _exit(1); #ifdef HAVE_GCOV __gcov_flush(); @@ -362,7 +362,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { drop_privs(0); // copy the file - if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) + if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user _exit(1); #ifdef HAVE_GCOV __gcov_flush(); @@ -411,7 +411,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { drop_privs(0); // copy the file - if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) + if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user _exit(1); #ifdef HAVE_GCOV __gcov_flush(); @@ -443,7 +443,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { drop_privs(0); // copy the file - if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) + if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user _exit(1); #ifdef HAVE_GCOV __gcov_flush(); 
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c index d2db7d3dd..e17f39caa 100644 --- a/src/firejail/preproc.c +++ b/src/firejail/preproc.c @@ -76,12 +76,12 @@ void preproc_mount_mnt_dir(void) { fs_logger2("tmpfs", RUN_MNT_DIR); //copy defaultl seccomp files - copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644); - copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644); + copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644); // root needed + copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644); // root needed if (arg_allow_debuggers) - copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); + copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed else - copy_file(PATH_SECCOMP_DEFAULT, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); + copy_file(PATH_SECCOMP_DEFAULT, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed // as root, create an empty RUN_SECCOMP_PROTOCOL file create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644); diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index f0f95a80e..4ec84ec61 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c @@ -114,7 +114,7 @@ void pulseaudio_init(void) { char *pulsecfg = NULL; if (asprintf(&pulsecfg, "%s/client.conf", RUN_PULSE_DIR) == -1) errExit("asprintf"); - if (copy_file("/etc/pulse/client.conf", pulsecfg, -1, -1, 0644)) + if (copy_file("/etc/pulse/client.conf", pulsecfg, -1, -1, 0644)) // root needed errExit("copy_file"); FILE *fp = fopen(pulsecfg, "a+"); if (!fp) diff --git a/src/firejail/util.c b/src/firejail/util.c index 2d3563093..763e6b58b 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c 
@@ -229,7 +229,7 @@ void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid drop_privs(0); // copy, set permissions and ownership - int rv = copy_file(srcname, destname, uid, gid, mode); + int rv = copy_file(srcname, destname, uid, gid, mode); // already a regular user if (rv) fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n"); #ifdef HAVE_GCOV -- cgit v1.2.3-70-g09d2 From 4ac3130b78293b799314138e4e335c5036aeee8a Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 10 Jan 2017 14:29:44 -0500 Subject: chroot tightening --- src/firejail/firejail.h | 2 +- src/firejail/fs.c | 78 +++++++++++++++++++++++++++++++++++++------------ src/firejail/main.c | 7 ++--- 3 files changed, 63 insertions(+), 24 deletions(-) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index a8208233f..586cfd65e 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -403,7 +403,7 @@ char *fs_check_overlay_dir(const char *subdirname, int allow_reuse); void fs_overlayfs(void); // chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf void fs_chroot(const char *rootdir); -int fs_check_chroot_dir(const char *rootdir); +void fs_check_chroot_dir(const char *rootdir); // profile.c // find and read the profile specified by name from dir directory diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 0c643af4a..d7764accd 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c 
@@ -994,20 +994,25 @@ void fs_overlayfs(void) { #ifdef HAVE_CHROOT // return 1 if error -int fs_check_chroot_dir(const char *rootdir) { +void fs_check_chroot_dir(const char *rootdir) { EUID_ASSERT(); assert(rootdir); struct stat s; char *name; + if (strcmp(rootdir, "/tmp") == 0 || strcmp(rootdir, "/var/tmp") == 0) { + fprintf(stderr, "Error: invalid chroot directory\n"); + exit(1); + } + // rootdir has to be owned by root if (stat(rootdir, &s) != 0) { fprintf(stderr, "Error: cannot find chroot directory\n"); - return 1; + exit(1); } if (s.st_uid != 0) { fprintf(stderr, "Error: chroot directory should be owned by root\n"); - return 1; + exit(1); } // check /dev @@ -1015,7 +1020,11 @@ int fs_check_chroot_dir(const char *rootdir) { errExit("asprintf"); if (stat(name, &s) == -1) { fprintf(stderr, "Error: cannot find /dev in chroot directory\n"); - return 1; + exit(1); + } + if (s.st_uid != 0) { + fprintf(stderr, "Error: chroot /dev directory should be owned by root\n"); + exit(1); } free(name); @@ -1024,7 +1033,11 @@ int fs_check_chroot_dir(const char *rootdir) { errExit("asprintf"); if (stat(name, &s) == -1) { fprintf(stderr, "Error: cannot find /var/tmp in chroot directory\n"); - return 1; + exit(1); + } + if (s.st_uid != 0) { + fprintf(stderr, "Error: chroot /var/tmp directory should be owned by root\n"); + exit(1); } free(name); @@ -1033,7 +1046,11 @@ int fs_check_chroot_dir(const char *rootdir) { errExit("asprintf"); if (stat(name, &s) == -1) { fprintf(stderr, "Error: cannot find /proc in chroot directory\n"); - return 1; + exit(1); + } + if (s.st_uid != 0) { + fprintf(stderr, "Error: chroot /proc directory should be owned by root\n"); + exit(1); } free(name); 
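Review bot: The context line `// return 1 if error` directly above the changed signature is now wrong — the function returns void and every failure path calls `exit(1)` — and should read `// validate chroot directory layout and ownership; exits on any error`. The new `/tmp` and `/var/tmp` exclusion is an exact strcmp, so it only works because main.c (later hunk in this commit) now stores the realpath-resolved path in `cfg.chrootdir`; a comment next to the strcmp stating that dependency would stop someone from passing an unresolved path later. All checks here are `stat()` by path and the chroot itself happens later in fs_chroot, so if a parent of rootdir is writable by the invoking user the checked tree is not necessarily the one that gets used; at minimum the function should document that it assumes a root-owned path prefix. fs_check_chroot_dir continues past this hunk.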
@@ -1042,18 +1059,41 @@ int fs_check_chroot_dir(const char *rootdir) { errExit("asprintf"); if (stat(name, &s) == -1) { fprintf(stderr, "Error: cannot find /tmp in chroot directory\n"); - return 1; + exit(1); + } + if (s.st_uid != 0) { + fprintf(stderr, "Error: chroot /tmp directory should be owned by root\n"); + exit(1); } free(name); - // check /bin/bash -// if (asprintf(&name, "%s/bin/bash", rootdir) == -1) -// errExit("asprintf"); -// if (stat(name, &s) == -1) { -// fprintf(stderr, "Error: cannot find /bin/bash in chroot directory\n"); -// return 1; -// } -// free(name); + // check /etc + if (asprintf(&name, "%s/etc", rootdir) == -1) + errExit("asprintf"); + if (stat(name, &s) == -1) { + fprintf(stderr, "Error: cannot find /etc in chroot directory\n"); + exit(1); + } + if (s.st_uid != 0) { + fprintf(stderr, "Error: chroot /etc directory should be owned by root\n"); + exit(1); + } + free(name); + + // check /etc/resolv.conf + if (asprintf(&name, "%s/etc/resolv.conf", rootdir) == -1) + errExit("asprintf"); + if (stat(name, &s) == 0) { + if (s.st_uid != 0) { + fprintf(stderr, "Error: chroot /etc/resolv.conf should be owned by root\n"); + exit(1); + } + } + if (is_link(name)) { + fprintf(stderr, "Error: invalid %s file\n", name); + exit(1); + } + free(name); // check x11 socket directory if (getenv("FIREJAIL_X11")) { @@ -1063,12 +1103,14 @@ int fs_check_chroot_dir(const char *rootdir) { errExit("asprintf"); if (stat(name, &s) == -1) { fprintf(stderr, "Error: cannot find /tmp/.X11-unix in chroot directory\n"); - return 1; + exit(1); + } + if (s.st_uid != 0) { + fprintf(stderr, "Error: chroot /tmp/.X11-unix directory should be owned by root\n"); + exit(1); } free(name); } - - return 0; } // chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf diff --git a/src/firejail/main.c b/src/firejail/main.c index 3a347b3d9..84bf5e8e6 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c 
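Review bot: In the new /etc/resolv.conf check the nested test can be one condition, `if (stat(name, &s) == 0 && s.st_uid != 0) {`, matching the shape of the other checks in this function. Refusing any symlinked resolv.conf (the `is_link(name)` branch) will reject chroots whose resolv.conf is a symlink into a resolver daemon's state directory, which is a common layout; if that is deliberate, a comment such as `// a symlinked resolv.conf could point outside the chroot; refuse it` would record the reason. The function ends in the following hunk (`@@ -1063,12 +1103,14 @@`), which removes the final `return 0`.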
@@ -1468,13 +1468,10 @@ int main(int argc, char **argv) { fprintf(stderr, "Error: invalid chroot directory\n"); exit(1); } - free(rpath); + cfg.chrootdir = rpath; // check chroot directory structure - if (fs_check_chroot_dir(cfg.chrootdir)) { - fprintf(stderr, "Error: invalid chroot\n"); - exit(1); - } + fs_check_chroot_dir(cfg.chrootdir); } else exit_err_feature("chroot"); -- cgit v1.2.3-70-g09d2 From 067ece23e9298008d9008cab9cdda4686cdd5d7a Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 11 Jan 2017 12:27:45 -0500 Subject: merges --- README | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README b/README index c94560026..04b4f56f5 100644 --- a/README +++ b/README @@ -97,6 +97,8 @@ valoq (https://github.com/valoq) - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles - added wget profile - disable gnupg and systemd directories under /run/user +Jericho (https://github.com/attritionorg) + - spelling Pixel Fairy (https://github.com/xahare) - added fjclip.py, fjdisplay.py and fjresize.py in contrib section pshpsh (https://github.com/pshpsh) @@ -108,6 +110,7 @@ thewisenerd (https://github.com/thewisenerd) - use $SHELL variable if the shell is not specified SYN-cook (https://github.com/SYN-cook) - keepass/keepassx browser fixes + - disable-common.inc fixes thewisenerd (https://github.com/thewisenerd) - appimage: pass commandline arguments KOLANICH (https://github.com/KOLANICH) @@ -217,6 +220,8 @@ KellerFuchs (https://github.com/KellerFuchs) - nonewpriv support, extended profiles for this feature - make `restricted-network` prevent use of netfilter - disable-common.inc additions + - make mutt and msmtp's rc files read-only + - added support for .local profile files in /etc/firejail ValdikSS (https://github.com/ValdikSS) - Psi+, Corebird, Konversation profiles - various profile fixes 
@@ -296,6 +301,7 @@ Ivan Kozik (https://github.com/ivan) - speed up sandbox exit Christian Stadelmann (https://github.com/genodeftest) - profile fixes + - evolution profile fix pirate486743186 (https://github.com/pirate486743186) - KMail profile Kaan Genç (https://github.com/SeriousBug) -- cgit v1.2.3-70-g09d2 From e8431db16eb326a489e3f23bea749617bc670baa Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 11 Jan 2017 14:00:33 -0500 Subject: temoprary fix for local profile feature --- src/firejail/profile.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/firejail/profile.c b/src/firejail/profile.c index fab4f1efa..f328f71ef 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -1018,7 +1018,7 @@ void profile_read(const char *fname) { FILE *fp = fopen(fname, "r"); if (fp == NULL) { fprintf(stderr, "Error: cannot open profile file %s\n", fname); - exit(1); + return; } int msg_printed = 0; -- cgit v1.2.3-70-g09d2 From 17ba8d39620e3b3b2c6814ac0ee8e69785cf98a8 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 11 Jan 2017 14:11:36 -0500 Subject: fix --- src/firejail/profile.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/firejail/profile.c b/src/firejail/profile.c index f328f71ef..33b6eab91 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -1017,8 +1017,13 @@ void profile_read(const char *fname) { // open profile file: FILE *fp = fopen(fname, "r"); if (fp == NULL) { + // if the file ends in ".local", do not exit + char *ptr = strstr(fname, ".local"); + if (ptr && strlen(ptr) == 6) + return; + fprintf(stderr, "Error: cannot open profile file %s\n", fname); - return; + exit(1); } int msg_printed = 0; -- cgit v1.2.3-70-g09d2 From f12f4756c822b786547f29b5f88f389ba4dd6b6c Mon Sep 17 00:00:00 2001 
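Review bot: The `.local` test in the second profile.c hunk (`@@ -1017,8 +1017,13 @@`) is not a suffix test: `strstr(fname, ".local")` returns the first occurrence, so a path such as `${HOME}/.local/profiles/foo.local` matches at `.local/profiles/...`, `strlen(ptr) != 6`, and the missing file is treated as fatal although the name ends in `.local` exactly as the comment intends. Compare the tail of the string instead: `size_t len = strlen(fname);` / `if (len >= 6 && strcmp(fname + len - 6, ".local") == 0) return;`. The silent `return` also hides a `.local` file that exists but cannot be opened for a reason other than absence; checking `errno == ENOENT` before returning keeps permission problems visible. profile_read continues outside the hunk.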
From: The Fox in the Shell Date: Tue, 10 Jan 2017 00:26:11 +0100 Subject: disable-common: Make directories commonly found in $PATH read-only --- etc/disable-common.inc | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index efe5c850d..78698782b 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -117,8 +117,11 @@ read-only ${HOME}/.reportbugrc read-only ${HOME}/.xmonad read-only ${HOME}/.xscreensaver -# The user ~/bin directory can override commands such as ls +# Make directories commonly found in $PATH read-only read-only ${HOME}/bin +read-only ${HOME}/.gem +read-only ${HOME}/.luarocks +read-only ${HOME}/.npm-packages # top secret blacklist ${HOME}/.ecryptfs -- cgit v1.2.3-70-g09d2 From cbb8417abad24234979c6ade8ef87f764b2ad791 Mon Sep 17 00:00:00 2001 From: The Fox in the Shell Date: Thu, 12 Jan 2017 00:21:52 +0100 Subject: disable-common: Make ~/.local read-only --- etc/disable-common.inc | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 78698782b..184885c7f 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -123,6 +123,11 @@ read-only ${HOME}/.gem read-only ${HOME}/.luarocks read-only ${HOME}/.npm-packages +# Make the contents of ~/.local read-only, +# except the commonly-used ~/.local/share +read-only ${HOME}/.local +read-write ${HOME}/.local/share + # top secret blacklist ${HOME}/.ecryptfs blacklist ${HOME}/.Private -- cgit v1.2.3-70-g09d2 From 385ce504eaf504316d9579fdefbf4ada2ff9105e Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 11 Jan 2017 19:43:07 -0500 Subject: copy_file cleanup --- src/firejail/x11.c | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 91017237d..4e0b46fb8 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c 
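Review bot: Two directories that are also commonly on $PATH are not covered by the new read-only lines: `${HOME}/.cargo/bin` and `${HOME}/.local/bin`. The following commit makes `${HOME}/.local` read-only as a whole, which takes care of the second, so only `read-only ${HOME}/.cargo/bin` would remain to add here. The rewritten comment drops the rationale the old one carried; `# Make directories commonly found in $PATH read-only; a writable one can override commands such as ls` keeps it.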
@@ -653,11 +653,7 @@ void x11_xorg(void) { struct stat s; if (stat(dest, &s) == -1) { // create an .Xauthority file - FILE *fp = fopen(dest, "w"); - if (!fp) - errExit("fopen"); - SET_PERMS_STREAM(fp, getuid(), getgid(), 0600); - fclose(fp); + touch_file_as_user(dest, getuid(), getgid(), 0600); } // check xauth utility is present in the system @@ -666,6 +662,10 @@ void x11_xorg(void) { exit(1); } + // temporarily mount a tempfs on top of /tmp directory + if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0) + errExit("mounting /tmp"); + // create a temporary .Xauthority file char tmpfname[] = "/tmp/.tmpXauth-XXXXXX"; int fd = mkstemp(tmpfname); @@ -673,9 +673,9 @@ void x11_xorg(void) { fprintf(stderr, "Error: cannot create .Xauthority file\n"); exit(1); } - close(fd); - if (chown(tmpfname, getuid(), getgid()) == -1) + if (fchown(fd, getuid(), getgid()) == -1) errExit("chown"); + close(fd); pid_t child = fork(); if (child < 0) @@ -713,7 +713,7 @@ void x11_xorg(void) { // move the temporary file in RUN_XAUTHORITY_SEC_FILE in order to have it deleted // automatically when the sandbox is closed - if (copy_file(tmpfname, RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600)) { + if (copy_file(tmpfname, RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600)) { // root needed fprintf(stderr, "Error: cannot create the new .Xauthority file\n"); exit(1); } @@ -730,5 +730,8 @@ void x11_xorg(void) { if (set_perms(dest, getuid(), getgid(), 0600)) errExit("set_perms"); free(dest); + + // unmount /tmp + umount("/tmp"); #endif } -- cgit v1.2.3-70-g09d2 From c80e89e8a76a3f25e6b629683f39bf383d4f69f0 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 12 Jan 2017 10:02:29 -0500 Subject: Gentoo compile fix --- README | 2 ++ RELNOTES | 1 + src/firejail/fs_dev.c | 1 + 3 files changed, 4 insertions(+) diff --git a/README b/README index 04b4f56f5..67d9a555f 100644 --- a/README +++ b/README 
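Review bot: The `umount("/tmp")` added in the last hunk of this file (`@@ -730,5 +730,8 @@`) ignores its return value, so if the unmount fails the sandbox keeps running with the temporary tmpfs hiding the real /tmp and nothing is reported; `if (umount("/tmp") == -1) errExit("umount /tmp");` would match how the mount in this hunk is handled. Between the mount and that umount there are several `exit(1)` paths ("cannot create .Xauthority file", "cannot create the new .Xauthority file") that leave the tmpfs mounted; whether that matters depends on whether x11_xorg already runs in the sandbox's own mount namespace, which the hunk does not show. Two smaller points on the mount line: `MS_REC` has no effect on a fresh tmpfs mount (it qualifies bind and propagation changes), and `mode=777` creates a world-writable directory without the sticky bit, where `mode=1777` is the conventional /tmp mode. x11_xorg starts before the first hunk of this file.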
@@ -97,6 +97,8 @@ valoq (https://github.com/valoq) - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles - added wget profile - disable gnupg and systemd directories under /run/user +Mike Frysinger (vapier@gentoo.org) + - Gentoo compile patch Jericho (https://github.com/attritionorg) - spelling Pixel Fairy (https://github.com/xahare) diff --git a/RELNOTES b/RELNOTES index e00eaee00..55877f424 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,5 +1,6 @@ firejail (0.9.45) baseline; urgency=low * development version, work in progress + * Gentoo compile patch * security: --bandwidth root shell found by Martin Carpenter (CVE-2017-5207) * security: disabled --allow-debuggers when running on kernel versions prior to 4.8; a kernel bug in ptrace system call diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index d710e98f2..f429a3bd6 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c @@ -28,6 +28,7 @@ #ifndef _BSD_SOURCE #define _BSD_SOURCE #endif +#include #include typedef struct { -- cgit v1.2.3-70-g09d2 From 5440bc47971bfbe0db570283973bafb0b2486e69 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 12 Jan 2017 20:10:17 -0500 Subject: cleanup --- src/firejail/fs.c | 36 ++++++++++++++++++++++++++++++++++-- src/firejail/fs_mkdir.c | 29 ++--------------------------- src/firejail/util.c | 2 +- 3 files changed, 37 insertions(+), 30 deletions(-) diff --git a/src/firejail/fs.c b/src/firejail/fs.c index d7764accd..0da4cc111 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c 
@@ -711,10 +711,36 @@ char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) { // create ~/.firejail directory if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1) errExit("asprintf"); + + if (is_link(dirname)) { + fprintf(stderr, "Error: invalid ~/.firejail directory\n"); + exit(1); + } if (stat(dirname, &s) == -1) { - mkdir_attr(dirname, 0700, 0, 0); + // create directory + pid_t child = fork(); + if (child < 0) + errExit("fork"); + if (child == 0) { + // drop privileges + drop_privs(0); + + // create directory + if (mkdir(dirname, 0700)) + errExit("mkdir"); + if (chmod(dirname, 0700) == -1) + errExit("chmod"); + ASSERT_PERMS(dirname, getuid(), getgid(), 0700); + _exit(0); + } + // wait for the child to finish + waitpid(child, NULL, 0); + if (stat(dirname, &s) == -1) { + fprintf(stderr, "Error: cannot create ~/.firejail directory\n"); + exit(1); + } } - else if (is_link(dirname)) { + else if (s.st_uid != getuid()) { fprintf(stderr, "Error: invalid ~/.firejail directory\n"); exit(1); } @@ -1141,10 +1167,16 @@ void fs_chroot(const char *rootdir) { free(newx11); } + // some older distros don't have a /run directory + // create one by default // create /run/firejail directory in chroot char *rundir; if (asprintf(&rundir, "%s/run", rootdir) == -1) errExit("asprintf"); + if (is_link(rundir)) { + fprintf(stderr, "Error: invalid run directory inside chroot\n"); + exit(1); + } create_empty_dir_as_root(rundir, 0755); free(rundir); if (asprintf(&rundir, "%s/run/firejail", rootdir) == -1) diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c index 5b6ceae90..d29f58a58 100644 --- a/src/firejail/fs_mkdir.c +++ b/src/firejail/fs_mkdir.c 
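Review bot: After the child that creates `~/.firejail` finishes, the parent ignores its exit status (`waitpid(child, NULL, 0)`) and re-checks the path with `stat()`, which follows symlinks; the `is_link(dirname)` test only ran before the fork, and the `else if (s.st_uid != getuid())` ownership check applies only to the pre-existing case, so a link or foreign-owned directory that appears while the child runs passes even though the child's `mkdir` failed. Checking the status, `int status; if (waitpid(child, &status, 0) == -1 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)` → print the existing "cannot create ~/.firejail directory" error and exit, and repeating the `is_link()` and uid checks after the wait would close both gaps. Unlike the fork pattern it mirrors in fs_mkdir.c, this child does not call `__gcov_flush()` before `_exit(0)`, which matters only for coverage builds. fs_check_overlay_dir starts before this hunk.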
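Review bot: The new `is_link(rundir)` guard in the fs_chroot hunk (`@@ -1141,10 +1167,16 @@`) covers `%s/run`, but the `%s/run/firejail` path built on the hunk's last context line gets no equivalent check in what is visible here; since `/run` is not among the directories whose ownership fs_check_chroot_dir verifies, I would apply the same `is_link` test before the second `create_empty_dir_as_root` call (the rest of fs_chroot is outside this hunk). The three comment lines `// some older distros don't have a /run directory` / `// create one by default` / `// create /run/firejail directory in chroot` run into each other; one sentence such as `// create /run and /run/firejail in the chroot (older distros may lack /run)` reads better. fs_chroot starts before this hunk.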
@@ -112,33 +112,8 @@ void fs_mkfile(const char *name) { } // create file - pid_t child = fork(); - if (child < 0) - errExit("fork"); - if (child == 0) { - // drop privileges - drop_privs(0); - - /* coverity[toctou] */ - FILE *fp = fopen(expanded, "w"); - if (!fp) - fprintf(stderr, "Warning: cannot create %s file\n", expanded); - else { - int fd = fileno(fp); - if (fd == -1) - errExit("fileno"); - int rv = fchmod(fd, 0600); - (void) rv; - fclose(fp); - } -#ifdef HAVE_GCOV - __gcov_flush(); -#endif - _exit(0); - } - // wait for the child to finish - waitpid(child, NULL, 0); - + touch_file_as_user(expanded, getuid(), getgid(), 0600); + doexit: free(expanded); } diff --git a/src/firejail/util.c b/src/firejail/util.c index 763e6b58b..10000e912 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c @@ -231,7 +231,7 @@ void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid // copy, set permissions and ownership int rv = copy_file(srcname, destname, uid, gid, mode); // already a regular user if (rv) - fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n"); + fprintf(stderr, "Warning: cannot copy %s\n", srcname); #ifdef HAVE_GCOV __gcov_flush(); #endif -- cgit v1.2.3-70-g09d2 From b46400ebae74be65080f86eaa4109cae8cf5026f Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 13 Jan 2017 08:31:33 -0500 Subject: nvidia fix --- src/firejail/fs_dev.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index f429a3bd6..bd9b9e828 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c 
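Review bot: The replaced fork block printed `Warning: cannot create %s file` when the open failed, and the new single call `touch_file_as_user(expanded, getuid(), getgid(), 0600);` discards any result it might return, so it is not visible here whether a failure still produces a diagnostic — worth confirming against the helper and, if it returns a status, keeping the warning. The removed `/* coverity[toctou] */` annotation presumably belongs at the helper's open now, if the stat-then-open pattern moved there with it. fs_mkfile starts before this hunk.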
@@ -52,7 +52,7 @@ static DevEntry dev[] = {
 {"/dev/nvidia8", RUN_DEV_DIR "/nvidia8", 0, 1},
 {"/dev/nvidia9", RUN_DEV_DIR "/nvidia9", 0, 1},
 {"/dev/nvidiactl", RUN_DEV_DIR "/nvidiactl", 0, 1},
-{"/dev/nvidia-modset", RUN_DEV_DIR "/nvidia-modset", 0, 1},
+{"/dev/nvidia-modeset", RUN_DEV_DIR "/nvidia-modeset", 0, 1},
 {"/dev/nvidia-uvm", RUN_DEV_DIR "/nvidia-uvm", 0, 1},
 {NULL, NULL, 0, 0}
 };
-- cgit v1.2.3-70-g09d2
From 6a4d18710871320e84b1b888227a7bba17d38c41 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Fri, 13 Jan 2017 08:40:37 -0500
Subject: allow local customization using .local files under /etc/firejail
---
 RELNOTES | 1 +
 etc/disable-common.local | 1 -
 etc/disable-devel.local | 1 -
 etc/disable-passwdmgr.local | 1 -
 etc/disable-programs.local | 1 -
 etc/whitelist-common.local | 1 -
 6 files changed, 1 insertion(+), 5 deletions(-)
 delete mode 100644 etc/disable-common.local
 delete mode 100644 etc/disable-devel.local
 delete mode 100644 etc/disable-passwdmgr.local
 delete mode 100644 etc/disable-programs.local
 delete mode 100644 etc/whitelist-common.local
diff --git a/RELNOTES b/RELNOTES
index 55877f424..7d0bbaf61 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -25,6 +25,7 @@ firejail (0.9.45) baseline; urgency=low
 * feature: --allow-private-blacklist option
 * feature: allow non-seccomp setup for OverlayFS sandboxes
 * feature: added a number o Python scripts for handling sandboxes
+ * feature: allow local customization using .local files under /etc/firejail
 * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire,
 * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
 * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator,
diff --git a/etc/disable-common.local b/etc/disable-common.local
deleted file mode 100644
index c9fbadfaf..000000000
--- a/etc/disable-common.local
+++ /dev/null
@@ -1 +0,0 @@
-# This file is meant for local customizations of disable-common.local
diff --git a/etc/disable-devel.local b/etc/disable-devel.local deleted file mode 100644 index 6ce1a8c75..000000000 --- a/etc/disable-devel.local +++ /dev/null @@ -1 +0,0 @@ -# This file is meant for local customizations of disable-devel.local diff --git a/etc/disable-passwdmgr.local b/etc/disable-passwdmgr.local deleted file mode 100644 index 2a3bb45d3..000000000 --- a/etc/disable-passwdmgr.local +++ /dev/null @@ -1 +0,0 @@ -# This file is meant for local customizations of disable-passwdmgr.local diff --git a/etc/disable-programs.local b/etc/disable-programs.local deleted file mode 100644 index 6c226a331..000000000 --- a/etc/disable-programs.local +++ /dev/null @@ -1 +0,0 @@ -# This file is meant for local customizations of disable-programs.local diff --git a/etc/whitelist-common.local b/etc/whitelist-common.local deleted file mode 100644 index 11ed186ce..000000000 --- a/etc/whitelist-common.local +++ /dev/null @@ -1 +0,0 @@ -# This file is meant for local customizations of whitelist-common.local -- cgit v1.2.3-70-g09d2 From 700f65d869262afcd5180245bf61167b0f64cf4a Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 14 Jan 2017 08:56:15 -0500 Subject: local customization --- src/man/firejail-profile.txt | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index fa522c154..8fd4562b0 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt 
@@ -86,6 +86,10 @@ file in user home directory. Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1" file. +If the file is not found, and the file name does not end in ".local", the sandbox exist immediately +with an error printed on stderr. ".local" files can be used to customize the global configuration +in /etc/firejail directory. These files are not overwritten during software install. + .TP \fBnoblacklist file_name If the file name matches file_name, the file will not be blacklisted in any blacklist commands that follow. -- cgit v1.2.3-70-g09d2 From 15f43d3a6972128b485517192cb5525e4e578028 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 14 Jan 2017 09:43:06 -0500 Subject: fix ASSERT_PERMS_FD macro --- src/firejail/firejail.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 586cfd65e..722d5c05e 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -105,7 +105,7 @@ #define ASSERT_PERMS_FD(fd, uid, gid, mode) \ do { \ struct stat s;\ - if (stat(fd, &s) == -1) errExit("stat");\ + if (fstat(fd, &s) == -1) errExit("fstat");\ assert(s.st_uid == uid);\ assert(s.st_gid == gid);\ assert((s.st_mode & 07777) == (mode));\ -- cgit v1.2.3-70-g09d2 From 6b4193a166cf76999939c1b04f64557d0f8ea28d Mon Sep 17 00:00:00 2001 From: The Fox in the Shell Date: Mon, 16 Jan 2017 23:34:33 +0100 Subject: etc/Cryptocat: Fix missing app name --- etc/Cryptocat.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/Cryptocat.profile b/etc/Cryptocat.profile index 3db34c03c..b61b88f68 100644 --- a/etc/Cryptocat.profile +++ b/etc/Cryptocat.profile @@ -1,4 +1,4 @@ -# Firejail profile for +# Firejail profile for Cryptocat noblacklist ${HOME}/.config/Cryptocat include /etc/firejail/disable-common.inc -- cgit v1.2.3-70-g09d2 From b81376f197dc94ca9bc13f08051d485abe0ff7d0 Mon Sep 17 00:00:00 2001 
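Review bot: The `fstat` fix in the ASSERT_PERMS_FD hunk is right, but the ownership and mode checks that follow it are `assert()` calls, so a build that defines NDEBUG compiles them away and the macro silently stops verifying anything; the same presumably holds for the sibling ASSERT_PERMS macro, which is not shown here. If these checks are meant as a security guard rather than a debugging aid, an explicit `if (s.st_uid != (uid) || s.st_gid != (gid) || (s.st_mode & 07777) != (mode)) { fprintf(stderr, "Error: bad permissions\n"); exit(1); }` survives NDEBUG. A one-line comment on the macro saying which of the two it is intended to be would help future readers.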
From: Fred Barclay
Date: Tue, 17 Jan 2017 10:26:37 -0600
Subject: added update scripts
---
 contrib/update_deb.sh | 17 +++++++++++++++++
 contrib/update_src.sh | 17 +++++++++++++++++
 2 files changed, 34 insertions(+)
 create mode 100755 contrib/update_deb.sh
 create mode 100755 contrib/update_src.sh
diff --git a/contrib/update_deb.sh b/contrib/update_deb.sh
new file mode 100755
index 000000000..aa851535d
--- /dev/null
+++ b/contrib/update_deb.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# Purpose: Fetch, compile, and install firejail from GitHub source. For
+# Debian-based distros only (Ubuntu, Mint, etc).
+if [ $EUID != 0 ]; then
+ sudo "$0" "$@"
+ exit $?
+fi
+
+git clone https://www.github.com/netblue30/firejail.git
+cd firejail
+./configure --prefix=/usr
+make deb
+dpkg -i firejail*.deb
+echo "Firejail was updated!"
+sleep 3
+cd ..
+rm -rf firejail
diff --git a/contrib/update_src.sh b/contrib/update_src.sh
new file mode 100755
index 000000000..77f7be16e
--- /dev/null
+++ b/contrib/update_src.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# Purpose: Fetch, compile, and install firejail from GitHub source. Package-manager agnostic.
+
+if [ $EUID != 0 ]; then
+ sudo "$0" "$@"
+ exit $?
+fi
+
+git clone https://www.github.com/netblue30/firejail.git
+cd firejail
+./configure --prefix=/usr
+make
+make install-strip
+echo "Firejail was updated!"
+sleep 3
+cd ..
+rm -rf firejail
-- cgit v1.2.3-70-g09d2
From f278102ab1cdf9b3637fc7df5bd2e4bee1965c36 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Wed, 18 Jan 2017 08:50:39 -0500
Subject: fix PulseAudio/machine-id problem
---
 src/firejail/fs_etc.c | 4 ++--
 src/man/firejail-profile.txt | 2 +-
 src/man/firejail.txt | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index 479383af2..f14e90deb 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
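Review bot: Both scripts (this hunk and the update_src.sh hunk that follows) run as root without `set -e`, so when `git clone` fails the `cd firejail` fails as well and `./configure`, `make` and the install step execute in whatever directory the caller was in, while the closing `rm -rf firejail` runs regardless of what happened before. They also build and install whatever the branch head is at clone time with no integrity check; pinning a release tag and verifying it with `git verify-tag` before building is the usual mitigation and deserves at least a comment in the header. Cloning into a `mktemp -d` directory with a cleanup trap replaces the trailing `cd ..` / `rm -rf firejail` and avoids clobbering a `firejail` directory that already exists in the caller's cwd. The same rewrite applies to update_src.sh with its `make` / `make install-strip` lines in place of the deb steps.
```shell
#!/bin/bash
# Purpose: Fetch, compile, and install firejail from GitHub source. For
# Debian-based distros only (Ubuntu, Mint, etc).
set -euo pipefail
if [ "$EUID" != 0 ]; then
    sudo "$0" "$@"
    exit $?
fi

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
git clone https://www.github.com/netblue30/firejail.git "$workdir/firejail"
cd "$workdir/firejail"
# … unchanged: ./configure --prefix=/usr, make deb, dpkg -i, echo …
```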
@@ -31,8 +31,8 @@ void fs_machineid(void) { uint32_t u32[4]; } mid; - // if --machine-id flag is active, do nothing - if (arg_machineid) + // if --machine-id flag is inactive, do nothing + if (arg_machineid == 0) return; // init random number generator diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 8fd4562b0..ecb8be139 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -452,7 +452,7 @@ Assign MAC addresses to the last network interface defined by a net command. .TP \fBmachine-id -Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox. +Spoof id number in /etc/machine-id file - a new random id is generated inside the sandbox. .TP \fBmtu number diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 69d28c788..69ed2a8dc 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -678,7 +678,7 @@ $ firejail \-\-net=eth0 \-\-mac=00:11:22:33:44:55 firefox .TP \fB\-\-machine-id -Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox. +Spoof id number in /etc/machine-id file - a new random id is generated inside the sandbox. .br .br -- cgit v1.2.3-70-g09d2 From 9ab87bcbdaedda5264408cc3091d5438c0888014 Mon Sep 17 00:00:00 2001 From: GSI2017 <2017@groovy-skills.com> Date: Fri, 20 Jan 2017 10:32:26 -0300 Subject: added uzbl-browser.profile (refs #825) --- etc/uzbl-browser.profile | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 etc/uzbl-browser.profile diff --git a/etc/uzbl-browser.profile b/etc/uzbl-browser.profile new file mode 100644 index 000000000..1346b7fc2 --- /dev/null +++ b/etc/uzbl-browser.profile 
@@ -0,0 +1,27 @@ +# Firejail profile for uzbl-browser + +noblacklist ~/.config/uzbl +noblacklist ~/.cache/uzbl +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp +tracelog + +mkdir ~/.config/uzbl +whitelist ~/.config/uzbl +mkdir ~/.cache/uzbl +whitelist ~/.cache/uzbl +mkdir ~/.local/share/uzbl +whitelist ~/.local/share/uzbl + +whitelist ${DOWNLOADS} + +include /etc/firejail/whitelist-common.inc -- cgit v1.2.3-70-g09d2 From 9419181ebb5deab89b86c31fa095f3584cb14fc8 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 20 Jan 2017 08:57:37 -0500 Subject: profile merges --- README | 3 +++ README.md | 2 +- etc/disable-common.inc | 5 +++++ platform/debian/conffiles | 2 ++ 4 files changed, 11 insertions(+), 1 deletion(-) diff --git a/README b/README index 67d9a555f..3a843ba5c 100644 --- a/README +++ b/README @@ -97,6 +97,8 @@ valoq (https://github.com/valoq) - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles - added wget profile - disable gnupg and systemd directories under /run/user +GSI (https://github.com/GSI) + - added Uzbl browser profile Mike Frysinger (vapier@gentoo.org) - Gentoo compile patch Jericho (https://github.com/attritionorg) @@ -224,6 +226,7 @@ KellerFuchs (https://github.com/KellerFuchs) - disable-common.inc additions - make mutt and msmtp's rc files read-only - added support for .local profile files in /etc/firejail + - fixed Cryptocat profile ValdikSS (https://github.com/ValdikSS) - Psi+, Corebird, Konversation profiles - various profile fixes diff --git a/README.md b/README.md index f4fa7282f..2e029bb0b 100644 --- a/README.md +++ b/README.md 
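Review bot: The new profile drops capabilities and enables seccomp, but leaves out restrictions that other profiles on this page apply, notably `nogroups`, `private-dev` and `private-tmp`. For a network-facing browser these are cheap to add; if one of them turns out to break uzbl, keeping the directive in the file commented out together with the reason is better than omitting it without a trace.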
@@ -98,5 +98,5 @@ gjs, gnome-books, gnome-clocks, gnome-documents, gnome-maps, gnome-music, gnome- goobox, gpa, gpg, gpg-agent, highlight, img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, w3m, xfburn, xpra, wget, xed, pluma, Cryptocat, Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5, -PDFSam, Pithos, Xonotic, wireshark, keepassx2, QupZilla, FossaMail +PDFSam, Pithos, Xonotic, wireshark, keepassx2, QupZilla, FossaMail, Uzbl browser diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 5a281a91f..8e1e052a9 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -99,6 +99,11 @@ read-only ${HOME}/.tcshrc read-only ${HOME}/.cshrc read-only ${HOME}/.csh_files read-only ${HOME}/.profile +read-only ${HOME}/.login +read-only ${HOME}/.logout +read-only ${HOME}/.pgpkey +read-only ${HOME}/.plan +read-only ${HOME}/.project # Initialization files that allow arbitrary command execution read-only ${HOME}/.caffrc diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 56a5c8e7e..6b07f72f8 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -242,3 +242,5 @@ /etc/firejail/qupzilla.profile /etc/firejail/FossaMail.profile /etc/firejail/fossamail.profile +/etc/firejail/uzbl-browser.profile + -- cgit v1.2.3-70-g09d2 From 9145814d710247e87d27bf210f31205fb0c640e2 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 20 Jan 2017 09:03:56 -0500 Subject: profile fixes --- README | 1 + 1 file changed, 1 insertion(+) diff --git a/README b/README index 3a843ba5c..a9a0d9a16 100644 --- a/README +++ b/README 
@@ -115,6 +115,7 @@ thewisenerd (https://github.com/thewisenerd) SYN-cook (https://github.com/SYN-cook) - keepass/keepassx browser fixes - disable-common.inc fixes + - blacklist GNOME keyring and Konqueror thewisenerd (https://github.com/thewisenerd) - appimage: pass commandline arguments KOLANICH (https://github.com/KOLANICH) -- cgit v1.2.3-70-g09d2 From e417d75a143934b2cb9e601751348ef202507b2a Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 20 Jan 2017 09:08:48 -0500 Subject: profile merges --- README | 1 + 1 file changed, 1 insertion(+) diff --git a/README b/README index a9a0d9a16..f8dc4f500 100644 --- a/README +++ b/README @@ -228,6 +228,7 @@ KellerFuchs (https://github.com/KellerFuchs) - make mutt and msmtp's rc files read-only - added support for .local profile files in /etc/firejail - fixed Cryptocat profile + - make ~/.local read-only ValdikSS (https://github.com/ValdikSS) - Psi+, Corebird, Konversation profiles - various profile fixes -- cgit v1.2.3-70-g09d2 From 73c14d714188ec36549ed6f2ed214b78f9ca2af5 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 20 Jan 2017 09:12:50 -0500 Subject: profile merges --- RELNOTES | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/RELNOTES b/RELNOTES index 7d0bbaf61..bb71d1723 100644 --- a/RELNOTES +++ b/RELNOTES @@ -30,7 +30,8 @@ firejail (0.9.45) baseline; urgency=low * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, * new profiles: Gnome Contacts, JD-GUI, Lollypop, MultiMC5, PDFSam, Pithos, - * new profies: Xonotic, wireshark, keepassx2, QupZilla, FossaMail + * new profies: Xonotic, wireshark, keepassx2, QupZilla, FossaMail, + * new profiles: Uzbl browser * bugfixes -- netblue30 Sun, 23 Oct 2016 08:00:00 -0500 -- cgit v1.2.3-70-g09d2 From 4a1d906e89c0d0f8ebe6dce16b8b7c05f2c6084f Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Fri, 20 Jan 2017 09:20:11 -0500 Subject: profile merges --- README.md | 2 +- etc/disable-common.inc | 5 +---- etc/vlc.profile | 2 +- etc/xmms.profile | 11 +++++++++++ platform/debian/conffiles | 2 +- 5 files changed, 15 insertions(+), 7 deletions(-) create mode 100644 etc/xmms.profile diff --git a/README.md b/README.md index 2e029bb0b..dcc9d8ca4 100644 --- a/README.md +++ b/README.md @@ -98,5 +98,5 @@ gjs, gnome-books, gnome-clocks, gnome-documents, gnome-maps, gnome-music, gnome- goobox, gpa, gpg, gpg-agent, highlight, img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, w3m, xfburn, xpra, wget, xed, pluma, Cryptocat, Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5, -PDFSam, Pithos, Xonotic, wireshark, keepassx2, QupZilla, FossaMail, Uzbl browser +PDFSam, Pithos, Xonotic, wireshark, keepassx2, QupZilla, FossaMail, Uzbl browser, xmms diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 6a3586e81..de8a9bfe7 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -75,12 +75,9 @@ blacklist /etc/profile.d blacklist /etc/rc.local blacklist /etc/anacrontab -# General startup files +# Startup files read-only ${HOME}/.xinitrc read-only ${HOME}/.xserverrc -read-only ${HOME}/.profile - -# Shell startup files read-only ${HOME}/.antigen read-only ${HOME}/.bash_login read-only ${HOME}/.bashrc diff --git a/etc/vlc.profile b/etc/vlc.profile index 2fd763f25..df9fcab03 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile @@ -8,7 +8,7 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter -nogroups +# nogroups nonewprivs noroot protocol unix,inet,inet6,netlink diff --git a/etc/xmms.profile b/etc/xmms.profile new file mode 100644 index 000000000..4a482f49e --- /dev/null +++ b/etc/xmms.profile 
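Review bot: `read-only ${HOME}/.profile` is dropped from the "Startup files" block of disable-common.inc; this is only safe if the second `read-only ${HOME}/.profile` entry visible as context in the earlier disable-common.inc hunk on this page (the one around line 102, under the shell startup files) survives, i.e. the removal de-duplicates rather than un-protects. The commit message ("profile merges") does not say so, so the remaining entry should be confirmed before this line goes.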
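Review bot: In vlc.profile `nogroups` is commented out with no explanation, which quietly weakens the sandbox (the process keeps its supplementary groups); if it was breaking audio or video device access, say so on the line, e.g. `# nogroups - disabled: breaks <reason, to be filled in>`. Without the reason, the next cleanup pass either re-enables it and reintroduces the breakage or nobody knows it can be re-enabled once the underlying issue is gone.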
@@ -0,0 +1,11 @@ +# xmms media player profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 6b07f72f8..61e72583e 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -243,4 +243,4 @@ /etc/firejail/FossaMail.profile /etc/firejail/fossamail.profile /etc/firejail/uzbl-browser.profile - +/etc/firejail/xmms.profile -- cgit v1.2.3-70-g09d2 From fefa0f8fd1692a3cbbb12b8c0cd797b5cf54c9e1 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 20 Jan 2017 09:25:32 -0500 Subject: man page fix --- src/man/firejail.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 69ed2a8dc..1c0f7d55b 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -192,7 +192,7 @@ Define a custom blacklist Linux capabilities filter. .br Example: .br -$ firejail \-\-caps.keep=net_broadcast,net_admin,net_raw +$ firejail \-\-caps.drop=net_broadcast,net_admin,net_raw .TP \fB\-\-caps.keep=capability,capability,capability -- cgit v1.2.3-70-g09d2 From cbfe796bb402f994afbaa67bdb0a7cecf3963b67 Mon Sep 17 00:00:00 2001 From: GSI2017 <2017@groovy-skills.com> Date: Fri, 20 Jan 2017 13:40:54 -0300 Subject: uzbl-browser.profile: enabled support for pass password-manager --- etc/uzbl-browser.profile | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/etc/uzbl-browser.profile b/etc/uzbl-browser.profile index 1346b7fc2..3df74eea7 100644 --- a/etc/uzbl-browser.profile +++ b/etc/uzbl-browser.profile 
@@ -2,10 +2,10 @@ noblacklist ~/.config/uzbl noblacklist ~/.cache/uzbl +noblacklist ~/.gnupg include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc -include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter @@ -24,4 +24,9 @@ whitelist ~/.local/share/uzbl whitelist ${DOWNLOADS} +mkdir ~/.gnupg +whitelist ~/.gnupg +mkdir ~/.password-store +whitelist ~/.password-store + include /etc/firejail/whitelist-common.inc -- cgit v1.2.3-70-g09d2 From 807f1741fa2dd679171dc1c558dcab89a2a35eee Mon Sep 17 00:00:00 2001 From: Zack Weinberg Date: Fri, 20 Jan 2017 14:18:31 -0500 Subject: firejail/fs.c: include sys/wait.h for declaration of waitpid --- src/firejail/fs.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 0da4cc111..a4d4db7fe 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -20,6 +20,7 @@ #include "firejail.h" #include #include +#include #include #include #include -- cgit v1.2.3-70-g09d2 From e7ad91f0f52ce8dfccfd961c62750bbd77a89df2 Mon Sep 17 00:00:00 2001 From: GSI2017 <2017@groovy-skills.com> Date: Fri, 20 Jan 2017 16:38:22 -0300 Subject: ensured use of clean cache directory to tackle uzbl/uzbl#335 --- etc/uzbl-browser.profile | 3 --- 1 file changed, 3 deletions(-) diff --git a/etc/uzbl-browser.profile b/etc/uzbl-browser.profile index 3df74eea7..8dc90982e 100644 --- a/etc/uzbl-browser.profile +++ b/etc/uzbl-browser.profile @@ -1,7 +1,6 @@ # Firejail profile for uzbl-browser noblacklist ~/.config/uzbl -noblacklist ~/.cache/uzbl noblacklist ~/.gnupg include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc @@ -17,8 +16,6 @@ tracelog mkdir ~/.config/uzbl whitelist ~/.config/uzbl -mkdir ~/.cache/uzbl -whitelist ~/.cache/uzbl mkdir ~/.local/share/uzbl whitelist ~/.local/share/uzbl -- cgit v1.2.3-70-g09d2 From ef37be106728613dd032a235db1add2532774fed Mon Sep 17 00:00:00 2001 
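Review bot: Whitelisting `~/.gnupg` and `~/.password-store` read-write and dropping `include /etc/firejail/disable-passwdmgr.inc` hands the browser process the user's private GPG keyring and the entire pass store; uzbl renders untrusted web content, so a compromised renderer can then read or replace every key and password. If pass integration is wanted, keep the exposure minimal and write-protected: add `read-only ~/.gnupg` and `read-only ~/.password-store` after the whitelist lines, and put a comment above them stating that the profile intentionally exposes secrets to the browser. Whether pass actually needs the keyring directory rather than just a gpg-agent socket is not determinable from the hunk and is worth checking before merging.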
From: Zack Weinberg Date: Fri, 20 Jan 2017 17:38:51 -0500 Subject: Add support for joining a persistent, named network namespace. --- src/firejail/firejail.h | 6 +++ src/firejail/main.c | 10 +++++ src/firejail/netns.c | 114 ++++++++++++++++++++++++++++++++++++++++++++++++ src/firejail/sandbox.c | 11 +++++ src/man/firejail.txt | 5 +++ 5 files changed, 146 insertions(+) create mode 100644 src/firejail/netns.c diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 722d5c05e..94e66920b 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -317,6 +317,7 @@ extern int arg_netfilter; // enable netfilter extern int arg_netfilter6; // enable netfilter6 extern char *arg_netfilter_file; // netfilter file extern char *arg_netfilter6_file; // netfilter file +extern char *arg_netns; // "ip netns"-created network namespace to use extern int arg_doubledash; // double dash extern int arg_shell_none; // run the program directly without a shell extern int arg_private_dev; // private dev directory @@ -560,6 +561,11 @@ void check_netfilter_file(const char *fname); void netfilter(const char *fname); void netfilter6(const char *fname); +// netns.c +void check_netns(const char *nsname); +void netns(const char *nsname); +void netns_mounts(const char *nsname); + // bandwidth.c void bandwidth_del_run_file(pid_t pid); void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, int up); diff --git a/src/firejail/main.c b/src/firejail/main.c index 84bf5e8e6..9c6b6e001 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c 
@@ -85,6 +85,7 @@ int arg_netfilter; // enable netfilter int arg_netfilter6; // enable netfilter6 char *arg_netfilter_file = NULL; // netfilter file char *arg_netfilter6_file = NULL; // netfilter6 file +char *arg_netns = NULL; // "ip netns"-created network namespace to use int arg_doubledash = 0; // double dash int arg_shell_none = 0; // run the program directly without a shell int arg_private_dev = 0; // private dev directory @@ -1999,6 +2000,15 @@ int main(int argc, char **argv) { else exit_err_feature("networking"); } + + else if (strncmp(argv[i], "--netns=", 8) == 0) { + if (checkcfg(CFG_NETWORK)) { + arg_netns = argv[i] + 8; + check_netns(arg_netns); + } + else + exit_err_feature("networking"); + } #endif //************************************* // command diff --git a/src/firejail/netns.c b/src/firejail/netns.c new file mode 100644 index 000000000..477d56b3d --- /dev/null +++ b/src/firejail/netns.c 
@@ -0,0 +1,114 @@ +/* + * Copyright (C) 2017 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ +#include "firejail.h" +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +static char *netns_control_file(const char *nsname) { + char *rv = 0; + if (asprintf(&rv, "/var/run/netns/%s", nsname) <= 0) + errExit("asprintf"); + return rv; +} + +static char *netns_etc_dir(const char *nsname) { + char *rv = 0; + if (asprintf(&rv, "/etc/netns/%s", nsname) <= 0) + errExit("asprintf"); + return rv; +} + +void check_netns(const char *nsname) { + if (strchr(nsname, '/') || strstr(nsname, "..")) { + fprintf(stderr, "Error: invalid netns name %s\n", nsname); + exit(1); + } + invalid_filename(nsname); + char *control_file = netns_control_file(nsname); + + EUID_ASSERT(); + + struct stat st; + if (lstat(control_file, &st)) { + fprintf(stderr, "Error: invalid netns '%s' (%s: %s)\n", + nsname, control_file, strerror(errno)); + exit(1); + } + if (!S_ISREG(st.st_mode)) { + fprintf(stderr, "Error: invalid netns '%s' (%s: not a regular file)\n", + nsname, control_file); + exit(1); + } + free(control_file); +} + +void netns(const char *nsname) { + char *control_file = netns_control_file(nsname); + 
int nsfd = open(control_file, O_RDONLY|O_CLOEXEC); + if (nsfd < 0) { + fprintf(stderr, "Error: cannot open netns '%s' (%s: %s)\n", + nsname, control_file, strerror(errno)); + exit(1); + } + if (syscall(__NR_setns, nsfd, CLONE_NEWNET) < 0) { + fprintf(stderr, "Error: cannot join netns '%s': %s\n", + nsname, strerror(errno)); + exit(1); + } + close(nsfd); + free(control_file); +} + +void netns_mounts(const char *nsname) { + char *etcdir = netns_etc_dir(nsname); + char *netns_name, *etc_name; + struct dirent *entry; + DIR *dir; + + dir = opendir(etcdir); + if (!dir) { + free(etcdir); + return; + } + while ((entry = readdir(dir))) { + if (!strcmp(entry->d_name, ".") || !strcmp(entry->d_name, "..")) + continue; + if (asprintf(&netns_name, "%s/%s", etcdir, entry->d_name) < 0 || + asprintf(&etc_name, "/etc/%s", entry->d_name) < 0) + errExit("asprintf"); + if (mount(netns_name, etc_name, "none", MS_BIND, 0) < 0) { + fprintf(stderr, "Warning: bind %s -> %s failed: %s\n", + netns_name, etc_name, strerror(errno)); + } + free(netns_name); + free(etc_name); + } + closedir(dir); + free(etcdir); +} diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 493877db3..69cb8331e 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -467,6 +467,11 @@ int sandbox(void* sandbox_arg) { if (arg_debug) printf("Network namespace enabled, only loopback interface available\n"); } + else if (arg_netns) { + netns(arg_netns); + if (arg_debug) + printf("Network namespace '%s' activated\n", arg_netns); + } else if (any_bridge_configured() || any_interface_configured()) { // configure lo and eth0...eth3 net_if_up("lo"); @@ -729,6 +734,12 @@ int sandbox(void* sandbox_arg) { EUID_ROOT(); } } + + //**************************** + // /etc overrides from the network namespace + //**************************** + if (arg_netns) + netns_mounts(arg_netns); //**************************** // update /proc, /sys, /dev, /boot directorymy 
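Review bot: `netns()` opens `/var/run/netns/<name>` as root without any of the checks `check_netns()` performed earlier as the unprivileged user (lstat, S_ISREG), and `open()` follows symlinks, so the two are separated by a check-then-use window; today this is safe only because `/var/run/netns` is root-owned, which the code never verifies. Cheap hardening that closes the gap: `int nsfd = open(control_file, O_RDONLY|O_CLOEXEC|O_NOFOLLOW);` followed by an `fstat(nsfd, &st)` + `S_ISREG(st.st_mode)` check before the setns call. `netns_mounts()` likewise bind-mounts every directory entry without checking its type and lets `mount()` resolve symlinks on both source and target; again only safe because `/etc/netns` is root-owned, which deserves a comment above the function.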
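Review bot: The new `else if (arg_netns)` branch sits between the `--net=none` branch and the bridge/interface branch, so combining `--netns=` with `--net=<bridge>` or `--interface` silently discards the interface configuration, and `--net=none` silently wins over `--netns`; the visible `--netns=` parsing in main.c rejects neither combination (main.c's other option checks are outside this view). Reject the mix at parse time instead of relying on branch order, e.g. after `check_netns(arg_netns);` add `if (any_bridge_configured() || any_interface_configured()) { fprintf(stderr, "Error: --netns cannot be combined with --net or --interface\n"); exit(1); }` plus the equivalent test against the `--net=none` flag. The second hunk calls `netns_mounts()` after private mode has been set up, so with `private-etc` the `/etc/<file>` targets may no longer exist and each bind only prints a warning; a comment noting that ordering assumption would help. The enclosing `sandbox()` starts and ends outside the hunk.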
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 1c0f7d55b..afd8e1e4e 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -760,6 +760,11 @@ Example: .br $ firejail \-\-net=none vlc +.TP +\fB\-\-netns=name +Run the program in a named, persistent network namespace. These can +be created and configured using "ip netns". + .TP \fB\-\-netfilter Enable a default client network filter in the new network namespace. -- cgit v1.2.3-70-g09d2 From 1b841ad02c2ea96dc94ca12b43fb5145449699e9 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 22 Jan 2017 08:20:24 -0500 Subject: tor fix --- etc/start-tor-browser.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile index ee19cee25..16ef754f6 100644 --- a/etc/start-tor-browser.profile +++ b/etc/start-tor-browser.profile @@ -14,7 +14,7 @@ seccomp shell none tracelog -private-bin bash,grep,sed,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf +private-bin bash,grep,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf private-etc fonts private-dev private-tmp -- cgit v1.2.3-70-g09d2 From 53c8cc0ae064ba3528b5f856c949d61b2e28b9c0 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 22 Jan 2017 08:35:58 -0500 Subject: merges --- README | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README b/README index f8dc4f500..585772553 100644 --- a/README +++ b/README @@ -97,6 +97,8 @@ valoq (https://github.com/valoq) - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles - added wget profile - disable gnupg and systemd directories under /run/user +Zack Weinberg (https://github.com/zackw) + - sdded support for joining a persistent, named network namespace GSI (https://github.com/GSI) - added Uzbl browser profile Mike Frysinger (vapier@gentoo.org) -- cgit v1.2.3-70-g09d2 From a7a2d514412bed2a2fe9f1e5dee08b71040448d3 Mon Sep 17 00:00:00 2001 
From: ecat3 Date: Sun, 22 Jan 2017 17:41:45 +0300 Subject: Prevent tmux connecting to an existing session --- etc/disable-common.inc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index de8a9bfe7..527713bd8 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -213,6 +213,8 @@ blacklist /usr/lib64/virtualbox # prevent lxterminal connecting to an existing lxterminal session blacklist /tmp/.lxterminal-socket* +# prevent tmux connecting to an existing session +blacklist /tmp/tmux-* # disable terminals running as server resulting in sandbox escape blacklist ${PATH}/gnome-terminal -- cgit v1.2.3-70-g09d2 From 7d11cf62ca175696c8f5998de42c510924c6dcc3 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 22 Jan 2017 10:26:05 -0500 Subject: --hosts-file option --- README.md | 16 +++++++++---- RELNOTES | 11 +++++---- src/firejail/firejail.h | 4 ++++ src/firejail/fs_hostname.c | 55 ++++++++++++++++++++++++++++++++++++++++---- src/firejail/main.c | 3 +++ src/firejail/profile.c | 6 +++++ src/firejail/sandbox.c | 21 +++++++++++------ src/firejail/usage.c | 1 + src/man/firejail-profile.txt | 4 ++++ src/man/firejail.txt | 10 ++++++++ 10 files changed, 111 insertions(+), 20 deletions(-) diff --git a/README.md b/README.md index dcc9d8ca4..e480361c4 100644 --- a/README.md +++ b/README.md @@ -51,7 +51,9 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is ````` ````` -## AppImage type 2 support +## AppImage + +Added AppImage type 2 support, and support for passing command line arguments to appimages. ````` ````` 
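Review bot: `blacklist /tmp/tmux-*` only covers tmux's default socket directory; tmux honours `TMUX_TMPDIR` and `-S <path>`, so a session whose socket lives elsewhere is still reachable from the sandbox, and an inherited `TMUX` variable still points a sandboxed tmux at it. State the limit in the comment so nobody assumes full coverage: `# prevent tmux connecting to an existing session (default socket dir only; TMUX_TMPDIR/-S sockets are not covered)`. Whether firejail scrubs `TMUX`/`TMUX_TMPDIR` from the environment is not visible here.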
@@ -75,9 +77,9 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is Example: # firejail --private-srv=www /etc/init.d/apache2 start - --machine-id - Preserve id number in /etc/machine-id file. By default a new - random id is generated inside the sandbox. + --machine-id + Spoof id number in /etc/machine-id file - a new random id is + generated inside the sandbox. Example: $ firejail --machine-id @@ -89,6 +91,12 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is Example: $ firejail --allow-private-blacklist --private=~/priv-dir --blacklist=~/.mozilla + + --hosts-file=file + Use file as /etc/hosts. + + Example: + $ firejail --hosts-file=~/myhosts firefox ````` ## New Profiles diff --git a/RELNOTES b/RELNOTES index bb71d1723..90e65f973 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -14,16 +14,17 @@ firejail (0.9.45) baseline; urgency=low * security: split file copying in private option in a separate executable * security: root exploit found by Sebastian Krahmer (CVE-2017-5180) * feature: disable gnupg and systemd directories under /run/user - * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm) - * feature: AppImage type 2 support * feature: test coverage (gcov) support + * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm) * feature: private /opt directory (--private-opt, profile support) * feature: private /srv directory (--private-srv, profile support) - * feature: spoof machine-id + * feature: spoof machine-id (--machine-id, profile support) + * feature: allow blacklists under --private (--allow-private-blacklist) - more work to come + * feature: user-defined /etc/hosts file (--hosts-file, profile support) * feature: config support for firejail prompt in terminals + * feature: AppImage type 2 support * feature: pass command line arguments to appimages - * feature: --allow-private-blacklist option - * feature: allow non-seccomp setup for OverlayFS sandboxes + * feature: allow non-seccomp setup for OverlayFS sandboxes - more work to come * feature: added a number o Python scripts for handling sandboxes * feature: allow local customization using .local files under /etc/firejail * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 94e66920b..0f836f1db 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -213,6 +213,7 @@ typedef struct config_t { // networking char *name; // sandbox name char *hostname; // host name + char *hosts_file; // hosts file to be installed in the sandbox uint32_t defaultgw; // default gateway Bridge bridge0; Bridge bridge1; 
@@ -537,6 +538,9 @@ void fs_trace(void); // fs_hostname.c void fs_hostname(const char *hostname); void fs_resolvconf(void); +char *fs_check_hosts_fiile(const char *fname); +void fs_store_hosts_file(void); +void fs_mount_hosts_file(void); // rlimit.c void set_rlimits(void); diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c index b2e1b4a99..ac831f6b9 100644 --- a/src/firejail/fs_hostname.c +++ b/src/firejail/fs_hostname.c @@ -42,7 +42,7 @@ void fs_hostname(const char *hostname) { } // create a new /etc/hosts - if (stat("/etc/hosts", &s) == 0) { + if (cfg.hosts_file == NULL && stat("/etc/hosts", &s) == 0) { if (arg_debug) printf("Creating a new /etc/hosts file\n"); // copy /etc/host into our new file, and modify it on the fly @@ -79,9 +79,7 @@ void fs_hostname(const char *hostname) { fclose(fp2); // bind-mount the file on top of /etc/hostname - if (mount(RUN_HOSTS_FILE, "/etc/hosts", NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind /etc/hosts"); - fs_logger("create /etc/hosts"); + fs_mount_hosts_file(); } return; 
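Review bot: The new declaration `char *fs_check_hosts_fiile(const char *fname);` carries a typo in the identifier that the definition and both callers then reproduce, so fixing it later becomes a three-file rename; name it `fs_check_hosts_file` now, matching `fs_store_hosts_file`/`fs_mount_hosts_file`. A one-line comment on each of the three prototypes saying which one runs as the user and which as root would also help, since that split is the whole security story of the option.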
@@ -129,4 +127,53 @@ void fs_resolvconf(void) { } } +char *fs_check_hosts_fiile(const char *fname) { + assert(fname); + invalid_filename(fname); + char *rv = expand_home(fname, cfg.homedir); + + // no a link + if (is_link(rv)) + goto errexit; + + // file owned by the user + struct stat s; + if (stat(rv, &s) == -1) + goto errexit; + if (s.st_uid != getuid()) + goto errexit; + + return rv; +errexit: + fprintf(stderr, "Error: invalid file %s\n", fname); + exit(1); +} + +void fs_store_hosts_file(void) { + copy_file(cfg.hosts_file, RUN_HOSTS_FILE, 0, 0, 0644); // root needed +} + +void fs_mount_hosts_file(void) { + // check /etc/hosts file + struct stat s; + if (stat("/etc/hosts", &s) == -1) + goto errexit; + // not a link + if (is_link("/etc/hosts")) + goto errexit; + // owned by root + if (s.st_uid != 0) + goto errexit; + + // bind-mount the file on top of /etc/hostname + if (mount(RUN_HOSTS_FILE, "/etc/hosts", NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mount bind /etc/hosts"); + fs_logger("create /etc/hosts"); + return; + +errexit: + fprintf(stderr, "Error: invalid /etc/hosts file\n"); + exit(1); +} + diff --git a/src/firejail/main.c b/src/firejail/main.c index 9c6b6e001..8fea98950 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1947,6 +1947,9 @@ int main(int argc, char **argv) { return 1; } } + + else if (strncmp(argv[i], "--hosts-file=", 13) == 0) + cfg.hosts_file = fs_check_hosts_fiile(argv[i] + 13); #ifdef HAVE_NETWORK else if (strcmp(argv[i], "--netfilter") == 0) { diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 33b6eab91..2d49b60c0 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -602,6 +602,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { return 0; } + // hosts-file + if (strncmp(ptr, "hosts-file ", 11) == 0) { + cfg.hosts_file = fs_check_hosts_fiile(ptr + 11); + return 0; + } + // dns if (strncmp(ptr, "dns ", 4) == 0) { uint32_t dns; 
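Review bot: `fs_check_hosts_fiile()` validates the user-supplied path as the user (`is_link`, `stat`, owner check) but nothing from that check is retained; the path string is later handed to `copy_file()` running as root, so between check and copy the user can replace the path with a symlink (or hard link) to any root-readable file and have its contents appear as `/etc/hosts` inside the sandbox. The order is also inverted within the check: `stat()` follows links, so the owner test is applied to the link target, and `is_link()` is what actually stops symlinks. Close the window by doing the read with the user's privileges — open the source after dropping privileges and copy by descriptor — and keep this function only as an early, friendly error. `"Error: invalid file %s"` is printed for four distinct failures (link, missing, unreadable, wrong owner); reporting `strerror(errno)` for the stat failure would save users a guess.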
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 69cb8331e..812112b51 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -587,6 +587,10 @@ int sandbox(void* sandbox_arg) { if (arg_trace || arg_tracelog || mask_x11_abstract_socket) fs_trace_preload(); + // store hosts file + if (cfg.hosts_file) + fs_store_hosts_file(); + //**************************** // configure filesystem //**************************** @@ -630,13 +634,6 @@ int sandbox(void* sandbox_arg) { #endif fs_basic_fs(); - //**************************** - // set hostname in /etc/hostname - //**************************** - if (cfg.hostname) { - fs_hostname(cfg.hostname); - } - //**************************** // private mode //**************************** @@ -735,6 +732,16 @@ int sandbox(void* sandbox_arg) { } } + + //**************************** + // hosts and hostname + //**************************** + if (cfg.hostname) + fs_hostname(cfg.hostname); + + if (cfg.hosts_file) + fs_mount_hosts_file(); + //**************************** // /etc overrides from the network namespace //**************************** diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 9f4dfd44c..6f16a5868 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -78,6 +78,7 @@ void usage(void) { printf(" --get=name|pid filename - get a file from sandbox container.\n"); printf(" --help, -? - this help screen.\n"); printf(" --hostname=name - set sandbox hostname.\n"); + printf(" --hosts-file=file - use file as /etc/hosts.\n"); printf(" --ignore=command - ignore command in profile files.\n"); #ifdef HAVE_NETWORK printf(" --interface=name - move interface in sandbox.\n"); diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index ecb8be139..034f1beac 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt 
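Review bot: `fs_store_hosts_file()` is the point where a user-chosen path is read with root privileges (its callee's own comment says "root needed"), and nothing at the call site marks that boundary; add `// root: cfg.hosts_file is user-controlled, validated earlier by fs_check_hosts_fiile()` above the call so the privilege split is visible where it happens. The same commit also moves `fs_hostname()` from before private mode to after it, which changes when `/etc/hostname` and `/etc/hosts` are mounted relative to `--private*` processing; that is unrelated to `--hosts-file` and deserves a sentence in the commit message. The enclosing `sandbox()` function starts and ends outside the hunk.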
@@ -391,6 +391,10 @@ Set a DNS server for the sandbox. Up to three DNS servers can be defined. \fBhostname name Set a hostname for the sandbox. +.TP +\fBhosts-file file +Use file as /etc/hosts. + .TP \fBip address Assign IP addresses to the last network interface defined by a net command. A diff --git a/src/man/firejail.txt b/src/man/firejail.txt index afd8e1e4e..b836fd738 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -468,6 +468,16 @@ Example: .br $ firejail \-\-hostname=officepc firefox +.TP +\fB\-\-hosts-file=file +Use file as /etc/hosts. +.br + +.br +Example: +.br +$ firejail \-\-hosts-file=~/myhosts firefox + .TP \fB\-\-ignore=command Ignore command in profile file. -- cgit v1.2.3-70-g09d2 From 2802355641d03998b21d614b6bcc5ebd3cf4b5c4 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 22 Jan 2017 10:31:49 -0500 Subject: profile merges --- README | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README b/README index 585772553..e202d82d8 100644 --- a/README +++ b/README @@ -97,6 +97,8 @@ valoq (https://github.com/valoq) - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles - added wget profile - disable gnupg and systemd directories under /run/user +Cat (https://github.com/ecat3) + - prevent tmux connecting to an existing session Zack Weinberg (https://github.com/zackw) - sdded support for joining a persistent, named network namespace GSI (https://github.com/GSI) -- cgit v1.2.3-70-g09d2 From 9dc298716871879c3202ffe6269d616f1c4f2559 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 22 Jan 2017 10:36:43 -0500 Subject: bash completion for --hosts-file --- src/bash_completion/firejail.bash_completion | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/bash_completion/firejail.bash_completion b/src/bash_completion/firejail.bash_completion index d3dcd57d0..0f71c74dc 100644 --- a/src/bash_completion/firejail.bash_completion +++ b/src/bash_completion/firejail.bash_completion 
@@ -23,6 +23,10 @@ _firejail() _filedir return 0 ;; + --hosts-file) + _filedir + return 0 + ;; --chroot) _filedir -d return 0 -- cgit v1.2.3-70-g09d2 From d4e006cc1291dbb6a4c2857a0fcb15229bf83b0f Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 23 Jan 2017 09:53:37 -0500 Subject: fixed access for --hosts-file --- src/firejail/fs_hostname.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c index ac831f6b9..19af11dd8 100644 --- a/src/firejail/fs_hostname.c +++ b/src/firejail/fs_hostname.c @@ -136,12 +136,8 @@ char *fs_check_hosts_fiile(const char *fname) { if (is_link(rv)) goto errexit; - // file owned by the user - struct stat s; - if (stat(rv, &s) == -1) - goto errexit; - - if (s.st_uid != getuid()) + // the user has read access to the file + if (access(rv, R_OK)) goto errexit; return rv; -- cgit v1.2.3-70-g09d2 From 4d7dcc4b814841ad340582f88bd35bff8f9310ce Mon Sep 17 00:00:00 2001 From: Fred Barclay Date: Mon, 23 Jan 2017 19:36:58 -0600 Subject: changes for review upstream --- contrib/update_deb.sh | 13 ++++--------- contrib/update_src.sh | 16 +++++----------- 2 files changed, 9 insertions(+), 20 deletions(-) diff --git a/contrib/update_deb.sh b/contrib/update_deb.sh index aa851535d..c2adffaf8 100755 --- a/contrib/update_deb.sh +++ b/contrib/update_deb.sh @@ -1,17 +1,12 @@ -#!/bin/bash +#!/bin/sh # Purpose: Fetch, compile, and install firejail from GitHub source. For # Debian-based distros only (Ubuntu, Mint, etc). -if [ $EUID != 0 ]; then - sudo "$0" "$@" - exit $? -fi - -git clone https://www.github.com/netblue30/firejail.git +set -e +git clone --depth=1 https://www.github.com/netblue30/firejail.git cd firejail ./configure --prefix=/usr make deb -dpkg -i firejail*.deb +sudo dpkg -i firejail*.deb echo "Firejail was updated!" -sleep 3 cd .. rm -rf firejail diff --git a/contrib/update_src.sh b/contrib/update_src.sh index 77f7be16e..a61244c49 100755 --- a/contrib/update_src.sh 
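Review bot: Replacing the owner test with `access(rv, R_OK)` keeps the same check-then-use race: the decision is made on a path at argument-parsing time while the actual read happens later as root through `copy_file()`, so a symlink swapped in after `access()` returns is still copied; `access()` in a setuid program is the textbook form of this bug. The robust fix is to open the source while running as the user and copy from the descriptor, leaving this check as a convenience error only, and a comment here such as `// early sanity check only - the real access control is the unprivileged open in the copy` would stop the next reader treating it as the security check.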
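Review bot: The script now clones whatever the branch tip is at the moment (`git clone --depth=1` with no `--branch`), builds it and installs a setuid-root binary with `sudo dpkg -i`, so a compromised or merely broken upstream tip lands on the system with no pinning or signature check. Accept a tag or commit as an argument and verify it when one is given: `git clone --depth=1 --branch "${1:-master}" https://www.github.com/netblue30/firejail.git` followed by `[ -n "$1" ] && git -C firejail verify-tag "$1"` (requires the maintainer key in the keyring). `sudo dpkg -i firejail*.deb` also installs every .deb the glob matches; `make deb` presumably produces exactly one, but a `set -- firejail*.deb; [ "$#" -eq 1 ]` guard would make that explicit.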
+++ b/contrib/update_src.sh @@ -1,17 +1,11 @@ -#!/bin/bash +#!/bin/sh # Purpose: Fetch, compile, and install firejail from GitHub source. Package-manager agnostic. - -if [ $EUID != 0 ]; then - sudo "$0" "$@" - exit $? -fi - -git clone https://www.github.com/netblue30/firejail.git +set -e +git clone --depth=1 https://www.github.com/netblue30/firejail.git cd firejail -./configure --prefix=/usr +./configure make -make install-strip +sudo make install-strip echo "Firejail was updated!" -sleep 3 cd .. rm -rf firejail -- cgit v1.2.3-70-g09d2 From 1ed74bdc5ea774f32eeebeb652fa5e280782c43e Mon Sep 17 00:00:00 2001 From: Fred Barclay Date: Mon, 23 Jan 2017 22:56:56 -0600 Subject: fixes #1032 --- etc/uudeview.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/uudeview.profile b/etc/uudeview.profile index d5b750a13..d4b54067d 100644 --- a/etc/uudeview.profile +++ b/etc/uudeview.profile @@ -3,7 +3,6 @@ quiet ignore noroot include /etc/firejail/default.profile -blacklist /etc hostname uudeview net none @@ -13,3 +12,4 @@ tracelog private-bin uudeview private-dev +private-etc ld.so.preload -- cgit v1.2.3-70-g09d2 From 66390f4ba1b80b2c7d310925876bae87f22c4dd4 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 25 Jan 2017 09:13:48 -0500 Subject: profile merges --- README | 1 + etc/disable-common.inc | 1 + 2 files changed, 2 insertions(+) diff --git a/README b/README index e202d82d8..64c5b3968 100644 --- a/README +++ b/README @@ -83,6 +83,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added xed and pluma profiles - added Cryptocat profile - added wireshark profile + - uudeview profile fix valoq (https://github.com/valoq) - lots of profile fixes - added support for /srv in --whitelist feature diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 527713bd8..64a39296e 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc 
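Review bot: Dropping `--prefix=/usr` changes where `make install-strip` puts the setuid `firejail` binary and, presumably, its profile directory (autoconf's default prefix is `/usr/local`), so on a system that already has a packaged firejail under `/usr` there will be two setuid binaries and possibly two profile trees, and which one runs depends on PATH order. If the intent is to stop clobbering the distro package, say so in the header comment (`# Installs under /usr/local; remove the distro package or check PATH order`); otherwise keep `--prefix=/usr`. The same unpinned-clone concern as in update_deb.sh applies here: consider `--branch <tag>` plus `git verify-tag`.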
@@ -96,6 +96,7 @@ read-only ${HOME}/.tcshrc read-only ${HOME}/.cshrc read-only ${HOME}/.csh_files read-only ${HOME}/.profile +read-only ${HOME}/.forward read-only ${HOME}/.login read-only ${HOME}/.logout read-only ${HOME}/.pgpkey -- cgit v1.2.3-70-g09d2 From ae9651b4de9df06511491766bebbd399a4c3a670 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 28 Jan 2017 09:07:36 -0500 Subject: profile fixes --- etc/gnome-mplayer.profile | 2 +- etc/xmms.profile | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile index 488c7e0b8..25d2da085 100644 --- a/etc/gnome-mplayer.profile +++ b/etc/gnome-mplayer.profile @@ -12,6 +12,6 @@ protocol unix,inet,inet6 seccomp shell none -private-bin gnome-mplayer,mplayer +# private-bin gnome-mplayer,mplayer private-dev private-tmp diff --git a/etc/xmms.profile b/etc/xmms.profile index 4a482f49e..c12a3bcdc 100644 --- a/etc/xmms.profile +++ b/etc/xmms.profile @@ -1,11 +1,17 @@ # xmms media player profile +noblacklist ${HOME}/.xmms include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +netfilter nonewprivs noroot protocol unix,inet,inet6 seccomp +shell none +private-bin xmms +private-dev +private-tmp -- cgit v1.2.3-70-g09d2 From c83cf990e0defae1aab570bfd46688c1e9b3eafb Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 28 Jan 2017 09:40:07 -0500 Subject: support allow-private-blacklist in profile files --- RELNOTES | 2 +- src/firejail/profile.c | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/RELNOTES b/RELNOTES index 90e65f973..e7999f13a 100644 --- a/RELNOTES +++ b/RELNOTES 
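Review bot: Commenting out `private-bin gnome-mplayer,mplayer` removes the restriction on which executables the sandbox can see, and neither the hunk nor the commit message ("profile fixes") says what broke; without a recorded reason the next profile sweep will re-add it and reintroduce the breakage. Record it on the line: `# private-bin gnome-mplayer,mplayer - disabled: <what failed>`. The xmms.profile hunk in the same commit goes the other way (adds `private-bin xmms`, `private-dev`, `private-tmp`, `netfilter`), which is the right default for a media player.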
@@ -19,7 +19,7 @@ firejail (0.9.45) baseline; urgency=low * feature: private /opt directory (--private-opt, profile support) * feature: private /srv directory (--private-srv, profile support) * feature: spoof machine-id (--machine-id, profile support) - * feature: allow blacklists under --private (--allow-private-blacklist) - more work to come + * feature: allow blacklists under --private (--allow-private-blacklist) * feature: user-defined /etc/hosts file (--hosts-file, profile support) * feature: config support for firejail prompt in terminals * feature: AppImage type 2 support diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 2d49b60c0..d188f97a8 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -215,6 +215,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { arg_no3d = 1; return 0; } + else if (strcmp(ptr, "allow-private-blacklist") == 0) { + arg_allow_private_blacklist = 1; + return 0; + } else if (strcmp(ptr, "netfilter") == 0) { #ifdef HAVE_NETWORK if (checkcfg(CFG_NETWORK)) -- cgit v1.2.3-70-g09d2 From 5292798bb4fffc2f8c9b6de2bf373cf86ebf8e3b Mon Sep 17 00:00:00 2001 
From: Igor Bukanov Date: Sun, 29 Jan 2017 18:13:30 +0100 Subject: fixing --hosts-file privelege check Currently the code uses the access() call to check if the user has an access to a file that is copied into the root as /etc/hosts. This inevitably adds a race when the user changes the file to a symbolic link pointing to an arbitrary location on the filsystem after the access check is done but before opening the file to copy it. This potentially allows to read any file on the system. To close this the code adds a utility copy_file_from_user_to_root . It opens the copy destination file as root and then forks/drop privileges. Then as a user the utility opens the source file and do the copy into the destination descriptor that is preserved accross the fork. --- src/firejail/firejail.h | 1 + src/firejail/fs_hostname.c | 2 +- src/firejail/util.c | 91 +++++++++++++++++++++++++++++++++------------- 3 files changed, 68 insertions(+), 26 deletions(-) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 0f836f1db..7d6e16094 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -453,6 +453,7 @@ void logargs(int argc, char **argv) ; void logerr(const char *msg); int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode); void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode); +void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode); void touch_file_as_user(const char *fname, uid_t uid, gid_t gid, mode_t mode); int is_dir(const char *fname); int is_link(const char *fname); diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c index 19af11dd8..3b586b276 100644 --- a/src/firejail/fs_hostname.c +++ b/src/firejail/fs_hostname.c 
@@ -147,7 +147,7 @@ errexit: } void fs_store_hosts_file(void) { - copy_file(cfg.hosts_file, RUN_HOSTS_FILE, 0, 0, 0644); // root needed + copy_file_from_user_to_root(cfg.hosts_file, RUN_HOSTS_FILE, 0, 0, 0644); // root needed } void fs_mount_hosts_file(void) { diff --git a/src/firejail/util.c b/src/firejail/util.c index 10000e912..44891ce2d 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c @@ -169,6 +169,25 @@ void logerr(const char *msg) { closelog(); } +static int copy_file_by_fd(int src, int dst) { + assert(src >= 0); + assert(dst >= 0); + + ssize_t len; + static const int BUFLEN = 1024; + unsigned char buf[BUFLEN]; + while ((len = read(src, buf, BUFLEN)) > 0) { + int done = 0; + while (done != len) { + int rv = write(dst, buf + done, len - done); + if (rv == -1) + return -1; + done += rv; + } + } + fflush(0); + return 0; +} // return -1 if error, 0 if no error; if destname already exists, return error int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) { @@ -190,33 +209,16 @@ int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, m return -1; } - // copy - ssize_t len; - static const int BUFLEN = 1024; - unsigned char buf[BUFLEN]; - while ((len = read(src, buf, BUFLEN)) > 0) { - int done = 0; - while (done != len) { - int rv = write(dst, buf + done, len - done); - if (rv == -1) { - close(src); - close(dst); - return -1; - } - - done += rv; - } + int errors = copy_file_by_fd(src, dst); + if (!errors) { + if (fchown(dst, uid, gid) == -1) + errExit("fchown"); + if (fchmod(dst, mode) == -1) + errExit("fchmod"); } - fflush(0); - - if (fchown(dst, uid, gid) == -1) - errExit("fchown"); - if (fchmod(dst, mode) == -1) - errExit("fchmod"); - close(src); close(dst); - return 0; + return errors; } // return -1 if error, 0 if no error 
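Review bot: `copy_file_by_fd()` returns 0 when `read()` fails: the `while ((len = read(src, buf, BUFLEN)) > 0)` loop exits on -1 exactly as it does on EOF, so an I/O error on the source is reported as a successful copy and `copy_file()` then `fchown`s/`fchmod`s a truncated file. Add `if (len < 0) return -1;` after the loop. `fflush(0)` flushes stdio streams and does nothing for raw descriptors, so it can go; `rv` should be `ssize_t`, and `static const int BUFLEN` makes `buf` a variable-length array in C — use `enum { BUFLEN = 1024 };` for a real constant.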
@@ -241,6 +243,45 @@ void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid waitpid(child, NULL, 0); } +void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) { + // open destination + int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); + if (dst < 0) { + fprintf(stderr, "Warning: cannot open destination file %s, file not copied\n", destname); + return; + } + + pid_t child = fork(); + if (child < 0) + errExit("fork"); + if (child == 0) { + // drop privileges + drop_privs(0); + + int src = open(srcname, O_RDONLY); + if (src < 0) { + fprintf(stderr, "Warning: cannot open source file %s, file not copied\n", srcname); + } else { + if (copy_file_by_fd(src, dst)) { + fprintf(stderr, "Warning: cannot copy %s\n", srcname); + } + close(src); + } + close(dst); +#ifdef HAVE_GCOV + __gcov_flush(); +#endif + _exit(0); + } + // wait for the child to finish + waitpid(child, NULL, 0); + if (fchown(dst, uid, gid) == -1) + errExit("fchown"); + if (fchmod(dst, mode) == -1) + errExit("fchmod"); + close(dst); +} + // return -1 if error, 0 if no error void touch_file_as_user(const char *fname, uid_t uid, gid_t gid, mode_t mode) { pid_t child = fork(); @@ -864,4 +905,4 @@ errexit: close(fd); fprintf(stderr, "Error: cannot read %s\n", fname); exit(1); -} \ No newline at end of file +} -- cgit v1.2.3-70-g09d2 From a9f45ae11452e7f0170aca4d70f951c3f7c21d10 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 29 Jan 2017 15:21:24 -0500 Subject: merges --- README | 2 ++ src/firejail/sandbox.c | 17 +++++++++++++++++ 2 files changed, 19 insertions(+) diff --git a/README b/README index 64c5b3968..687eab4e0 100644 --- a/README +++ b/README 
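Review bot: The parent in `copy_file_from_user_to_root` cannot tell whether the copy succeeded: the child prints a warning and still `_exit(0)`s when `open(srcname)` or `copy_file_by_fd` fails, and `waitpid(child, NULL, 0)` discards the status, so an unreadable or partially read `--hosts-file` ends up installed as an empty or truncated `/etc/hosts` with nothing but a stderr line to show for it. Have the child `_exit(1)` in both failure branches and check the result in the parent before the `fchown`/`fchmod`, e.g. `int status = 0; waitpid(child, &status, 0);` followed by `if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) { fprintf(stderr, "Error: cannot copy %s\n", srcname); exit(1); }`. Separately, the destination is opened as root with `O_CREAT|O_WRONLY|O_TRUNC` and no `O_NOFOLLOW`/`O_EXCL`, whereas the old `copy_file` path refused to overwrite an existing destination; this is presumably fine because RUN_HOSTS_FILE sits in a root-owned run directory, but that assumption deserves a comment on the `open` line. The `// return -1 if error, 0 if no error` comment kept above `touch_file_as_user` describes a void function and could be dropped while here.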
@@ -98,6 +98,8 @@ valoq (https://github.com/valoq) - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles - added wget profile - disable gnupg and systemd directories under /run/user +Igor Bukanov (https://github.com/ibukanov) + - found/fiixed privilege escalation in --hosts-file option Cat (https://github.com/ecat3) - prevent tmux connecting to an existing session Zack Weinberg (https://github.com/zackw) diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 812112b51..d6d7d3887 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -629,6 +629,23 @@ int sandbox(void* sandbox_arg) { #ifdef HAVE_OVERLAYFS if (arg_overlay) { fs_overlayfs(); + +//todo - bring it back for overlay-named +#if 0 + fs_overlayfs(); + // force caps and seccomp if not started as root + if (getuid() != 0) { + enforce_filters(); +#ifdef HAVE_SECCOMP + enforce_seccomp = 1; +#endif + } + else + arg_seccomp = 1; +#endif + + + } else #endif -- cgit v1.2.3-70-g09d2 From 4900803fd5c0cf61000a8a4b425e1b987894b848 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 29 Jan 2017 15:59:02 -0500 Subject: documentation --- etc/login.users | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/etc/login.users b/etc/login.users index bc6ac4b09..81f12c6b1 100644 --- a/etc/login.users +++ b/etc/login.users @@ -9,6 +9,12 @@ # # netblue:--net=none --protocol=unix # +# Wildcard patterns are accepted in the user name field: +# +# user*: --private +# +# The example will do --private for user1, user2, and so on. +# # The extra arguments are inserted into program command line if firejail # was started as a login shell. -- cgit v1.2.3-70-g09d2 From 7dd00cebb3a00edbae9fed8ff9a7895866a22407 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 30 Jan 2017 09:00:18 -0500 Subject: --quiet fix --- src/firejail/sandbox.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) 
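Review bot: The `#if 0` block added right after `fs_overlayfs()` repeats the `fs_overlayfs();` call, so the day the guard is flipped for `--overlay-named` the overlay would be set up twice; remove the duplicated line now rather than leaving it behind the `//todo`. As committed, the forced `enforce_filters()` and seccomp for unprivileged `--overlay` users is dead code, so this hunk changes no sandbox behaviour despite reading like a hardening change — if that is intended for this release, the comment should say so explicitly, e.g. `// NOTE: not compiled in - unprivileged --overlay currently runs without forced caps/seccomp`. The enclosing `sandbox()` starts and ends outside the hunk.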
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index d6d7d3887..e56526f34 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -386,7 +386,7 @@ static void enforce_filters(void) { } // disable all capabilities - if (arg_caps_default_filter || arg_caps_list) + if (arg_caps_default_filter || arg_caps_list && !arg_quiet) fprintf(stderr, "Warning: all capabilities disabled for a regular user in chroot\n"); arg_caps_drop_all = 1; @@ -520,7 +520,8 @@ int sandbox(void* sandbox_arg) { if (cfg.defaultgw) { // set the default route if (net_add_route(0, 0, cfg.defaultgw)) { - fprintf(stderr, "Warning: cannot configure default route\n"); + if (!arg_quiet) + fprintf(stderr, "Warning: cannot configure default route\n"); gw_cfg_failed = 1; } } @@ -847,7 +848,8 @@ int sandbox(void* sandbox_arg) { int rv = nice(cfg.nice); (void) rv; if (errno) { - fprintf(stderr, "Warning: cannot set nice value\n"); + if (!arg_quiet) + fprintf(stderr, "Warning: cannot set nice value\n"); errno = 0; } } @@ -903,7 +905,8 @@ int sandbox(void* sandbox_arg) { if (arg_noroot) { int rv = unshare(CLONE_NEWUSER); if (rv == -1) { - fprintf(stderr, "Warning: cannot create a new user namespace, going forward without it...\n"); + if (!arg_quiet) + fprintf(stderr, "Warning: cannot create a new user namespace, going forward without it...\n"); drop_privs(arg_nogroups); arg_noroot = 0; } @@ -934,7 +937,7 @@ int sandbox(void* sandbox_arg) { if (arg_nonewprivs) { int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); - if(no_new_privs != 0) + if(no_new_privs != 0 && !arg_quiet) fprintf(stderr, "Warning: NO_NEW_PRIVS disabled, it requires a Linux kernel version 3.5 or newer.\n"); else if (arg_debug) printf("NO_NEW_PRIVS set\n"); -- cgit v1.2.3-70-g09d2 From 4579993d9b756d0821fa77a8fff409e764f2107a Mon Sep 17 00:00:00 2001 
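Review bot: The new condition `if (arg_caps_default_filter || arg_caps_list && !arg_quiet)` parses as `arg_caps_default_filter || (arg_caps_list && !arg_quiet)` because `&&` binds tighter than `||`, so `--quiet` still does not silence the warning whenever a default capability filter is configured. The intent needs parentheses: `if ((arg_caps_default_filter || arg_caps_list) && !arg_quiet)`. GCC's `-Wparentheses` normally flags exactly this pattern, so the build log probably already shows it; `enforce_filters` starts outside the hunk.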
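Review bot: Under `--quiet` the `unshare(CLONE_NEWUSER)` failure path now falls back to `drop_privs` and clears `arg_noroot` with no output at all, so a user who explicitly asked for `--noroot` gets a weaker sandbox and has no way to notice. Quieting cosmetic warnings is fine, but a silently degraded security option deserves a record even in quiet mode — keep this particular `fprintf` unconditional, or route it through the syslog path (`logerr` is visible in util.c earlier on this page) so the journal still shows it. The same consideration applies to the NO_NEW_PRIVS fallback in the last hunk of this commit. `sandbox()` extends beyond both hunks.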
From: netblue30 Date: Mon, 30 Jan 2017 11:01:32 -0500 Subject: --writable-var-log --- README.md | 8 ++++++++ RELNOTES | 3 ++- src/firejail/firejail.h | 1 + src/firejail/fs.c | 21 ++++++++++++++++----- src/firejail/main.c | 6 +++++- src/firejail/profile.c | 4 ++++ src/firejail/usage.c | 1 + src/man/firejail-profile.txt | 5 +++++ src/man/firejail.txt | 11 +++++++++++ 9 files changed, 53 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index e480361c4..07de69e42 100644 --- a/README.md +++ b/README.md @@ -98,6 +98,14 @@ Added AppImage type 2 support, and support for passing command line arguments to Example: $ firejail --hosts-file=~/myhosts firefox + --writable-var-log + Use the real /var/log directory, not a clone. By default, a + tmpfs is mounted on top of /var/log directory, and a skeleton + filesystem is created based on the original /var/log. + + Example: + $ sudo firejail --writable-var-log + ````` ## New Profiles xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom, Guayadeque, qemu, keypass2, diff --git a/RELNOTES b/RELNOTES index e7999f13a..16360bc64 100644 --- a/RELNOTES +++ b/RELNOTES @@ -19,8 +19,9 @@ firejail (0.9.45) baseline; urgency=low * feature: private /opt directory (--private-opt, profile support) * feature: private /srv directory (--private-srv, profile support) * feature: spoof machine-id (--machine-id, profile support) - * feature: allow blacklists under --private (--allow-private-blacklist) + * feature: allow blacklists under --private (--allow-private-blacklist, profile support) * feature: user-defined /etc/hosts file (--hosts-file, profile support) + * feature: support for the real /var/log directory (--writable-var-log, profile support) * feature: config support for firejail prompt in terminals * feature: AppImage type 2 support * feature: pass command line arguments to appimages diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 7d6e16094..7e5412630 100644 --- a/src/firejail/firejail.h 
+++ b/src/firejail/firejail.h @@ -338,6 +338,7 @@ extern int arg_nice; // nice value configured extern int arg_ipc; // enable ipc namespace extern int arg_writable_etc; // writable etc extern int arg_writable_var; // writable var +extern int arg_writable_var_log; // writable /var/log extern int arg_appimage; // appimage extern int arg_audit; // audit extern char *arg_audit_prog; // audit diff --git a/src/firejail/fs.c b/src/firejail/fs.c index a4d4db7fe..3cda68f1b 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -445,6 +445,7 @@ static void fs_rdwr(const char *dir) { mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0) errExit("mount read-write"); fs_logger2("read-write", dir); +printf("readwrite %s\n", dir); } } @@ -682,11 +683,13 @@ void fs_basic_fs(void) { fs_rdonly("/usr"); // update /var directory in order to support multiple sandboxes running on the same root directory -// if (!arg_private_dev) -// fs_dev_shm(); fs_var_lock(); fs_var_tmp(); - fs_var_log(); + if (!arg_writable_var_log) + fs_var_log(); + else + fs_rdwr("/var/log"); + fs_var_lib(); fs_var_cache(); fs_var_utmp(); @@ -996,7 +999,11 @@ void fs_overlayfs(void) { // fs_dev_shm(); fs_var_lock(); fs_var_tmp(); - fs_var_log(); + if (!arg_writable_var_log) + fs_var_log(); + else + fs_rdwr("/var/log"); + fs_var_lib(); fs_var_cache(); fs_var_utmp(); @@ -1226,7 +1233,11 @@ void fs_chroot(const char *rootdir) { // fs_dev_shm(); fs_var_lock(); fs_var_tmp(); - fs_var_log(); + if (!arg_writable_var_log) + fs_var_log(); + else + fs_rdwr("/var/log"); + fs_var_lib(); fs_var_cache(); fs_var_utmp(); diff --git a/src/firejail/main.c b/src/firejail/main.c index 8fea98950..7c6568903 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c 
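Review bot: The `printf("readwrite %s\n", dir);` added to `fs_rdwr` is a leftover debug line: it is unindented, writes to stdout instead of the `fs_logger2("read-write", dir)` trace one line above it, and prints regardless of `--quiet` or `arg_debug`. Drop it, or at most guard it as `if (arg_debug) printf("Mounting %s read-write\n", dir);` to match how the rest of the file reports mounts. `fs_rdwr` begins outside the hunk.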
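Review bot: The four-line `if (!arg_writable_var_log) fs_var_log(); else fs_rdwr("/var/log");` branch is pasted identically into `fs_basic_fs`, `fs_overlayfs` and `fs_chroot` in this commit; a small `static void fs_var_log_setup(void)` helper would keep the three sandbox-setup paths from drifting the next time the policy changes, as the already commented-out `fs_dev_shm()` calls show has happened before. For the overlay and chroot cases `fs_rdwr("/var/log")` remounts whatever `/var/log` is in the new root, and the man-page and README examples in this commit all use `sudo`; a one-line comment at each call site stating that `--writable-var-log` is meant for root-started sandboxes would save the next reader from guessing whether the unprivileged case is supported. All three enclosing functions extend beyond their hunks.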
@@ -114,7 +114,8 @@ int arg_x11_block = 0; // block X11 int arg_x11_xorg = 0; // use X11 security extention int arg_allusers = 0; // all user home directories visible int arg_machineid = 0; // preserve /etc/machine-id -int arg_allow_private_blacklist = 0; // blacklist things in private directories +int arg_allow_private_blacklist = 0; // blacklist things in private directories +int arg_writable_var_log; // writable /var/log int login_shell = 0; @@ -1488,6 +1489,9 @@ int main(int argc, char **argv) { else if (strcmp(argv[i], "--writable-var") == 0) { arg_writable_var = 1; } + else if (strcmp(argv[i], "--writable-var-log") == 0) { + arg_writable_var_log = 1; + } else if (strcmp(argv[i], "--machine-id") == 0) { arg_machineid = 1; } diff --git a/src/firejail/profile.c b/src/firejail/profile.c index d188f97a8..4856b31ae 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -673,6 +673,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { arg_writable_var = 1; return 0; } + if (strcmp(ptr, "writable-var-log") == 0) { + arg_writable_var_log = 1; + return 0; + } // private directory if (strncmp(ptr, "private ", 8) == 0) { diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 6f16a5868..15ba22d4d 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -192,6 +192,7 @@ void usage(void) { #endif printf(" --writable-etc - /etc directory is mounted read-write.\n"); printf(" --writable-var - /var directory is mounted read-write.\n"); + printf(" --writable-var-log - use the real /var/log directory, not a clone.\n"); printf(" --x11 - enable X11 sandboxing. The software checks first if Xpra is\n"); printf("\tinstalled, then it checks if Xephyr is installed. If all fails, it will\n"); printf("\tattempt to use X11 security extension.\n"); diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 034f1beac..90dca19bf 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt 
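Review bot: `int arg_writable_var_log;` is declared without the explicit `= 0` that every neighbouring flag in this table carries (`arg_x11_xorg = 0`, `arg_allusers = 0`, `arg_machineid = 0`, `arg_allow_private_blacklist = 0`); it is still zero-initialised as a file-scope object, but the inconsistency reads as an oversight, so write `int arg_writable_var_log = 0; // writable /var/log`. The hunk also re-emits the otherwise unchanged `arg_allow_private_blacklist` line with different whitespace, which only adds noise to `git blame`.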
@@ -244,6 +244,11 @@ Mount /etc directory read-write. .TP \fBwritable-var Mount /var directory read-write. +.TP +\fBwritable-var-log +Use the real /var/log directory, not a clone. By default, a tmpfs is mounted on top of /var/log +directory, and a skeleton filesystem is created based on the original /var/log. + .SH Security filters The following security filters are currently implemented: diff --git a/src/man/firejail.txt b/src/man/firejail.txt index b836fd738..993186476 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -1725,6 +1725,17 @@ Example: .br $ sudo firejail --writable-var +.TP +\fB\-\-writable-var-log +Use the real /var/log directory, not a clone. By default, a tmpfs is mounted on top of /var/log +directory, and a skeleton filesystem is created based on the original /var/log. +.br + +.br +Example: +.br +$ sudo firejail --writable-var-log + .TP \fB\-\-x11 -- cgit v1.2.3-70-g09d2 From da097ac2e892b2472ec8898f194e4940edc6cdff Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 30 Jan 2017 11:19:02 -0500 Subject: --writable-var-log --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 07de69e42..55ed7523a 100644 --- a/README.md +++ b/README.md @@ -99,7 +99,7 @@ Added AppImage type 2 support, and support for passing command line arguments to $ firejail --hosts-file=~/myhosts firefox --writable-var-log - Use the real /var/log directory, not a clone. By default, a + Useq the real /var/log directory, not a clone. By default, a tmpfs is mounted on top of /var/log directory, and a skeleton filesystem is created based on the original /var/log. -- cgit v1.2.3-70-g09d2 From 38036088fc46f152dff7870295ed53c1add81087 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 1 Feb 2017 08:32:54 -0500 Subject: fixed README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 55ed7523a..07de69e42 100644 --- a/README.md +++ b/README.md 
@@ -99,7 +99,7 @@ Added AppImage type 2 support, and support for passing command line arguments to $ firejail --hosts-file=~/myhosts firefox --writable-var-log - Useq the real /var/log directory, not a clone. By default, a + Use the real /var/log directory, not a clone. By default, a tmpfs is mounted on top of /var/log directory, and a skeleton filesystem is created based on the original /var/log. -- cgit v1.2.3-70-g09d2 From abea7c9a73a6e44e9c05a054c4bb6c301b8ad4d2 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 4 Feb 2017 08:26:58 -0500 Subject: xmms profile fix --- etc/xmms.profile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/etc/xmms.profile b/etc/xmms.profile index c12a3bcdc..0d57f2f90 100644 --- a/etc/xmms.profile +++ b/etc/xmms.profile @@ -1,5 +1,6 @@ -# xmms media player profile +# Firejail profile for XMMS noblacklist ${HOME}/.xmms + include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc @@ -12,6 +13,6 @@ noroot protocol unix,inet,inet6 seccomp shell none + private-bin xmms private-dev -private-tmp -- cgit v1.2.3-70-g09d2 From a6894d03f4a03e45ed3564f351c21dc4a622b733 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 4 Feb 2017 08:32:18 -0500 Subject: quiet fix --- src/firejail/fs.c | 1 - 1 file changed, 1 deletion(-) diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 3cda68f1b..69b9d77bc 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -445,7 +445,6 @@ static void fs_rdwr(const char *dir) { mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0) errExit("mount read-write"); fs_logger2("read-write", dir); -printf("readwrite %s\n", dir); } } -- cgit v1.2.3-70-g09d2 From e46dd3e952af021c76d7f7b4df8f6da48fed6bed Mon Sep 17 00:00:00 2001 
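Review bot: The second xmms.profile hunk drops `private-tmp` without recording why, which re-exposes the host `/tmp` (including `/tmp/.X11-unix` and whatever other users leave there) to the sandboxed player; the commit message `xmms profile fix` does not say what was broken. If XMMS needs something under `/tmp` — presumably a socket or the X11 directory — leave a trace in the profile, e.g. `# no private-tmp: xmms needs <path> under /tmp`, so the restriction is not silently re-added later, or consider whitelisting just that path instead of giving up the private tmpfs.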
From: netblue30 Date: Sat, 4 Feb 2017 11:57:47 -0500 Subject: git-install --- Makefile.in | 2 + contrib/update_src.sh | 11 ------ src/fgit/fgit-install.sh | 20 ++++++++++ src/fgit/fgit-uninstall.sh | 16 ++++++++ src/firejail/firejail.h | 4 ++ src/firejail/git.c | 91 ++++++++++++++++++++++++++++++++++++++++++++++ src/firejail/main.c | 7 +++- 7 files changed, 139 insertions(+), 12 deletions(-) delete mode 100755 contrib/update_src.sh create mode 100755 src/fgit/fgit-install.sh create mode 100644 src/fgit/fgit-uninstall.sh create mode 100644 src/firejail/git.c diff --git a/Makefile.in b/Makefile.in index fb6460dfd..7152019d4 100644 --- a/Makefile.in +++ b/Makefile.in @@ -82,6 +82,8 @@ realinstall: install -c -m 0644 src/libconnect/libconnect.so $(DESTDIR)/$(libdir)/firejail/. install -c -m 0755 src/ftee/ftee $(DESTDIR)/$(libdir)/firejail/. install -c -m 0755 src/fshaper/fshaper.sh $(DESTDIR)/$(libdir)/firejail/. + install -c -m 0755 src/fgit/fgit-install.sh $(DESTDIR)/$(libdir)/firejail/. + install -c -m 0755 src/fgit/fgit-uninstall.sh $(DESTDIR)/$(libdir)/firejail/. install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/. install -c -m 0755 src/faudit/faudit $(DESTDIR)/$(libdir)/firejail/. install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/. diff --git a/contrib/update_src.sh b/contrib/update_src.sh deleted file mode 100755 index a61244c49..000000000 --- a/contrib/update_src.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/sh -# Purpose: Fetch, compile, and install firejail from GitHub source. Package-manager agnostic. -set -e -git clone --depth=1 https://www.github.com/netblue30/firejail.git -cd firejail -./configure -make -sudo make install-strip -echo "Firejail was updated!" -cd .. -rm -rf firejail diff --git a/src/fgit/fgit-install.sh b/src/fgit/fgit-install.sh new file mode 100755 index 000000000..9e43559a1 --- /dev/null +++ b/src/fgit/fgit-install.sh 
@@ -0,0 +1,20 @@ +#!/bin/sh +# Purpose: Fetch, compile, and install firejail from GitHub source. Package-manager agnostic. +# + +set -e # exit immediately if one of the commands fails +cd /tmp # by the time we start this, we should have a tmpfs mounted on top of /tmp +git clone --depth=1 https://www.github.com/netblue30/firejail.git +cd firejail +./configure +make +sudo make install-strip +echo "**********************************************************************" +echo "Mainline git Firejail version was installed in /usr/local." +echo "If you want to remove it, run" +echo +echo " firejail --git-uninstall" +echo +echo "**********************************************************************" +cd .. +rm -rf firejail diff --git a/src/fgit/fgit-uninstall.sh b/src/fgit/fgit-uninstall.sh new file mode 100644 index 000000000..9a370546d --- /dev/null +++ b/src/fgit/fgit-uninstall.sh @@ -0,0 +1,16 @@ +#!/bin/sh +# Purpose: Fetch, compile, and install firejail from GitHub source. Package-manager agnostic. +# + +set -e # exit immediately if one of the commands fails +cd /tmp # by the time we start this, we should have a tmpfs mounted on top of /tmp +git clone --depth=1 https://www.github.com/netblue30/firejail.git +cd firejail +./configure +sudo make uninstall +echo "**********************************************************************" +echo "Firejail mainline git version uninstalled from /usr/local" +echo +echo "**********************************************************************" +cd .. +rm -rf firejail diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 7e5412630..40d81f3aa 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -720,5 +720,9 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc, int sbox_run(unsigned filter, int num, ...); +// git.c +void git_install(); +void git_uninstall(); + #endif diff --git a/src/firejail/git.c b/src/firejail/git.c new file mode 100644 index 000000000..bacceba59 
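Review bot: `sudo make install-strip` runs, as root, whatever `git clone --depth=1 https://www.github.com/netblue30/firejail.git` happened to fetch, with no pin to a tag or commit and no signature check, so the integrity of a root-installed setuid binary rests entirely on TLS to GitHub and on the state of upstream HEAD at that instant. At minimum clone a specific tag and verify it before building — `git clone --branch "$TAG" --depth=1 ...` followed by `git verify-tag "$TAG"` ahead of `./configure` — or state in the header comment that `--git-install` is a developer convenience that trusts upstream HEAD. Separately, `cd /tmp` relies on the caller having mounted a private tmpfs, as the comment admits; when the script is run directly, a pre-existing `/tmp/firejail` owned by another user at best makes the clone fail, so `cd "$(mktemp -d)"` is the safer self-contained form.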
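Review bot: The header comment of fgit-uninstall.sh is copied from the install script and says `Fetch, compile, and install firejail from GitHub source`, the opposite of what the file does; change it to `# Purpose: Remove the firejail version installed in /usr/local by --git-install.`. More substantively, the script clones current upstream HEAD and runs that tree's `make uninstall`, so the files removed are whatever the newest Makefile lists rather than what the earlier `--git-install` actually put in `/usr/local`; anything renamed between the two checkouts is left behind. Recording the installed commit at install time, or keeping the build tree and running `make uninstall` from it, would make the two commands symmetric. Like the install script, it also clones straight into `/tmp/firejail` instead of a `mktemp -d` directory.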
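Review bot: `void git_install();` and `void git_uninstall();` are declared with empty parentheses, which in C is an old-style declaration that lets callers pass any arguments unchecked; the other prototypes in this header spell out their parameter lists (`int sbox_run(unsigned filter, int num, ...)`), so write `void git_install(void);` and `void git_uninstall(void);`.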
--- /dev/null +++ b/src/firejail/git.c 
@@ -0,0 +1,91 @@ +/* + * Copyright (C) 2014-2016 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ +#include "firejail.h" +#include +#include +#include + +// install a simple mount/pid namespace sandbox with a tmpfs on top of /tmp +static void sbox_ns(void) { + if (unshare(CLONE_NEWNS | CLONE_NEWIPC) < 0) + errExit("unshare"); + + if (mount(NULL, "/tmp", "tmpfs", 0, NULL) < 0) + errExit("mount"); +} + +void git_install() { + // redirect to "/usr/bin/firejail --noprofile --private-tmp /usr/lib/firejail/fgit-install.sh" + EUID_ASSERT(); + EUID_ROOT(); + + // install a mount namespace with a tmpfs on top of /tmp + sbox_ns(); + + // drop privileges + if (setgid(getgid()) < 0) + errExit("setgid/getgid"); + if (setuid(getuid()) < 0) + errExit("setuid/getuid"); + assert(getenv("LD_PRELOAD") == NULL); + + printf("Running as "); fflush(0); + int rv = system("whoami"); + (void) rv; + printf("/tmp directory: "); fflush(0); + rv = system("ls -l /tmp"); + (void) rv; + + // run command + const char *cmd = LIBDIR "/firejail/fgit-install.sh"; + rv = system(cmd); + (void) rv; + exit(0); +} + +void git_uninstall() { + // redirect to "/usr/bin/firejail --noprofile --private-tmp /usr/lib/firejail/fgit-install.sh" + EUID_ASSERT(); + EUID_ROOT(); + + 
// install a mount namespace with a tmpfs on top of /tmp + sbox_ns(); + + // drop privileges + if (setgid(getgid()) < 0) + errExit("setgid/getgid"); + if (setuid(getuid()) < 0) + errExit("setuid/getuid"); + assert(getenv("LD_PRELOAD") == NULL); + + printf("Running as "); fflush(0); + int rv = system("whoami"); + (void) rv; + printf("/tmp directory: "); fflush(0); + rv = system("ls -l /tmp"); + (void) rv; + + // run command + const char *cmd = LIBDIR "/firejail/fgit-uninstall.sh"; + rv = system(cmd); + (void) rv; + exit(0); +} + diff --git a/src/firejail/main.c b/src/firejail/main.c index 7c6568903..ee89a7281 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -846,10 +846,15 @@ int main(int argc, char **argv) { EUID_INIT(); EUID_USER(); + // process git-install and git-uninstall + if (check_arg(argc, argv, "--git-install")) + git_install(); // this function will not return + if (check_arg(argc, argv, "--git-uninstall")) + git_uninstall(); // this function will not return // check argv[0] symlink wrapper if this is not a login shell if (*argv[0] != '-') - run_symlink(argc, argv); + run_symlink(argc, argv); // this function will not return // check if we already have a sandbox running // If LXC is detected, start firejail sandbox -- cgit v1.2.3-70-g09d2 From e138ebaa33b1c2c28734f32d542d674bff129c7c Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 4 Feb 2017 15:55:05 -0500 Subject: --git-install --- src/firejail/git.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/src/firejail/git.c b/src/firejail/git.c index bacceba59..aaae44de7 100644 --- a/src/firejail/git.c +++ b/src/firejail/git.c 
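Review bot: `assert(getenv("LD_PRELOAD") == NULL);` after the privilege drop vanishes under `NDEBUG`, so if it is meant as a guard before handing control to `system()` from a setuid binary it must be a real check — `if (getenv("LD_PRELOAD")) { fprintf(stderr, "Error: LD_PRELOAD is set\n"); exit(1); }` — and if it is only a sanity assertion a comment should say so. The tmpfs is mounted on `/tmp` with flags `0`; a root-created, user-writable tmpfs is normally given `MS_NOSUID|MS_NODEV` (not `MS_NOEXEC` here, since the build runs from it), and the later `system()` calls will execute out of it. The result of `system(cmd)` is discarded and both functions `exit(0)` unconditionally, so a failed `./configure`, `make` or `sudo` is invisible to the caller; `if (rv == -1 || !WIFEXITED(rv)) exit(1); exit(WEXITSTATUS(rv));` would propagate it. The `system("whoami")` and `system("ls -l /tmp")` calls read as debugging leftovers, and the comment above each function claims a redirection to `firejail --noprofile --private-tmp` that the code does not perform.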
@@ -22,14 +22,21 @@ #include #include -// install a simple mount/pid namespace sandbox with a tmpfs on top of /tmp +// install a very simple mount namespace sandbox with a tmpfs on top of /tmp static void sbox_ns(void) { - if (unshare(CLONE_NEWNS | CLONE_NEWIPC) < 0) + if (unshare(CLONE_NEWNS) < 0) errExit("unshare"); + // mount events are not forwarded between the host the sandbox + if (mount(NULL, "/", NULL, MS_SLAVE | MS_REC, NULL) < 0) { + errExit("mount"); + } + + // moount a tmpfs on top of /tmp if (mount(NULL, "/tmp", "tmpfs", 0, NULL) < 0) errExit("mount"); } + void git_install() { // redirect to "/usr/bin/firejail --noprofile --private-tmp /usr/lib/firejail/fgit-install.sh" -- cgit v1.2.3-70-g09d2 From d580c3454f59d10d6e0d63280658a40cd575dffa Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 4 Feb 2017 16:01:49 -0500 Subject: --git-install --- src/firejail/git.c | 44 ++++++++++++++++---------------------------- 1 file changed, 16 insertions(+), 28 deletions(-) diff --git a/src/firejail/git.c b/src/firejail/git.c index aaae44de7..1cfbb1bf4 100644 --- a/src/firejail/git.c +++ b/src/firejail/git.c @@ -23,6 +23,7 @@ #include // install a very simple mount namespace sandbox with a tmpfs on top of /tmp +// and drop privileges static void sbox_ns(void) { if (unshare(CLONE_NEWNS) < 0) errExit("unshare"); @@ -32,20 +33,11 @@ static void sbox_ns(void) { errExit("mount"); } - // moount a tmpfs on top of /tmp + // mount a tmpfs on top of /tmp if (mount(NULL, "/tmp", "tmpfs", 0, NULL) < 0) errExit("mount"); -} - -void git_install() { - // redirect to "/usr/bin/firejail --noprofile --private-tmp /usr/lib/firejail/fgit-install.sh" - EUID_ASSERT(); - EUID_ROOT(); - - // install a mount namespace with a tmpfs on top of /tmp - sbox_ns(); - + // drop privileges if (setgid(getgid()) < 0) errExit("setgid/getgid"); 
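Review bot: With `/` now made `MS_SLAVE|MS_REC` the private tmpfs no longer propagates back to the host, but `mount(NULL, "/tmp", "tmpfs", 0, NULL)` still creates a root-mounted, user-writable filesystem with no restrictions right before privileges are dropped and `system()` is invoked from it; pass `MS_NOSUID|MS_NODEV` as the flags (`MS_NOEXEC` is not an option because `./configure` and `make` must execute there). Also fix the typo in the new comment: `// mount events are not forwarded between the host and the sandbox`. `sbox_ns` lies entirely within the hunk; `git_install` begins at its end.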
@@ -59,15 +51,25 @@ void git_install() { printf("/tmp directory: "); fflush(0); rv = system("ls -l /tmp"); (void) rv; +} + +void git_install(void) { + // redirect to "/usr/bin/firejail --noprofile --private-tmp /usr/lib/firejail/fgit-install.sh" + EUID_ASSERT(); + EUID_ROOT(); + + // install a mount namespace with a tmpfs on top of /tmp + sbox_ns(); + // run command const char *cmd = LIBDIR "/firejail/fgit-install.sh"; - rv = system(cmd); + int rv = system(cmd); (void) rv; exit(0); } -void git_uninstall() { +void git_uninstall(void) { // redirect to "/usr/bin/firejail --noprofile --private-tmp /usr/lib/firejail/fgit-install.sh" EUID_ASSERT(); EUID_ROOT(); @@ -75,23 +77,9 @@ void git_uninstall() { // install a mount namespace with a tmpfs on top of /tmp sbox_ns(); - // drop privileges - if (setgid(getgid()) < 0) - errExit("setgid/getgid"); - if (setuid(getuid()) < 0) - errExit("setuid/getuid"); - assert(getenv("LD_PRELOAD") == NULL); - - printf("Running as "); fflush(0); - int rv = system("whoami"); - (void) rv; - printf("/tmp directory: "); fflush(0); - rv = system("ls -l /tmp"); - (void) rv; - // run command const char *cmd = LIBDIR "/firejail/fgit-uninstall.sh"; - rv = system(cmd); + int rv = system(cmd); (void) rv; exit(0); } -- cgit v1.2.3-70-g09d2 From a5b2d7ff64209e1a6b4d18d97fea74d50dc05091 Mon Sep 17 00:00:00 2001 From: Fred Barclay Date: Sun, 5 Feb 2017 00:18:31 -0600 Subject: Added private-opt to palemoon profile --- etc/palemoon.profile | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/palemoon.profile b/etc/palemoon.profile index 1476369a1..11ebe3d1f 100644 --- a/etc/palemoon.profile +++ b/etc/palemoon.profile @@ -23,6 +23,7 @@ shell none tracelog private-bin palemoon +private-opt palemoon private-tmp # These are uncommented in the Firefox profile. If you run into trouble you may -- cgit v1.2.3-70-g09d2 From 1ccbd9b0b6f928c2500765440ee15c82b33c8113 Mon Sep 17 00:00:00 2001 
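Review bot: `git_install` and `git_uninstall` still discard the `system()` result and `exit(0)` unconditionally, so `firejail --git-install` reports success to the shell even when `fgit-install.sh` aborts under `set -e`; replace the tail of each with `if (rv == -1 || !WIFEXITED(rv)) exit(1); exit(WEXITSTATUS(rv));`. The copy-pasted comment in `git_uninstall` still names `fgit-install.sh` and a `--private-tmp` redirection that neither function performs; reword it to describe what `sbox_ns` actually does, e.g. `// private mount namespace + tmpfs on /tmp, then drop privileges and run the uninstall script`. The `whoami` / `ls -l /tmp` diagnostics that moved into `sbox_ns` now print on every invocation and look like leftovers.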
From: Fred Barclay Date: Sun, 5 Feb 2017 00:20:03 -0600 Subject: added nogroups to qbittorrent profile --- etc/qbittorrent.profile | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index 89e0e4c78..4106065cb 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile @@ -6,6 +6,7 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter +nogroups nonewprivs noroot nosound -- cgit v1.2.3-70-g09d2 From 3f1baae2d7427423455fd24d4c6fa3da84dcf21d Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 5 Feb 2017 08:56:12 -0500 Subject: profile merges --- README | 1 + 1 file changed, 1 insertion(+) diff --git a/README b/README index 687eab4e0..109a887ad 100644 --- a/README +++ b/README @@ -84,6 +84,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added Cryptocat profile - added wireshark profile - uudeview profile fix + - fixed palemoon and qbittorrent profiles valoq (https://github.com/valoq) - lots of profile fixes - added support for /srv in --whitelist feature -- cgit v1.2.3-70-g09d2 From 6185c6f0767326a09d69f4e4e4c0d628f6b3ec33 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 5 Feb 2017 09:17:06 -0500 Subject: --git-install/--git-uninstall --- README | 1 + README.md | 25 +++++++++++++++++++++++++ src/firejail/usage.c | 3 +++ src/man/firejail.txt | 33 +++++++++++++++++++++++++++++++++ 4 files changed, 62 insertions(+) diff --git a/README b/README index 109a887ad..70577700c 100644 --- a/README +++ b/README @@ -85,6 +85,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added wireshark profile - uudeview profile fix - fixed palemoon and qbittorrent profiles + - compile/install scripts for --git-install/--git-uninstall commands valoq (https://github.com/valoq) - lots of profile fixes - added support for /srv in --whitelist feature diff --git a/README.md b/README.md index 07de69e42..696096924 100644 --- a/README.md +++ b/README.md 
@@ -105,6 +105,31 @@ Added AppImage type 2 support, and support for passing command line arguments to Example: $ sudo firejail --writable-var-log + + --git-install + Download, compile and install mainline git version of Firejail + from the official repository on GitHub. The software is + installed in /usr/local/bin, and takes precedence over the (old) + version installed in /usr/bin. If for any reason the new version + doesn't work, the user can uninstall it using --git-uninstall + command and revert to the old version. + + Prerequisites: git and compile support are required for this com‐ + mand to work. On Debian/Ubuntu systems this support is installed + using "sudo apt-get install build-essential git". + + Example: + + $ firejail --git-install + + --git-uninstall + Remove the Firejail version previously installed in + /usr/local/bin using --git-install command. + + Example: + + $ firejail --git-uninstall + ````` ## New Profiles diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 15ba22d4d..b9fff2011 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -76,6 +76,9 @@ void usage(void) { printf(" --env=name=value - set environment variable.\n"); printf(" --fs.print=name|pid - print the filesystem log.\n"); printf(" --get=name|pid filename - get a file from sandbox container.\n"); + printf(" --git-install - download, compile and install mainline git version\n"); + printf("\tof Firejail.\n"); + printf(" --git-uninstall - uninstall mainline git version of Firejail\n"); printf(" --help, -? - this help screen.\n"); printf(" --hostname=name - set sandbox hostname.\n"); printf(" --hosts-file=file - use file as /etc/hosts.\n"); diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 993186476..f978661dc 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt 
@@ -453,6 +453,39 @@ $ firejail \-\-fs.print=3272 \fB\-\-get=name|pid filename Get a file from sandbox container, see \fBFILE TRANSFER\fR section for more details. + +.TP +\fB\-\-git-install +Download, compile and install mainline git version of Firejail from the official repository on GitHub. +The software is installed in /usr/local/bin, and takes precedence over the (old) version +installed in /usr/bin. If for any reason the new version doesn't work, the user can uninstall it +using \-\-git-uninstall command and revert to the old version. +.br + +.br +Prerequisites: git and compile support are required for this command to work. On Debian/Ubuntu +systems this support is installed using "sudo apt-get install build-essential git". +.br + +.br +Example: +.br + +.br +$ firejail \-\-git-install + +.TP +\fB\-\-git-uninstall +Remove the Firejail version previously installed in /usr/local/bin using \-\-git-install command. +.br + +.br +Example: +.br + +.br +$ firejail \-\-git-uninstall + .TP \fB\-?\fR, \fB\-\-help\fR Print options end exit. -- cgit v1.2.3-70-g09d2 From a387deeef7858653f27a835509ab420d55769307 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 5 Feb 2017 11:16:45 -0500 Subject: enable strict seccomp filter on overlay options --- src/firejail/sandbox.c | 8 -------- 1 file changed, 8 deletions(-) diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index e56526f34..81cce7e98 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -630,10 +630,6 @@ int sandbox(void* sandbox_arg) { #ifdef HAVE_OVERLAYFS if (arg_overlay) { fs_overlayfs(); - -//todo - bring it back for overlay-named -#if 0 - fs_overlayfs(); // force caps and seccomp if not started as root if (getuid() != 0) { enforce_filters(); @@ -643,10 +639,6 @@ int sandbox(void* sandbox_arg) { } else arg_seccomp = 1; -#endif - - - } else #endif -- cgit v1.2.3-70-g09d2 From d17ce1322e6e42ca905393545db03a13570da1b0 Mon Sep 17 00:00:00 2001 
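Review bot: Dropping the `#if 0` guard makes `enforce_filters()` run for every `arg_overlay` sandbox started with `getuid() != 0`, including the named-overlay case that the deleted `//todo - bring it back for overlay-named` comment had set aside, and nothing in the hunk records that this is now intended. A one-line comment above the `if (getuid() != 0)` such as `// --overlay and --overlay-named: force caps/seccomp for unprivileged users` would keep the guard from being re-added. In the second hunk the `else` branch (which appears to pair with that uid check) sets only `arg_seccomp = 1`, so a root-started overlay sandbox keeps its capabilities unless something between the two hunks drops them; worth stating in the commit message if that asymmetry is deliberate. sandbox() begins and ends outside both hunks.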
From: netblue30 Date: Sun, 5 Feb 2017 11:50:04 -0500 Subject: disable --git-install at compile time --- configure | 16 +++++++++++++++ configure.ac | 8 ++++++++ src/firejail/Makefile.in | 3 ++- src/firejail/checkcfg.c | 8 ++++++++ src/firejail/fs.c | 52 ------------------------------------------------ src/firejail/git.c | 4 ++++ src/firejail/main.c | 2 ++ src/firejail/usage.c | 2 ++ 8 files changed, 42 insertions(+), 53 deletions(-) diff --git a/configure b/configure index 9efba1b1d..bdffba2ad 100755 --- a/configure +++ b/configure @@ -625,6 +625,7 @@ ac_includes_default="\ ac_subst_vars='LTLIBOBJS LIBOBJS HAVE_SECCOMP_H +HAVE_GIT_INSTALL HAVE_GCOV BUSYBOX_WORKAROUND HAVE_FATAL_WARNINGS @@ -711,6 +712,7 @@ enable_whitelist enable_fatal_warnings enable_busybox_workaround enable_gcov +enable_git_install ' ac_precious_vars='build_alias host_alias @@ -1349,6 +1351,7 @@ Optional Features: --enable-busybox-workaround enable busybox workaround --enable-gcov Gcov instrumentation + --disable-git-install disable git install feature Some influential environment variables: CC C compiler command @@ -3710,6 +3713,18 @@ if test "x$enable_gcov" = "xyes"; then : fi +HAVE_GIT_INSTALL="" +# Check whether --enable-git-install was given. +if test "${enable_git_install+set}" = set; then : + enableval=$enable_git_install; +fi + +if test "x$enable_git_install" != "xno"; then : + + HAVE_GIT_INSTALL="-DHAVE_GIT_INSTALL" + + +fi # checking pthread library @@ -4971,6 +4986,7 @@ echo " whitelisting: $HAVE_WHITELIST" echo " private home support: $HAVE_PRIVATE_HOME" echo " file transfer support: $HAVE_FILE_TRANSFER" echo " overlayfs support: $HAVE_OVERLAYFS" +echo " git install support: $HAVE_GIT_INSTALL" echo " busybox workaround: $BUSYBOX_WORKAROUND" echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" echo " fatal warnings: $HAVE_FATAL_WARNINGS" diff --git a/configure.ac b/configure.ac index f3076f2f8..252f82cde 100644 --- a/configure.ac +++ b/configure.ac 
@@ -145,6 +145,13 @@ AS_IF([test "x$enable_gcov" = "xyes"], [ AC_SUBST(HAVE_GCOV) ]) +HAVE_GIT_INSTALL="" +AC_ARG_ENABLE([git-install], + AS_HELP_STRING([--disable-git-install], [disable git install feature])) +AS_IF([test "x$enable_git_install" != "xno"], [ + HAVE_GIT_INSTALL="-DHAVE_GIT_INSTALL" + AC_SUBST(HAVE_GIT_INSTALL) +]) # checking pthread library @@ -179,6 +186,7 @@ echo " whitelisting: $HAVE_WHITELIST" echo " private home support: $HAVE_PRIVATE_HOME" echo " file transfer support: $HAVE_FILE_TRANSFER" echo " overlayfs support: $HAVE_OVERLAYFS" +echo " git install support: $HAVE_GIT_INSTALL" echo " busybox workaround: $BUSYBOX_WORKAROUND" echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" echo " fatal warnings: $HAVE_FATAL_WARNINGS" diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in index 6e5071925..80f35ff4d 100644 --- a/src/firejail/Makefile.in +++ b/src/firejail/Makefile.in 
@@ -22,13 +22,14 @@ HAVE_APPARMOR=@HAVE_APPARMOR@ HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@ HAVE_GCOV=@HAVE_GCOV@ +HAVE_GIT_INSTALL=@HAVE_GIT_INSTALL@ EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ H_FILE_LIST = $(sort $(wildcard *.[h])) C_FILE_LIST = $(sort $(wildcard *.c)) OBJS = $(C_FILE_LIST:.c=.o) BINOBJS = $(foreach file, $(OBJS), $file) -CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security +CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) $(HAVE_GIT_INSTALL) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index c3eedc510..73fa6e46b 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -351,6 +351,13 @@ void print_compiletime_support(void) { #endif ); + printf("\t- git install support is %s\n", +#ifdef HAVE_GIT_INSTALL + "enabled" +#else + "disabled" +#endif + ); #ifdef HAVE_NETWORK_RESTRICTED printf("\t- networking features are available only to root user\n"); 
@@ -395,4 +402,5 @@ void print_compiletime_support(void) { "disabled" #endif ); + } diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 69b9d77bc..2a2e97419 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -572,58 +572,6 @@ void fs_proc_sys_dev_boot(void) { } free(fname); -// todo: investigate -#if 0 - // breaks too many applications, option needed - /* // disable /run/user/{uid}/bus */ - /* char *fnamebus; */ - /* if (asprintf(&fnamebus, "/run/user/%d/bus", getuid()) == -1) */ - /* errExit("asprintf"); */ - /* if (stat(fnamebus, &s) == 0) */ - /* disable_file(BLACKLIST_FILE, fnamebus); */ - /* free(fnamebus); */ - - // WARNING: not working - // disable /run/user/{uid}/kdeinit* - //char *fnamekde; - //if (asprintf(&fnamekde, "/run/user/%d/kdeinit*", getuid()) == -1) - // errExit("asprintf"); - //if (stat(fnamekde, &s) == 0) - // disable_file(BLACKLIST_FILE, fnamekde); - //free(fnamekde); - - - // disable /run/user/{uid}/pulse - /* char *fnamepulse; */ - /* if (asprintf(&fnamepulse, "/run/user/%d/pulse", getuid()) == -1) */ - /* errExit("asprintf"); */ - /* if (stat(fnamepulse, &s) == 0) */ - /* disable_file(BLACKLIST_FILE, fnamepulse); */ - /* free(fnamepulse); */ - - // disable /run/user/{uid}/dconf - /* char *fnamedconf; */ - /* if (asprintf(&fnamedconf, "/run/user/%d/dconf", getuid()) == -1) */ - /* errExit("asprintf"); */ - /* if (stat(fnamedconf, &s) == 0) */ - /* disable_file(BLACKLIST_FILE, fnamedconf); */ - /* free(fnamedconf); */ - - - // dirs in /run/user/{uid}/ - // using gnome: - // bus, dconf, gdm, gnome-shell, gnupg, gvfs, keyring, pulse, systemd - - // using kde: - // kdeinit__0, ... - - // more files with sockets to be blacklisted - // /run/dbus /run/systemd /run/udev /run/lvm - - // /run/user/{uid} does not exist on some systems, usually used and created by desktop applications - -#endif - if (getuid() != 0) { // disable /dev/kmsg and /proc/kmsg disable_file(BLACKLIST_FILE, "/dev/kmsg"); 
diff --git a/src/firejail/git.c b/src/firejail/git.c index 1cfbb1bf4..b67339c8b 100644 --- a/src/firejail/git.c +++ b/src/firejail/git.c @@ -17,6 +17,9 @@ * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ + +#ifdef HAVE_GIT_INSTALL + #include "firejail.h" #include #include @@ -84,3 +87,4 @@ void git_uninstall(void) { exit(0); } +#endif // HAVE_GIT_INSTALL diff --git a/src/firejail/main.c b/src/firejail/main.c index ee89a7281..0d4cf2595 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -846,11 +846,13 @@ int main(int argc, char **argv) { EUID_INIT(); EUID_USER(); +#ifdef HAVE_GIT_INSTALL // process git-install and git-uninstall if (check_arg(argc, argv, "--git-install")) git_install(); // this function will not return if (check_arg(argc, argv, "--git-uninstall")) git_uninstall(); // this function will not return +#endif // check argv[0] symlink wrapper if this is not a login shell if (*argv[0] != '-') diff --git a/src/firejail/usage.c b/src/firejail/usage.c index b9fff2011..dc8fcdfef 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -76,9 +76,11 @@ void usage(void) { printf(" --env=name=value - set environment variable.\n"); printf(" --fs.print=name|pid - print the filesystem log.\n"); printf(" --get=name|pid filename - get a file from sandbox container.\n"); +#ifdef HAVE_GIT_INSTALL printf(" --git-install - download, compile and install mainline git version\n"); printf("\tof Firejail.\n"); printf(" --git-uninstall - uninstall mainline git version of Firejail\n"); +#endif printf(" --help, -? - this help screen.\n"); printf(" --hostname=name - set sandbox hostname.\n"); printf(" --hosts-file=file - use file as /etc/hosts.\n"); -- cgit v1.2.3-70-g09d2 From 6730f4c0cce738b79bdd3a661ab9077ec7839176 Mon Sep 17 00:00:00 2001 
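Review bot: In the first git.c hunk the `#include` lines sit inside the new `#ifdef HAVE_GIT_INSTALL`, so a build with the feature disabled compiles git.c as an empty translation unit, which ISO C does not permit and which `-Wpedantic` reports; if fatal warnings are ever combined with pedantic mode that would fail the build. Keeping the includes above the `#ifdef` and guarding only the function bodies avoids this. A short comment at the closing `#endif // HAVE_GIT_INSTALL`, e.g. `// when disabled, main.c rejects --git-install/--git-uninstall`, would point readers at the fallback path. Both hunks are fragments; the functions they touch are otherwise outside this view.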
From: netblue30 Date: Tue, 7 Feb 2017 13:03:28 -0500 Subject: --git-install: default disabled in ./configure script --- configure | 7 ++++--- configure.ac | 7 ++++--- src/fgit/fgit-install.sh | 2 +- src/fgit/fgit-uninstall.sh | 2 +- src/firejail/main.c | 6 ++++++ 5 files changed, 16 insertions(+), 8 deletions(-) diff --git a/configure b/configure index bdffba2ad..74f47a7c4 100755 --- a/configure +++ b/configure @@ -1351,7 +1351,7 @@ Optional Features: --enable-busybox-workaround enable busybox workaround --enable-gcov Gcov instrumentation - --disable-git-install disable git install feature + --enable-git-install enable git install feature Some influential environment variables: CC C compiler command @@ -3103,6 +3103,7 @@ if test "x$enable_apparmor" = "xyes"; then : fi + ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' @@ -3713,20 +3714,20 @@ if test "x$enable_gcov" = "xyes"; then : fi + HAVE_GIT_INSTALL="" # Check whether --enable-git-install was given. if test "${enable_git_install+set}" = set; then : enableval=$enable_git_install; fi -if test "x$enable_git_install" != "xno"; then : +if test "x$enable_git_install" = "xyes"; then : HAVE_GIT_INSTALL="-DHAVE_GIT_INSTALL" fi - # checking pthread library { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5 $as_echo_n "checking for main in -lpthread... " >&6; } diff --git a/configure.ac b/configure.ac index 252f82cde..6a6c40b40 100644 --- a/configure.ac +++ b/configure.ac @@ -17,6 +17,7 @@ AS_IF([test "x$enable_apparmor" = "xyes"], [ AC_SUBST(HAVE_APPARMOR) ]) + AS_IF([test "x$enable_apparmor" = "xyes"], [ AC_CHECK_HEADER(sys/apparmor.h, , [AC_MSG_ERROR( [Couldn't find sys/apparmor.h... please install apparmor user space library and development files] )]) 
@@ -145,15 +146,15 @@ AS_IF([test "x$enable_gcov" = "xyes"], [ AC_SUBST(HAVE_GCOV) ]) + HAVE_GIT_INSTALL="" AC_ARG_ENABLE([git-install], - AS_HELP_STRING([--disable-git-install], [disable git install feature])) -AS_IF([test "x$enable_git_install" != "xno"], [ + AS_HELP_STRING([--enable-git-install], [enable git install feature])) +AS_IF([test "x$enable_git_install" = "xyes"], [ HAVE_GIT_INSTALL="-DHAVE_GIT_INSTALL" AC_SUBST(HAVE_GIT_INSTALL) ]) - # checking pthread library AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***])) AC_CHECK_HEADER(pthread.h,,AC_MSG_ERROR([*** POSIX thread support not installed ***])) diff --git a/src/fgit/fgit-install.sh b/src/fgit/fgit-install.sh index 9e43559a1..1f710c688 100755 --- a/src/fgit/fgit-install.sh +++ b/src/fgit/fgit-install.sh @@ -6,7 +6,7 @@ set -e # exit immediately if one of the commands fails cd /tmp # by the time we start this, we should have a tmpfs mounted on top of /tmp git clone --depth=1 https://www.github.com/netblue30/firejail.git cd firejail -./configure +./configure --enable-git-install make sudo make install-strip echo "**********************************************************************" diff --git a/src/fgit/fgit-uninstall.sh b/src/fgit/fgit-uninstall.sh index 9a370546d..bc7cc9563 100644 --- a/src/fgit/fgit-uninstall.sh +++ b/src/fgit/fgit-uninstall.sh @@ -6,7 +6,7 @@ set -e # exit immediately if one of the commands fails cd /tmp # by the time we start this, we should have a tmpfs mounted on top of /tmp git clone --depth=1 https://www.github.com/netblue30/firejail.git cd firejail -./configure +./configure --enable-git-install sudo make uninstall echo "**********************************************************************" echo "Firejail mainline git version uninstalled from /usr/local" diff --git a/src/firejail/main.c b/src/firejail/main.c index 0d4cf2595..b90e30cca 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c 
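Review bot: The `git clone --depth=1` branch tip that `./configure --enable-git-install` now builds is never verified before `sudo make install-strip` turns it into the setuid-root firejail in /usr/local/bin, so whatever commit the remote serves at that moment is installed with no signed-tag or pinned-commit check. Cloning a release tag and checking it with `git verify-tag` (or at least pinning `--branch` to a known tag) before `make` would give the installed binary a verifiable provenance, and the clone URL should name `github.com` directly rather than the redirecting `www.github.com` host. The same `--enable-git-install` flag added to fgit-uninstall.sh appears unnecessary for `make uninstall`, though it is harmless. The `cd /tmp` above the changed line relies on the comment's assumption that a tmpfs is already mounted over /tmp, which nothing in the script itself checks.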
@@ -2143,6 +2143,12 @@ int main(int argc, char **argv) { return 1; } } + else if (strcmp(argv[i], "--git-install") == 0 || + strcmp(argv[i], "--git-uninstall") == 0) { + fprintf(stderr, "This feature is not enabled in the current build\n"); + exit(1); + } + else if (strcmp(argv[i], "--") == 0) { // double dash - positional params to follow arg_doubledash = 1; -- cgit v1.2.3-70-g09d2 From 14489ed329a8b90c621d144fb638e3b2bcda3cce Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 7 Feb 2017 16:43:55 -0500 Subject: firemon fix --- src/firemon/procevent.c | 34 ++++++++++++++++++++++++++-------- 1 file changed, 26 insertions(+), 8 deletions(-) diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c index edae21951..8cec404f8 100644 --- a/src/firemon/procevent.c +++ b/src/firemon/procevent.c @@ -70,7 +70,9 @@ static int pid_is_firejail(pid_t pid) { errExit("asprintf"); if ((fd = open(fname, O_RDONLY)) < 0) { free(fname); - rv = 0; +#ifdef DEBUG_PRCTL + printf("%s: %d, comm %s, rv %d\n", __FUNCTION__, __LINE__, buf, rv); +#endif goto doexit; } free(fname); @@ -81,7 +83,9 @@ static int pid_is_firejail(pid_t pid) { ssize_t len; if ((len = read(fd, buffer, sizeof(buffer) - 1)) <= 0) { close(fd); - rv = 0; +#ifdef DEBUG_PRCTL + printf("%s: %d, comm %s, rv %d\n", __FUNCTION__, __LINE__, buf, rv); +#endif goto doexit; } buffer[len] = '\0'; 
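Review bot: The new rejection branch prints `This feature is not enabled in the current build` without naming the option, and it lacks the `Error:` prefix used by the other diagnostics in main.c (for example `Error: --noprofile and --profile options are mutually exclusive` in the later main.c hunk on this page); `fprintf(stderr, "Error: %s is not enabled in the current build\n", argv[i]);` fixes both. In a build with HAVE_GIT_INSTALL defined this branch is reached only if the earlier `check_arg()` dispatch did not exit, so a comment such as `// only reachable when built without HAVE_GIT_INSTALL` would save the next reader the cross-check. main() starts and ends outside the hunk.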
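Review bot: Both pid_is_firejail() hunks drop the `rv = 0` that used to run when `/proc/<pid>/cmdline` cannot be opened or read, so the function now returns whatever `rv` held before the failure; that earlier value is set outside the hunks, and if it is already 1 after the comm check, a process whose cmdline vanished (for example one that exited between the two reads) is now reported as a firejail sandbox. If that is the intended fix for the race, a comment at each `goto doexit` such as `// cmdline unreadable: keep the verdict from the comm check` would record it; if not, `rv = 0` should stay. The added debug lines depend on `DEBUG_PRCTL` and on `buf`, both declared before the hunks.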
@@ -89,8 +93,12 @@ static int pid_is_firejail(pid_t pid) { // list of firejail arguments that don't trigger sandbox creation // the initial -- is not included - char *firejail_args = "ls list tree x11 help version top netstats debug-syscalls debug-errnos debug-protocols " - "protocol.print debug.caps shutdown bandwidth caps.print cpu.print debug-caps fs.print get overlay-clean "; + char *exclude_args[] = { + "ls", "list", "tree", "x11", "help", "version", "top", "netstats", "debug-syscalls", + "debug-errnos", "debug-protocols", "protocol.print", "debug.caps", + "shutdown", "bandwidth", "caps.print", "cpu.print", "debug-caps", + "fs.print", "get", "overlay-clean", NULL + }; int i; char *start; @@ -105,16 +113,26 @@ static int pid_is_firejail(pid_t pid) { } if (strncmp(start, "--", 2) != 0) break; + start += 2; // clan starting with = - char *ptr = strchr(start + 2, '='); + char *ptr = strchr(start, '='); if (ptr) *ptr = '\0'; - if (strstr(firejail_args, start + 2)) { - rv = 0; - break; + // look into exclude list + int j = 0; + while (exclude_args[j] != NULL) { + if (strcmp(start, exclude_args[j]) == 0) { + rv = 0; +#ifdef DEBUG_PRCTL +printf("start=#%s#, ptr=#%s#, flip rv %d\n", start, ptr, rv); +#endif + break; + } + j++; } + start = (char *) buffer + i + 1; } } -- cgit v1.2.3-70-g09d2 From 85c8cc454d3df3a83667556f7ddfafe66a78d421 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 9 Feb 2017 09:03:35 -0500 Subject: adding macro for include command in profile files --- src/firejail/main.c | 15 ++------------- src/firejail/profile.c | 22 ++++++++++++++++------ src/firejail/util.c | 5 +++++ src/man/firejail-profile.txt | 16 +++++++++++----- 4 files changed, 34 insertions(+), 24 deletions(-) diff --git a/src/firejail/main.c b/src/firejail/main.c index b90e30cca..4149f1342 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c 
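Review bot: The `DEBUG_PRCTL` printf passes `ptr` to `%s`, and `ptr` is NULL whenever the argument had no `=`, which is undefined behaviour (glibc merely happens to print `(null)`); `ptr ? ptr : "(none)"` keeps the debug build defined. The `break` after `rv = 0` only leaves the inner `while`, so unlike the old `strstr` version the outer scan continues over the remaining arguments; the result is the same, but a `goto doexit` or an outer-loop flag would make the intent explicit. `exclude_args` is rebuilt on the stack on every call and would read better as `static const char *const exclude_args[]`, and `// clan starting with =` looks like a typo for `// clear`. The enclosing scan loop and the function's tail are outside the hunk.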
@@ -1362,6 +1362,8 @@ int main(int argc, char **argv) { } #endif else if (strncmp(argv[i], "--profile=", 10) == 0) { + // multiple profile files are allowed! + if (arg_noprofile) { fprintf(stderr, "Error: --noprofile and --profile options are mutually exclusive\n"); exit(1); @@ -1370,19 +1372,6 @@ int main(int argc, char **argv) { char *ppath = expand_home(argv[i] + 10, cfg.homedir); if (!ppath) errExit("strdup"); - invalid_filename(ppath); - - // multiple profile files are allowed! - if (is_dir(ppath) || is_link(ppath) || strstr(ppath, "..")) { - fprintf(stderr, "Error: invalid profile file\n"); - exit(1); - } - - // access call checks as real UID/GID, not as effective UID/GID - if (access(ppath, R_OK)) { - fprintf(stderr, "Error: cannot access profile file\n"); - return 1; - } profile_read(ppath); custom_profile = 1; diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 4856b31ae..9b3e58ab4 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -1013,10 +1013,25 @@ void profile_read(const char *fname) { exit(1); } + // check file if (strlen(fname) == 0) { fprintf(stderr, "Error: invalid profile file\n"); exit(1); } + invalid_filename(fname); + if (is_dir(fname) || is_link(fname) || strstr(fname, "..")) { + fprintf(stderr, "Error: invalid profile file\n"); + exit(1); + } + if (access(fname, R_OK)) { + // if the file ends in ".local", do not exit + char *ptr = strstr(fname, ".local"); + if (ptr && strlen(ptr) == 6) + return; + + fprintf(stderr, "Error: cannot access profile file\n"); + exit(1); + } // allow debuggers if (arg_allow_debuggers) { @@ -1027,15 +1042,10 @@ void profile_read(const char *fname) { return; } } - + // open profile file: FILE *fp = fopen(fname, "r"); if (fp == NULL) { - // if the file ends in ".local", do not exit - char *ptr = strstr(fname, ".local"); - if (ptr && strlen(ptr) == 6) - return; - fprintf(stderr, "Error: cannot open profile file %s\n", fname); exit(1); } 
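Review bot: The new `access(fname, R_OK)` block in profile_read() returns silently for any `.local` name on any failure, not only a missing file, so a present-but-unreadable `/etc/firejail/<name>.local` (wrong mode or owner) is skipped without a word; `if (errno != ENOENT) fprintf(stderr, "Warning: cannot read %s\n", fname);` before the `return` keeps the optional semantics while surfacing the misconfiguration. The comment removed from main.c, `// access call checks as real UID/GID, not as effective UID/GID`, was the only place explaining why `access()` is the right check in a setuid program and should move with the code into profile_read(). The `is_link()`/`access()` checks and the later `fopen()` are separate operations, so if `fopen()` runs with elevated effective credentials there is a window in which the path can be swapped between them; opening once and validating the descriptor with `fstat()` would remove it. profile_read() starts and ends outside the hunks.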
diff --git a/src/firejail/util.c b/src/firejail/util.c index 44891ce2d..fbaf0b5ac 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c @@ -648,6 +648,11 @@ char *expand_home(const char *path, const char* homedir) { errExit("asprintf"); return new_name; } + else if (strncmp(path, "${CFG}", 6) == 0) { + if (asprintf(&new_name, "%s%s", SYSCONFDIR, path + 6) == -1) + errExit("asprintf"); + return new_name; + } char *rv = strdup(path); if (!rv) diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 90dca19bf..aa1aec567 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -81,14 +81,20 @@ Include other.profile file. Example: "include /etc/firejail/disable-common.inc" -other.profile file name can be prefixed with ${HOME}. This will force Firejail to look for the -file in user home directory. +The file name can be prefixed with a macro such as ${HOME} or ${CFG}. +${HOME} is expanded as user home directory, and ${CFG} is expanded as +Firejail system configuration directory - in most cases /etc/firejail or +/usr/local/etc/firejail. Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1" file. -If the file is not found, and the file name does not end in ".local", the sandbox exist immediately -with an error printed on stderr. ".local" files can be used to customize the global configuration -in /etc/firejail directory. These files are not overwritten during software install. +Example: "include ${CFG}/firefox.profile" will load "/etc/firejail/firefox.profile" file. + +System configuration files in ${CFG} are overwritten during software installation. +Persistent configuration at system level is handled in ".local" files. For every +profile file in ${CFG} directory, the user can create a corresponding .local file +storing modifications to the persistent configuration. Persistent .local files +are included at the start of regular profile files. .TP \fBnoblacklist file_name -- cgit v1.2.3-70-g09d2 
From 145248c42e8c222ff4bd7e50517d72a26859c066 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 9 Feb 2017 09:27:33 -0500 Subject: persistent config --- etc/disable-common.inc | 3 ++- etc/disable-devel.inc | 3 ++- etc/disable-passwdmgr.inc | 3 ++- etc/disable-programs.inc | 3 ++- 4 files changed, 8 insertions(+), 4 deletions(-) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 64a39296e..79732b197 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -1,4 +1,5 @@ -# Local customizations come here +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. include /etc/firejail/disable-common.local # History files in $HOME diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc index 07fc3928c..24c739b5b 100644 --- a/etc/disable-devel.inc +++ b/etc/disable-devel.inc @@ -1,4 +1,5 @@ -# Local customizations come here +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. include /etc/firejail/disable-devel.local # development tools diff --git a/etc/disable-passwdmgr.inc b/etc/disable-passwdmgr.inc index 7d129b2e4..96555940d 100644 --- a/etc/disable-passwdmgr.inc +++ b/etc/disable-passwdmgr.inc @@ -1,4 +1,5 @@ -# Local customizations come here +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. include /etc/firejail/disable-passwdmgr.local blacklist ${HOME}/.pki/nssdb diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index b307978da..98cd2125f 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -1,4 +1,5 @@ -# Local customizations come here +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. include /etc/firejail/disable-programs.local blacklist ${HOME}/.*coin -- cgit v1.2.3-70-g09d2 From 975c6f327f6347c2fed66437b65b593a1aef6a2f Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Thu, 9 Feb 2017 10:53:33 -0500 Subject: persistent support for all profile files --- etc/0ad.profile | 4 ++++ etc/7z.profile | 4 ++++ etc/Cryptocat.profile | 4 ++++ etc/Cyberfox.profile | 4 ++++ etc/FossaMail.profile | 4 ++++ etc/Mathematica.profile | 4 ++++ etc/Telegram.profile | 4 ++++ etc/VirtualBox.profile | 4 ++++ etc/Wire.profile | 4 ++++ etc/abrowser.profile | 4 ++++ etc/amarok.profile | 4 ++++ etc/ark.profile | 4 ++++ etc/atom-beta.profile | 4 ++++ etc/atom.profile | 4 ++++ etc/atool.profile | 4 ++++ etc/atril.profile | 4 ++++ etc/audacious.profile | 4 ++++ etc/audacity.profile | 4 ++++ etc/aweather.profile | 4 ++++ etc/bitlbee.profile | 4 ++++ etc/bleachbit.profile | 4 ++++ etc/bless.profile | 4 ++++ etc/brasero.profile | 4 ++++ etc/brave.profile | 4 ++++ etc/cherrytree.profile | 4 ++++ etc/chromium-browser.profile | 4 ++++ etc/chromium.profile | 4 ++++ etc/claws-mail.profile | 4 ++++ etc/clementine.profile | 4 ++++ etc/cmus.profile | 4 ++++ etc/conkeror.profile | 4 ++++ etc/corebird.profile | 4 ++++ etc/cpio.profile | 4 ++++ etc/cryptocat.profile | 4 ++++ etc/cyberfox.profile | 4 ++++ etc/deadbeef.profile | 4 ++++ etc/default.profile | 4 ++++ etc/deluge.profile | 4 ++++ etc/dillo.profile | 4 ++++ etc/display.profile | 4 ++++ etc/dnscrypt-proxy.profile | 4 ++++ etc/dnsmasq.profile | 4 ++++ etc/dolphin.profile | 4 ++++ etc/dosbox.profile | 4 ++++ etc/dragon.profile | 4 ++++ etc/dropbox.profile | 4 ++++ etc/elinks.profile | 4 ++++ etc/emacs.profile | 4 ++++ etc/empathy.profile | 4 ++++ etc/enchant.profile | 4 ++++ etc/eog.profile | 4 ++++ etc/eom.profile | 4 ++++ etc/epiphany.profile | 4 ++++ etc/evince.profile | 4 ++++ etc/evolution.profile | 4 ++++ etc/exiftool.profile | 4 ++++ etc/fbreader.profile | 4 ++++ etc/feh.profile | 4 ++++ etc/file-roller.profile | 4 ++++ etc/file.profile | 4 ++++ etc/filezilla.profile | 4 ++++ etc/firefox-esr.profile | 4 ++++ etc/firefox.profile | 4 ++++ etc/flashpeak-slimjet.profile | 4 ++++ 
etc/flowblade.profile | 4 ++++ etc/fossamail.profile | 4 ++++ etc/franz.profile | 4 ++++ etc/gajim.profile | 4 ++++ etc/gedit.profile | 4 ++++ etc/gimp.profile | 4 ++++ etc/git.profile | 4 ++++ etc/gitter.profile | 4 ++++ etc/gjs.profile | 4 ++++ etc/gnome-2048.profile | 4 ++++ etc/gnome-books.profile | 4 ++++ etc/gnome-calculator.profile | 4 ++++ etc/gnome-chess.profile | 4 ++++ etc/gnome-clocks.profile | 4 ++++ etc/gnome-contacts.profile | 4 ++++ etc/gnome-documents.profile | 4 ++++ etc/gnome-maps.profile | 4 ++++ etc/gnome-mplayer.profile | 4 ++++ etc/gnome-music.profile | 4 ++++ etc/gnome-photos.profile | 4 ++++ etc/gnome-weather.profile | 4 ++++ etc/goobox.profile | 4 ++++ etc/google-chrome-beta.profile | 4 ++++ etc/google-chrome-stable.profile | 4 ++++ etc/google-chrome-unstable.profile | 4 ++++ etc/google-chrome.profile | 4 ++++ etc/google-play-music-desktop-player.profile | 4 ++++ etc/gpa.profile | 4 ++++ etc/gpg-agent.profile | 4 ++++ etc/gpg.profile | 4 ++++ etc/gpredict.profile | 4 ++++ etc/gtar.profile | 4 ++++ etc/gthumb.profile | 4 ++++ etc/guayadeque.profile | 4 ++++ etc/gwenview.profile | 4 ++++ etc/gzip.profile | 4 ++++ etc/hedgewars.profile | 4 ++++ etc/hexchat.profile | 4 ++++ etc/highlight.profile | 4 ++++ etc/icecat.profile | 4 ++++ etc/icedove.profile | 4 ++++ etc/iceweasel.profile | 4 ++++ etc/img2txt.profile | 4 ++++ etc/inkscape.profile | 4 ++++ etc/inox.profile | 4 ++++ etc/jd-gui.profile | 4 ++++ etc/jitsi.profile | 4 ++++ etc/k3b.profile | 4 ++++ etc/kate.profile | 4 ++++ etc/keepass.profile | 4 ++++ etc/keepass2.profile | 4 ++++ etc/keepassx.profile | 4 ++++ etc/keepassx2.profile | 4 ++++ etc/kmail.profile | 4 ++++ etc/konversation.profile | 4 ++++ etc/less.profile | 4 ++++ etc/libreoffice.profile | 4 ++++ etc/localc.profile | 4 ++++ etc/lodraw.profile | 4 ++++ etc/loffice.profile | 4 ++++ etc/lofromtemplate.profile | 4 ++++ etc/loimpress.profile | 4 ++++ etc/lollypop.profile | 4 ++++ etc/lomath.profile | 4 ++++ etc/loweb.profile | 4 
++++ etc/lowriter.profile | 4 ++++ etc/luminance-hdr.profile | 4 ++++ etc/lxterminal.profile | 4 ++++ etc/lynx.profile | 4 ++++ etc/mathematica.profile | 4 ++++ etc/mcabber.profile | 4 ++++ etc/mediainfo.profile | 4 ++++ etc/midori.profile | 4 ++++ etc/mpv.profile | 4 ++++ etc/multimc5.profile | 4 ++++ etc/mumble.profile | 4 ++++ etc/mupdf.profile | 4 ++++ etc/mupen64plus.profile | 4 ++++ etc/mutt.profile | 4 ++++ etc/nautilus.profile | 4 ++++ etc/netsurf.profile | 4 ++++ etc/odt2txt.profile | 4 ++++ etc/okular.profile | 4 ++++ etc/openbox.profile | 4 ++++ etc/openshot.profile | 4 ++++ etc/opera-beta.profile | 4 ++++ etc/opera.profile | 4 ++++ etc/palemoon.profile | 4 ++++ etc/parole.profile | 4 ++++ etc/pdfsam.profile | 4 ++++ etc/pdftotext.profile | 4 ++++ etc/pidgin.profile | 4 ++++ etc/pithos.profile | 4 ++++ etc/pix.profile | 4 ++++ etc/pluma.profile | 4 ++++ etc/polari.profile | 4 ++++ etc/psi-plus.profile | 4 ++++ etc/qbittorrent.profile | 4 ++++ etc/qemu-launcher.profile | 4 ++++ etc/qemu-system-x86_64.profile | 4 ++++ etc/qpdfview.profile | 4 ++++ etc/qtox.profile | 4 ++++ etc/quassel.profile | 4 ++++ etc/quiterss.profile | 4 ++++ etc/qupzilla.profile | 4 ++++ etc/qutebrowser.profile | 4 ++++ etc/ranger.profile | 4 ++++ etc/rhythmbox.profile | 4 ++++ etc/rtorrent.profile | 4 ++++ etc/seamonkey-bin.profile | 4 ++++ etc/seamonkey.profile | 4 ++++ etc/server.profile | 4 ++++ etc/simple-scan.profile | 4 ++++ etc/skanlite.profile | 4 ++++ etc/skype.profile | 4 ++++ etc/skypeforlinux.profile | 4 ++++ etc/slack.profile | 4 ++++ etc/snap.profile | 4 ++++ etc/soffice.profile | 4 ++++ etc/spotify.profile | 4 ++++ etc/ssh-agent.profile | 4 ++++ etc/ssh.profile | 4 ++++ etc/start-tor-browser.profile | 4 ++++ etc/steam.profile | 4 ++++ etc/stellarium.profile | 4 ++++ etc/strings.profile | 4 ++++ etc/synfigstudio.profile | 4 ++++ etc/tar.profile | 4 ++++ etc/telegram.profile | 4 ++++ etc/thunderbird.profile | 4 ++++ etc/totem.profile | 4 ++++ etc/tracker.profile | 4 
++++ etc/transmission-cli.profile | 4 ++++ etc/transmission-gtk.profile | 4 ++++ etc/transmission-qt.profile | 4 ++++ etc/transmission-show.profile | 4 ++++ etc/uget-gtk.profile | 4 ++++ etc/unbound.profile | 4 ++++ etc/unrar.profile | 4 ++++ etc/unzip.profile | 4 ++++ etc/uudeview.profile | 4 ++++ etc/uzbl-browser.profile | 4 ++++ etc/vim.profile | 4 ++++ etc/virtualbox.profile | 4 ++++ etc/vivaldi-beta.profile | 4 ++++ etc/vivaldi.profile | 4 ++++ etc/vlc.profile | 4 ++++ etc/w3m.profile | 4 ++++ etc/warzone2100.profile | 4 ++++ etc/weechat-curses.profile | 4 ++++ etc/weechat.profile | 4 ++++ etc/wesnoth.profile | 4 ++++ etc/wget.profile | 4 ++++ etc/wine.profile | 4 ++++ etc/wire.profile | 4 ++++ etc/wireshark.profile | 4 ++++ etc/xchat.profile | 4 ++++ etc/xed.profile | 4 ++++ etc/xfburn.profile | 4 ++++ etc/xiphos.profile | 4 ++++ etc/xmms.profile | 4 ++++ etc/xonotic-glx.profile | 4 ++++ etc/xonotic-sdl.profile | 4 ++++ etc/xonotic.profile | 4 ++++ etc/xpdf.profile | 4 ++++ etc/xplayer.profile | 4 ++++ etc/xpra.profile | 4 ++++ etc/xreader.profile | 4 ++++ etc/xviewer.profile | 4 ++++ etc/xz.profile | 4 ++++ etc/xzdec.profile | 4 ++++ etc/zathura.profile | 4 ++++ etc/zoom.profile | 4 ++++ 237 files changed, 948 insertions(+) diff --git a/etc/0ad.profile b/etc/0ad.profile index 1e7c06879..84addc229 100644 --- a/etc/0ad.profile +++ b/etc/0ad.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/0ad.local + # Firejail profile for 0ad. noblacklist ~/.cache/0ad noblacklist ~/.config/0ad diff --git a/etc/7z.profile b/etc/7z.profile index 319126540..102de44ee 100644 --- a/etc/7z.profile +++ b/etc/7z.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/7z.local + # 7zip crompression tool profile quiet ignore noroot 
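Review bot: The new `include /etc/firejail/0ad.local` hard-codes the configuration directory even though this series adds the `${CFG}` macro, documented for `include` in the firejail-profile.txt hunk on this page, for exactly that purpose; on a build with a different sysconfdir (the same man text mentions /usr/local/etc/firejail) the `.local` file is looked up in the wrong directory and, because missing `.local` files are skipped silently in profile_read(), the user's persistent customizations are ignored without any error. `include ${CFG}/0ad.local` would follow the install prefix; the same applies to every profile hunk in this commit (7z.profile, Cryptocat.profile, FossaMail.profile and the rest through brasero.profile and beyond), although it is consistent with the existing hard-coded `disable-*.inc` includes. Wrapper profiles such as FossaMail.profile now load both `FossaMail.local` and, through the included fossamail.profile, `fossamail.local`; a comment in the wrapper noting that the lower-case `.local` also applies would avoid surprises.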
diff --git a/etc/Cryptocat.profile b/etc/Cryptocat.profile index b61b88f68..da7f93791 100644 --- a/etc/Cryptocat.profile +++ b/etc/Cryptocat.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/Cryptocat.local + # Firejail profile for Cryptocat noblacklist ${HOME}/.config/Cryptocat diff --git a/etc/Cyberfox.profile b/etc/Cyberfox.profile index 1f74606ce..bd2765bc7 100644 --- a/etc/Cyberfox.profile +++ b/etc/Cyberfox.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/Cyberfox.local + # Firejail profile for Cyberfox (based on Mozilla Firefox) include /etc/firejail/cyberfox.profile diff --git a/etc/FossaMail.profile b/etc/FossaMail.profile index 0da235467..e0ba131ed 100644 --- a/etc/FossaMail.profile +++ b/etc/FossaMail.profile @@ -1,2 +1,6 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/FossaMail.local + # Firejail profile for FossaMail include /etc/firejail/fossamail.profile diff --git a/etc/Mathematica.profile b/etc/Mathematica.profile index e719f070f..2fe19c570 100644 --- a/etc/Mathematica.profile +++ b/etc/Mathematica.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/Mathematica.local + # Mathematica profile noblacklist ${HOME}/.Mathematica noblacklist ${HOME}/.Wolfram Research diff --git a/etc/Telegram.profile b/etc/Telegram.profile index 2e0f97821..6ccda7929 100644 --- a/etc/Telegram.profile +++ b/etc/Telegram.profile @@ -1,2 +1,6 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/Telegram.local + # Telegram IRC profile include /etc/firejail/telegram.profile 
diff --git a/etc/VirtualBox.profile b/etc/VirtualBox.profile index ff0a4b6ef..5e011b1fc 100644 --- a/etc/VirtualBox.profile +++ b/etc/VirtualBox.profile @@ -1 +1,5 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/VirtualBox.local + include /etc/firejail/virtualbox.profile diff --git a/etc/Wire.profile b/etc/Wire.profile index bd9645c7f..0895353d1 100644 --- a/etc/Wire.profile +++ b/etc/Wire.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/Wire.local + # wire messenger profile include /etc/firejail/wire.profile diff --git a/etc/abrowser.profile b/etc/abrowser.profile index f25bbd94d..8515f5143 100644 --- a/etc/abrowser.profile +++ b/etc/abrowser.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/abrowser.local + # Firejail profile for Abrowser noblacklist ~/.mozilla noblacklist ~/.cache/mozilla diff --git a/etc/amarok.profile b/etc/amarok.profile index 8d5b35d47..c2a400fe4 100644 --- a/etc/amarok.profile +++ b/etc/amarok.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/amarok.local + # amarok profile include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/ark.profile b/etc/ark.profile index 61b4c6f60..20a2d10e0 100644 --- a/etc/ark.profile +++ b/etc/ark.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/ark.local + # ark profile noblacklist ~/.config/arkrc diff --git a/etc/atom-beta.profile b/etc/atom-beta.profile index fa0b316bb..4c50687aa 100644 --- a/etc/atom-beta.profile +++ b/etc/atom-beta.profile 
@@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/atom-beta.local + # Firejail profile for Atom Beta. noblacklist ~/.atom noblacklist ~/.config/Atom diff --git a/etc/atom.profile b/etc/atom.profile index 61930d5c1..fc0e1b69c 100644 --- a/etc/atom.profile +++ b/etc/atom.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/atom.local + # Firejail profile for Atom. noblacklist ~/.atom noblacklist ~/.config/Atom diff --git a/etc/atool.profile b/etc/atool.profile index 578a88fc7..37a2e09e4 100644 --- a/etc/atool.profile +++ b/etc/atool.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/atool.local + # atool profile include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/atril.profile b/etc/atril.profile index fbcca0c1b..1125f4f3c 100644 --- a/etc/atril.profile +++ b/etc/atril.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/atril.local + # Atril profile noblacklist ~/.config/atril noblacklist ~/.local/share diff --git a/etc/audacious.profile b/etc/audacious.profile index e5275213c..cf1281d42 100644 --- a/etc/audacious.profile +++ b/etc/audacious.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/audacious.local + # Audacious media player profile include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/audacity.profile b/etc/audacity.profile index 827fa4301..4394416ff 100644 --- a/etc/audacity.profile +++ b/etc/audacity.profile 
@@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/audacity.local + # Audacity profile noblacklist ~/.audacity-data diff --git a/etc/aweather.profile b/etc/aweather.profile index fa8654f1e..b6ed0de51 100644 --- a/etc/aweather.profile +++ b/etc/aweather.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/aweather.local + # Firejail profile for aweather. noblacklist ~/.config/aweather include /etc/firejail/disable-common.inc diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile index 87d2e843a..b056a54e3 100644 --- a/etc/bitlbee.profile +++ b/etc/bitlbee.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/bitlbee.local + # BitlBee instant messaging profile noblacklist /sbin noblacklist /usr/sbin diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile index 0a71db9f0..b406b9985 100644 --- a/etc/bleachbit.profile +++ b/etc/bleachbit.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/bleachbit.local + # bleachbit profile include /etc/firejail/disable-common.inc # include /etc/firejail/disable-programs.inc diff --git a/etc/bless.profile b/etc/bless.profile index 752edadf7..b8325de39 100644 --- a/etc/bless.profile +++ b/etc/bless.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/bless.local + # #Profile for bless # diff --git a/etc/brasero.profile b/etc/brasero.profile index 66de6fa50..6d84b0ca5 100644 --- a/etc/brasero.profile +++ b/etc/brasero.profile 
@@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/brasero.local + # brasero profile noblacklist ~/.config/brasero diff --git a/etc/brave.profile b/etc/brave.profile index 21ea7f908..d7678d5d5 100644 --- a/etc/brave.profile +++ b/etc/brave.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/brave.local + # Profile for Brave browser noblacklist ~/.config/brave include /etc/firejail/disable-common.inc diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index 139dec8ec..8d7585fb9 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/cherrytree.local + # cherrytree note taking application noblacklist /usr/bin/python2* noblacklist /usr/lib/python3* diff --git a/etc/chromium-browser.profile b/etc/chromium-browser.profile index d989b736b..e7dd5afe3 100644 --- a/etc/chromium-browser.profile +++ b/etc/chromium-browser.profile @@ -1,2 +1,6 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/chromium-browser.local + # Chromium browser profile include /etc/firejail/chromium.profile diff --git a/etc/chromium.profile b/etc/chromium.profile index 7610d9b26..dfdbf2dd4 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/chromium.local + # Chromium browser profile noblacklist ~/.config/chromium noblacklist ~/.cache/chromium diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile index 8921bb25e..3bffb9b0a 100644 --- a/etc/claws-mail.profile +++ b/etc/claws-mail.profile 
@@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/claws-mail.local + # claws-mail profile noblacklist ~/.claws-mail noblacklist ~/.signature diff --git a/etc/clementine.profile b/etc/clementine.profile index 5ce085358..f92413a36 100644 --- a/etc/clementine.profile +++ b/etc/clementine.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/clementine.local + # Clementine media player profile include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/cmus.profile b/etc/cmus.profile index 2e2a6940c..50bfbf7c8 100644 --- a/etc/cmus.profile +++ b/etc/cmus.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/cmus.local + # cmus profile noblacklist ${HOME}/.config/cmus diff --git a/etc/conkeror.profile b/etc/conkeror.profile index e82eeec4c..b87aa835d 100644 --- a/etc/conkeror.profile +++ b/etc/conkeror.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/conkeror.local + # Firejail profile for Conkeror web browser profile noblacklist ${HOME}/.conkeror.mozdev.org include /etc/firejail/disable-common.inc diff --git a/etc/corebird.profile b/etc/corebird.profile index 6fb8219e8..a6514af5a 100644 --- a/etc/corebird.profile +++ b/etc/corebird.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/corebird.local + # Firejail corebird profile include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/cpio.profile b/etc/cpio.profile index cf89acdac..d4b0e6d2d 100644 --- a/etc/cpio.profile 
+++ b/etc/cpio.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/cpio.local + # cpio profile # /sbin and /usr/sbin are visible inside the sandbox # /boot is not visible and /var is heavily modified diff --git a/etc/cryptocat.profile b/etc/cryptocat.profile index 0d392b272..ea5c5c69b 100644 --- a/etc/cryptocat.profile +++ b/etc/cryptocat.profile @@ -1 +1,5 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/cryptocat.local + include /etc/Cryptocat.profile diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile index f722915f0..e885fc300 100644 --- a/etc/cyberfox.profile +++ b/etc/cyberfox.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/cyberfox.local + # Firejail profile for Cyberfox (based on Mozilla Firefox) noblacklist ~/.8pecxstudios noblacklist ~/.cache/8pecxstudios diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile index 04abd0a92..603d6345c 100644 --- a/etc/deadbeef.profile +++ b/etc/deadbeef.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/deadbeef.local + # DeaDBeeF media player profile noblacklist ${HOME}/.config/deadbeef diff --git a/etc/default.profile b/etc/default.profile index 603321316..66b04896f 100644 --- a/etc/default.profile +++ b/etc/default.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/default.local + ################################ # Generic GUI application profile ################################ diff --git a/etc/deluge.profile b/etc/deluge.profile index c6ddec3ec..7b4a49db5 100644 --- a/etc/deluge.profile 
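Review bot: The context line `include /etc/Cryptocat.profile` in the cryptocat.profile hunk points outside `/etc/firejail/`, unlike every other include on this page, so the lowercase profile most likely never loads the real Cryptocat restrictions; this predates the commit, but the new header now sits directly above it and the series is the natural place to fix it. Unless the parser resolves bare `/etc/...` paths specially, the line should read `include /etc/firejail/Cryptocat.profile`, and the effect of a missing include target (hard error versus an effectively unrestricted sandbox) is the security-relevant question to settle. The three added header lines themselves are consistent with the rest of the series.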
+++ b/etc/deluge.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/deluge.local + # deluge bittorrernt client profile include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/dillo.profile b/etc/dillo.profile index 108787920..f8a3e5252 100644 --- a/etc/dillo.profile +++ b/etc/dillo.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/dillo.local + # Firejail profile for Dillo web browser noblacklist ~/.dillo include /etc/firejail/disable-common.inc diff --git a/etc/display.profile b/etc/display.profile index ec041bff7..83fbc965a 100644 --- a/etc/display.profile +++ b/etc/display.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/display.local + # display (ImageMagick tool) image viewer profile include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile index 926b8bfcc..c69707181 100644 --- a/etc/dnscrypt-proxy.profile +++ b/etc/dnscrypt-proxy.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/dnscrypt-proxy.local + # security profile for dnscrypt-proxy noblacklist /sbin noblacklist /usr/sbin diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile index 3bd43f144..0af4a3f62 100644 --- a/etc/dnsmasq.profile +++ b/etc/dnsmasq.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/dnsmasq.local + # dnsmasq profile noblacklist /sbin noblacklist /usr/sbin 
diff --git a/etc/dolphin.profile b/etc/dolphin.profile index 09a86f811..2b7919083 100644 --- a/etc/dolphin.profile +++ b/etc/dolphin.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/dolphin.local + # dolphin profile # warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5 diff --git a/etc/dosbox.profile b/etc/dosbox.profile index 45fbb712a..3ef6931fc 100644 --- a/etc/dosbox.profile +++ b/etc/dosbox.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/dosbox.local + # Firejail profile for dosbox noblacklist ~/.dosbox diff --git a/etc/dragon.profile b/etc/dragon.profile index 09cb73802..b6228fd41 100644 --- a/etc/dragon.profile +++ b/etc/dragon.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/dragon.local + # dragon player profile noblacklist ~/.config/dragonplayerrc diff --git a/etc/dropbox.profile b/etc/dropbox.profile index 40efd62b2..b58fa0ed1 100644 --- a/etc/dropbox.profile +++ b/etc/dropbox.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/dropbox.local + # dropbox profile noblacklist ~/.config/autostart include /etc/firejail/disable-common.inc diff --git a/etc/elinks.profile b/etc/elinks.profile index ade15f203..1fad33d54 100644 --- a/etc/elinks.profile +++ b/etc/elinks.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/elinks.local + # elinks profile noblacklist ~/.elinks diff --git a/etc/emacs.profile b/etc/emacs.profile index 2b9c5805c..21767402f 100644 --- a/etc/emacs.profile 
+++ b/etc/emacs.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/emacs.local + # emacs profile noblacklist ~/.emacs noblacklist ~/.emacs.d diff --git a/etc/empathy.profile b/etc/empathy.profile index 2a0a6389c..4cf90908f 100644 --- a/etc/empathy.profile +++ b/etc/empathy.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/empathy.local + # Empathy instant messaging profile include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/enchant.profile b/etc/enchant.profile index cf8288919..8b1995a95 100644 --- a/etc/enchant.profile +++ b/etc/enchant.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/enchant.local + # enchant profile noblacklist ~/.config/enchant diff --git a/etc/eog.profile b/etc/eog.profile index d463f3a97..c5afec7fa 100644 --- a/etc/eog.profile +++ b/etc/eog.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/eog.local + # eog (gnome image viewer) profile noblacklist ~/.config/eog diff --git a/etc/eom.profile b/etc/eom.profile index dfcea82c1..a7e10ba9e 100644 --- a/etc/eom.profile +++ b/etc/eom.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/eom.local + # Firejail profile for Eye of Mate (eom) noblacklist ~/.config/mate/eom diff --git a/etc/epiphany.profile b/etc/epiphany.profile index 0e898f02b..1bf259440 100644 --- a/etc/epiphany.profile +++ b/etc/epiphany.profile 
@@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/epiphany.local + # Epiphany browser profile noblacklist ${HOME}/.config/epiphany noblacklist ${HOME}/.cache/epiphany diff --git a/etc/evince.profile b/etc/evince.profile index 1ec384947..94cefdd8b 100644 --- a/etc/evince.profile +++ b/etc/evince.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/evince.local + # evince pdf reader profile noblacklist ~/.config/evince diff --git a/etc/evolution.profile b/etc/evolution.profile index 1707e562b..cb6615716 100644 --- a/etc/evolution.profile +++ b/etc/evolution.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/evolution.local + # evolution profile noblacklist ~/.config/evolution noblacklist ~/.local/share/evolution diff --git a/etc/exiftool.profile b/etc/exiftool.profile index 1cae8c093..356735421 100644 --- a/etc/exiftool.profile +++ b/etc/exiftool.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/exiftool.local + # exiftool profile noblacklist /usr/bin/perl noblacklist /usr/share/perl* diff --git a/etc/fbreader.profile b/etc/fbreader.profile index ec098d5fe..77bf89f35 100644 --- a/etc/fbreader.profile +++ b/etc/fbreader.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/fbreader.local + # fbreader ebook reader profile noblacklist ${HOME}/.FBReader diff --git a/etc/feh.profile b/etc/feh.profile index 2812effc9..e00b6a821 100644 --- a/etc/feh.profile +++ b/etc/feh.profile 
@@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/feh.local + # feh image viewer profile include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/file-roller.profile b/etc/file-roller.profile index 6116389db..804d20ce1 100644 --- a/etc/file-roller.profile +++ b/etc/file-roller.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/file-roller.local + # file-roller profile include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/file.profile b/etc/file.profile index d145fe12a..2f972212e 100644 --- a/etc/file.profile +++ b/etc/file.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/file.local + # file profile quiet include /etc/firejail/disable-common.inc diff --git a/etc/filezilla.profile b/etc/filezilla.profile index a40fceec1..5f2636bf5 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/filezilla.local + # FileZilla ftp profile noblacklist ${HOME}/.filezilla noblacklist ${HOME}/.config/filezilla diff --git a/etc/firefox-esr.profile b/etc/firefox-esr.profile index d2fde9a3f..753f64526 100644 --- a/etc/firefox-esr.profile +++ b/etc/firefox-esr.profile @@ -1,2 +1,6 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/firefox-esr.local + # Firejail profile for Mozilla Firefox ESR include /etc/firejail/firefox.profile diff --git a/etc/firefox.profile b/etc/firefox.profile index c3a9b2a62..ba655dec6 100644 --- a/etc/firefox.profile 
+++ b/etc/firefox.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/firefox.local + # Firejail profile for Mozilla Firefox (Iceweasel in Debian) noblacklist ~/.mozilla noblacklist ~/.cache/mozilla diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile index 3c23ff6f6..532749c1e 100644 --- a/etc/flashpeak-slimjet.profile +++ b/etc/flashpeak-slimjet.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/flashpeak-slimjet.local + # SlimJet browser profile # This is a whitelisted profile, the internal browser sandbox # is disabled because it requires sudo password. The command diff --git a/etc/flowblade.profile b/etc/flowblade.profile index 12afdb0aa..e60417081 100644 --- a/etc/flowblade.profile +++ b/etc/flowblade.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/flowblade.local + # FlowBlade profile noblacklist ${HOME}/.flowblade noblacklist ${HOME}/.config/flowblade diff --git a/etc/fossamail.profile b/etc/fossamail.profile index a0dc8ae59..3caaad71c 100644 --- a/etc/fossamail.profile +++ b/etc/fossamail.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/fossamail.local + # Firejail profile for FossaMail noblacklist ~/.gnupg diff --git a/etc/franz.profile b/etc/franz.profile index 0b3be551b..9e79e35f4 100644 --- a/etc/franz.profile +++ b/etc/franz.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/franz.local + # Franz profile noblacklist ~/.config/Franz noblacklist ~/.cache/Franz 
diff --git a/etc/gajim.profile b/etc/gajim.profile index eb60f858b..bac6cc466 100644 --- a/etc/gajim.profile +++ b/etc/gajim.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/gajim.local + # Firejail profile for Gajim noblacklist ${HOME}/.cache/gajim noblacklist ${HOME}/.local/share/gajim diff --git a/etc/gedit.profile b/etc/gedit.profile index a25286bfa..9f4eee9b3 100644 --- a/etc/gedit.profile +++ b/etc/gedit.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/gedit.local + # gedit profile # when gedit is started via gnome-shell, firejail is not applied because systemd will start it diff --git a/etc/gimp.profile b/etc/gimp.profile index cb441fc9d..d07398a41 100644 --- a/etc/gimp.profile +++ b/etc/gimp.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/gimp.local + # gimp noblacklist ${HOME}/.gimp* include /etc/firejail/disable-common.inc diff --git a/etc/git.profile b/etc/git.profile index 80e534e20..5fbacd7fa 100644 --- a/etc/git.profile +++ b/etc/git.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/git.local + # git profile quiet noblacklist ~/.gitconfig diff --git a/etc/gitter.profile b/etc/gitter.profile index f43f5f199..054d859f8 100644 --- a/etc/gitter.profile +++ b/etc/gitter.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/gitter.local + # Firejail profile for Gitter noblacklist ~/.config/Gitter include /etc/firejail/disable-common.inc diff --git a/etc/gjs.profile b/etc/gjs.profile index 8d71728a2..24ec70e86 100644 
--- a/etc/gjs.profile +++ b/etc/gjs.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/gjs.local + # gjs (gnome javascript bindings) profile # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them diff --git a/etc/gnome-2048.profile b/etc/gnome-2048.profile index f9982da61..95c0daccd 100644 --- a/etc/gnome-2048.profile +++ b/etc/gnome-2048.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/gnome-2048.local + # #Profile for gnome-2048 # diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile index 10b06e173..692e32896 100644 --- a/etc/gnome-books.profile +++ b/etc/gnome-books.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/gnome-books.local + # gnome-books profile # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile index 49e068171..714a97650 100644 --- a/etc/gnome-calculator.profile +++ b/etc/gnome-calculator.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/gnome-calculator.local + # #Profile for gnome-calculator # diff --git a/etc/gnome-chess.profile b/etc/gnome-chess.profile index 4db485ea7..3dcc98b72 100644 --- a/etc/gnome-chess.profile +++ b/etc/gnome-chess.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/gnome-chess.local + # Firejail profile for gnome-chess noblacklist ~/.local/share/gnome-chess 
diff --git a/etc/gnome-clocks.profile b/etc/gnome-clocks.profile index 6cccf9d32..30598f348 100644 --- a/etc/gnome-clocks.profile +++ b/etc/gnome-clocks.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/gnome-clocks.local + # gnome-clocks profile include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/gnome-contacts.profile b/etc/gnome-contacts.profile index 9dc25b26c..b61cd3c74 100644 --- a/etc/gnome-contacts.profile +++ b/etc/gnome-contacts.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/gnome-contacts.local + # #Profile for gnome-contacts # diff --git a/etc/gnome-documents.profile b/etc/gnome-documents.profile index c5def7aff..9d3b8172b 100644 --- a/etc/gnome-documents.profile +++ b/etc/gnome-documents.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/gnome-documents.local + # gnome-documents profile # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile index f1451506e..54c0eb99c 100644 --- a/etc/gnome-maps.profile +++ b/etc/gnome-maps.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/gnome-maps.local + # gnome-maps profile # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile index 25d2da085..cd268aed7 100644 --- a/etc/gnome-mplayer.profile +++ b/etc/gnome-mplayer.profile 
@@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/gnome-mplayer.local + # GNOME MPlayer profile include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile index 4a8adeb22..9136015e9 100644 --- a/etc/gnome-music.profile +++ b/etc/gnome-music.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/gnome-music.local + # gnome-music profile noblacklist ~/.local/share/gnome-music diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile index 8f9d60cb5..d1636e02e 100644 --- a/etc/gnome-photos.profile +++ b/etc/gnome-photos.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/gnome-photos.local + # gnome-photos profile # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile index 9f93b8f15..925420a5a 100644 --- a/etc/gnome-weather.profile +++ b/etc/gnome-weather.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/gnome-weather.local + # gnome-weather profile # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them diff --git a/etc/goobox.profile b/etc/goobox.profile index 8990943fc..6aaec1354 100644 --- a/etc/goobox.profile +++ b/etc/goobox.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/goobox.local + # goobox profile include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc 
diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile index 3d483967c..2b2aa39d3 100644 --- a/etc/google-chrome-beta.profile +++ b/etc/google-chrome-beta.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/google-chrome-beta.local + # Google Chrome beta browser profile noblacklist ~/.config/google-chrome-beta noblacklist ~/.cache/google-chrome-beta diff --git a/etc/google-chrome-stable.profile b/etc/google-chrome-stable.profile index 78c8ca6e5..b8d9d6917 100644 --- a/etc/google-chrome-stable.profile +++ b/etc/google-chrome-stable.profile @@ -1,2 +1,6 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/google-chrome-stable.local + # Google Chrome browser profile include /etc/firejail/google-chrome.profile diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile index 0189ce40b..79ee6454b 100644 --- a/etc/google-chrome-unstable.profile +++ b/etc/google-chrome-unstable.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/google-chrome-unstable.local + # Google Chrome unstable browser profile noblacklist ~/.config/google-chrome-unstable noblacklist ~/.cache/google-chrome-unstable diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile index 3083c2afd..0fa69ea6a 100644 --- a/etc/google-chrome.profile +++ b/etc/google-chrome.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/google-chrome.local + # Google Chrome browser profile noblacklist ~/.config/google-chrome noblacklist ~/.cache/google-chrome 
diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile index b4cf8d9ac..dbe07cfee 100644 --- a/etc/google-play-music-desktop-player.profile +++ b/etc/google-play-music-desktop-player.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/google-play-music-desktop-player.local + # Google Play Music desktop player profile noblacklist ~/.config/Google Play Music Desktop Player diff --git a/etc/gpa.profile b/etc/gpa.profile index 9da750f9e..7618fdd41 100644 --- a/etc/gpa.profile +++ b/etc/gpa.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/gpa.local + # gpa profile noblacklist ~/.gnupg diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile index f587f0d53..7beaca6f2 100644 --- a/etc/gpg-agent.profile +++ b/etc/gpg-agent.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/gpg-agent.local + # gpg-agent profile noblacklist ~/.gnupg diff --git a/etc/gpg.profile b/etc/gpg.profile index 963ff5ed7..92e42cc4b 100644 --- a/etc/gpg.profile +++ b/etc/gpg.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/gpg.local + # gpg profile noblacklist ~/.gnupg diff --git a/etc/gpredict.profile b/etc/gpredict.profile index 801304c18..9e8af2016 100644 --- a/etc/gpredict.profile +++ b/etc/gpredict.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/gpredict.local + # Firejail profile for gpredict. noblacklist ~/.config/Gpredict include /etc/firejail/disable-common.inc 
diff --git a/etc/gtar.profile b/etc/gtar.profile index 2f675cd9d..2fcdbaa83 100644 --- a/etc/gtar.profile +++ b/etc/gtar.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/gtar.local + # gtar profile quiet include /etc/firejail/tar.profile diff --git a/etc/gthumb.profile b/etc/gthumb.profile index 055d78935..d8c438181 100644 --- a/etc/gthumb.profile +++ b/etc/gthumb.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/gthumb.local + # gthumb profile noblacklist ${HOME}/.config/gthumb diff --git a/etc/guayadeque.profile b/etc/guayadeque.profile index 0c6ad00be..3c8da9e46 100644 --- a/etc/guayadeque.profile +++ b/etc/guayadeque.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/guayadeque.local + noblacklist ${HOME}/.guayadeque include /etc/firejail/disable-common.inc diff --git a/etc/gwenview.profile b/etc/gwenview.profile index c866c9e63..f636792f0 100644 --- a/etc/gwenview.profile +++ b/etc/gwenview.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/gwenview.local + # KDE gwenview profile noblacklist ~/.kde/share/apps/gwenview noblacklist ~/.kde/share/config/gwenviewrc diff --git a/etc/gzip.profile b/etc/gzip.profile index feb27c150..2eca4d8b6 100644 --- a/etc/gzip.profile +++ b/etc/gzip.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/gzip.local + # gzip profile quiet ignore noroot diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile index 7910b7eb0..4e469bd42 100644 --- a/etc/hedgewars.profile +++ b/etc/hedgewars.profile 
@@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/hedgewars.local + # whitelist profile for Hedgewars (game) noblacklist ${HOME}/.hedgewars diff --git a/etc/hexchat.profile b/etc/hexchat.profile index 5cefe45b5..53f447f7e 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/hexchat.local + # HexChat instant messaging profile # Currently in testing (may not work for all users) noblacklist ${HOME}/.config/hexchat diff --git a/etc/highlight.profile b/etc/highlight.profile index 4bab18349..446a3fbb7 100644 --- a/etc/highlight.profile +++ b/etc/highlight.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/highlight.local + # highlight profile include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/icecat.profile b/etc/icecat.profile index 038afc876..1525e8c31 100644 --- a/etc/icecat.profile +++ b/etc/icecat.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/icecat.local + # Firejail profile for GNU Icecat noblacklist ~/.mozilla noblacklist ~/.cache/mozilla diff --git a/etc/icedove.profile b/etc/icedove.profile index 310684bdb..b5265e992 100644 --- a/etc/icedove.profile +++ b/etc/icedove.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/icedove.local + # Firejail profile for Mozilla Thunderbird (Icedove in Debian Stable) # Users have icedove set to open a browser by clicking a link in an email # We are not allowed to blacklist browser-specific directories 
diff --git a/etc/iceweasel.profile b/etc/iceweasel.profile index e9b32846a..d5c29a5ce 100644 --- a/etc/iceweasel.profile +++ b/etc/iceweasel.profile @@ -1,2 +1,6 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/iceweasel.local + # Firejail profile for Mozilla Firefox (Iceweasel in Debian) include /etc/firejail/firefox.profile diff --git a/etc/img2txt.profile b/etc/img2txt.profile index d55a31cd0..15692b2b0 100644 --- a/etc/img2txt.profile +++ b/etc/img2txt.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/img2txt.local + # img2txt profile include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/inkscape.profile b/etc/inkscape.profile index a0e86b6c9..000a35fd9 100644 --- a/etc/inkscape.profile +++ b/etc/inkscape.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/inkscape.local + # inkscape noblacklist ${HOME}/.inkscape include /etc/firejail/disable-common.inc diff --git a/etc/inox.profile b/etc/inox.profile index 6f6d140e2..8ba031ea4 100644 --- a/etc/inox.profile +++ b/etc/inox.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/inox.local + # Inox browser profile noblacklist ~/.config/inox noblacklist ~/.cache/inox diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile index 1d6eb41f8..2ba1a4380 100644 --- a/etc/jd-gui.profile +++ b/etc/jd-gui.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/jd-gui.local + # #Profile for jd-gui # diff --git a/etc/jitsi.profile b/etc/jitsi.profile index 046499abe..5d502fffe 100644 
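Review bot: iceweasel.profile is a pure wrapper, so the added `include /etc/firejail/iceweasel.local` runs before `include /etc/firejail/firefox.profile`; if firefox.profile got the same header in this commit (not visible in this hunk) one sandbox now has two local hooks, with `iceweasel.local` read first and presumably `firefox.local` read later from inside firefox.profile. Nothing in the header tells an admin which file to use or that `iceweasel.local` precedes, rather than overrides, everything firefox.profile sets afterwards. I would append `# (processed before firefox.profile and any .local it includes itself)` to the new header so the precedence is explicit.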
--- a/etc/jitsi.profile +++ b/etc/jitsi.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/jitsi.local + # Firejail profile for jitsi noblacklist ~/.jitsi include /etc/firejail/disable-common.inc diff --git a/etc/k3b.profile b/etc/k3b.profile index 8a5fff0c6..68b825c5e 100644 --- a/etc/k3b.profile +++ b/etc/k3b.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/k3b.local + # k3b profile include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/kate.profile b/etc/kate.profile index 4b07ea6cb..466786e61 100644 --- a/etc/kate.profile +++ b/etc/kate.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/kate.local + # kate profile noblacklist ~/.local/share/kate noblacklist ~/.config/katerc diff --git a/etc/keepass.profile b/etc/keepass.profile index 18a5f4ebd..e92ff4341 100644 --- a/etc/keepass.profile +++ b/etc/keepass.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/keepass.local + # keepass password manager profile noblacklist ${HOME}/.config/keepass noblacklist ${HOME}/.keepass diff --git a/etc/keepass2.profile b/etc/keepass2.profile index 9daa014e3..028b538ec 100644 --- a/etc/keepass2.profile +++ b/etc/keepass2.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/keepass2.local + # keepass password manager profile #noblacklist ${HOME}/.config/KeePass #noblacklist ${HOME}/.keepass diff --git a/etc/keepassx.profile b/etc/keepassx.profile index d8621773f..ec6d014bf 100644 --- a/etc/keepassx.profile 
+++ b/etc/keepassx.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/keepassx.local + # keepassx password manager profile noblacklist ${HOME}/.config/keepassx noblacklist ${HOME}/.keepassx diff --git a/etc/keepassx2.profile b/etc/keepassx2.profile index d8621773f..5bf79b891 100644 --- a/etc/keepassx2.profile +++ b/etc/keepassx2.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/keepassx2.local + # keepassx password manager profile noblacklist ${HOME}/.config/keepassx noblacklist ${HOME}/.keepassx diff --git a/etc/kmail.profile b/etc/kmail.profile index 410ff36c6..b930f6e48 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/kmail.local + # kmail profile noblacklist ${HOME}/.gnupg diff --git a/etc/konversation.profile b/etc/konversation.profile index c00b91c18..0b920bd6a 100644 --- a/etc/konversation.profile +++ b/etc/konversation.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/konversation.local + # Firejail konversation profile include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/less.profile b/etc/less.profile index c01dfc466..23fbc4ba2 100644 --- a/etc/less.profile +++ b/etc/less.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/less.local + # less profile quiet ignore noroot diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile index d6aceb7a8..685073e7c 100644 --- a/etc/libreoffice.profile +++ b/etc/libreoffice.profile 
@@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/libreoffice.local + # Firejail profile for LibreOffice noblacklist ~/.config/libreoffice noblacklist /usr/local/sbin diff --git a/etc/localc.profile b/etc/localc.profile index fecd08822..14c34c722 100644 --- a/etc/localc.profile +++ b/etc/localc.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/localc.local + ################################ # LibreOffice profile ################################ diff --git a/etc/lodraw.profile b/etc/lodraw.profile index fecd08822..5be66c5de 100644 --- a/etc/lodraw.profile +++ b/etc/lodraw.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/lodraw.local + ################################ # LibreOffice profile ################################ diff --git a/etc/loffice.profile b/etc/loffice.profile index fecd08822..5f931502c 100644 --- a/etc/loffice.profile +++ b/etc/loffice.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/loffice.local + ################################ # LibreOffice profile ################################ diff --git a/etc/lofromtemplate.profile b/etc/lofromtemplate.profile index fecd08822..9899ddf58 100644 --- a/etc/lofromtemplate.profile +++ b/etc/lofromtemplate.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/lofromtemplate.local + ################################ # LibreOffice profile ################################ diff --git a/etc/loimpress.profile b/etc/loimpress.profile index fecd08822..4de330d67 100644 --- a/etc/loimpress.profile 
+++ b/etc/loimpress.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/loimpress.local + ################################ # LibreOffice profile ################################ diff --git a/etc/lollypop.profile b/etc/lollypop.profile index 41a662bca..06ed415d6 100644 --- a/etc/lollypop.profile +++ b/etc/lollypop.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/lollypop.local + # #Profile for lollypop # diff --git a/etc/lomath.profile b/etc/lomath.profile index fecd08822..cbe13f474 100644 --- a/etc/lomath.profile +++ b/etc/lomath.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/lomath.local + ################################ # LibreOffice profile ################################ diff --git a/etc/loweb.profile b/etc/loweb.profile index fecd08822..f5e13db02 100644 --- a/etc/loweb.profile +++ b/etc/loweb.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/loweb.local + ################################ # LibreOffice profile ################################ diff --git a/etc/lowriter.profile b/etc/lowriter.profile index fecd08822..b6c6ed407 100644 --- a/etc/lowriter.profile +++ b/etc/lowriter.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/lowriter.local + ################################ # LibreOffice profile ################################ diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile index 76e864e0c..1b06b27c3 100644 --- a/etc/luminance-hdr.profile +++ b/etc/luminance-hdr.profile 
@@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/luminance-hdr.local + # luminance-hdr noblacklist ${HOME}/.config/Luminance include /etc/firejail/disable-common.inc diff --git a/etc/lxterminal.profile b/etc/lxterminal.profile index 12765c299..5d76adf4c 100644 --- a/etc/lxterminal.profile +++ b/etc/lxterminal.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/lxterminal.local + # lxterminal (LXDE) profile include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/lynx.profile b/etc/lynx.profile index 3e8d72103..de428c214 100644 --- a/etc/lynx.profile +++ b/etc/lynx.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/lynx.local + # lynx profile include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/mathematica.profile b/etc/mathematica.profile index 9410054ae..c880b1daa 100644 --- a/etc/mathematica.profile +++ b/etc/mathematica.profile @@ -1,2 +1,6 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/mathematica.local + # Mathematica profile include /etc/firejail/Mathematica.profile diff --git a/etc/mcabber.profile b/etc/mcabber.profile index 48b46dba0..87e672501 100644 --- a/etc/mcabber.profile +++ b/etc/mcabber.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/mcabber.local + # mcabber profile noblacklist ${HOME}/.mcabber noblacklist ${HOME}/.mcabberrc diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile index 65d12c49e..9b4adc26f 100644 --- a/etc/mediainfo.profile 
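Review bot: mathematica.profile now reads `/etc/firejail/mathematica.local` and then includes `Mathematica.profile`, a file whose name differs only by case; if that profile received the same header (outside this hunk) there will also be a `Mathematica.local`, and two hooks distinguished only by capitalisation are easy to confuse on a case-sensitive /etc. The header should state which of the two files is the intended customization point and that `mathematica.local` is evaluated before anything in Mathematica.profile. I would add `# Note: Mathematica.profile (capital M) is the real profile and may have its own .local; this one is read first.` after the include.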
+++ b/etc/mediainfo.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/mediainfo.local + # mediainfo profile include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/midori.profile b/etc/midori.profile index 046c45d94..44e5e7417 100644 --- a/etc/midori.profile +++ b/etc/midori.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/midori.local + # Midori browser profile noblacklist ${HOME}/.config/midori include /etc/firejail/disable-common.inc diff --git a/etc/mpv.profile b/etc/mpv.profile index 80f8de54a..d7a8d37e8 100644 --- a/etc/mpv.profile +++ b/etc/mpv.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/mpv.local + # mpv media player profile noblacklist ${HOME}/.config/mpv diff --git a/etc/multimc5.profile b/etc/multimc5.profile index cc310f294..6b8946be3 100644 --- a/etc/multimc5.profile +++ b/etc/multimc5.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/multimc5.local + # #Profile for multimc5 # diff --git a/etc/mumble.profile b/etc/mumble.profile index ddd70822d..d5405a6ae 100644 --- a/etc/mumble.profile +++ b/etc/mumble.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/mumble.local + # mumble profile noblacklist ${HOME}/.config/Mumble noblacklist ${HOME}/.local/share/data/Mumble diff --git a/etc/mupdf.profile b/etc/mupdf.profile index 7f9261d8b..712552965 100644 --- a/etc/mupdf.profile +++ b/etc/mupdf.profile 
@@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/mupdf.local + # mupdf reader profile include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile index acb13e6b9..80e75e836 100644 --- a/etc/mupen64plus.profile +++ b/etc/mupen64plus.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/mupen64plus.local + # mupen64plus profile # manually whitelist ROM files noblacklist ${HOME}/.config/mupen64plus diff --git a/etc/mutt.profile b/etc/mutt.profile index 5a714de4a..2f0809f02 100644 --- a/etc/mutt.profile +++ b/etc/mutt.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/mutt.local + # mutt email client profile noblacklist ~/.muttrc noblacklist ~/.mutt diff --git a/etc/nautilus.profile b/etc/nautilus.profile index 264ee0b9d..85f9ab7d7 100644 --- a/etc/nautilus.profile +++ b/etc/nautilus.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/nautilus.local + # nautilus profile # Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there is already a nautilus process running on gnome desktops firejail will have no effect. diff --git a/etc/netsurf.profile b/etc/netsurf.profile index 644a1605b..4c10a3e98 100644 --- a/etc/netsurf.profile +++ b/etc/netsurf.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/netsurf.local + # Firejail profile for Mozilla Firefox (Iceweasel in Debian) noblacklist ~/.config/netsurf noblacklist ~/.cache/netsurf 
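Review bot: The header added to netsurf.profile sits directly above the line `# Firejail profile for Mozilla Firefox (Iceweasel in Debian)`, which is a copy-paste leftover in what is the NetSurf profile (the following lines whitelist `~/.config/netsurf` and `~/.cache/netsurf`). Since this commit rewrites the head of the file, the stale description should go with it: `# Firejail profile for the NetSurf web browser`. Leaving it invites someone to "fix" the profile toward Firefox's paths and permissions.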
diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile index c4e28f70e..3880895f3 100644 --- a/etc/odt2txt.profile +++ b/etc/odt2txt.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/odt2txt.local + # odt2txt profile include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/okular.profile b/etc/okular.profile index 22e223cea..2875d2ef5 100644 --- a/etc/okular.profile +++ b/etc/okular.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/okular.local + # KDE okular profile noblacklist ~/.kde/share/apps/okular noblacklist ~/.kde/share/config/okularrc diff --git a/etc/openbox.profile b/etc/openbox.profile index f812768a1..7e074f5b5 100644 --- a/etc/openbox.profile +++ b/etc/openbox.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/openbox.local + ####################################### # OpenBox window manager profile # - all applications started in OpenBox will run in this profile diff --git a/etc/openshot.profile b/etc/openshot.profile index f12bd7d11..25e9a4066 100644 --- a/etc/openshot.profile +++ b/etc/openshot.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/openshot.local + # OpenShot profile noblacklist ${HOME}/.openshot noblacklist ${HOME}/.openshot_qt diff --git a/etc/opera-beta.profile b/etc/opera-beta.profile index 4cdb0a9eb..2c20024e2 100644 --- a/etc/opera-beta.profile +++ b/etc/opera-beta.profile 
@@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/opera-beta.local + # Opera-beta browser profile noblacklist ~/.config/opera-beta noblacklist ~/.cache/opera-beta diff --git a/etc/opera.profile b/etc/opera.profile index a337ccc5b..d6e44e7f6 100644 --- a/etc/opera.profile +++ b/etc/opera.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/opera.local + # Opera browser profile noblacklist ~/.config/opera noblacklist ~/.cache/opera diff --git a/etc/palemoon.profile b/etc/palemoon.profile index 11ebe3d1f..41eef8d91 100644 --- a/etc/palemoon.profile +++ b/etc/palemoon.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/palemoon.local + # Firejail profile for Pale Moon noblacklist ~/.moonchild productions/pale moon noblacklist ~/.cache/moonchild productions/pale moon diff --git a/etc/parole.profile b/etc/parole.profile index 1440a9ef7..58a9f2c6c 100644 --- a/etc/parole.profile +++ b/etc/parole.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/parole.local + # Profile for Parole, the default XFCE4 media player include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile index 6e50f37cf..37adabb39 100644 --- a/etc/pdfsam.profile +++ b/etc/pdfsam.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/pdfsam.local + # #Profile for pdfsam # diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile index fe9e9e3cd..ce19f1760 100644 --- a/etc/pdftotext.profile +++ b/etc/pdftotext.profile 
@@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/pdftotext.local + # pdftotext profile include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/pidgin.profile b/etc/pidgin.profile index 850706145..5c5cb0a5b 100644 --- a/etc/pidgin.profile +++ b/etc/pidgin.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/pidgin.local + # Pidgin profile noblacklist ${HOME}/.purple diff --git a/etc/pithos.profile b/etc/pithos.profile index 8270b8bee..500e35989 100644 --- a/etc/pithos.profile +++ b/etc/pithos.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/pithos.local + # #Profile for pithos # diff --git a/etc/pix.profile b/etc/pix.profile index dc8192b01..c36a5f96e 100644 --- a/etc/pix.profile +++ b/etc/pix.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/pix.local + # Firejail profile for pix noblacklist ${HOME}/.config/pix noblacklist ${HOME}/.local/share/pix diff --git a/etc/pluma.profile b/etc/pluma.profile index 895cc2369..719a26928 100644 --- a/etc/pluma.profile +++ b/etc/pluma.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/pluma.local + # Firejail profile for Xed noblacklist ${HOME}/.config/pluma diff --git a/etc/polari.profile b/etc/polari.profile index ac9530c40..834a8b3d6 100644 --- a/etc/polari.profile +++ b/etc/polari.profile 
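Review bot: In pluma.profile the new header is followed by `# Firejail profile for Xed`, which describes a different editor; the `noblacklist ${HOME}/.config/pluma` on the next line shows this is the Pluma profile. As the commit already touches the top of this file, replace the description with `# Firejail profile for Pluma (MATE text editor)` so the `.local` hook and the profile it belongs to are unambiguous.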
@@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/polari.local + # Polari IRC profile include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile index e4e69b9f6..45cb22ee4 100644 --- a/etc/psi-plus.profile +++ b/etc/psi-plus.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/psi-plus.local + # Firejail profile for Psi+ noblacklist ${HOME}/.config/psi+ noblacklist ${HOME}/.local/share/psi+ diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index 4106065cb..4a454d2f6 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/qbittorrent.local + # qbittorrent bittorrent profile include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/qemu-launcher.profile b/etc/qemu-launcher.profile index f9c8e6345..328f1a30d 100644 --- a/etc/qemu-launcher.profile +++ b/etc/qemu-launcher.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/qemu-launcher.local + # qemu-launcher profile noblacklist ~/.qemu-launcher diff --git a/etc/qemu-system-x86_64.profile b/etc/qemu-system-x86_64.profile index 65e1e44ea..16e822901 100644 --- a/etc/qemu-system-x86_64.profile +++ b/etc/qemu-system-x86_64.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/qemu-system-x86_64.local + # qemu profile include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc 
diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile index 06c0db206..97f06f848 100644 --- a/etc/qpdfview.profile +++ b/etc/qpdfview.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/qpdfview.local + # qpdfview profile noblacklist ${HOME}/.config/qpdfview noblacklist ${HOME}/.local/share/qpdfview diff --git a/etc/qtox.profile b/etc/qtox.profile index 81d8aa10e..40a959d05 100644 --- a/etc/qtox.profile +++ b/etc/qtox.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/qtox.local + # qTox instant messaging profile noblacklist ${HOME}/.config/tox include /etc/firejail/disable-common.inc diff --git a/etc/quassel.profile b/etc/quassel.profile index f92dfeb9f..6fd438073 100644 --- a/etc/quassel.profile +++ b/etc/quassel.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/quassel.local + # Quassel IRC profile include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/quiterss.profile b/etc/quiterss.profile index 47ab77675..f4e4f96d3 100644 --- a/etc/quiterss.profile +++ b/etc/quiterss.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/quiterss.local + noblacklist ${HOME}/.cache/QuiteRss noblacklist ${HOME}/.config/QuiteRss noblacklist ${HOME}/.config/QuiteRssrc diff --git a/etc/qupzilla.profile b/etc/qupzilla.profile index 387ddeffa..3f5cb60c0 100644 --- a/etc/qupzilla.profile +++ b/etc/qupzilla.profile 
@@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/qupzilla.local + # Firejail profile for Qupzilla web browser noblacklist ${HOME}/.config/qupzilla noblacklist ${HOME}/.cache/qupzilla diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile index dcacd4f29..f43307ef9 100644 --- a/etc/qutebrowser.profile +++ b/etc/qutebrowser.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/qutebrowser.local + # Firejail profile for Qutebrowser (Qt5-Webkit+Python) browser noblacklist ~/.config/qutebrowser noblacklist ~/.cache/qutebrowser diff --git a/etc/ranger.profile b/etc/ranger.profile index 3538f3eb2..0cabca11e 100644 --- a/etc/ranger.profile +++ b/etc/ranger.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/ranger.local + # ranger file manager profile noblacklist /usr/bin/perl #noblacklist /usr/bin/cpan* diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index e5e192486..0f7a3fa5b 100644 --- a/etc/rhythmbox.profile +++ b/etc/rhythmbox.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/rhythmbox.local + # Rhythmbox media player profile include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index 55bfcd77f..2f8a527cc 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/rtorrent.local + # rtorrent bittorrent profile include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc 
diff --git a/etc/seamonkey-bin.profile b/etc/seamonkey-bin.profile index fff8c1258..ff8936014 100644 --- a/etc/seamonkey-bin.profile +++ b/etc/seamonkey-bin.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/seamonkey-bin.local + # Firejail profile for Seamonkey based off Mozilla Firefox include /etc/firejail/seamonkey.profile diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile index 5d817acce..b98834d37 100644 --- a/etc/seamonkey.profile +++ b/etc/seamonkey.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/seamonkey.local + # Firejail profile for Seamoneky based off Mozilla Firefox noblacklist ~/.mozilla noblacklist ~/.cache/mozilla diff --git a/etc/server.profile b/etc/server.profile index b8a34feb2..d1d7dffa9 100644 --- a/etc/server.profile +++ b/etc/server.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/server.local + # generic server profile # it allows /sbin and /usr/sbin directories - this is where servers are installed noblacklist /sbin diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile index 03089482b..ee7e50ba7 100644 --- a/etc/simple-scan.profile +++ b/etc/simple-scan.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/simple-scan.local + # simple-scan profile noblacklist ~/.cache/simple-scan diff --git a/etc/skanlite.profile b/etc/skanlite.profile index 667b775c8..b1b4b5a96 100644 --- a/etc/skanlite.profile +++ b/etc/skanlite.profile 
@@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/skanlite.local + # skanlite profile include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/skype.profile b/etc/skype.profile index 9cbcd5117..169a1dd51 100644 --- a/etc/skype.profile +++ b/etc/skype.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/skype.local + # Skype profile noblacklist ${HOME}/.Skype include /etc/firejail/disable-common.inc diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile index 3f0a274f9..d3bbf3e53 100644 --- a/etc/skypeforlinux.profile +++ b/etc/skypeforlinux.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/skypeforlinux.local + # skypeforlinux profile noblacklist ${HOME}/.config/skypeforlinux include /etc/firejail/disable-common.inc diff --git a/etc/slack.profile b/etc/slack.profile index a85a28f03..6a2dae253 100644 --- a/etc/slack.profile +++ b/etc/slack.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/slack.local + # Firejail profile for Slack noblacklist ${HOME}/.config/Slack noblacklist ${HOME}/Downloads diff --git a/etc/snap.profile b/etc/snap.profile index e2ada3a99..085ce8e2a 100644 --- a/etc/snap.profile +++ b/etc/snap.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/snap.local + ################################ # Generic Ubuntu snap application profile ################################ diff --git a/etc/soffice.profile b/etc/soffice.profile index fecd08822..737419a8f 100644 --- a/etc/soffice.profile 
+++ b/etc/soffice.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/soffice.local + ################################ # LibreOffice profile ################################ diff --git a/etc/spotify.profile b/etc/spotify.profile index 6dbcc03ee..843038a2b 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/spotify.local + # Spotify media player profile noblacklist ${HOME}/.config/spotify noblacklist ${HOME}/.cache/spotify diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile index bea3a6061..43d9f62fa 100644 --- a/etc/ssh-agent.profile +++ b/etc/ssh-agent.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/ssh-agent.local + # ssh-agent quiet noblacklist ~/.ssh diff --git a/etc/ssh.profile b/etc/ssh.profile index b7a8ed2b9..b1ef6b27e 100644 --- a/etc/ssh.profile +++ b/etc/ssh.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/ssh.local + # ssh client quiet noblacklist ~/.ssh diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile index 16ef754f6..c13f85a66 100644 --- a/etc/start-tor-browser.profile +++ b/etc/start-tor-browser.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/start-tor-browser.local + # Firejail profile for the Tor Brower Bundle include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc diff --git a/etc/steam.profile b/etc/steam.profile index 5dc5e80ff..b527589de 100644 --- a/etc/steam.profile +++ b/etc/steam.profile 
@@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/steam.local + # Steam profile (applies to games/apps launched from Steam as well) noblacklist ${HOME}/.steam noblacklist ${HOME}/.local/share/steam diff --git a/etc/stellarium.profile b/etc/stellarium.profile index d57c9e5f7..fc952be34 100644 --- a/etc/stellarium.profile +++ b/etc/stellarium.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/stellarium.local + # Firejail profile for Stellarium. noblacklist ~/.stellarium noblacklist ~/.config/stellarium diff --git a/etc/strings.profile b/etc/strings.profile index 2bbab1366..bfa089bd0 100644 --- a/etc/strings.profile +++ b/etc/strings.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/strings.local + # strings profile quiet ignore noroot diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile index 69b2a0db2..636b09bd0 100644 --- a/etc/synfigstudio.profile +++ b/etc/synfigstudio.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/synfigstudio.local + # synfigstudio noblacklist ${HOME}/.config/synfig noblacklist ${HOME}/.synfig diff --git a/etc/tar.profile b/etc/tar.profile index 3addb02fb..0162be718 100644 --- a/etc/tar.profile +++ b/etc/tar.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/tar.local + # tar profile quiet ignore noroot diff --git a/etc/telegram.profile b/etc/telegram.profile index 7615c8eef..c5e72fe76 100644 --- a/etc/telegram.profile +++ b/etc/telegram.profile 
@@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/telegram.local + # Telegram IRC profile noblacklist ${HOME}/.TelegramDesktop include /etc/firejail/disable-common.inc diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile index 568343ba6..88ab7501e 100644 --- a/etc/thunderbird.profile +++ b/etc/thunderbird.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/thunderbird.local + # Firejail profile for Mozilla Thunderbird # Users have thunderbird set to open a browser by clicking a link in an email # We are not allowed to blacklist browser-specific directories diff --git a/etc/totem.profile b/etc/totem.profile index 252b46979..0b3942cf0 100644 --- a/etc/totem.profile +++ b/etc/totem.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/totem.local + # Totem media player profile noblacklist ~/.config/totem noblacklist ~/.local/share/totem diff --git a/etc/tracker.profile b/etc/tracker.profile index 7f4f371eb..56528785a 100644 --- a/etc/tracker.profile +++ b/etc/tracker.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/tracker.local + # tracker profile # Tracker is started by systemd on most systems. Therefore it is not firejailed by default diff --git a/etc/transmission-cli.profile b/etc/transmission-cli.profile index 6cbc3415c..dbcc8d041 100644 --- a/etc/transmission-cli.profile +++ b/etc/transmission-cli.profile 
@@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/transmission-cli.local + # transmission-cli bittorrent profile noblacklist ${HOME}/.config/transmission noblacklist ${HOME}/.cache/transmission diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index fa54ea81b..dcd3317ef 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/transmission-gtk.local + # transmission-gtk bittorrent profile noblacklist ${HOME}/.config/transmission noblacklist ${HOME}/.cache/transmission diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index 100fadc27..ed63f7cff 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/transmission-qt.local + # transmission-qt bittorrent profile noblacklist ${HOME}/.config/transmission noblacklist ${HOME}/.cache/transmission diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile index 5e5284b34..0b88789b1 100644 --- a/etc/transmission-show.profile +++ b/etc/transmission-show.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/transmission-show.local + # transmission-show profile noblacklist ${HOME}/.config/transmission noblacklist ${HOME}/.cache/transmission diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile index 3ba28f772..cc5d4dda5 100644 --- a/etc/uget-gtk.profile +++ b/etc/uget-gtk.profile 
@@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/uget-gtk.local + # uGet profile noblacklist ${HOME}/.config/uGet diff --git a/etc/unbound.profile b/etc/unbound.profile index 5e2cb5f65..af8d7b374 100644 --- a/etc/unbound.profile +++ b/etc/unbound.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/unbound.local + # security profile for unbound (https://unbound.net) noblacklist /sbin noblacklist /usr/sbin diff --git a/etc/unrar.profile b/etc/unrar.profile index bde6f4e22..da187bfef 100644 --- a/etc/unrar.profile +++ b/etc/unrar.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/unrar.local + # unrar profile quiet ignore noroot diff --git a/etc/unzip.profile b/etc/unzip.profile index 8c10d11a0..24767c86f 100644 --- a/etc/unzip.profile +++ b/etc/unzip.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/unzip.local + # unzip profile quiet ignore noroot diff --git a/etc/uudeview.profile b/etc/uudeview.profile index d4b54067d..5f41188af 100644 --- a/etc/uudeview.profile +++ b/etc/uudeview.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/uudeview.local + # uudeview profile quiet ignore noroot diff --git a/etc/uzbl-browser.profile b/etc/uzbl-browser.profile index 8dc90982e..ce0b0d0a5 100644 --- a/etc/uzbl-browser.profile +++ b/etc/uzbl-browser.profile 
@@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/uzbl-browser.local + # Firejail profile for uzbl-browser noblacklist ~/.config/uzbl diff --git a/etc/vim.profile b/etc/vim.profile index b161fcbb0..e89104e17 100644 --- a/etc/vim.profile +++ b/etc/vim.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/vim.local + # vim profile noblacklist ~/.vim noblacklist ~/.vimrc diff --git a/etc/virtualbox.profile b/etc/virtualbox.profile index 1e765b89b..57ead818e 100644 --- a/etc/virtualbox.profile +++ b/etc/virtualbox.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/virtualbox.local + # virtualbox profile noblacklist ${HOME}/.VirtualBox noblacklist ${HOME}/VirtualBox VMs diff --git a/etc/vivaldi-beta.profile b/etc/vivaldi-beta.profile index 5426c4a2d..3b7c7d2b4 100644 --- a/etc/vivaldi-beta.profile +++ b/etc/vivaldi-beta.profile @@ -1,2 +1,6 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/vivaldi-beta.local + # Vivaldi Beta browser profile include /etc/firejail/vivaldi.profile diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile index b3a096069..0667c4114 100644 --- a/etc/vivaldi.profile +++ b/etc/vivaldi.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/vivaldi.local + # Vivaldi browser profile noblacklist ~/.config/vivaldi noblacklist ~/.cache/vivaldi diff --git a/etc/vlc.profile b/etc/vlc.profile index df9fcab03..9d1cdb4c8 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile 
@@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/vlc.local + # VLC media player profile noblacklist ${HOME}/.config/vlc diff --git a/etc/w3m.profile b/etc/w3m.profile index 7ee91bb70..45546440a 100644 --- a/etc/w3m.profile +++ b/etc/w3m.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/w3m.local + # w3m profile noblacklist ~/.w3m diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile index 7c7efade8..702097d98 100644 --- a/etc/warzone2100.profile +++ b/etc/warzone2100.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/warzone2100.local + # Firejail profile for warzone2100 # Currently supports warzone2100-3.1 noblacklist ~/.warzone2100-3.1 diff --git a/etc/weechat-curses.profile b/etc/weechat-curses.profile index 4a92f0b34..345196dfb 100644 --- a/etc/weechat-curses.profile +++ b/etc/weechat-curses.profile @@ -1,2 +1,6 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/weechat-curses.local + # Weechat IRC profile (Debian) include /etc/firejail/weechat.profile diff --git a/etc/weechat.profile b/etc/weechat.profile index 410061278..870e02677 100644 --- a/etc/weechat.profile +++ b/etc/weechat.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/weechat.local + # Weechat IRC profile noblacklist ${HOME}/.weechat include /etc/firejail/disable-common.inc diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile index bb489ddeb..212466f5a 100644 --- a/etc/wesnoth.profile +++ b/etc/wesnoth.profile 
@@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/wesnoth.local + # Whitelist-based profile for "Battle for Wesnoth" (game). noblacklist ${HOME}/.config/wesnoth noblacklist ${HOME}/.cache/wesnoth diff --git a/etc/wget.profile b/etc/wget.profile index ff4b92bae..cd156a376 100644 --- a/etc/wget.profile +++ b/etc/wget.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/wget.local + # wget profile quiet include /etc/firejail/disable-common.inc diff --git a/etc/wine.profile b/etc/wine.profile index 18e5346af..c732d6edf 100644 --- a/etc/wine.profile +++ b/etc/wine.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/wine.local + # wine profile noblacklist ${HOME}/.steam noblacklist ${HOME}/.local/share/steam diff --git a/etc/wire.profile b/etc/wire.profile index ec8ed8771..79ac893a9 100644 --- a/etc/wire.profile +++ b/etc/wire.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/wire.local + # wire messenger profile noblacklist ~/.config/Wire noblacklist ~/.config/wire diff --git a/etc/wireshark.profile b/etc/wireshark.profile index 898fc787e..54877b677 100644 --- a/etc/wireshark.profile +++ b/etc/wireshark.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/wireshark.local + # Firejail profile for noblacklist ${HOME}/.config/wireshark diff --git a/etc/xchat.profile b/etc/xchat.profile index 1f2865cab..0571746b3 100644 --- a/etc/xchat.profile +++ b/etc/xchat.profile 
@@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/xchat.local + # XChat IRC profile noblacklist ${HOME}/.config/xchat diff --git a/etc/xed.profile b/etc/xed.profile index 051710a70..c8076923a 100644 --- a/etc/xed.profile +++ b/etc/xed.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/xed.local + # Firejail profile for Xed noblacklist ${HOME}/.config/xed diff --git a/etc/xfburn.profile b/etc/xfburn.profile index 1dd24aa61..a05d844d0 100644 --- a/etc/xfburn.profile +++ b/etc/xfburn.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/xfburn.local + # xfburn profile noblacklist ~/.config/xfburn diff --git a/etc/xiphos.profile b/etc/xiphos.profile index b7fb6ecf3..7522c00d7 100644 --- a/etc/xiphos.profile +++ b/etc/xiphos.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/xiphos.local + # Firejail profile for xiphos noblacklist ~/.sword noblacklist ~/.xiphos diff --git a/etc/xmms.profile b/etc/xmms.profile index 0d57f2f90..8c7e94070 100644 --- a/etc/xmms.profile +++ b/etc/xmms.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/xmms.local + # Firejail profile for XMMS noblacklist ${HOME}/.xmms diff --git a/etc/xonotic-glx.profile b/etc/xonotic-glx.profile index b255ffdbb..2f57340de 100644 --- a/etc/xonotic-glx.profile +++ b/etc/xonotic-glx.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/xonotic-glx.local + # #Profile for xonotic:xonotic-glx # 
diff --git a/etc/xonotic-sdl.profile b/etc/xonotic-sdl.profile index 783667304..9af845958 100644 --- a/etc/xonotic-sdl.profile +++ b/etc/xonotic-sdl.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/xonotic-sdl.local + # #Profile for xonotic:xonotic-sdl # diff --git a/etc/xonotic.profile b/etc/xonotic.profile index 75d649619..f2690c6c3 100644 --- a/etc/xonotic.profile +++ b/etc/xonotic.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/xonotic.local + # #Profile for xonotic # diff --git a/etc/xpdf.profile b/etc/xpdf.profile index 7ea368bbe..b77bc76ac 100644 --- a/etc/xpdf.profile +++ b/etc/xpdf.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/xpdf.local + ################################ # xpdf application profile ################################ diff --git a/etc/xplayer.profile b/etc/xplayer.profile index 191d2f67f..d5b80fbc0 100644 --- a/etc/xplayer.profile +++ b/etc/xplayer.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/xplayer.local + # Xplayer profile noblacklist ~/.config/xplayer noblacklist ~/.local/share/xplayer diff --git a/etc/xpra.profile b/etc/xpra.profile index 32be90b19..d0fff2ebf 100644 --- a/etc/xpra.profile +++ b/etc/xpra.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/xpra.local + # xpra profile include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/xreader.profile b/etc/xreader.profile index d2a000bd0..2e6015aef 100644 --- a/etc/xreader.profile +++ b/etc/xreader.profile 
@@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/xreader.local + # Xreader profile noblacklist ~/.config/xreader noblacklist ~/.cache/xreader diff --git a/etc/xviewer.profile b/etc/xviewer.profile index ca380b4c7..d784ddfb3 100644 --- a/etc/xviewer.profile +++ b/etc/xviewer.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/xviewer.local + # xviewer profile noblacklist ~/.config/xviewer diff --git a/etc/xz.profile b/etc/xz.profile index 5b29f7338..2f7d9cae5 100644 --- a/etc/xz.profile +++ b/etc/xz.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/xz.local + # xz profile quiet include /etc/firejail/cpio.profile diff --git a/etc/xzdec.profile b/etc/xzdec.profile index 6164e3200..e938b81ec 100644 --- a/etc/xzdec.profile +++ b/etc/xzdec.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/xzdec.local + # xzdec profile quiet ignore noroot diff --git a/etc/zathura.profile b/etc/zathura.profile index 6c93a2480..f75541dad 100644 --- a/etc/zathura.profile +++ b/etc/zathura.profile @@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/zathura.local + # zathura document viewer profile noblacklist ~/.config/zathura noblacklist ~/.local/share/zathura diff --git a/etc/zoom.profile b/etc/zoom.profile index 4c08868cf..809356d95 100644 --- a/etc/zoom.profile +++ b/etc/zoom.profile 
@@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/zoom.local + # Firejail profile for zoom.us noblacklist ~/.config/zoomus.conf -- cgit v1.2.3-70-g09d2 From 8abd288ce8f32ab49d8a85a7ac0d355037230009 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 11 Feb 2017 09:45:05 -0500 Subject: copyright 2017 --- src/faudit/faudit.h | 2 +- src/firejail/firejail.h | 2 +- src/firemon/firemon.h | 2 +- src/fnet/fnet.h | 2 +- src/fseccomp/fseccomp.h | 2 +- src/ftee/ftee.h | 2 +- src/include/common.h | 2 +- src/include/euid_common.h | 2 +- src/include/pid.h | 2 +- src/include/seccomp.h | 2 +- src/include/syscall.h | 2 +- 11 files changed, 11 insertions(+), 11 deletions(-) diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h index 17c754c3b..16a13d0ff 100644 --- a/src/faudit/faudit.h +++ b/src/faudit/faudit.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 40d81f3aa..f7b3ce0ac 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firemon/firemon.h b/src/firemon/firemon.h index c78023888..caf6b50c2 100644 --- a/src/firemon/firemon.h +++ b/src/firemon/firemon.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) + * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) * * This file is part of firejail project * diff --git a/src/fnet/fnet.h b/src/fnet/fnet.h index 0c5e5baef..d6080e283 100644 --- a/src/fnet/fnet.h +++ b/src/fnet/fnet.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * 
diff --git a/src/fseccomp/fseccomp.h b/src/fseccomp/fseccomp.h
index 504f1c23f..e0d423b4a 100644
--- a/src/fseccomp/fseccomp.h
+++ b/src/fseccomp/fseccomp.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
 *
 * This file is part of firejail project
 *
diff --git a/src/ftee/ftee.h b/src/ftee/ftee.h
index 15d1a090e..b663f1f38 100644
--- a/src/ftee/ftee.h
+++ b/src/ftee/ftee.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com)
+ * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com)
 *
 * This file is part of firejail project
 *
diff --git a/src/include/common.h b/src/include/common.h
index 108820290..fc4059334 100644
--- a/src/include/common.h
+++ b/src/include/common.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com)
+ * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com)
 *
 * This file is part of firejail project
 *
diff --git a/src/include/euid_common.h b/src/include/euid_common.h
index 752df5fff..29a3bdf4b 100644
--- a/src/include/euid_common.h
+++ b/src/include/euid_common.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com)
+ * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com)
 *
 * This file is part of firejail project
 *
diff --git a/src/include/pid.h b/src/include/pid.h
index b7878ddb5..e8e20d575 100644
--- a/src/include/pid.h
+++ b/src/include/pid.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com)
+ * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com)
 *
 * This file is part of firejail project
 *
diff --git a/src/include/seccomp.h b/src/include/seccomp.h
index 7d646dd9e..ced1ed2e3 100644
--- a/src/include/seccomp.h
+++ b/src/include/seccomp.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
 *
 * This file is part of firejail project
 *
diff --git a/src/include/syscall.h b/src/include/syscall.h
index 9a29779c9..c49760703 100644
--- a/src/include/syscall.h
+++ b/src/include/syscall.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
 *
 * This file is part of firejail project
 *
-- cgit v1.2.3-70-g09d2
From 84feed23bd275f194722791ecdacd39ddb97e8d9 Mon Sep 17 00:00:00 2001
From: netblue30 Date: Sat, 11 Feb 2017 09:45:47 -0500 Subject: copyright 2017 --- src/faudit/caps.c | 2 +- src/faudit/dbus.c | 2 +- src/faudit/dev.c | 2 +- src/faudit/files.c | 2 +- src/faudit/main.c | 2 +- src/faudit/network.c | 2 +- src/faudit/pid.c | 2 +- src/faudit/seccomp.c | 2 +- src/faudit/syscall.c | 2 +- src/faudit/x11.c | 2 +- src/fcopy/main.c | 2 +- src/firecfg/main.c | 2 +- src/firejail/appimage.c | 2 +- src/firejail/appimage_size.c | 2 +- src/firejail/arp.c | 2 +- src/firejail/bandwidth.c | 2 +- src/firejail/caps.c | 2 +- src/firejail/cgroup.c | 2 +- src/firejail/checkcfg.c | 2 +- src/firejail/cmdline.c | 2 +- src/firejail/cpu.c | 2 +- src/firejail/env.c | 2 +- src/firejail/fs.c | 2 +- src/firejail/fs_bin.c | 2 +- src/firejail/fs_dev.c | 2 +- src/firejail/fs_etc.c | 2 +- src/firejail/fs_home.c | 2 +- src/firejail/fs_hostname.c | 2 +- src/firejail/fs_logger.c | 2 +- src/firejail/fs_mkdir.c | 2 +- src/firejail/fs_trace.c | 2 +- src/firejail/fs_var.c | 2 +- src/firejail/fs_whitelist.c | 2 +- src/firejail/git.c | 2 +- src/firejail/join.c | 2 +- src/firejail/ls.c | 2 +- src/firejail/main.c | 2 +- src/firejail/netfilter.c | 2 +- src/firejail/network.c | 2 +- src/firejail/network_main.c | 2 +- src/firejail/no_sandbox.c | 2 +- src/firejail/output.c | 2 +- src/firejail/paths.c | 2 +- src/firejail/preproc.c | 2 +- src/firejail/profile.c | 2 +- src/firejail/protocol.c | 2 +- src/firejail/pulseaudio.c | 2 +- src/firejail/restrict_users.c | 2 +- src/firejail/restricted_shell.c | 2 +- src/firejail/rlimit.c | 2 +- src/firejail/run_symlink.c | 2 +- src/firejail/sandbox.c | 2 +- src/firejail/sbox.c | 2 +- src/firejail/seccomp.c | 2 +- src/firejail/shutdown.c | 2 +- src/firejail/usage.c | 2 +- src/firejail/util.c | 2 +- src/firejail/x11.c | 2 +- src/firemon/arp.c | 2 +- src/firemon/caps.c | 2 +- src/firemon/cgroup.c | 2 +- src/firemon/firemon.c | 2 +- src/firemon/interface.c | 2 +- src/firemon/list.c | 2 +- src/firemon/netstats.c | 2 +- src/firemon/procevent.c | 2 +- 
src/firemon/route.c | 2 +- src/firemon/seccomp.c | 2 +- src/firemon/top.c | 2 +- src/firemon/tree.c | 2 +- src/firemon/usage.c | 2 +- src/firemon/x11.c | 2 +- src/fnet/arp.c | 2 +- src/fnet/interface.c | 2 +- src/fnet/main.c | 2 +- src/fnet/veth.c | 2 +- src/fseccomp/errno.c | 2 +- src/fseccomp/main.c | 2 +- src/fseccomp/protocol.c | 2 +- src/fseccomp/seccomp.c | 2 +- src/fseccomp/seccomp_file.c | 2 +- src/fseccomp/seccomp_print.c | 2 +- src/fseccomp/seccomp_secondary.c | 2 +- src/fseccomp/syscall.c | 2 +- src/ftee/main.c | 2 +- src/lib/common.c | 2 +- src/lib/pid.c | 2 +- src/libconnect/libconnect.c | 2 +- src/libtrace/libtrace.c | 2 +- src/libtracelog/libtracelog.c | 2 +- src/tools/extract_caps.c | 2 +- src/tools/extract_syscalls.c | 2 +- src/tools/rvtest.c | 2 +- test/filters/syscall_test.c | 2 +- 94 files changed, 94 insertions(+), 94 deletions(-) diff --git a/src/faudit/caps.c b/src/faudit/caps.c index d4a62b34f..b200c6792 100644 --- a/src/faudit/caps.c +++ b/src/faudit/caps.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c index d92660536..1b1fbb817 100644 --- a/src/faudit/dbus.c +++ b/src/faudit/dbus.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/faudit/dev.c b/src/faudit/dev.c index 92f615958..74adbca9c 100644 --- a/src/faudit/dev.c +++ b/src/faudit/dev.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/faudit/files.c b/src/faudit/files.c index 67b43f22b..46256f5f0 100644 --- a/src/faudit/files.c +++ b/src/faudit/files.c 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/faudit/main.c b/src/faudit/main.c index 7f47ccaf0..2572bf332 100644 --- a/src/faudit/main.c +++ b/src/faudit/main.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/faudit/network.c b/src/faudit/network.c index cf1eede69..67c11e835 100644 --- a/src/faudit/network.c +++ b/src/faudit/network.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/faudit/pid.c b/src/faudit/pid.c index 84b23fe0a..34f6d1691 100644 --- a/src/faudit/pid.c +++ b/src/faudit/pid.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/faudit/seccomp.c b/src/faudit/seccomp.c index 7b2999467..fe814598b 100644 --- a/src/faudit/seccomp.c +++ b/src/faudit/seccomp.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c index 4cd2526ba..40b1ecc84 100644 --- a/src/faudit/syscall.c +++ b/src/faudit/syscall.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/faudit/x11.c b/src/faudit/x11.c index 43f40f4e9..4cf1511a5 100644 --- a/src/faudit/x11.c +++ b/src/faudit/x11.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/fcopy/main.c b/src/fcopy/main.c index a4f5ace11..43fc8fc99 100644 
--- a/src/fcopy/main.c +++ b/src/fcopy/main.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firecfg/main.c b/src/firecfg/main.c index 15ee78384..054df9e09 100644 --- a/src/firecfg/main.c +++ b/src/firecfg/main.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) + * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) * * This file is part of firejail project * diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index 0d1f8cb4d..4cc5cc180 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/appimage_size.c b/src/firejail/appimage_size.c index 3f5c3150c..1632440ed 100644 --- a/src/firejail/appimage_size.c +++ b/src/firejail/appimage_size.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/arp.c b/src/firejail/arp.c index ddb75905f..55ffbb301 100644 --- a/src/firejail/arp.c +++ b/src/firejail/arp.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c index 84c9dc53a..998fe5ffe 100644 --- a/src/firejail/bandwidth.c +++ b/src/firejail/bandwidth.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/caps.c b/src/firejail/caps.c index 6cfa36629..521187e3a 100644 --- a/src/firejail/caps.c +++ b/src/firejail/caps.c 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016Firejail Authors + * Copyright (C) 2014-2017Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/cgroup.c b/src/firejail/cgroup.c index d9c7af9cf..143180bfb 100644 --- a/src/firejail/cgroup.c +++ b/src/firejail/cgroup.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 73fa6e46b..3a2101c6a 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/cmdline.c b/src/firejail/cmdline.c index a17758f8b..60301ed58 100644 --- a/src/firejail/cmdline.c +++ b/src/firejail/cmdline.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/cpu.c b/src/firejail/cpu.c index 7f53fed0f..7a3e056c1 100644 --- a/src/firejail/cpu.c +++ b/src/firejail/cpu.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/env.c b/src/firejail/env.c index 783f019a6..c54b429c3 100644 --- a/src/firejail/env.c +++ b/src/firejail/env.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 2a2e97419..27de337bb 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * 
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index 7c56d524e..547978b47 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index bd9b9e828..fd21e7515 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index f14e90deb..19c2210b3 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 8a52314ed..3364ef797 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c index 3b586b276..535526409 100644 --- a/src/firejail/fs_hostname.c +++ b/src/firejail/fs_hostname.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/fs_logger.c b/src/firejail/fs_logger.c index 052a41457..a2b6b317e 100644 --- a/src/firejail/fs_logger.c +++ b/src/firejail/fs_logger.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c index d29f58a58..a0bda7443 100644 --- a/src/firejail/fs_mkdir.c 
+++ b/src/firejail/fs_mkdir.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c index 719b55048..9e1dd546e 100644 --- a/src/firejail/fs_trace.c +++ b/src/firejail/fs_trace.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c index f742e7e22..bbea3b392 100644 --- a/src/firejail/fs_var.c +++ b/src/firejail/fs_var.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 0970642db..b0e4463ae 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/git.c b/src/firejail/git.c index b67339c8b..c4dd54a1b 100644 --- a/src/firejail/git.c +++ b/src/firejail/git.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/join.c b/src/firejail/join.c index bcf951f33..fa19243b8 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/ls.c b/src/firejail/ls.c index 1af56751a..7b51ee697 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * 
diff --git a/src/firejail/main.c b/src/firejail/main.c index 4149f1342..310795abf 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c index 9e759ec70..ea1d45dd7 100644 --- a/src/firejail/netfilter.c +++ b/src/firejail/netfilter.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/network.c b/src/firejail/network.c index 6d09d770f..673c607ca 100644 --- a/src/firejail/network.c +++ b/src/firejail/network.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c index 9fbc09d2b..924a94091 100644 --- a/src/firejail/network_main.c +++ b/src/firejail/network_main.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index c56d90994..1828405db 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/output.c b/src/firejail/output.c index 91fe7f164..4872c57ba 100644 --- a/src/firejail/output.c +++ b/src/firejail/output.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/paths.c b/src/firejail/paths.c index 97a1d5a98..69c4b359b 100644 --- a/src/firejail/paths.c 
+++ b/src/firejail/paths.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c index e17f39caa..b834e6275 100644 --- a/src/firejail/preproc.c +++ b/src/firejail/preproc.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 9b3e58ab4..5684a2d95 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c index 2a09ed010..382d469f1 100644 --- a/src/firejail/protocol.c +++ b/src/firejail/protocol.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index 4ec84ec61..ead5dd361 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index 393851148..774e2908f 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/restricted_shell.c b/src/firejail/restricted_shell.c index 979bb1eed..9919c4656 100644 --- a/src/firejail/restricted_shell.c +++ b/src/firejail/restricted_shell.c 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/rlimit.c b/src/firejail/rlimit.c index 47dd846d2..5e30e56a3 100644 --- a/src/firejail/rlimit.c +++ b/src/firejail/rlimit.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c index 753c50208..57f04485b 100644 --- a/src/firejail/run_symlink.c +++ b/src/firejail/run_symlink.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 81cce7e98..3fddc654b 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index f28bbaf1a..467745a64 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 96dfdaff2..ee10f3abf 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c index c23e87321..3c150738b 100644 --- a/src/firejail/shutdown.c +++ b/src/firejail/shutdown.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * 
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index dc8fcdfef..ae3993aec 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/util.c b/src/firejail/util.c index fbaf0b5ac..fbb0a1e87 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 4e0b46fb8..2fedcc355 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/firemon/arp.c b/src/firemon/arp.c index 014f6a904..cef48fb0d 100644 --- a/src/firemon/arp.c +++ b/src/firemon/arp.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) + * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) * * This file is part of firejail project * diff --git a/src/firemon/caps.c b/src/firemon/caps.c index 3f8a139ae..8837c9ee7 100644 --- a/src/firemon/caps.c +++ b/src/firemon/caps.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) + * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) * * This file is part of firejail project * diff --git a/src/firemon/cgroup.c b/src/firemon/cgroup.c index e20e1d449..bbb28f619 100644 --- a/src/firemon/cgroup.c +++ b/src/firemon/cgroup.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) + * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) * * This file is part of firejail project * diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c index b63e37444..da5cc2d97 100644 --- a/src/firemon/firemon.c +++ b/src/firemon/firemon.c 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) + * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) * * This file is part of firejail project * diff --git a/src/firemon/interface.c b/src/firemon/interface.c index def9cd5ac..ba3c9fceb 100644 --- a/src/firemon/interface.c +++ b/src/firemon/interface.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) + * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) * * This file is part of firejail project * diff --git a/src/firemon/list.c b/src/firemon/list.c index acff13a28..1df737e8c 100644 --- a/src/firemon/list.c +++ b/src/firemon/list.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) + * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) * * This file is part of firejail project * diff --git a/src/firemon/netstats.c b/src/firemon/netstats.c index 534d783cb..8d78b094b 100644 --- a/src/firemon/netstats.c +++ b/src/firemon/netstats.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) + * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) * * This file is part of firejail project * diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c index 8cec404f8..ebcb7a72c 100644 --- a/src/firemon/procevent.c +++ b/src/firemon/procevent.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) + * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) * * This file is part of firejail project * diff --git a/src/firemon/route.c b/src/firemon/route.c index fb58b169d..dff594431 100644 --- a/src/firemon/route.c +++ b/src/firemon/route.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) + * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) * * This file is part of firejail project * diff --git a/src/firemon/seccomp.c b/src/firemon/seccomp.c index f11c624ea..d50692b37 100644 --- a/src/firemon/seccomp.c +++ b/src/firemon/seccomp.c 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) + * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) * * This file is part of firejail project * diff --git a/src/firemon/top.c b/src/firemon/top.c index 94271523c..3ed976af1 100644 --- a/src/firemon/top.c +++ b/src/firemon/top.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) + * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) * * This file is part of firejail project * diff --git a/src/firemon/tree.c b/src/firemon/tree.c index 6d8b37ecb..3fdcc4d37 100644 --- a/src/firemon/tree.c +++ b/src/firemon/tree.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) + * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) * * This file is part of firejail project * diff --git a/src/firemon/usage.c b/src/firemon/usage.c index 74a2a61f0..1768237b3 100644 --- a/src/firemon/usage.c +++ b/src/firemon/usage.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) + * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) * * This file is part of firejail project * diff --git a/src/firemon/x11.c b/src/firemon/x11.c index 73dc310d3..97cfffe64 100644 --- a/src/firemon/x11.c +++ b/src/firemon/x11.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) + * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) * * This file is part of firejail project * diff --git a/src/fnet/arp.c b/src/fnet/arp.c index 96684fdf9..a7f0a603a 100644 --- a/src/fnet/arp.c +++ b/src/fnet/arp.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/fnet/interface.c b/src/fnet/interface.c index 3958efddd..5813db337 100644 --- a/src/fnet/interface.c +++ b/src/fnet/interface.c 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/fnet/main.c b/src/fnet/main.c index 4e7807d07..6ec8e5f84 100644 --- a/src/fnet/main.c +++ b/src/fnet/main.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/fnet/veth.c b/src/fnet/veth.c index 546fafcec..86d9d5190 100644 --- a/src/fnet/veth.c +++ b/src/fnet/veth.c @@ -26,7 +26,7 @@ * */ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/fseccomp/errno.c b/src/fseccomp/errno.c index dbee916d4..3e92a1f9d 100644 --- a/src/fseccomp/errno.c +++ b/src/fseccomp/errno.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c index 2f85a786b..134b840f2 100644 --- a/src/fseccomp/main.c +++ b/src/fseccomp/main.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/fseccomp/protocol.c b/src/fseccomp/protocol.c index 7bf560fe1..e9f65e7e8 100644 --- a/src/fseccomp/protocol.c +++ b/src/fseccomp/protocol.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c index cc6edc8ca..f252e36b6 100644 --- a/src/fseccomp/seccomp.c +++ b/src/fseccomp/seccomp.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * 
diff --git a/src/fseccomp/seccomp_file.c b/src/fseccomp/seccomp_file.c index 10ef9dd31..d706b3359 100644 --- a/src/fseccomp/seccomp_file.c +++ b/src/fseccomp/seccomp_file.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/fseccomp/seccomp_print.c b/src/fseccomp/seccomp_print.c index e22c682dc..d18f2efa5 100644 --- a/src/fseccomp/seccomp_print.c +++ b/src/fseccomp/seccomp_print.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/fseccomp/seccomp_secondary.c b/src/fseccomp/seccomp_secondary.c index a856e5aef..79c85eb75 100644 --- a/src/fseccomp/seccomp_secondary.c +++ b/src/fseccomp/seccomp_secondary.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c index 7c2c4cbb2..398a49578 100644 --- a/src/fseccomp/syscall.c +++ b/src/fseccomp/syscall.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/ftee/main.c b/src/ftee/main.c index 2b27baa5a..d425be07c 100644 --- a/src/ftee/main.c +++ b/src/ftee/main.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) + * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) * * This file is part of firejail project * diff --git a/src/lib/common.c b/src/lib/common.c index 3f66fa72a..6f2cebf12 100644 --- a/src/lib/common.c +++ b/src/lib/common.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) + * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) * * This file is part of firejail project * 
diff --git a/src/lib/pid.c b/src/lib/pid.c index 42687274e..7ae5a8d3e 100644 --- a/src/lib/pid.c +++ b/src/lib/pid.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) + * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) * * This file is part of firejail project * diff --git a/src/libconnect/libconnect.c b/src/libconnect/libconnect.c index 18c4d81f5..d79dcc4cb 100644 --- a/src/libconnect/libconnect.c +++ b/src/libconnect/libconnect.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c index dde3df2ea..1be89052c 100644 --- a/src/libtrace/libtrace.c +++ b/src/libtrace/libtrace.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/libtracelog/libtracelog.c b/src/libtracelog/libtracelog.c index 90fe726de..abacb7115 100644 --- a/src/libtracelog/libtracelog.c +++ b/src/libtracelog/libtracelog.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 Firejail Authors + * Copyright (C) 2014-2017 Firejail Authors * * This file is part of firejail project * diff --git a/src/tools/extract_caps.c b/src/tools/extract_caps.c index ed6319be5..66d86e1a6 100644 --- a/src/tools/extract_caps.c +++ b/src/tools/extract_caps.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) + * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) * * This file is part of firejail project * diff --git a/src/tools/extract_syscalls.c b/src/tools/extract_syscalls.c index 3ab4d66e0..9af24b8cd 100644 --- a/src/tools/extract_syscalls.c +++ b/src/tools/extract_syscalls.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) + * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) * * This file is part of firejail project * 
diff --git a/src/tools/rvtest.c b/src/tools/rvtest.c index 4dbeb7ffc..d108672d2 100644 --- a/src/tools/rvtest.c +++ b/src/tools/rvtest.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) + * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) * * This file is part of firejail project * diff --git a/test/filters/syscall_test.c b/test/filters/syscall_test.c index 422af619d..48e8f29f5 100644 --- a/test/filters/syscall_test.c +++ b/test/filters/syscall_test.c @@ -1,5 +1,5 @@ // This file is part of Firejail project -// Copyright (C) 2014-2016 Firejail Authors +// Copyright (C) 2014-2017 Firejail Authors // License GPL v2 #include -- cgit v1.2.3-70-g09d2 From 385873f38fb90f045f46c5943261076edca72df9 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Sat, 11 Feb 2017 09:50:20 -0500 Subject: copyright 2017 --- test/appimage/appimage-args.exp | 2 +- test/appimage/appimage-v1.exp | 2 +- test/appimage/appimage-v2.exp | 2 +- test/appimage/filename.exp | 2 +- test/apps-x11-xorg/firefox.exp | 2 +- test/apps-x11-xorg/icedove.exp | 2 +- test/apps-x11-xorg/transmission-gtk.exp | 2 +- test/apps-x11/chromium.exp | 2 +- test/apps-x11/firefox.exp | 2 +- test/apps-x11/icedove.exp | 2 +- test/apps-x11/transmission-gtk.exp | 2 +- test/apps-x11/x11-none.exp | 2 +- test/apps-x11/x11-xephyr.exp | 2 +- test/apps-x11/xterm-xephyr.exp | 2 +- test/apps-x11/xterm-xorg.exp | 2 +- test/apps-x11/xterm-xpra.exp | 2 +- test/apps/chromium.exp | 2 +- test/apps/deluge.exp | 2 +- test/apps/evince.exp | 2 +- test/apps/fbreader.exp | 2 +- test/apps/filezilla.exp | 2 +- test/apps/firefox.exp | 2 +- test/apps/gnome-mplayer.exp | 2 +- test/apps/gthumb.exp | 2 +- test/apps/hexchat.exp | 2 +- test/apps/icedove.exp | 2 +- test/apps/midori.exp | 2 +- test/apps/opera.exp | 2 +- test/apps/qbittorrent.exp | 2 +- test/apps/transmission-gtk.exp | 2 +- test/apps/transmission-qt.exp | 2 +- test/apps/uget-gtk.exp | 2 +- test/apps/vlc.exp | 2 +- test/apps/wine.exp | 2 +- test/apps/xchat.exp | 2 +- test/environment/csh.exp | 2 +- test/environment/env.exp | 2 +- test/environment/firejail-in-firejail.exp | 2 +- test/environment/firejail-in-firejail2.exp | 2 +- test/environment/nice.exp | 2 +- test/environment/quiet.exp | 2 +- test/environment/shell-none.exp | 2 +- test/environment/sound.exp | 2 +- test/environment/zsh.exp | 2 +- test/fcopy/cmdline.exp | 2 +- test/fcopy/dircopy.exp | 2 +- test/fcopy/filecopy.exp | 2 +- test/fcopy/linkcopy.exp | 2 +- test/filters/caps-print.exp | 2 +- test/filters/caps.exp | 2 +- test/filters/fseccomp.exp | 2 +- test/filters/noroot.exp | 2 +- test/filters/protocol.exp | 2 +- test/filters/seccomp-bad-empty.exp | 2 +- test/filters/seccomp-chmod-profile.exp | 2 +- test/filters/seccomp-chmod.exp | 2 +- 
test/filters/seccomp-chown.exp | 2 +- test/filters/seccomp-debug.exp | 2 +- test/filters/seccomp-dualfilter.exp | 2 +- test/filters/seccomp-empty.exp | 2 +- test/filters/seccomp-errno.exp | 2 +- test/filters/seccomp-ptrace.exp | 2 +- test/filters/seccomp-su.exp | 2 +- test/fs/fs_dev_shm.exp | 2 +- test/fs/fs_var_lock.exp | 2 +- test/fs/fs_var_tmp.exp | 2 +- test/fs/invalid_filename.exp | 2 +- test/fs/kmsg.exp | 2 +- test/fs/mkdir_mkfile.exp | 2 +- test/fs/option_blacklist.exp | 2 +- test/fs/option_blacklist_glob.exp | 2 +- test/fs/private-bin.exp | 2 +- test/fs/private-etc-empty.exp | 2 +- test/fs/private-etc.exp | 2 +- test/fs/private-home-dir.exp | 2 +- test/fs/private-home.exp | 2 +- test/fs/private-homedir.exp | 2 +- test/fs/private-whitelist.exp | 2 +- test/fs/private.exp | 2 +- test/fs/read-write.exp | 2 +- test/fs/sys_fs.exp | 2 +- test/fs/whitelist-dev.exp | 2 +- test/fs/whitelist-double.exp | 2 +- test/fs/whitelist-downloads.exp | 2 +- test/fs/whitelist-empty.exp | 2 +- test/fs/whitelist.exp | 2 +- test/network/4bridges_arp.exp | 2 +- test/network/4bridges_ip.exp | 2 +- test/network/bandwidth.exp | 2 +- test/network/firemon-interfaces.exp | 2 +- test/network/hostname.exp | 2 +- test/network/ip6.exp | 2 +- test/network/iprange.exp | 2 +- test/network/net_arp.exp | 2 +- test/network/net_badip.exp | 2 +- test/network/net_defaultgw.exp | 2 +- test/network/net_defaultgw2.exp | 2 +- test/network/net_defaultgw3.exp | 2 +- test/network/net_ip.exp | 2 +- test/network/net_local.exp | 2 +- test/network/net_mac.exp | 2 +- test/network/net_macvlan2.exp | 2 +- test/network/net_mtu.exp | 2 +- test/network/net_netfilter.exp | 2 +- test/network/net_noip.exp | 2 +- test/network/net_noip2.exp | 2 +- test/network/net_none.exp | 2 +- test/network/net_profile.exp | 2 +- test/network/net_scan.exp | 2 +- test/network/net_veth.exp | 2 +- test/network/netstats.exp | 2 +- test/network/veth-name.exp | 2 +- test/overlay/firefox-x11-xorg.exp | 2 +- test/overlay/firefox-x11.exp | 2 +- 
test/overlay/firefox.exp | 2 +- test/profiles/ignore.exp | 2 +- test/profiles/profile_syntax.exp | 2 +- test/profiles/profile_syntax2.exp | 2 +- test/profiles/test-profile.exp | 2 +- test/root/firecfg.exp | 2 +- test/root/join.exp | 2 +- test/root/private.exp | 2 +- test/root/seccomp-chmod.exp | 2 +- test/root/seccomp-chown.exp | 2 +- test/root/seccomp-umount.exp | 2 +- test/root/whitelist.exp | 2 +- test/stress/net_macvlan.exp | 2 +- test/sysutils/cpio.exp | 2 +- test/sysutils/file.exp | 2 +- test/sysutils/gzip.exp | 2 +- test/sysutils/less.exp | 2 +- test/sysutils/strings.exp | 2 +- test/sysutils/tar.exp | 2 +- test/sysutils/xz.exp | 2 +- test/sysutils/xzdec.exp | 2 +- test/utils/audit.exp | 2 +- test/utils/caps-print.exp | 2 +- test/utils/cpu-print.exp | 2 +- test/utils/dns-print.exp | 2 +- test/utils/firemon-caps.exp | 2 +- test/utils/firemon-cgroup.exp | 2 +- test/utils/firemon-cpu.exp | 2 +- test/utils/firemon-interface.exp | 2 +- test/utils/firemon-name.exp | 2 +- test/utils/firemon-seccomp.exp | 2 +- test/utils/firemon-version.exp | 2 +- test/utils/fs-print.exp | 2 +- test/utils/help.exp | 2 +- test/utils/join.exp | 2 +- test/utils/join2.exp | 2 +- test/utils/join3.exp | 2 +- test/utils/join4.exp | 2 +- test/utils/list.exp | 2 +- test/utils/man.exp | 2 +- test/utils/protocol-print.exp | 2 +- test/utils/seccomp-print.exp | 2 +- test/utils/shutdown.exp | 2 +- test/utils/shutdown2.exp | 2 +- test/utils/shutdown3.exp | 2 +- test/utils/shutdown4.exp | 2 +- test/utils/top.exp | 2 +- test/utils/trace.exp | 2 +- test/utils/tree.exp | 2 +- test/utils/version.exp | 2 +- 164 files changed, 164 insertions(+), 164 deletions(-) diff --git a/test/appimage/appimage-args.exp b/test/appimage/appimage-args.exp index 93dba69ad..f304f5b94 100755 --- a/test/appimage/appimage-args.exp +++ b/test/appimage/appimage-args.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/appimage/appimage-v1.exp b/test/appimage/appimage-v1.exp index f1c1c10f5..d9b64af1d 100755 --- a/test/appimage/appimage-v1.exp +++ b/test/appimage/appimage-v1.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/appimage/appimage-v2.exp b/test/appimage/appimage-v2.exp index 5cb9d0849..10443a1c7 100755 --- a/test/appimage/appimage-v2.exp +++ b/test/appimage/appimage-v2.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/appimage/filename.exp b/test/appimage/filename.exp index ce8d70464..5038ab21c 100755 --- a/test/appimage/filename.exp +++ b/test/appimage/filename.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps-x11-xorg/firefox.exp b/test/apps-x11-xorg/firefox.exp index 66b82fe92..f66aeddd8 100755 --- a/test/apps-x11-xorg/firefox.exp +++ b/test/apps-x11-xorg/firefox.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps-x11-xorg/icedove.exp b/test/apps-x11-xorg/icedove.exp index 667c2259f..f7a08aa8f 100755 --- a/test/apps-x11-xorg/icedove.exp +++ b/test/apps-x11-xorg/icedove.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps-x11-xorg/transmission-gtk.exp b/test/apps-x11-xorg/transmission-gtk.exp index c52cb5b3a..de8a7f7c6 100755 --- a/test/apps-x11-xorg/transmission-gtk.exp +++ b/test/apps-x11-xorg/transmission-gtk.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps-x11/chromium.exp b/test/apps-x11/chromium.exp index 2505c0c37..eeedd99c4 100755 --- a/test/apps-x11/chromium.exp +++ b/test/apps-x11/chromium.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps-x11/firefox.exp b/test/apps-x11/firefox.exp index 6a50c8884..5464e39cd 100755 --- a/test/apps-x11/firefox.exp +++ b/test/apps-x11/firefox.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps-x11/icedove.exp b/test/apps-x11/icedove.exp index e306e33ce..f81d814a7 100755 --- a/test/apps-x11/icedove.exp +++ b/test/apps-x11/icedove.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps-x11/transmission-gtk.exp b/test/apps-x11/transmission-gtk.exp index 4083a121f..8dae20e31 100755 --- a/test/apps-x11/transmission-gtk.exp +++ b/test/apps-x11/transmission-gtk.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps-x11/x11-none.exp b/test/apps-x11/x11-none.exp index e9908839b..1f3e1439a 100755 --- a/test/apps-x11/x11-none.exp +++ b/test/apps-x11/x11-none.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps-x11/x11-xephyr.exp b/test/apps-x11/x11-xephyr.exp index 41a413890..31a434103 100755 --- a/test/apps-x11/x11-xephyr.exp +++ b/test/apps-x11/x11-xephyr.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps-x11/xterm-xephyr.exp b/test/apps-x11/xterm-xephyr.exp index 5b4299478..c36121a75 100755 --- a/test/apps-x11/xterm-xephyr.exp +++ b/test/apps-x11/xterm-xephyr.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps-x11/xterm-xorg.exp b/test/apps-x11/xterm-xorg.exp index fbc88f196..04fc4b960 100755 --- a/test/apps-x11/xterm-xorg.exp +++ b/test/apps-x11/xterm-xorg.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps-x11/xterm-xpra.exp b/test/apps-x11/xterm-xpra.exp index 1fb5df486..e769e5e20 100755 --- a/test/apps-x11/xterm-xpra.exp +++ b/test/apps-x11/xterm-xpra.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps/chromium.exp b/test/apps/chromium.exp index d43f70f8e..635c07afa 100755 --- a/test/apps/chromium.exp +++ b/test/apps/chromium.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps/deluge.exp b/test/apps/deluge.exp index 0bf1baae2..3f83a1e01 100755 --- a/test/apps/deluge.exp +++ b/test/apps/deluge.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps/evince.exp b/test/apps/evince.exp index 71f760a9c..dbad46068 100755 --- a/test/apps/evince.exp +++ b/test/apps/evince.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps/fbreader.exp b/test/apps/fbreader.exp index 99c48d87c..b5c58c909 100755 --- a/test/apps/fbreader.exp +++ b/test/apps/fbreader.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps/filezilla.exp b/test/apps/filezilla.exp index 2f7038184..7bef9dc27 100755 --- a/test/apps/filezilla.exp +++ b/test/apps/filezilla.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 
diff --git a/test/apps/firefox.exp b/test/apps/firefox.exp index 5745d9270..06b5a3bc3 100755 --- a/test/apps/firefox.exp +++ b/test/apps/firefox.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps/gnome-mplayer.exp b/test/apps/gnome-mplayer.exp index 6f0e5a312..0e879d33b 100755 --- a/test/apps/gnome-mplayer.exp +++ b/test/apps/gnome-mplayer.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps/gthumb.exp b/test/apps/gthumb.exp index 13132cef6..ae2976910 100755 --- a/test/apps/gthumb.exp +++ b/test/apps/gthumb.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps/hexchat.exp b/test/apps/hexchat.exp index 5d0bc1093..74f0a9fb6 100755 --- a/test/apps/hexchat.exp +++ b/test/apps/hexchat.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps/icedove.exp b/test/apps/icedove.exp index c0fbd9fc8..1acb59112 100755 --- a/test/apps/icedove.exp +++ b/test/apps/icedove.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps/midori.exp b/test/apps/midori.exp index 45d70eda1..764f3e4a4 100755 --- a/test/apps/midori.exp +++ b/test/apps/midori.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps/opera.exp b/test/apps/opera.exp index 036fc2e21..8a8885afa 100755 --- a/test/apps/opera.exp +++ b/test/apps/opera.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps/qbittorrent.exp b/test/apps/qbittorrent.exp index 8bc6d8564..bf23390a1 100755 --- a/test/apps/qbittorrent.exp +++ b/test/apps/qbittorrent.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps/transmission-gtk.exp b/test/apps/transmission-gtk.exp index 70700d523..d9e5869c8 100755 --- a/test/apps/transmission-gtk.exp +++ b/test/apps/transmission-gtk.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps/transmission-qt.exp b/test/apps/transmission-qt.exp index 3773b1dc2..189919720 100755 --- a/test/apps/transmission-qt.exp +++ b/test/apps/transmission-qt.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps/uget-gtk.exp b/test/apps/uget-gtk.exp index 22c2a0831..10a14e11a 100755 --- a/test/apps/uget-gtk.exp +++ b/test/apps/uget-gtk.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps/vlc.exp b/test/apps/vlc.exp index b94ef8e12..a1d4cc6b2 100755 --- a/test/apps/vlc.exp +++ b/test/apps/vlc.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps/wine.exp b/test/apps/wine.exp index a2f465acb..fc181c0cc 100755 --- a/test/apps/wine.exp +++ b/test/apps/wine.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps/xchat.exp b/test/apps/xchat.exp index f3284caf7..8df9f8925 100755 --- a/test/apps/xchat.exp +++ b/test/apps/xchat.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/environment/csh.exp b/test/environment/csh.exp index 46e4bb3ca..bd0cf8c86 100755 --- a/test/environment/csh.exp +++ b/test/environment/csh.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/environment/env.exp b/test/environment/env.exp index 8f72400b0..9e2ba1e1c 100755 --- a/test/environment/env.exp +++ b/test/environment/env.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 
diff --git a/test/environment/firejail-in-firejail.exp b/test/environment/firejail-in-firejail.exp index 2b851ee72..c2e2be596 100755 --- a/test/environment/firejail-in-firejail.exp +++ b/test/environment/firejail-in-firejail.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/environment/firejail-in-firejail2.exp b/test/environment/firejail-in-firejail2.exp index 330e5e372..db64d59ed 100755 --- a/test/environment/firejail-in-firejail2.exp +++ b/test/environment/firejail-in-firejail2.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/environment/nice.exp b/test/environment/nice.exp index 2e0e95ea1..2c00d1485 100755 --- a/test/environment/nice.exp +++ b/test/environment/nice.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/environment/quiet.exp b/test/environment/quiet.exp index 8d7c8d4c0..bab395f71 100755 --- a/test/environment/quiet.exp +++ b/test/environment/quiet.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 4 diff --git a/test/environment/shell-none.exp b/test/environment/shell-none.exp index 8f3df794f..69c8db067 100755 --- a/test/environment/shell-none.exp +++ b/test/environment/shell-none.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 
diff --git a/test/environment/sound.exp b/test/environment/sound.exp index dd55add89..f1a251f34 100755 --- a/test/environment/sound.exp +++ b/test/environment/sound.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 diff --git a/test/environment/zsh.exp b/test/environment/zsh.exp index 578951ce0..4380f476c 100755 --- a/test/environment/zsh.exp +++ b/test/environment/zsh.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fcopy/cmdline.exp b/test/fcopy/cmdline.exp index 24bb19351..3ea33b01b 100755 --- a/test/fcopy/cmdline.exp +++ b/test/fcopy/cmdline.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fcopy/dircopy.exp b/test/fcopy/dircopy.exp index dc8c80569..a0fd409a6 100755 --- a/test/fcopy/dircopy.exp +++ b/test/fcopy/dircopy.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 # diff --git a/test/fcopy/filecopy.exp b/test/fcopy/filecopy.exp index d1f0a4424..a89eaf40f 100755 --- a/test/fcopy/filecopy.exp +++ b/test/fcopy/filecopy.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 # diff --git a/test/fcopy/linkcopy.exp b/test/fcopy/linkcopy.exp index 9927e18fe..beceb3675 100755 --- a/test/fcopy/linkcopy.exp +++ b/test/fcopy/linkcopy.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 # diff --git a/test/filters/caps-print.exp b/test/filters/caps-print.exp index d9d662239..605041e22 100755 --- a/test/filters/caps-print.exp +++ b/test/filters/caps-print.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/filters/caps.exp b/test/filters/caps.exp index 2954f2e58..aff5f03c2 100755 --- a/test/filters/caps.exp +++ b/test/filters/caps.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/filters/fseccomp.exp b/test/filters/fseccomp.exp index 8a9a8f9dc..4d876df08 100755 --- a/test/filters/fseccomp.exp +++ b/test/filters/fseccomp.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/filters/noroot.exp b/test/filters/noroot.exp index b011f2bf9..2c7218c87 100755 --- a/test/filters/noroot.exp +++ b/test/filters/noroot.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/filters/protocol.exp b/test/filters/protocol.exp index 835f645b2..71f54b08a 100755 --- a/test/filters/protocol.exp +++ b/test/filters/protocol.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 
diff --git a/test/filters/seccomp-bad-empty.exp b/test/filters/seccomp-bad-empty.exp index 1bd9c9b1f..9cfbac109 100755 --- a/test/filters/seccomp-bad-empty.exp +++ b/test/filters/seccomp-bad-empty.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/filters/seccomp-chmod-profile.exp b/test/filters/seccomp-chmod-profile.exp index 463ce05e9..22615420d 100755 --- a/test/filters/seccomp-chmod-profile.exp +++ b/test/filters/seccomp-chmod-profile.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/filters/seccomp-chmod.exp b/test/filters/seccomp-chmod.exp index b17990e3a..35c6f69c2 100755 --- a/test/filters/seccomp-chmod.exp +++ b/test/filters/seccomp-chmod.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/filters/seccomp-chown.exp b/test/filters/seccomp-chown.exp index a54d279f1..7d9da5e5a 100755 --- a/test/filters/seccomp-chown.exp +++ b/test/filters/seccomp-chown.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/filters/seccomp-debug.exp b/test/filters/seccomp-debug.exp index dbc0d37a9..a95f3bd23 100755 --- a/test/filters/seccomp-debug.exp +++ b/test/filters/seccomp-debug.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 
diff --git a/test/filters/seccomp-dualfilter.exp b/test/filters/seccomp-dualfilter.exp index 958dab528..abf093201 100755 --- a/test/filters/seccomp-dualfilter.exp +++ b/test/filters/seccomp-dualfilter.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 1 diff --git a/test/filters/seccomp-empty.exp b/test/filters/seccomp-empty.exp index d150dac7d..2cd316953 100755 --- a/test/filters/seccomp-empty.exp +++ b/test/filters/seccomp-empty.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/filters/seccomp-errno.exp b/test/filters/seccomp-errno.exp index c3af2fbe9..eeb0824f2 100755 --- a/test/filters/seccomp-errno.exp +++ b/test/filters/seccomp-errno.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/filters/seccomp-ptrace.exp b/test/filters/seccomp-ptrace.exp index bb87b96ea..2c6d9d25e 100755 --- a/test/filters/seccomp-ptrace.exp +++ b/test/filters/seccomp-ptrace.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/filters/seccomp-su.exp b/test/filters/seccomp-su.exp index 3feabc20f..62135abb8 100755 --- a/test/filters/seccomp-su.exp +++ b/test/filters/seccomp-su.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 
diff --git a/test/fs/fs_dev_shm.exp b/test/fs/fs_dev_shm.exp index 8150dfa61..1d810084c 100755 --- a/test/fs/fs_dev_shm.exp +++ b/test/fs/fs_dev_shm.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/fs_var_lock.exp b/test/fs/fs_var_lock.exp index 5879dca52..919b75f34 100755 --- a/test/fs/fs_var_lock.exp +++ b/test/fs/fs_var_lock.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/fs_var_tmp.exp b/test/fs/fs_var_tmp.exp index a3bc5afe2..50679db6d 100755 --- a/test/fs/fs_var_tmp.exp +++ b/test/fs/fs_var_tmp.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/invalid_filename.exp b/test/fs/invalid_filename.exp index a6efc24b6..db15bb6ba 100755 --- a/test/fs/invalid_filename.exp +++ b/test/fs/invalid_filename.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/kmsg.exp b/test/fs/kmsg.exp index abc711aee..9d9467eac 100755 --- a/test/fs/kmsg.exp +++ b/test/fs/kmsg.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/mkdir_mkfile.exp b/test/fs/mkdir_mkfile.exp index 98163bf77..e2e7d3ef0 100755 --- a/test/fs/mkdir_mkfile.exp +++ b/test/fs/mkdir_mkfile.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/option_blacklist.exp b/test/fs/option_blacklist.exp index 6554d438f..dcdf5facc 100755 --- a/test/fs/option_blacklist.exp +++ b/test/fs/option_blacklist.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/option_blacklist_glob.exp b/test/fs/option_blacklist_glob.exp index 5a96cacc9..f682ed619 100755 --- a/test/fs/option_blacklist_glob.exp +++ b/test/fs/option_blacklist_glob.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/private-bin.exp b/test/fs/private-bin.exp index f7181d218..b8722130a 100755 --- a/test/fs/private-bin.exp +++ b/test/fs/private-bin.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/private-etc-empty.exp b/test/fs/private-etc-empty.exp index 5ddce8678..b91da07f3 100755 --- a/test/fs/private-etc-empty.exp +++ b/test/fs/private-etc-empty.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/private-etc.exp b/test/fs/private-etc.exp index 36b5d247c..c4b0da7b2 100755 --- a/test/fs/private-etc.exp +++ b/test/fs/private-etc.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/private-home-dir.exp b/test/fs/private-home-dir.exp index f85a939b1..77baeeb5f 100755 --- a/test/fs/private-home-dir.exp +++ b/test/fs/private-home-dir.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/private-home.exp b/test/fs/private-home.exp index 3840d1cb8..f2f30914d 100755 --- a/test/fs/private-home.exp +++ b/test/fs/private-home.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/private-homedir.exp b/test/fs/private-homedir.exp index 35085948a..4a8cf8369 100755 --- a/test/fs/private-homedir.exp +++ b/test/fs/private-homedir.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/private-whitelist.exp b/test/fs/private-whitelist.exp index 6a1ad535c..0e75868b3 100755 --- a/test/fs/private-whitelist.exp +++ b/test/fs/private-whitelist.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/private.exp b/test/fs/private.exp index 8114ee45d..c7059079d 100755 --- a/test/fs/private.exp +++ b/test/fs/private.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/read-write.exp b/test/fs/read-write.exp index 19a915f66..c648f83dd 100755 --- a/test/fs/read-write.exp +++ b/test/fs/read-write.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/sys_fs.exp b/test/fs/sys_fs.exp index f512776d9..8f63aedf7 100755 --- a/test/fs/sys_fs.exp +++ b/test/fs/sys_fs.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/whitelist-dev.exp b/test/fs/whitelist-dev.exp index 827f32126..213542c88 100755 --- a/test/fs/whitelist-dev.exp +++ b/test/fs/whitelist-dev.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/whitelist-double.exp b/test/fs/whitelist-double.exp index fc05f9322..dd2336ce1 100755 --- a/test/fs/whitelist-double.exp +++ b/test/fs/whitelist-double.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/whitelist-downloads.exp b/test/fs/whitelist-downloads.exp index 6af318d2b..f3eb0d6a2 100755 --- a/test/fs/whitelist-downloads.exp +++ b/test/fs/whitelist-downloads.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/whitelist-empty.exp b/test/fs/whitelist-empty.exp index 71bb8f914..e1c3ffb4a 100755 --- a/test/fs/whitelist-empty.exp +++ b/test/fs/whitelist-empty.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 30 diff --git a/test/fs/whitelist.exp b/test/fs/whitelist.exp index 9b631b884..20492c739 100755 --- a/test/fs/whitelist.exp +++ b/test/fs/whitelist.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/4bridges_arp.exp b/test/network/4bridges_arp.exp index 6383aad5e..80760eb3a 100755 --- a/test/network/4bridges_arp.exp +++ b/test/network/4bridges_arp.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/4bridges_ip.exp b/test/network/4bridges_ip.exp index e762ac285..5e136926b 100755 --- a/test/network/4bridges_ip.exp +++ b/test/network/4bridges_ip.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/bandwidth.exp b/test/network/bandwidth.exp index 8a2e46e04..25845c728 100755 --- a/test/network/bandwidth.exp +++ b/test/network/bandwidth.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/firemon-interfaces.exp b/test/network/firemon-interfaces.exp index deb8594af..7a95ccb18 100755 --- a/test/network/firemon-interfaces.exp +++ b/test/network/firemon-interfaces.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/hostname.exp b/test/network/hostname.exp index 73d06725f..0acb6a5ac 100755 --- a/test/network/hostname.exp +++ b/test/network/hostname.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/ip6.exp b/test/network/ip6.exp index 1db16c28a..d03cb7c37 100755 --- a/test/network/ip6.exp +++ b/test/network/ip6.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/iprange.exp b/test/network/iprange.exp index a1b2ccab4..d37a44e4f 100755 --- a/test/network/iprange.exp +++ b/test/network/iprange.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/net_arp.exp b/test/network/net_arp.exp index fdd30f218..98ed8d9f1 100755 --- a/test/network/net_arp.exp +++ b/test/network/net_arp.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/net_badip.exp b/test/network/net_badip.exp index d13a6144e..2467b3ef2 100755 --- a/test/network/net_badip.exp +++ b/test/network/net_badip.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/net_defaultgw.exp b/test/network/net_defaultgw.exp index 6291ae5ba..c7178616a 100755 --- a/test/network/net_defaultgw.exp +++ b/test/network/net_defaultgw.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/net_defaultgw2.exp b/test/network/net_defaultgw2.exp index 7620e4899..088dfeee8 100755 --- a/test/network/net_defaultgw2.exp +++ b/test/network/net_defaultgw2.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/net_defaultgw3.exp b/test/network/net_defaultgw3.exp index a47324adc..bf5d00b34 100755 --- a/test/network/net_defaultgw3.exp +++ b/test/network/net_defaultgw3.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/net_ip.exp b/test/network/net_ip.exp index 0fa84243a..c6b84781c 100755 --- a/test/network/net_ip.exp +++ b/test/network/net_ip.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/net_local.exp b/test/network/net_local.exp index d58135785..4e0cef329 100755 --- a/test/network/net_local.exp +++ b/test/network/net_local.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/net_mac.exp b/test/network/net_mac.exp index d3cd8163f..dd3391d8e 100755 --- a/test/network/net_mac.exp +++ b/test/network/net_mac.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/net_macvlan2.exp b/test/network/net_macvlan2.exp index 7f21fc083..b6cab7c7b 100755 --- a/test/network/net_macvlan2.exp +++ b/test/network/net_macvlan2.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/net_mtu.exp b/test/network/net_mtu.exp index eb9c5d08c..6748d9ec5 100755 --- a/test/network/net_mtu.exp +++ b/test/network/net_mtu.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/net_netfilter.exp b/test/network/net_netfilter.exp index 737485d07..3c43a481f 100755 --- a/test/network/net_netfilter.exp +++ b/test/network/net_netfilter.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/net_noip.exp b/test/network/net_noip.exp index b557d116c..dfe0abb66 100755 --- a/test/network/net_noip.exp +++ b/test/network/net_noip.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/net_noip2.exp b/test/network/net_noip2.exp index c86ea4900..b6f725523 100755 --- a/test/network/net_noip2.exp +++ b/test/network/net_noip2.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/net_none.exp b/test/network/net_none.exp index 1761eb423..0d3701f22 100755 --- a/test/network/net_none.exp +++ b/test/network/net_none.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/net_profile.exp b/test/network/net_profile.exp index 29008d811..febbcfcd7 100755 --- a/test/network/net_profile.exp +++ b/test/network/net_profile.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/net_scan.exp b/test/network/net_scan.exp index 5afbbeea6..bb46f9c60 100755 --- a/test/network/net_scan.exp +++ b/test/network/net_scan.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/net_veth.exp b/test/network/net_veth.exp index 04091047b..e31f5da55 100755 --- a/test/network/net_veth.exp +++ b/test/network/net_veth.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/netstats.exp b/test/network/netstats.exp index 41232061d..2e6649ae3 100755 --- a/test/network/netstats.exp +++ b/test/network/netstats.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/veth-name.exp b/test/network/veth-name.exp index 36ed41d92..ccfb208ff 100755 --- a/test/network/veth-name.exp +++ b/test/network/veth-name.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/overlay/firefox-x11-xorg.exp b/test/overlay/firefox-x11-xorg.exp index 76c0e55fc..723431baa 100755 --- a/test/overlay/firefox-x11-xorg.exp +++ b/test/overlay/firefox-x11-xorg.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/overlay/firefox-x11.exp b/test/overlay/firefox-x11.exp index aa248f328..982bd8149 100755 --- a/test/overlay/firefox-x11.exp +++ b/test/overlay/firefox-x11.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/overlay/firefox.exp b/test/overlay/firefox.exp index 6ef23558d..5614198cd 100755 --- a/test/overlay/firefox.exp +++ b/test/overlay/firefox.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/profiles/ignore.exp b/test/profiles/ignore.exp index 0c5691e9a..cdb38e97b 100755 --- a/test/profiles/ignore.exp +++ b/test/profiles/ignore.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/profiles/profile_syntax.exp b/test/profiles/profile_syntax.exp index d1be2074a..74b0d5a53 100755 --- a/test/profiles/profile_syntax.exp +++ b/test/profiles/profile_syntax.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/profiles/profile_syntax2.exp b/test/profiles/profile_syntax2.exp index 9dca35ca2..5726c0408 100755 --- a/test/profiles/profile_syntax2.exp +++ b/test/profiles/profile_syntax2.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/profiles/test-profile.exp b/test/profiles/test-profile.exp index a6b4a5aad..6bc47f33f 100755 --- a/test/profiles/test-profile.exp +++ b/test/profiles/test-profile.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/root/firecfg.exp b/test/root/firecfg.exp index b4864988d..c9085e8c8 100755 --- a/test/root/firecfg.exp +++ b/test/root/firecfg.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/root/join.exp b/test/root/join.exp index e4a4e87af..c70fff93d 100755 --- a/test/root/join.exp +++ b/test/root/join.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/root/private.exp b/test/root/private.exp index 9ce9716f9..479d7afb1 100755 --- a/test/root/private.exp +++ b/test/root/private.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/root/seccomp-chmod.exp b/test/root/seccomp-chmod.exp index b17990e3a..35c6f69c2 100755 --- a/test/root/seccomp-chmod.exp +++ b/test/root/seccomp-chmod.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/root/seccomp-chown.exp b/test/root/seccomp-chown.exp index a54d279f1..7d9da5e5a 100755 --- a/test/root/seccomp-chown.exp +++ b/test/root/seccomp-chown.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 
diff --git a/test/root/seccomp-umount.exp b/test/root/seccomp-umount.exp index c441c5fc4..90e240e74 100755 --- a/test/root/seccomp-umount.exp +++ b/test/root/seccomp-umount.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/root/whitelist.exp b/test/root/whitelist.exp index f6936c048..06a9a5419 100755 --- a/test/root/whitelist.exp +++ b/test/root/whitelist.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/stress/net_macvlan.exp b/test/stress/net_macvlan.exp index 6ea4a6adf..187b5c39f 100755 --- a/test/stress/net_macvlan.exp +++ b/test/stress/net_macvlan.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/sysutils/cpio.exp b/test/sysutils/cpio.exp index 9755d8737..e7e69df45 100755 --- a/test/sysutils/cpio.exp +++ b/test/sysutils/cpio.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/sysutils/file.exp b/test/sysutils/file.exp index a8ad84d12..c220ab82e 100755 --- a/test/sysutils/file.exp +++ b/test/sysutils/file.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/sysutils/gzip.exp b/test/sysutils/gzip.exp index ab0e727de..b56c27ceb 100755 --- a/test/sysutils/gzip.exp +++ b/test/sysutils/gzip.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/sysutils/less.exp b/test/sysutils/less.exp index 720830304..5ff11174d 100755 --- a/test/sysutils/less.exp +++ b/test/sysutils/less.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/sysutils/strings.exp b/test/sysutils/strings.exp index 1fd0f5dc0..0d18b8079 100755 --- a/test/sysutils/strings.exp +++ b/test/sysutils/strings.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/sysutils/tar.exp b/test/sysutils/tar.exp index f41d67d6f..989f9ada2 100755 --- a/test/sysutils/tar.exp +++ b/test/sysutils/tar.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/sysutils/xz.exp b/test/sysutils/xz.exp index 11d0e560c..13ae6007b 100755 --- a/test/sysutils/xz.exp +++ b/test/sysutils/xz.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/sysutils/xzdec.exp b/test/sysutils/xzdec.exp index 0ea6f5fb0..e60c1af64 100755 --- a/test/sysutils/xzdec.exp +++ b/test/sysutils/xzdec.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 
diff --git a/test/utils/audit.exp b/test/utils/audit.exp index 931b46981..566493947 100755 --- a/test/utils/audit.exp +++ b/test/utils/audit.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/caps-print.exp b/test/utils/caps-print.exp index fa5239da2..d9d48bd50 100755 --- a/test/utils/caps-print.exp +++ b/test/utils/caps-print.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/cpu-print.exp b/test/utils/cpu-print.exp index 0a6f46102..f639f7c9f 100755 --- a/test/utils/cpu-print.exp +++ b/test/utils/cpu-print.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/dns-print.exp b/test/utils/dns-print.exp index 406ab5149..461231735 100755 --- a/test/utils/dns-print.exp +++ b/test/utils/dns-print.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/firemon-caps.exp b/test/utils/firemon-caps.exp index 76aa13725..dd02611df 100755 --- a/test/utils/firemon-caps.exp +++ b/test/utils/firemon-caps.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/firemon-cgroup.exp b/test/utils/firemon-cgroup.exp index b1ab083ae..156edaa8f 100755 --- a/test/utils/firemon-cgroup.exp +++ b/test/utils/firemon-cgroup.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/firemon-cpu.exp b/test/utils/firemon-cpu.exp index 00156c909..7cb20105f 100755 --- a/test/utils/firemon-cpu.exp +++ b/test/utils/firemon-cpu.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/firemon-interface.exp b/test/utils/firemon-interface.exp index edafd1639..8fbdf7740 100755 --- a/test/utils/firemon-interface.exp +++ b/test/utils/firemon-interface.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/firemon-name.exp b/test/utils/firemon-name.exp index c5dbfabab..dc7cbee99 100755 --- a/test/utils/firemon-name.exp +++ b/test/utils/firemon-name.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/firemon-seccomp.exp b/test/utils/firemon-seccomp.exp index 26c478344..56727a0be 100755 --- a/test/utils/firemon-seccomp.exp +++ b/test/utils/firemon-seccomp.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/firemon-version.exp b/test/utils/firemon-version.exp index 639c15c29..c297bec43 100755 --- a/test/utils/firemon-version.exp +++ b/test/utils/firemon-version.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/fs-print.exp b/test/utils/fs-print.exp index 4d4ceb718..11b4c9b7e 100755 --- a/test/utils/fs-print.exp +++ b/test/utils/fs-print.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/help.exp b/test/utils/help.exp index 5b9864578..4c3aede9b 100755 --- a/test/utils/help.exp +++ b/test/utils/help.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/join.exp b/test/utils/join.exp index 79fe99f2d..b74b0b17a 100755 --- a/test/utils/join.exp +++ b/test/utils/join.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/join2.exp b/test/utils/join2.exp index 5895eb730..b7d1f345f 100755 --- a/test/utils/join2.exp +++ b/test/utils/join2.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/join3.exp b/test/utils/join3.exp index 3ccc47bf9..c0cc7c2e4 100755 --- a/test/utils/join3.exp +++ b/test/utils/join3.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 
diff --git a/test/utils/join4.exp b/test/utils/join4.exp index c367dd770..c953320e0 100755 --- a/test/utils/join4.exp +++ b/test/utils/join4.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/list.exp b/test/utils/list.exp index 69db1f568..321f2bc50 100755 --- a/test/utils/list.exp +++ b/test/utils/list.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/man.exp b/test/utils/man.exp index d29f760b0..a28370c65 100755 --- a/test/utils/man.exp +++ b/test/utils/man.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/protocol-print.exp b/test/utils/protocol-print.exp index b4b94ea93..12ad98a41 100755 --- a/test/utils/protocol-print.exp +++ b/test/utils/protocol-print.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/seccomp-print.exp b/test/utils/seccomp-print.exp index f6ff1e721..5a76d7fcc 100755 --- a/test/utils/seccomp-print.exp +++ b/test/utils/seccomp-print.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/shutdown.exp b/test/utils/shutdown.exp index 1ab231bf4..eb87c5d4f 100755 --- a/test/utils/shutdown.exp +++ b/test/utils/shutdown.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/shutdown2.exp b/test/utils/shutdown2.exp index 777a73ec9..f92c8b2b1 100755 --- a/test/utils/shutdown2.exp +++ b/test/utils/shutdown2.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/shutdown3.exp b/test/utils/shutdown3.exp index a74fb3386..4c2c616b2 100755 --- a/test/utils/shutdown3.exp +++ b/test/utils/shutdown3.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/shutdown4.exp b/test/utils/shutdown4.exp index 2942ba3d5..7d3c27164 100755 --- a/test/utils/shutdown4.exp +++ b/test/utils/shutdown4.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/top.exp b/test/utils/top.exp index d530e5a85..7117cb883 100755 --- a/test/utils/top.exp +++ b/test/utils/top.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/trace.exp b/test/utils/trace.exp index eedc0f23f..614580016 100755 --- a/test/utils/trace.exp +++ b/test/utils/trace.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 30 
diff --git a/test/utils/tree.exp b/test/utils/tree.exp index a8ef763f1..53f8cf795 100755 --- a/test/utils/tree.exp +++ b/test/utils/tree.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/version.exp b/test/utils/version.exp index 2ce6f1680..261e40466 100755 --- a/test/utils/version.exp +++ b/test/utils/version.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 set timeout 10 -- cgit v1.2.3-70-g09d2 From 7fb214324f7fdbb3725493305581e00654389a5a Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 11 Feb 2017 09:56:48 -0500 Subject: copyright 2017 --- test/appimage/appimage.sh | 2 +- test/apps-x11-xorg/apps-x11-xorg.sh | 2 +- test/apps-x11/apps-x11.sh | 2 +- test/apps/apps.sh | 2 +- test/chroot/chroot.sh | 2 +- test/environment/environment.sh | 2 +- test/fcopy/fcopy.sh | 2 +- test/filters/filters.sh | 2 +- test/fs/fs.sh | 2 +- test/network/network.sh | 2 +- test/overlay/overlay.sh | 2 +- test/profiles/profiles.sh | 2 +- test/stress/stress.sh | 2 +- test/sysutils/sysutils.sh | 2 +- test/test.sh | 2 +- test/utils/utils.sh | 2 +- 16 files changed, 16 insertions(+), 16 deletions(-) diff --git a/test/appimage/appimage.sh b/test/appimage/appimage.sh index bb646e189..6d0fcf081 100755 --- a/test/appimage/appimage.sh +++ b/test/appimage/appimage.sh @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 diff --git a/test/apps-x11-xorg/apps-x11-xorg.sh b/test/apps-x11-xorg/apps-x11-xorg.sh index b05914b52..d39d8390e 100755 --- a/test/apps-x11-xorg/apps-x11-xorg.sh +++ b/test/apps-x11-xorg/apps-x11-xorg.sh 
@@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 diff --git a/test/apps-x11/apps-x11.sh b/test/apps-x11/apps-x11.sh index 4a8671dbd..739a94f2e 100755 --- a/test/apps-x11/apps-x11.sh +++ b/test/apps-x11/apps-x11.sh @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 diff --git a/test/apps/apps.sh b/test/apps/apps.sh index 38307b284..4b7afe1a9 100755 --- a/test/apps/apps.sh +++ b/test/apps/apps.sh @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 diff --git a/test/chroot/chroot.sh b/test/chroot/chroot.sh index 34bff2a67..e7911caa0 100755 --- a/test/chroot/chroot.sh +++ b/test/chroot/chroot.sh @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 diff --git a/test/environment/environment.sh b/test/environment/environment.sh index 2bb5a249e..e2b9cb9d4 100755 --- a/test/environment/environment.sh +++ b/test/environment/environment.sh @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 diff --git a/test/fcopy/fcopy.sh b/test/fcopy/fcopy.sh index dcda5ca31..0ae50399a 100755 --- a/test/fcopy/fcopy.sh +++ b/test/fcopy/fcopy.sh @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 
diff --git a/test/filters/filters.sh b/test/filters/filters.sh index fea4a0296..73e0e4d5c 100755 --- a/test/filters/filters.sh +++ b/test/filters/filters.sh @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 diff --git a/test/fs/fs.sh b/test/fs/fs.sh index 611b62b09..85eeaaf81 100755 --- a/test/fs/fs.sh +++ b/test/fs/fs.sh @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 diff --git a/test/network/network.sh b/test/network/network.sh index 94df9935e..2c60be0a5 100755 --- a/test/network/network.sh +++ b/test/network/network.sh @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 diff --git a/test/overlay/overlay.sh b/test/overlay/overlay.sh index 4c9ebe5b0..94ad6a3cd 100755 --- a/test/overlay/overlay.sh +++ b/test/overlay/overlay.sh @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 diff --git a/test/profiles/profiles.sh b/test/profiles/profiles.sh index ca0b9fb29..3be10bedd 100755 --- a/test/profiles/profiles.sh +++ b/test/profiles/profiles.sh @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 diff --git a/test/stress/stress.sh b/test/stress/stress.sh index 35c846071..96bbaf61b 100755 --- a/test/stress/stress.sh +++ b/test/stress/stress.sh 
@@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 diff --git a/test/sysutils/sysutils.sh b/test/sysutils/sysutils.sh index 99939133d..02eb0f41d 100755 --- a/test/sysutils/sysutils.sh +++ b/test/sysutils/sysutils.sh @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 diff --git a/test/test.sh b/test/test.sh index 4b7d5bb6d..f0330e139 100755 --- a/test/test.sh +++ b/test/test.sh @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 ./chk_config.exp diff --git a/test/utils/utils.sh b/test/utils/utils.sh index 04702597f..751f1f8e7 100755 --- a/test/utils/utils.sh +++ b/test/utils/utils.sh @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors +# Copyright (C) 2014-2017 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 -- cgit v1.2.3-70-g09d2 From 39692e4adbb2ca85e9db40c9b70724bc9aaaada3 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 11 Feb 2017 10:12:32 -0500 Subject: README.md --- README.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/README.md b/README.md index 696096924..144906e65 100644 --- a/README.md +++ b/README.md @@ -22,6 +22,10 @@ $ firejail transmission-gtk # starting Transmission BitTorrent $ firejail vlc # starting VideoLAN Client $ sudo firejail /etc/init.d/nginx start ````` + +[![IMAGE ALT TEXT HERE](http://img.youtube.com/vi/Yk1HVPOeoTc/0.jpg)](http://www.youtube.com/watch?v=Yk1HVPOeoTc) + + Project webpage: https://firejail.wordpress.com/ Download and Installation: https://firejail.wordpress.com/download-2/ 
@@ -35,6 +39,13 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ ````` ````` +## Compile and install +````` +$ git clone https://github.com/netblue30/firejail.git +$ cd firejail +$ ./configure && make && sudo make install-strip +````` + ## User submitted profile repositories If you keep your Firejail profiles in a public repository, please give us a link: -- cgit v1.2.3-70-g09d2 From b4f584334fc3b7fe0d665a29999dda4a5ecf5503 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 11 Feb 2017 10:23:03 -0500 Subject: README.md --- README.md | 2 +- video.png | Bin 0 -> 41252 bytes 2 files changed, 1 insertion(+), 1 deletion(-) create mode 100644 video.png diff --git a/README.md b/README.md index 144906e65..5bc7868c2 100644 --- a/README.md +++ b/README.md @@ -23,7 +23,7 @@ $ firejail vlc # starting VideoLAN Client $ sudo firejail /etc/init.d/nginx start ````` -[![IMAGE ALT TEXT HERE](http://img.youtube.com/vi/Yk1HVPOeoTc/0.jpg)](http://www.youtube.com/watch?v=Yk1HVPOeoTc) +[![About Firejail](video.png)](http://www.youtube.com/watch?v=Yk1HVPOeoTc) Project webpage: https://firejail.wordpress.com/ diff --git a/video.png b/video.png new file mode 100644 index 000000000..f9642f466 Binary files /dev/null and b/video.png differ -- cgit v1.2.3-70-g09d2 From e133e44e67eac8b7e7b7f075f89b238a0ea34a4d Mon Sep 17 00:00:00 2001 From: valoq Date: Sun, 12 Feb 2017 11:16:40 +0100 Subject: added iridium browser profile --- etc/iridium.profile | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 etc/iridium.profile diff --git a/etc/iridium.profile b/etc/iridium.profile new file mode 100644 index 000000000..c4da902c5 --- /dev/null +++ b/etc/iridium.profile 
@@ -0,0 +1,33 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/chromium.local + +# Iridium browser profile +noblacklist ~/.config/iridium +noblacklist ~/.cache/iridium +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc + +# chromium/iridium is distributed with a perl script on Arch +# include /etc/firejail/disable-devel.inc +# + +netfilter + +whitelist ${DOWNLOADS} +mkdir ~/.config/iridium +whitelist ~/.config/iridium +mkdir ~/.cache/iridium +whitelist ~/.cache/iridium +mkdir ~/.pki +whitelist ~/.pki + +# lastpass, keepass +# for keepass we additionally need to whitelist our .kdbx password database +whitelist ~/.keepass +whitelist ~/.config/keepass +whitelist ~/.config/KeePass +whitelist ~/.lastpass +whitelist ~/.config/lastpass + +include /etc/firejail/whitelist-common.inc -- cgit v1.2.3-70-g09d2 From dd4b0fe76692d1bd7caccb47e9ab752814c407df Mon Sep 17 00:00:00 2001 From: valoq Date: Sun, 12 Feb 2017 12:05:17 +0100 Subject: included alternative name for iridium browser --- etc/iridium-browser.profile | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 etc/iridium-browser.profile diff --git a/etc/iridium-browser.profile b/etc/iridium-browser.profile new file mode 100644 index 000000000..690cb53cf --- /dev/null +++ b/etc/iridium-browser.profile @@ -0,0 +1,6 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/chromium.local + +include /etc/firejail/iridium.profile + -- cgit v1.2.3-70-g09d2 From 4c71d23ede44ac9d1157aed71fe41e22e404e75e Mon Sep 17 00:00:00 2001 From: valoq Date: Sun, 12 Feb 2017 12:10:02 +0100 Subject: iridium fix --- etc/iridium-browser.profile | 2 +- etc/iridium.profile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/etc/iridium-browser.profile b/etc/iridium-browser.profile index 690cb53cf..7a2f889dc 100644 
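Review bot: The password-manager directories whitelisted near the end of the new iridium.profile (`~/.keepass`, `~/.config/keepass`, `~/.config/KeePass`, `~/.lastpass`, `~/.config/lastpass`) become visible inside the browser sandbox for every user, although the comment describes them as needed only when those extensions are in use; a user who runs neither extension gets the extra exposure and no benefit. Apart from `netfilter`, the profile contains no hardening directives such as `caps.drop all`, `seccomp`, `nonewprivs` or `noroot`; if that is deliberate because the browser's own sandbox needs them absent, the profile should say so, e.g. `# hardening directives intentionally omitted: <reason>` (hedged, since the chromium profile it is modelled on is not visible here). The commented-out `disable-devel.inc` line already carries its reason; the same standard would help the whitelist block.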
--- a/etc/iridium-browser.profile +++ b/etc/iridium-browser.profile @@ -1,6 +1,6 @@ # This file is overwritten during software install. # Persistent customizations should go in a .local file. -include /etc/firejail/chromium.local +include /etc/firejail/iridium-browser.local include /etc/firejail/iridium.profile diff --git a/etc/iridium.profile b/etc/iridium.profile index c4da902c5..69ea483aa 100644 --- a/etc/iridium.profile +++ b/etc/iridium.profile @@ -1,6 +1,6 @@ # This file is overwritten during software install. # Persistent customizations should go in a .local file. -include /etc/firejail/chromium.local +include /etc/firejail/iridium.local # Iridium browser profile noblacklist ~/.config/iridium -- cgit v1.2.3-70-g09d2 From 3383c69aaf1369a6959f6af3538c5ad8def45f2f Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 12 Feb 2017 09:19:10 -0500 Subject: firecfg.config fix --- src/firecfg/firecfg.config | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 4e4e5488a..d5030bae0 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -80,7 +80,7 @@ xchat # dns dnscrypt-proxy -dnsmaq +dnsmasq unbound # emulators/compatibility layers @@ -135,6 +135,7 @@ spotify totem vlc xfburn +xmms xplayer xviewer eom -- cgit v1.2.3-70-g09d2 From 3f3dd80ed63236c06ccbee2c54fa9d7cd2341c16 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 12 Feb 2017 10:17:32 -0500 Subject: follow-symlink-as-user runtime config option in /etc/firejail/firejail.config --- RELNOTES | 1 + etc/firejail.config | 6 ++++++ src/firejail/checkcfg.c | 9 +++++++++ src/firejail/firejail.h | 1 + src/firejail/fs_whitelist.c | 10 ++++++---- 5 files changed, 23 insertions(+), 4 deletions(-) diff --git a/RELNOTES b/RELNOTES index 16360bc64..0af08404c 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -28,6 +28,7 @@ firejail (0.9.45) baseline; urgency=low * feature: allow non-seccomp setup for OverlayFS sandboxes - more work to come * feature: added a number o Python scripts for handling sandboxes * feature: allow local customization using .local files under /etc/firejail + * feature: follow-symlink-as-user runtime config option in /etc/firejail/firejail.config * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, diff --git a/etc/firejail.config b/etc/firejail.config index 824e3f503..5498b2112 100644 --- a/etc/firejail.config +++ b/etc/firejail.config @@ -20,6 +20,12 @@ # Enable Firejail green prompt in terminal, default disabled # firejail-prompt no +# Follow symlink as user. While using --whitelist feature, +# symlinks pointing outside home directory are followed only +# if both the link and the real file are owned by the user. +# Enabled by default +# follow-symlink-as-user yes + # Force use of nonewprivs. This mitigates the possibility of # a user abusing firejail's features to trick a privileged (suid # or file capabilities) process into loading code or configuration diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 3a2101c6a..4fdc3b22a 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -124,6 +124,15 @@ int checkcfg(int val) { else goto errout; } + // follow symlink as user + else if (strncmp(ptr, "follow-symlink-as-user ", 23) == 0) { + if (strcmp(ptr + 23, "yes") == 0) + cfg_val[CFG_FOLLOW_SYMLINK_AS_USER] = 1; + else if (strcmp(ptr + 23, "no") == 0) + cfg_val[CFG_FOLLOW_SYMLINK_AS_USER] = 0; + else + goto errout; + } // nonewprivs else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) { if (strcmp(ptr + 17, "yes") == 0) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index f7b3ce0ac..b7d2c4304 100644 --- a/src/firejail/firejail.h 
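Review bot: The parser for `follow-symlink-as-user` writes 0 or 1 into `cfg_val[CFG_FOLLOW_SYMLINK_AS_USER]`, but the hunk does not show where that entry is initialized, while the firejail.config comment in the same commit promises "Enabled by default"; if the array's default initialization elsewhere in `checkcfg()` is not 1 for the new entry, the ownership check that `fs_whitelist()` now conditions on it is silently off. Worth confirming, and the config comment should spell out what `no` gives up, e.g. `# Setting this to no lets a whitelisted symlink expose files outside the home directory regardless of who owns them`. The `strncmp` length of 23 matches `"follow-symlink-as-user "` including the trailing space, so the value parsing is consistent with the neighbouring options. `checkcfg()` starts outside the hunk.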
+++ b/src/firejail/firejail.h @@ -678,6 +678,7 @@ enum { CFG_PRIVATE_HOME, CFG_PRIVATE_BIN_NO_LOCAL, CFG_FIREJAIL_PROMPT, + CFG_FOLLOW_SYMLINK_AS_USER, CFG_MAX // this should always be the last entry }; extern char *xephyr_screen; diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index b0e4463ae..1794e4b35 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c @@ -406,10 +406,12 @@ void fs_whitelist(void) { // both path and absolute path are under /home if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) { - // check if the file is owned by the user - struct stat s; - if (stat(fname, &s) == 0 && s.st_uid != getuid()) - goto errexit; + if (checkcfg(CFG_FOLLOW_SYMLINK_AS_USER)) { + // check if the file is owned by the user + struct stat s; + if (stat(fname, &s) == 0 && s.st_uid != getuid()) + goto errexit; + } } } else if (strncmp(new_name, "/tmp/", 5) == 0) { -- cgit v1.2.3-70-g09d2 From a842f6464f54890c9faf409712f6449176b23633 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 12 Feb 2017 10:30:39 -0500 Subject: force-nonewprivs fix for /etc/firejail/firejail.config --- src/firejail/checkcfg.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 4fdc3b22a..dff892ea3 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -136,9 +136,9 @@ int checkcfg(int val) { // nonewprivs else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) { if (strcmp(ptr + 17, "yes") == 0) - cfg_val[CFG_SECCOMP] = 1; + cfg_val[CFG_FORCE_NONEWPRIVS] = 1; else if (strcmp(ptr + 17, "no") == 0) - cfg_val[CFG_SECCOMP] = 0; + cfg_val[CFG_FORCE_NONEWPRIVS] = 0; else goto errout; } -- cgit v1.2.3-70-g09d2 From 68e10f174920746c306bc431d0a66008bdcb8082 Mon Sep 17 00:00:00 2001 
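Review bot: With `follow-symlink-as-user no` the new branch in `fs_whitelist()` skips the owner comparison entirely, so a whitelisted symlink under the home directory is followed to any target outside it regardless of owner; the retained comment `// check if the file is owned by the user` no longer describes the whole condition, and something like `// owner check only applies when follow-symlink-as-user is enabled; otherwise the link target is whitelisted as-is` should sit on the new `if`. The condition `stat(fname, &s) == 0 && s.st_uid != getuid()` also lets a failed `stat()` (dangling or inaccessible target) fall through to the whitelist instead of to `errexit`; if that is intended as "nothing to protect", a one-line comment saying so would keep it from being "fixed" later. `fs_whitelist()` starts and ends outside the hunk.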
From: netblue30 Date: Sun, 12 Feb 2017 10:44:28 -0500 Subject: profile merges --- README | 1 + README.md | 2 +- RELNOTES | 2 +- platform/debian/conffiles | 3 +++ 4 files changed, 6 insertions(+), 2 deletions(-) diff --git a/README b/README index 70577700c..66e196e97 100644 --- a/README +++ b/README @@ -100,6 +100,7 @@ valoq (https://github.com/valoq) - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles - added wget profile - disable gnupg and systemd directories under /run/user + - added iridium browser profile Igor Bukanov (https://github.com/ibukanov) - found/fiixed privilege escalation in --hosts-file option Cat (https://github.com/ecat3) diff --git a/README.md b/README.md index 5bc7868c2..dd97057c0 100644 --- a/README.md +++ b/README.md @@ -150,5 +150,5 @@ gjs, gnome-books, gnome-clocks, gnome-documents, gnome-maps, gnome-music, gnome- goobox, gpa, gpg, gpg-agent, highlight, img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, w3m, xfburn, xpra, wget, xed, pluma, Cryptocat, Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5, -PDFSam, Pithos, Xonotic, wireshark, keepassx2, QupZilla, FossaMail, Uzbl browser, xmms +PDFSam, Pithos, Xonotic, wireshark, keepassx2, QupZilla, FossaMail, Uzbl browser, xmms, iridium browser diff --git a/RELNOTES b/RELNOTES index 0af08404c..bef255458 100644 --- a/RELNOTES +++ b/RELNOTES @@ -34,7 +34,7 @@ firejail (0.9.45) baseline; urgency=low * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, * new profiles: Gnome Contacts, JD-GUI, Lollypop, MultiMC5, PDFSam, Pithos, * new profies: Xonotic, wireshark, keepassx2, QupZilla, FossaMail, - * new profiles: Uzbl browser + * new profiles: Uzbl browser, iridium browser * bugfixes -- netblue30 Sun, 23 Oct 2016 08:00:00 -0500 
diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 61e72583e..4d63c3d54 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -244,3 +244,6 @@ /etc/firejail/fossamail.profile /etc/firejail/uzbl-browser.profile /etc/firejail/xmms.profile +/etc/firejail/iridium-browser.profile +/etc/firejail/iridium.profile + -- cgit v1.2.3-70-g09d2 From b286a6bc3a13161038dc918660722628057d28d7 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 14 Feb 2017 11:38:19 -0500 Subject: merge #1100 from zackw: removed libconnect --- .gitignore | 1 + Makefile.in | 4 +-- README | 2 ++ configure | 3 +-- configure.ac | 2 +- etc/firejail.config | 2 +- platform/rpm/old-mkrpm.sh | 2 -- src/firejail/fs_trace.c | 3 --- src/firejail/sandbox.c | 8 +++--- src/libconnect/Makefile.in | 25 ----------------- src/libconnect/libconnect.c | 66 --------------------------------------------- 11 files changed, 11 insertions(+), 107 deletions(-) delete mode 100644 src/libconnect/Makefile.in delete mode 100644 src/libconnect/libconnect.c diff --git a/.gitignore b/.gitignore index 89bf3c4fa..1b2c7fc7b 100644 --- a/.gitignore +++ b/.gitignore @@ -6,6 +6,7 @@ *.gcda *.gcno Makefile +autom4te.cache/ config.log config.status firejail-login.5 diff --git a/Makefile.in b/Makefile.in index 7152019d4..7ed27c89d 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,6 +1,6 @@ all: apps man filters MYLIBS = src/lib -APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/libconnect src/fnet src/fseccomp src/fcopy +APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fcopy MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 SECCOMP_FILTERS = seccomp seccomp.i386 seccomp.amd64 
@@ -79,7 +79,6 @@ realinstall: install -m 0755 -d $(DESTDIR)/$(libdir)/firejail install -c -m 0644 src/libtrace/libtrace.so $(DESTDIR)/$(libdir)/firejail/. install -c -m 0644 src/libtracelog/libtracelog.so $(DESTDIR)/$(libdir)/firejail/. - install -c -m 0644 src/libconnect/libconnect.so $(DESTDIR)/$(libdir)/firejail/. install -c -m 0755 src/ftee/ftee $(DESTDIR)/$(libdir)/firejail/. install -c -m 0755 src/fshaper/fshaper.sh $(DESTDIR)/$(libdir)/firejail/. install -c -m 0755 src/fgit/fgit-install.sh $(DESTDIR)/$(libdir)/firejail/. @@ -142,7 +141,6 @@ install-strip: all strip src/firecfg/firecfg strip src/libtrace/libtrace.so strip src/libtracelog/libtracelog.so - strip src/libconnect/libconnect.so strip src/ftee/ftee strip src/faudit/faudit strip src/fnet/fnet diff --git a/README b/README index 66e196e97..617ec3ec8 100644 --- a/README +++ b/README @@ -101,6 +101,8 @@ valoq (https://github.com/valoq) - added wget profile - disable gnupg and systemd directories under /run/user - added iridium browser profile +Zack Weinberg (https://github.com/zackw) + - removed libconnect Igor Bukanov (https://github.com/ibukanov) - found/fiixed privilege escalation in --hosts-file option Cat (https://github.com/ecat3) diff --git a/configure b/configure index 74f47a7c4..4ff257b66 100755 --- a/configure +++ b/configure 
@@ -3793,7 +3793,7 @@ if test "$prefix" = /usr; then sysconfdir="/etc" fi -ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile src/fseccomp/Makefile" +ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure @@ -4513,7 +4513,6 @@ do "src/firecfg/Makefile") CONFIG_FILES="$CONFIG_FILES src/firecfg/Makefile" ;; "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;; "src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;; - "src/libconnect/Makefile") CONFIG_FILES="$CONFIG_FILES src/libconnect/Makefile" ;; "src/fseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/fseccomp/Makefile" ;; *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; diff --git a/configure.ac b/configure.ac index 6a6c40b40..c04bfed89 100644 --- a/configure.ac +++ b/configure.ac @@ -168,7 +168,7 @@ fi AC_OUTPUT(Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile \ src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile \ -src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile src/fseccomp/Makefile) +src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile) echo echo "Configuration options:" diff --git a/etc/firejail.config b/etc/firejail.config index 5498b2112..766802a7d 100644 --- a/etc/firejail.config +++ b/etc/firejail.config 
@@ -85,6 +85,6 @@ # Firejail window title in Xephyr, default enabled. # xephyr-window-title yes -# Xephyr command extra parameters. None by default, and the declaration is commented out. +# Xephyr command extra parameters. None by default; these are examples. # xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev # xephyr-extra-params -grayscale diff --git a/platform/rpm/old-mkrpm.sh b/platform/rpm/old-mkrpm.sh index 017d5e1c3..6c8a4c240 100755 --- a/platform/rpm/old-mkrpm.sh +++ b/platform/rpm/old-mkrpm.sh @@ -24,7 +24,6 @@ install -m 755 /usr/lib/firejail/fshaper.sh firejail-$VERSION/usr/lib/firejail/ install -m 755 /usr/lib/firejail/ftee firejail-$VERSION/usr/lib/firejail/. install -m 644 /usr/lib/firejail/libtrace.so firejail-$VERSION/usr/lib/firejail/. install -m 644 /usr/lib/firejail/libtracelog.so firejail-$VERSION/usr/lib/firejail/. -install -m 644 /usr/lib/firejail/libconnect.so firejail-$VERSION/usr/lib/firejail/. mkdir -p firejail-$VERSION/usr/share/man/man1 install -m 644 /usr/share/man/man1/firejail.1.gz firejail-$VERSION/usr/share/man/man1/. @@ -436,7 +435,6 @@ rm -rf %{buildroot} /usr/lib/firejail/libtrace.so /usr/lib/firejail/libtracelog.so -/usr/lib/firejail/libconnect.so /usr/lib/firejail/faudit /usr/lib/firejail/ftee /usr/lib/firejail/firecfg.config diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c index 9e1dd546e..2a58d1eb2 100644 --- a/src/firejail/fs_trace.c +++ b/src/firejail/fs_trace.c @@ -60,9 +60,6 @@ void fs_trace(void) { printf("Blacklist violations are logged to syslog\n"); } - if (mask_x11_abstract_socket) - fprintf(fp, "%s/firejail/libconnect.so\n", LIBDIR); - SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); fclose(fp); diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 3fddc654b..1af9e7286 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c 
@@ -585,7 +585,7 @@ int sandbox(void* sandbox_arg) { #endif // trace pre-install - if (arg_trace || arg_tracelog || mask_x11_abstract_socket) + if (arg_trace || arg_tracelog) fs_trace_preload(); // store hosts file @@ -622,7 +622,7 @@ int sandbox(void* sandbox_arg) { //**************************** // trace pre-install, this time inside chroot //**************************** - if (arg_trace || arg_tracelog || mask_x11_abstract_socket) + if (arg_trace || arg_tracelog) fs_trace_preload(); } else @@ -685,7 +685,7 @@ int sandbox(void* sandbox_arg) { else { fs_private_dir_list("/etc", RUN_ETC_DIR, cfg.etc_private_keep); // create /etc/ld.so.preload file again - if (arg_trace || arg_tracelog || mask_x11_abstract_socket) + if (arg_trace || arg_tracelog) fs_trace_preload(); } } @@ -781,7 +781,7 @@ int sandbox(void* sandbox_arg) { //**************************** // install trace //**************************** - if (arg_trace || arg_tracelog || mask_x11_abstract_socket) + if (arg_trace || arg_tracelog) fs_trace(); //**************************** diff --git a/src/libconnect/Makefile.in b/src/libconnect/Makefile.in deleted file mode 100644 index 5b7a8d0f1..000000000 --- a/src/libconnect/Makefile.in +++ /dev/null @@ -1,25 +0,0 @@ -PREFIX=@prefix@ -VERSION=@PACKAGE_VERSION@ -NAME=@PACKAGE_NAME@ -HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ - -H_FILE_LIST = $(sort $(wildcard *.[h])) -C_FILE_LIST = $(sort $(wildcard *.c)) -OBJS = $(C_FILE_LIST:.c=.o) -BINOBJS = $(foreach file, $(OBJS), $file) -CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security -LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now - -all: libconnect.so - -%.o : %.c $(H_FILE_LIST) - $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ - -libconnect.so: $(OBJS) - $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl - - -clean:; rm -f $(OBJS) libconnect.so - -distclean: clean - rm -fr Makefile 
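Review bot: After these four hunks `mask_x11_abstract_socket` no longer triggers the trace preload, and the fs_trace.c hunk in this commit removes the only line that wrote `libconnect.so` into the preload list, so whatever sets that flag (x11.c still defines `int mask_x11_abstract_socket = 0;` in a later commit on this page) now has no visible effect on abstract X11 sockets. Unless a replacement mechanism lands elsewhere, the flag and the option that sets it (not visible here) should be removed or documented as a no-op, so users do not believe the masking is still in place. A comment at the first site, `// abstract X11 socket masking (libconnect.so) was removed; mask_x11_abstract_socket is not honoured here`, would stop the next reader from re-adding the condition. `sandbox()` starts and ends outside these hunks.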
diff --git a/src/libconnect/libconnect.c b/src/libconnect/libconnect.c deleted file mode 100644 index d79dcc4cb..000000000 --- a/src/libconnect/libconnect.c +++ /dev/null 
@@ -1,66 +0,0 @@ -/* - * Copyright (C) 2014-2017 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ -#define _GNU_SOURCE -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -//#define DEBUG - -//static int check_sockaddr(int sockfd, const char *call, const struct sockaddr *addr, int rv) { -static int check_sockaddr(const struct sockaddr *addr) { - if (addr->sa_family == AF_UNIX) { - struct sockaddr_un *a = (struct sockaddr_un *) addr; - if (a->sun_path[0] == '\0' && strstr(a->sun_path + 1, "X11-unix")) { -// printf("@%s\n", a->sun_path + 1); - errno = ENOENT; - return -1; - } - } - - return 0; -} - -// -// syscalls -// - -// connect -typedef int (*orig_connect_t)(int sockfd, const struct sockaddr *addr, socklen_t addrlen); -static orig_connect_t orig_connect = NULL; -int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen) { - if (!orig_connect) - orig_connect = (orig_connect_t)dlsym(RTLD_NEXT, "connect"); - - if (check_sockaddr(addr) == -1) - return -1; - - return orig_connect(sockfd, addr, addrlen); -} -- cgit v1.2.3-70-g09d2 From b0cb1b40c3dd23e9584ab6b0686871ab02d298d0 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Tue, 14 Feb 2017 15:00:09 -0500 Subject: merge #1100 from zackw: fix ugly memeory corruption in noblacklist processing --- src/firejail/firejail.h | 2 + src/firejail/fs.c | 36 +++++---- src/firejail/paths.c | 191 ++++++++++++++++++++++++++++++------------------ 3 files changed, 144 insertions(+), 85 deletions(-) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index b7d2c4304..fbf83abb3 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -636,6 +636,8 @@ void run_symlink(int argc, char **argv); // paths.c char **build_paths(void); +unsigned int count_paths(void); +int program_in_path(const char *program); // fs_mkdir.c void fs_mkdir(const char *name); diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 27de337bb..c386f70cf 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c 
@@ -289,26 +289,35 @@ void fs_blacklist(void) { // Process noblacklist command if (strncmp(entry->data, "noblacklist ", 12) == 0) { - char **paths = build_paths(); - - char *enames[sizeof(paths)+1] = {0}; - int i = 0; + char **enames; + int i; if (strncmp(entry->data + 12, "${PATH}", 7) == 0) { // expand ${PATH} macro - while (paths[i] != NULL) { - if (asprintf(&enames[i], "%s%s", paths[i], entry->data + 19) == -1) + char **paths = build_paths(); + unsigned int npaths = count_paths(); + enames = calloc(npaths, sizeof(char *)); + if (!enames) + errExit("calloc"); + + for (i = 0; paths[i]; i++) { + if (asprintf(&enames[i], "%s%s", paths[i], + entry->data + 19) == -1) errExit("asprintf"); - i++; } - } else { + assert(enames[npaths-1] == 0); + + } + else { // expand ${HOME} macro if found or pass as is + enames = calloc(2, sizeof(char *)); + if (!enames) + errExit("calloc"); enames[0] = expand_home(entry->data + 12, homedir); - enames[1] = NULL; + assert(enames[1] == 0); } - i = 0; - while (enames[i] != NULL) { + for (i = 0; enames[i]; i++) { if (noblacklist_c >= noblacklist_m) { noblacklist_m *= 2; noblacklist = realloc(noblacklist, sizeof(*noblacklist) * noblacklist_m); @@ -316,12 +325,9 @@ void fs_blacklist(void) { errExit("failed increasing memory for noblacklist entries"); } noblacklist[noblacklist_c++] = enames[i]; - i++; } - while (enames[i] != NULL) { - free(enames[i]); - } + free(enames); entry = entry->next; continue; diff --git a/src/firejail/paths.c b/src/firejail/paths.c index 69c4b359b..454255717 100644 --- a/src/firejail/paths.c +++ b/src/firejail/paths.c 
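Review bot: The `calloc(npaths, sizeof(char *))` in the `${PATH}` branch is only large enough because `count_paths()` includes the terminating NULL in its count (documented in paths.c, not here), and the `for (i = 0; paths[i]; i++)` loop then fills exactly `npaths-1` slots; a comment at the allocation, `// count_paths() includes the trailing NULL, so enames already has room for its sentinel`, would make the `assert(enames[npaths-1] == 0)` self-explanatory. The strings in `enames[]` are deliberately not freed because `noblacklist[]` takes ownership of them and only the array is released with `free(enames)`; say so at that line, e.g. `// entries now belong to noblacklist[]; release only the array`. `fs_blacklist()` starts and ends outside the hunk.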
@@ -18,83 +18,134 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include "firejail.h" +#include -static char **paths = NULL; -static int path_cnt = 0; -static char initialized = 0; +static char **paths = 0; +static unsigned int path_cnt = 0; +static unsigned int longest_path_elt = 0; -static void add_path(const char *path) { - assert(paths); - assert(path_cnt); - - // filter out duplicates - int i; - int empty = 0; - for (i = 0; i < path_cnt; i++) { - if (paths[i] && strcmp(path, paths[i]) == 0) { - return; - } - if (!paths[i]) { - empty = i; - break; - } +static void init_paths(void) { + char *path = getenv("PATH"); + char *p; + if (!path) { + path = "/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin"; + setenv("PATH", path, 1); } - - paths[empty] = strdup(path); - if (!paths[empty]) + path = strdup(path); + if (!path) errExit("strdup"); + + // size the paths array + for (p = path; *p; p++) + if (*p == ':') + path_cnt++; + path_cnt += 2; // one because we were counting fenceposts, one for the NULL at the end + + paths = calloc(path_cnt, sizeof(char *)); + if (!paths) + errExit("calloc"); + + // fill in 'paths' with pointers to elements of 'path' + char *elt; + unsigned int i = 0, j; + unsigned int len; + while ((elt = strsep(&path, ":")) != 0) { + // skip any entry that is not absolute + if (elt[0] != '/') + goto skip; + + // strip trailing slashes (this also prevents '/' from being a path entry). 
+ len = strlen(elt); + while (len > 0 && elt[len-1] == '/') + elt[--len] = '\0'; + if (len == 0) + goto skip; + + // filter out duplicate entries + for (j = 0; j < i; j++) + if (strcmp(elt, paths[j]) == 0) + goto skip; + + paths[i++] = elt; + if (len > longest_path_elt) + longest_path_elt = len; + + skip:; + } + + assert(paths[i] == 0); + // path_cnt may be too big now, if entries were skipped above + path_cnt = i+1; } + char **build_paths(void) { - if (initialized) { - assert(paths); - return paths; - } - initialized = 1; - - int cnt = 5; // 4 default paths + 1 NULL to end the array - char *path1 = getenv("PATH"); - if (path1) { - char *path2 = strdup(path1); - if (!path2) - errExit("strdup"); - - // use path2 to count the entries - char *ptr = strtok(path2, ":"); - while (ptr) { - cnt++; - ptr = strtok(NULL, ":"); - } - free(path2); - path_cnt = cnt; - - // allocate paths array - paths = malloc(sizeof(char *) * cnt); - if (!paths) - errExit("malloc"); - memset(paths, 0, sizeof(char *) * cnt); - - // add default paths - add_path("/usr/local/bin"); - add_path("/usr/bin"); - add_path("/bin"); - add_path("/usr/local/sbin"); - add_path("/usr/sbin"); - add_path("/sbin"); - - path2 = strdup(path1); - if (!path2) - errExit("strdup"); - - // use path2 to count the entries - ptr = strtok(path2, ":"); - while (ptr) { - cnt++; - add_path(ptr); - ptr = strtok(NULL, ":"); + if (!paths) + init_paths(); + assert(paths); + return paths; +} + +// Note: the NULL element at the end of 'paths' is included in this count. +unsigned int count_paths(void) { + if (!path_cnt) + init_paths(); + assert(path_cnt); + return path_cnt; +} + +// Return 1 if PROGRAM exists in $PATH and is runnable by the +// invoking user (not root). +// In other words, tests "will execvp(PROGRAM, ...) succeed?" 
+int program_in_path(const char *program) { + assert(program && *program); + assert(strchr(program, '/') == 0); + assert(strcmp(program, ".") != 0); + assert(strcmp(program, "..") != 0); + + if (!paths) + init_paths(); + assert(paths); + + size_t proglen = strlen(program); + char *scratch = malloc(longest_path_elt + proglen + 2); + if (!scratch) + errExit("malloc"); + + int found = 0; + size_t dlen; + char **p; + for (p = paths; *p; p++) { + char *dir = *p; + dlen = strlen(dir); + + // init_paths should ensure that this is true; as long + // as it is true, 'scratch' has enough space for "$p/$program". + assert(dlen <= longest_path_elt); + + memcpy(scratch, dir, dlen); + scratch[dlen++] = '/'; + + // copy proglen+1 bytes to copy the nul terminator at + // the end of 'program'. + memcpy(scratch + dlen, program, proglen+1); + + if (access(scratch, X_OK) == 0) { + // must also verify that this is a regular file + // ('x' permission means something different for directories). + // exec follows symlinks, so use stat, not lstat. + struct stat st; + if (stat(scratch, &st)) { + perror(scratch); + exit(1); + } + if (S_ISREG(st.st_mode)) { + found = 1; + break; + } } - free(path2); } - - return paths; + + free(scratch); + return found; } -- cgit v1.2.3-70-g09d2 From 402071d4762e120a73e965a0f193ff438fd344fc Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 14 Feb 2017 16:20:44 -0500 Subject: compile cleanup --- src/firejail/sandbox.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 1af9e7286..84ee5ee11 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -386,7 +386,7 @@ static void enforce_filters(void) { } // disable all capabilities - if (arg_caps_default_filter || arg_caps_list && !arg_quiet) + if ((arg_caps_default_filter || arg_caps_list) && !arg_quiet) fprintf(stderr, "Warning: all capabilities disabled for a regular user in chroot\n"); arg_caps_drop_all = 1; -- cgit v1.2.3-70-g09d2 
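Review bot: `init_paths()` no longer merges the six default directories into the list — the removed `add_path("/usr/local/bin")` … `add_path("/sbin")` calls ran unconditionally, whereas the new code substitutes that default string only when `PATH` is unset — so a profile line such as `noblacklist ${PATH}/foo` expands to fewer directories when the invoking user's PATH omits some of them; if that is intended it deserves a RELNOTES mention and a comment at the `getenv("PATH")` call, e.g. `// ${PATH} follows the caller's PATH exactly; the standard directories are only used when it is unset`. The `if (elt[0] != '/') goto skip;` check quietly drops relative and empty entries, which execvp() would resolve against the current directory — a property worth stating for a setuid program, e.g. `// drop relative and empty entries: never resolve programs against the cwd`. In `program_in_path()` a `stat()` failure after a successful `access()` can only come from a race between the two calls, and it currently aborts the process via `exit(1)`; treating it as "not found" with `continue` would be the more robust choice.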
From 75a10497476ea1feb6275951e33eedcbe0110b8b Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 14 Feb 2017 18:42:34 -0500 Subject: merge #1100 from zackw: rework DISPLAY environment parsing, rework masking X11 sockets in /tmp/.X11-unix directory --- README | 2 + src/firejail/x11.c | 109 +++++++++++++++++++++++++++++++++++++++++++++-------- 2 files changed, 95 insertions(+), 16 deletions(-) diff --git a/README b/README index 617ec3ec8..52c5f7dd2 100644 --- a/README +++ b/README @@ -103,6 +103,8 @@ valoq (https://github.com/valoq) - added iridium browser profile Zack Weinberg (https://github.com/zackw) - removed libconnect + - fixed memory corruption in noblacklist processing + - rework DISPLAY environment parsing, rework masking X11 sockets in /tmp/.X11-unix directory Igor Bukanov (https://github.com/ibukanov) - found/fiixed privilege escalation in --hosts-file option Cat (https://github.com/ecat3) diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 2fedcc355..b551a2d2a 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c @@ -27,6 +27,8 @@ #include #include #include +#include +#include int mask_x11_abstract_socket = 0; #ifdef HAVE_X11 
@@ -103,21 +105,44 @@ static int random_display_number(void) { } #endif -// return display number, -1 if not configured + +// Parse the DISPLAY environment variable and return a display number. +// Returns -1 if DISPLAY is not set, or is set to anything other than :ddd. int x11_display(void) { - // extract display - char *d = getenv("DISPLAY"); - if (!d) - return - 1; - - int display; - int rv = sscanf(d, ":%d", &display); - if (rv != 1) - return -1; - if (arg_debug) - printf("DISPLAY %s, %d\n", d, display); - - return display; + const char *display_str = getenv("DISPLAY"); + char *endp; + unsigned long display; + + if (!display_str) { + if (arg_debug) + fputs("DISPLAY is not set\n", stderr); + return -1; + } + + if (display_str[0] != ':' || display_str[1] < '0' || display_str[1] > '9') { + if (arg_debug) + fprintf(stderr, "unsupported DISPLAY form '%s'\n", display_str); + return -1; + } + + errno = 0; + display = strtoul(display_str+1, &endp, 10); + if (endp == display_str+1 || (*endp != '\0' && *endp != '.')) { // handling DISPLAY=:0 and also :0.0 + if (arg_debug) + fprintf(stderr, "unsupported DISPLAY form '%s'\n", display_str); + return -1; + } + if (errno || display > (unsigned long)INT_MAX) { + if (arg_debug) + fprintf(stderr, "display number %s is outside the valid range\n", + display_str+1); + return -1; + } + + if (arg_debug) + fprintf(stderr, "DISPLAY=%s parsed as %lu\n", display_str, display); + + return (int)display; } void fs_x11(void) { 
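Review bot: The screen suffix is not validated in x11_display: after strtoul, `*endp == '.'` is accepted without looking at what follows, so DISPLAY=:0.abc parses as display 0, and the header comment ("anything other than :ddd") does not mention that :ddd.ddd is accepted at all. Since display_str[1] is already verified to be a digit, the `endp == display_str+1` test can never be true and could be dropped or turned into an assert. I would extend the comment to `// Returns -1 if DISPLAY is not set, or is not of the form :ddd or :ddd.ddd (the screen suffix is ignored).` and, if strictness matters, also require that the characters after '.' are digits.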
@@ -129,10 +154,60 @@ void fs_x11(void) { char *x11file; if (asprintf(&x11file, "/tmp/.X11-unix/X%d", display) == -1) errExit("asprintf"); - struct stat s; - if (stat(x11file, &s) == -1) + struct stat x11stat; + if (stat(x11file, &x11stat) == -1 || !S_ISSOCK(x11stat.st_mode)) { + free(x11file); return; + } + if (arg_debug || arg_debug_whitelists) + fprintf(stderr, "Masking all X11 sockets except %s\n", x11file); + + // Move the real /tmp/.X11-unix to a scratch location + // so we can still access x11file after we mount a + // tmpfs over /tmp/.X11-unix. + int rv = mkdir(RUN_WHITELIST_X11_DIR, 0700); + if (rv == -1) + errExit("mkdir"); + if (set_perms(RUN_WHITELIST_X11_DIR, 0, 0, 0700)) + errExit("set_perms"); + + if (mount("/tmp/.X11-unix", RUN_WHITELIST_X11_DIR, 0, MS_BIND|MS_REC, 0) < 0) + errExit("mount bind"); + + // This directory must be mode 1777, or Xlib will barf. + if (mount("tmpfs", "/tmp/.X11-unix", "tmpfs", + MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, + "mode=1777,uid=0,gid=0") < 0) + errExit("mounting tmpfs on /tmp/.X11-unix"); + fs_logger("tmpfs /tmp/.X11-unix"); + + // create an empty file which will have the desired socket bind-mounted over it + int fd = open(x11file, O_RDWR|O_CREAT|O_EXCL, x11stat.st_mode & ~S_IFMT); + if (fd < 0) + errExit(x11file); + if (fchown(fd, x11stat.st_uid, x11stat.st_gid)) + errExit("fchown"); + close(fd); + + // do the mount + char *wx11file; + if (asprintf(&wx11file, "%s/X%d", RUN_WHITELIST_X11_DIR, display) == -1) + errExit("asprintf"); + if (mount(wx11file, x11file, NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mount bind"); + fs_logger2("whitelist", x11file); + + free(x11file); + free(wx11file); + + // block access to RUN_WHITELIST_X11_DIR + if (mount(RUN_RO_DIR, RUN_WHITELIST_X11_DIR, 0, MS_BIND, 0) < 0) + errExit("mount"); + fs_logger2("blacklist", RUN_WHITELIST_X11_DIR); + + +#if 0 // keep a copy of real /tmp/.X11-unix directory in WHITELIST_TMP_DIR int rv = mkdir(RUN_WHITELIST_X11_DIR, 1777); if 
(rv == -1) @@ -177,6 +252,8 @@ void fs_x11(void) { errExit("mount"); fs_logger2("blacklist", RUN_WHITELIST_X11_DIR); #endif + +#endif } -- cgit v1.2.3-70-g09d2 From fe45ca43c468a21e225a05beda867f93db88f897 Mon Sep 17 00:00:00 2001 From: "Austin S. Hemmelgarn" Date: Wed, 15 Feb 2017 07:52:22 -0500 Subject: Update unbound profile to block 3D acceleration. There is no legitimate reason for a caching DNS resolver to need 3D acceleration. Unbound adheres to this already, so any attempts to access GPU hardware from it are by definition either bugs or the result of an exploit, so let's just block access to the GPU. --- etc/unbound.profile | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/unbound.profile b/etc/unbound.profile index af8d7b374..0bd46b7f4 100644 --- a/etc/unbound.profile +++ b/etc/unbound.profile @@ -13,5 +13,6 @@ include /etc/firejail/disable-passwdmgr.inc private private-dev nosound +no3d seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open -- cgit v1.2.3-70-g09d2 From a73a89f3c403d61e8b5588b759e4438b4206e2e3 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 15 Feb 2017 08:12:41 -0500 Subject: merge #1100 from zackw: rework xpra and xephyr detection --- src/firejail/x11.c | 78 +++--------------------------------------------------- 1 file changed, 4 insertions(+), 74 deletions(-) diff --git a/src/firejail/x11.c b/src/firejail/x11.c index b551a2d2a..f81a52b70 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c 
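Review bot: The S_ISSOCK check is made on x11file, but the bind source actually mounted is wx11file, the same entry seen through the scratch bind of the world-writable (sticky) /tmp/.X11-unix; nothing re-verifies it before mount(), and mount(2) resolves symlinks in its source path. A cheap hardening is to stat wx11file immediately before the bind and require S_ISSOCK again, `if (stat(wx11file, &x11stat) == -1 || !S_ISSOCK(x11stat.st_mode)) errExit(wx11file);`, or to fstat an O_PATH|O_NOFOLLOW descriptor and mount through /proc/self/fd so the check and the mount refer to the same object. Also, `x11stat.st_mode & ~S_IFMT` hands the socket's full permission bits (commonly 0777) to the placeholder file's open(); they are irrelevant once the socket is bound over it, but 0600 would be the conservative choice. fs_x11's opening lines, including the x11_display() call, are outside this hunk.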
@@ -32,28 +32,6 @@ int mask_x11_abstract_socket = 0; #ifdef HAVE_X11 -// return 1 if xpra is installed on the system -static int x11_check_xpra(void) { - struct stat s; - - // check xpra - if (stat("/usr/bin/xpra", &s) == -1) - return 0; - - return 1; -} - -// return 1 if xephyr is installed on the system -static int x11_check_xephyr(void) { - struct stat s; - - // check xephyr - if (stat("/usr/bin/Xephyr", &s) == -1) - return 0; - - return 1; -} - // check for X11 abstract sockets static int x11_abstract_sockets_present(void) { char *path; 
@@ -205,54 +183,6 @@ void fs_x11(void) { if (mount(RUN_RO_DIR, RUN_WHITELIST_X11_DIR, 0, MS_BIND, 0) < 0) errExit("mount"); fs_logger2("blacklist", RUN_WHITELIST_X11_DIR); - - -#if 0 - // keep a copy of real /tmp/.X11-unix directory in WHITELIST_TMP_DIR - int rv = mkdir(RUN_WHITELIST_X11_DIR, 1777); - if (rv == -1) - errExit("mkdir"); - if (set_perms(RUN_WHITELIST_X11_DIR, 0, 0, 1777)) - errExit("set_perms"); - - if (mount("/tmp/.X11-unix", RUN_WHITELIST_X11_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind"); - - // mount tmpfs on /tmp/.X11-unix - if (arg_debug || arg_debug_whitelists) - printf("Mounting tmpfs on /tmp/.X11-unix directory\n"); - if (mount("tmpfs", "/tmp/.X11-unix", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) - errExit("mounting tmpfs on /tmp"); - fs_logger("tmpfs /tmp/.X11-unix"); - - // create an empty file - /* coverity[toctou] */ - FILE *fp = fopen(x11file, "w"); - if (!fp) { - fprintf(stderr, "Error: cannot create empty file in x11 directory\n"); - exit(1); - } - // set file properties - SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode); - fclose(fp); - - // mount - char *wx11file; - if (asprintf(&wx11file, "%s/X%d", RUN_WHITELIST_X11_DIR, display) == -1) - errExit("asprintf"); - if (mount(wx11file, x11file, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind"); - fs_logger2("whitelist", x11file); - - free(x11file); - free(wx11file); - - // block access to RUN_WHITELIST_X11_DIR - if (mount(RUN_RO_DIR, RUN_WHITELIST_X11_DIR, "none", MS_BIND, "mode=400,gid=0") == -1) - errExit("mount"); - fs_logger2("blacklist", RUN_WHITELIST_X11_DIR); -#endif - #endif } 
@@ -277,7 +207,7 @@ void x11_start_xephyr(int argc, char **argv) { drop_privs(0); // check xephyr - if (x11_check_xephyr() == 0) { + if (!program_in_path("Xephyr")) { fprintf(stderr, "\nError: Xephyr program was not found in /usr/bin directory, please install it:\n"); fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xserver-xephyr\n"); fprintf(stderr, " Arch: sudo pacman -S xorg-server-xephyr\n"); @@ -477,7 +407,7 @@ void x11_start_xpra(int argc, char **argv) { drop_privs(0); // check xpra - if (x11_check_xpra() == 0) { + if (!program_in_path("xpra")) { fprintf(stderr, "\nError: Xpra program was not found in /usr/bin directory, please install it:\n"); fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xpra\n"); exit(0); @@ -670,9 +600,9 @@ void x11_start(int argc, char **argv) { } // check xpra - if (x11_check_xpra() == 1) + if (program_in_path("xpra")) x11_start_xpra(argc, argv); - else if (x11_check_xephyr() == 1) + else if (program_in_path("Xephyr")) x11_start_xephyr(argc, argv); else { fprintf(stderr, "\nError: Xpra or Xephyr not found in /usr/bin directory, please install one of them:\n"); -- cgit v1.2.3-70-g09d2 From 6a8d393f25a9c6e525a450ba474e402decccee95 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 15 Feb 2017 09:02:53 -0500 Subject: merge #1100 from zackw: rework abstract X11 socket detection --- README | 5 ++- src/firejail/x11.c | 115 ++++++++++++++++++++++++++++++----------------------- 2 files changed, 70 insertions(+), 50 deletions(-) diff --git a/README b/README index 52c5f7dd2..e729b4580 100644 --- a/README +++ b/README 
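Review bot: The error messages next to the new program_in_path() calls still say the program "was not found in /usr/bin directory" (in x11_start_xephyr, x11_start_xpra and x11_start), which no longer matches the PATH-based lookup. I would change them to `"\nError: Xephyr program was not found in PATH, please install it:\n"`, the same for xpra, and `"\nError: Xpra or Xephyr not found in PATH, please install one of them:\n"`. Since the lookup runs after drop_privs(0) it searches the unprivileged user's PATH; if the exec further down still uses a fixed /usr/bin path, the check and the exec can disagree, which is worth confirming outside this hunk. The enclosing functions start and end outside these hunks.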
@@ -104,7 +104,10 @@ valoq (https://github.com/valoq) Zack Weinberg (https://github.com/zackw) - removed libconnect - fixed memory corruption in noblacklist processing - - rework DISPLAY environment parsing, rework masking X11 sockets in /tmp/.X11-unix directory + - rework DISPLAY environment parsing + - rework masking X11 sockets in /tmp/.X11-unix directory + - rework xpra and xephyr detection + - rework abstract X11 socket detection Igor Bukanov (https://github.com/ibukanov) - found/fiixed privilege escalation in --hosts-file option Cat (https://github.com/ecat3) diff --git a/src/firejail/x11.c b/src/firejail/x11.c index f81a52b70..328ecce18 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c 
@@ -31,30 +31,85 @@ #include int mask_x11_abstract_socket = 0; + +// Parse the DISPLAY environment variable and return a display number. +// Returns -1 if DISPLAY is not set, or is set to anything other than :ddd. +int x11_display(void) { + const char *display_str = getenv("DISPLAY"); + char *endp; + unsigned long display; + + if (!display_str) { + if (arg_debug) + fputs("DISPLAY is not set\n", stderr); + return -1; + } + + if (display_str[0] != ':' || display_str[1] < '0' || display_str[1] > '9') { + if (arg_debug) + fprintf(stderr, "unsupported DISPLAY form '%s'\n", display_str); + return -1; + } + + errno = 0; + display = strtoul(display_str+1, &endp, 10); + if (endp == display_str+1 || (*endp != '\0' && *endp != '.')) { // handling DISPLAY=:0 and also :0.0 + if (arg_debug) + fprintf(stderr, "unsupported DISPLAY form '%s'\n", display_str); + return -1; + } + if (errno || display > (unsigned long)INT_MAX) { + if (arg_debug) + fprintf(stderr, "display number %s is outside the valid range\n", + display_str+1); + return -1; + } + + if (arg_debug) + fprintf(stderr, "DISPLAY=%s parsed as %lu\n", display_str, display); + + return (int)display; +} + + #ifdef HAVE_X11 // check for X11 abstract sockets static int x11_abstract_sockets_present(void) { - char *path; EUID_ROOT(); // grsecurity fix FILE *fp = fopen("/proc/net/unix", "r"); - EUID_USER(); - if (!fp) errExit("fopen"); + EUID_USER(); + + char *linebuf = 0; + size_t bufsz = 0; + int found = 0; + errno = 0; - while (fscanf(fp, "%*s %*s %*s %*s %*s %*s %*s %ms\n", &path) != EOF) { - if (path && strncmp(path, "@/tmp/.X11-unix/", 16) == 0) { - free(path); - fclose(fp); - return 1; + for (;;) { + if (getline(&linebuf, &bufsz, fp) == -1) { + if (errno) + errExit("getline"); + break; + } + // The last space-separated field in 'linebuf' is the + // pathname of the socket. Abstract sockets' pathnames + // all begin with '@/', normal ones begin with '/'. 
+ char *p = strrchr(linebuf, ' '); + if (!p) { + fputs("error parsing /proc/net/unix\n", stderr); + exit(1); + } + if (strncmp(p+1, "@/tmp/.X11-unix/", 16) == 0) { + found = 1; + break; } } - free(path); + free(linebuf); fclose(fp); - - return 0; + return found; } static int random_display_number(void) { @@ -84,44 +139,6 @@ static int random_display_number(void) { #endif -// Parse the DISPLAY environment variable and return a display number. -// Returns -1 if DISPLAY is not set, or is set to anything other than :ddd. -int x11_display(void) { - const char *display_str = getenv("DISPLAY"); - char *endp; - unsigned long display; - - if (!display_str) { - if (arg_debug) - fputs("DISPLAY is not set\n", stderr); - return -1; - } - - if (display_str[0] != ':' || display_str[1] < '0' || display_str[1] > '9') { - if (arg_debug) - fprintf(stderr, "unsupported DISPLAY form '%s'\n", display_str); - return -1; - } - - errno = 0; - display = strtoul(display_str+1, &endp, 10); - if (endp == display_str+1 || (*endp != '\0' && *endp != '.')) { // handling DISPLAY=:0 and also :0.0 - if (arg_debug) - fprintf(stderr, "unsupported DISPLAY form '%s'\n", display_str); - return -1; - } - if (errno || display > (unsigned long)INT_MAX) { - if (arg_debug) - fprintf(stderr, "display number %s is outside the valid range\n", - display_str+1); - return -1; - } - - if (arg_debug) - fprintf(stderr, "DISPLAY=%s parsed as %lu\n", display_str, display); - - return (int)display; -} void fs_x11(void) { #ifdef HAVE_X11 -- cgit v1.2.3-70-g09d2 From be71ace09007086b0444cf00e51458df4faf2e6f Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 15 Feb 2017 09:10:07 -0500 Subject: merge #1100 from zackw: rework X11 display number assignment --- README | 1 + src/firejail/x11.c | 89 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 90 insertions(+) diff --git a/README b/README index e729b4580..08617425f 100644 --- a/README +++ b/README 
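Review bot: The comment above strrchr() says the last space-separated field of a /proc/net/unix line is the socket path, but unbound sockets have no Path column, so for those lines p+1 points at the inode number; the code is still correct because an inode can never match "@/tmp/.X11-unix/", but the comment should say so, e.g. `// For bound sockets the last field is the pathname; unbound sockets end at the inode field, which cannot match below.`. getline() also keeps the trailing newline, which is harmless here only because strncmp is bounded to 16 bytes, and a one-line comment would keep a future maintainer from "fixing" it with strcmp. The fopen() failure path now calls errExit() while still EUID root; that is fine because the process exits, but if this is ever changed to return, the EUID_USER() must move back before the check.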
@@ -108,6 +108,7 @@ Zack Weinberg (https://github.com/zackw) - rework masking X11 sockets in /tmp/.X11-unix directory - rework xpra and xephyr detection - rework abstract X11 socket detection + - rework X11 display number assignment Igor Bukanov (https://github.com/ibukanov) - found/fiixed privilege escalation in --hosts-file option Cat (https://github.com/ecat3) diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 328ecce18..a415929b1 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c @@ -20,6 +20,8 @@ #include "firejail.h" #include #include +#include +#include #include #include #include 
@@ -112,6 +114,92 @@ static int x11_abstract_sockets_present(void) { return found; } +// Choose a random, unallocated display number. This has an inherent +// and unavoidable TOCTOU race, since we cannot create either the +// socket or a lockfile ourselves. +static int random_display_number(void) { + int display; + int found = 0; + int i; + + struct sockaddr_un sa; + // The -1 here is because we need space to inject a + // leading nul byte. + int sun_pathmax = (int)(sizeof sa.sun_path - 1); + assert((size_t)sun_pathmax == sizeof sa.sun_path - 1); + int sun_pathlen; + + int sockfd = socket(AF_UNIX, SOCK_STREAM, 0); + if (sockfd == -1) + errExit("socket"); + + for (i = 0; i < 100; i++) { + // We try display numbers in the range 21 through 1000. + // Normal X servers typically use displays in the 0-10 range; + // ssh's X11 forwarding uses 10-20, and login screens + // (e.g. gdm3) may use displays above 1000. + display = rand() % 979 + 21; + + // The display number might be claimed by a server listening + // in _either_ the normal or the abstract namespace; they + // don't necessarily do both. The easiest way to check is + // to try to connect, both ways. + memset(&sa, 0, sizeof sa); + sa.sun_family = AF_UNIX; + sun_pathlen = snprintf(sa.sun_path, sun_pathmax, + "/tmp/.X11-unix/X%d", display); + if (sun_pathlen >= sun_pathmax) { + fprintf(stderr, "sun_path too small for display :%d" + " (only %d bytes usable)\n", display, sun_pathmax); + exit(1); + } + + if (connect(sockfd, (struct sockaddr *)&sa, + offsetof(struct sockaddr_un, sun_path) + sun_pathlen + 1) == 0) { + close(sockfd); + sockfd = socket(AF_UNIX, SOCK_STREAM, 0); + if (sockfd == -1) + errExit("socket"); + continue; + } + if (errno != ECONNREFUSED && errno != ENOENT) + errExit("connect"); + + // Name not claimed in the normal namespace; now try it + // in the abstract namespace. 
Note that abstract-namespace + // names are NOT nul-terminated; they extend to the length + // specified as the third argument to 'connect'. + memmove(sa.sun_path + 1, sa.sun_path, sun_pathlen + 1); + sa.sun_path[0] = '\0'; + if (connect(sockfd, (struct sockaddr *)&sa, + offsetof(struct sockaddr_un, sun_path) + 1 + sun_pathlen) == 0) { + close(sockfd); + sockfd = socket(AF_UNIX, SOCK_STREAM, 0); + if (sockfd == -1) + errExit("socket"); + continue; + } + if (errno != ECONNREFUSED && errno != ENOENT) + errExit("connect"); + + // This display number is unclaimed. Of course, it could + // be claimed before we get around to doing it... + found = 1; + break; + } + close(sockfd); + + if (!found) { + fputs("Error: cannot find an unallocated X11 display number, " + "exiting...\n", stderr); + exit(1); + } + return display; +} + + + +#if 0 static int random_display_number(void) { int i; int found = 1; @@ -137,6 +225,7 @@ static int random_display_number(void) { return display; } #endif +#endif -- cgit v1.2.3-70-g09d2 From 7c1035634d4e72c7d8d1b14a032cf415f9d4294d Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 15 Feb 2017 10:25:43 -0500 Subject: merge #1100 from zackw: rework X11 xorg processing - this is a partial merge --- README | 1 + src/firejail/x11.c | 333 ++++++++++++++++++++++++++++------------------------- 2 files changed, 177 insertions(+), 157 deletions(-) diff --git a/README b/README index 08617425f..a01e5fa86 100644 --- a/README +++ b/README @@ -109,6 +109,7 @@ Zack Weinberg (https://github.com/zackw) - rework xpra and xephyr detection - rework abstract X11 socket detection - rework X11 display number assignment + - rework X11 xorg processing Igor Bukanov (https://github.com/ibukanov) - found/fiixed privilege escalation in --hosts-file option Cat (https://github.com/ecat3) diff --git a/src/firejail/x11.c b/src/firejail/x11.c index a415929b1..bde33821d 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c 
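Review bot: A connect() failure other than ECONNREFUSED/ENOENT aborts the whole program via errExit, so a display socket in /tmp/.X11-unix with restrictive permissions (EACCES for another user's 0700 socket) makes --x11 unusable instead of just skipping that number. EACCES (and EPERM) should be treated like a successful connect — the number is taken — by closing and reopening the socket and continuing, rather than exiting. The comment "display numbers in the range 21 through 1000" is off by one: `rand() % 979 + 21` yields 21 through 999. Whether rand() is seeded is not visible here; predictability mostly matters for the TOCTOU the header comment already acknowledges, so a comment pointing at where srand() is called would help.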
@@ -196,101 +196,9 @@ static int random_display_number(void) { } return display; } - - - -#if 0 -static int random_display_number(void) { - int i; - int found = 1; - int display; - for (i = 0; i < 100; i++) { - display = rand() % 1024; - if (display < 10) - continue; - char *fname; - if (asprintf(&fname, "/tmp/.X11-unix/X%d", display) == -1) - errExit("asprintf"); - struct stat s; - if (stat(fname, &s) == -1) { - found = 1; - break; - } - } - if (!found) { - fprintf(stderr, "Error: cannot pick up a random X11 display number, exiting...\n"); - exit(1); - } - - return display; -} #endif -#endif - -void fs_x11(void) { -#ifdef HAVE_X11 - int display = x11_display(); - if (display <= 0) - return; - - char *x11file; - if (asprintf(&x11file, "/tmp/.X11-unix/X%d", display) == -1) - errExit("asprintf"); - struct stat x11stat; - if (stat(x11file, &x11stat) == -1 || !S_ISSOCK(x11stat.st_mode)) { - free(x11file); - return; - } - - if (arg_debug || arg_debug_whitelists) - fprintf(stderr, "Masking all X11 sockets except %s\n", x11file); - - // Move the real /tmp/.X11-unix to a scratch location - // so we can still access x11file after we mount a - // tmpfs over /tmp/.X11-unix. - int rv = mkdir(RUN_WHITELIST_X11_DIR, 0700); - if (rv == -1) - errExit("mkdir"); - if (set_perms(RUN_WHITELIST_X11_DIR, 0, 0, 0700)) - errExit("set_perms"); - - if (mount("/tmp/.X11-unix", RUN_WHITELIST_X11_DIR, 0, MS_BIND|MS_REC, 0) < 0) - errExit("mount bind"); - - // This directory must be mode 1777, or Xlib will barf. 
- if (mount("tmpfs", "/tmp/.X11-unix", "tmpfs", - MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, - "mode=1777,uid=0,gid=0") < 0) - errExit("mounting tmpfs on /tmp/.X11-unix"); - fs_logger("tmpfs /tmp/.X11-unix"); - - // create an empty file which will have the desired socket bind-mounted over it - int fd = open(x11file, O_RDWR|O_CREAT|O_EXCL, x11stat.st_mode & ~S_IFMT); - if (fd < 0) - errExit(x11file); - if (fchown(fd, x11stat.st_uid, x11stat.st_gid)) - errExit("fchown"); - close(fd); - - // do the mount - char *wx11file; - if (asprintf(&wx11file, "%s/X%d", RUN_WHITELIST_X11_DIR, display) == -1) - errExit("asprintf"); - if (mount(wx11file, x11file, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind"); - fs_logger2("whitelist", x11file); - - free(x11file); - free(wx11file); - - // block access to RUN_WHITELIST_X11_DIR - if (mount(RUN_RO_DIR, RUN_WHITELIST_X11_DIR, 0, MS_BIND, 0) < 0) - errExit("mount"); - fs_logger2("blacklist", RUN_WHITELIST_X11_DIR); -#endif -} #ifdef HAVE_X11 
@@ -720,58 +628,39 @@ void x11_start(int argc, char **argv) { #endif -void x11_block(void) { +// Porting notes: +// +// 1. merge #1100 from zackw: +// Attempting to run xauth -f directly on a file in /run/firejail/mnt/ directory fails on Debian 8 +// with this message: +// xauth: timeout in locking authority file /run/firejail/mnt/sec.Xauthority-Qt5Mu4 +// Failed to create untrusted X cookie: xauth: exit 1 +// For this reason we run xauth on a file in a tmpfs filesystem mounted on /tmp. This was +// a partial merge. +// +// 2. Since we cannot deal with the TOCTOU condition when mounting .Xauthority in user home +// directory, we need to make sure /usr/bin/xauth executable is the real thing, and not +// something picked up on $PATH. +// +void x11_xorg(void) { #ifdef HAVE_X11 - mask_x11_abstract_socket = 1; - // check abstract socket presence and network namespace options - if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured) - && x11_abstract_sockets_present()) { - fprintf(stderr, "ERROR: --x11=none specified, but abstract X11 socket still accessible.\n" - "Additional setup required. To block abstract X11 socket you can either:\n" - " * use network namespace in firejail (--net=none, --net=...)\n" - " * add \"-nolisten local\" to xserver options\n" - " (eg. to your display manager config, or /etc/X11/xinit/xserverrc)\n"); + // check xauth utility is present in the system + struct stat s; + if (stat("/usr/bin/xauth", &s) == -1) { + fprintf(stderr, "Error: xauth utility not found in PATH. 
Please install it:\n" + " Debian/Ubuntu/Mint: sudo apt-get install xauth\n"); exit(1); } - - // blacklist sockets - profile_check_line("blacklist /tmp/.X11-unix", 0, NULL); - profile_add(strdup("blacklist /tmp/.X11-unix")); - - // blacklist .Xauthority - profile_check_line("blacklist ${HOME}/.Xauthority", 0, NULL); - profile_add(strdup("blacklist ${HOME}/.Xauthority")); - char *xauthority = getenv("XAUTHORITY"); - if (xauthority) { - char *line; - if (asprintf(&line, "blacklist %s", xauthority) == -1) - errExit("asprintf"); - profile_check_line(line, 0, NULL); - profile_add(line); - } - - // clear environment - env_store("DISPLAY", RMENV); - env_store("XAUTHORITY", RMENV); -#endif -} - -void x11_xorg(void) { -#ifdef HAVE_X11 - // destination - create an empty ~/.Xauthotrity file if it doesn't exist already, and use it as a mount point - char *dest; - if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1) - errExit("asprintf"); - struct stat s; - if (stat(dest, &s) == -1) { - // create an .Xauthority file - touch_file_as_user(dest, getuid(), getgid(), 0600); + if (s.st_uid != 0 && s.st_gid != 0) { + fprintf(stderr, "Error: invalid /usr/bin/xauth executable\n"); + exit(1); } - // check xauth utility is present in the system - if (stat("/usr/bin/xauth", &s) == -1) { - fprintf(stderr, "Error: cannot find /usr/bin/xauth executable\n"); + // get DISPLAY env + char *display = getenv("DISPLAY"); + if (!display) { + fputs("Error: --x11=xorg requires an 'outer' X11 server to use.\n", stderr); exit(1); } @@ -779,7 +668,9 @@ void x11_xorg(void) { if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0) errExit("mounting /tmp"); - // create a temporary .Xauthority file + // create the temporary .Xauthority file + if (arg_debug) + printf("Generating a new .Xauthority file\n"); char tmpfname[] = "/tmp/.tmpXauth-XXXXXX"; int fd = mkstemp(tmpfname); if (fd == -1) { 
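Review bot: The ownership check `if (s.st_uid != 0 && s.st_gid != 0)` rejects /usr/bin/xauth only when both owner and group are non-root, so a file owned by an arbitrary user but with group root passes; if the intent stated in the porting note (make sure the executable is the real thing) is to require root ownership, it should read `if (s.st_uid != 0 || s.st_gid != 0 || !S_ISREG(s.st_mode))`. stat() follows symlinks, so the check inspects the target rather than the path itself; that is acceptable only because the later execlp uses the same absolute path. The message "xauth utility not found in PATH" is also misleading, since the lookup is the fixed /usr/bin/xauth. x11_xorg continues past this hunk.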
@@ -794,38 +685,48 @@ void x11_xorg(void) { if (child < 0) errExit("fork"); if (child == 0) { - // generate the new .Xauthority file using xauth utility - if (arg_debug) - printf("Generating a new .Xauthority file\n"); drop_privs(1); - - char *display = getenv("DISPLAY"); - if (!display) - display = ":0.0"; - clearenv(); - execlp("/usr/bin/xauth", "/usr/bin/xauth", "-f", tmpfname, - "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL); - #ifdef HAVE_GCOV __gcov_flush(); #endif - _exit(0); + execlp("/usr/bin/xauth", "/usr/bin/xauth", "-f", tmpfname, + "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL); + + _exit(127); + } + + // wait for the xauth process to finish + int status; + if (waitpid(child, &status, 0) != child) + errExit("waitpid"); + if (WIFEXITED(status) && WEXITSTATUS(status) == 0) { + /* success */ + } else if (WIFEXITED(status)) { + fprintf(stderr, "Failed to create untrusted X cookie: xauth: exit %d\n", + WEXITSTATUS(status)); + exit(1); + } else if (WIFSIGNALED(status)) { + fprintf(stderr, "Failed to create untrusted X cookie: xauth: %s\n", + strsignal(WTERMSIG(status))); + exit(1); + } else { + fprintf(stderr, "Failed to create untrusted X cookie: " + "xauth: un-decodable exit status %04x\n", status); + exit(1); } - // wait for the child to finish - waitpid(child, NULL, 0); - - // check the file was created and set mode and ownership + // ensure the file has the correct permissions and move it + // into the correct location. 
if (stat(tmpfname, &s) == -1) { - fprintf(stderr, "Error: cannot create the new .Xauthority file\n"); + fprintf(stderr, "Error: .Xauthority file was mpt created\n"); exit(1); } if (set_perms(tmpfname, getuid(), getgid(), 0600)) errExit("set_perms"); // move the temporary file in RUN_XAUTHORITY_SEC_FILE in order to have it deleted - // automatically when the sandbox is closed + // automatically when the sandbox is closed (rename doesn't work) if (copy_file(tmpfname, RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600)) { // root needed fprintf(stderr, "Error: cannot create the new .Xauthority file\n"); exit(1); @@ -834,12 +735,29 @@ void x11_xorg(void) { errExit("set_perms"); /* coverity[toctou] */ unlink(tmpfname); + umount("/tmp"); + + // Ensure there is already a file in the usual location, so that bind-mount below will work. + // todo: fix TOCTOU races, currently managed by imposing /usr/bin/xauth as executable + char *dest; + if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1) + errExit("asprintf"); + if (stat(dest, &s) == -1) { + // create an .Xauthority file + touch_file_as_user(dest, getuid(), getgid(), 0600); + } + if (is_link(dest)) { + fprintf(stderr, "Error: .Xauthority is a symbolic link\n"); + exit(1); + } + // mount if (mount(RUN_XAUTHORITY_SEC_FILE, dest, "none", MS_BIND, "mode=0600") == -1) { fprintf(stderr, "Error: cannot mount the new .Xauthority file\n"); exit(1); } + // just in case... if (set_perms(dest, getuid(), getgid(), 0600)) errExit("set_perms"); free(dest); 
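Review bot: The new error text `"Error: .Xauthority file was mpt created\n"` has a typo; it should be `"Error: .Xauthority file was not created\n"`. In the child, exec failure now ends in `_exit(127)` with no diagnostic, so a user only sees "xauth: exit 127"; a `perror("execlp")` before the `_exit` would make that case explainable. The status decoding itself is a clear improvement over the unchecked waitpid it replaces. x11_xorg starts and ends outside this hunk.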
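Review bot: The added `umount("/tmp");` ignores its return value, so if the private tmpfs cannot be unmounted (EBUSY) the function carries on silently; it should at least be reported, e.g. `if (umount("/tmp")) errExit("umount /tmp");`, consistent with the other mount calls. The `is_link(dest)` check does not close the race the todo mentions, because mount(2) resolves a symlink at the target path at mount time; opening dest with O_PATH|O_NOFOLLOW, verifying it with fstat, and bind-mounting onto /proc/self/fd/N is the usual way to make the check and the mount refer to the same object. The "mode=0600" data argument is ignored by the kernel for MS_BIND, which is why the "just in case" set_perms is the call actually doing the work. x11_xorg starts and ends outside this hunk.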
@@ -848,3 +766,104 @@ void x11_xorg(void) { umount("/tmp"); #endif } + +void fs_x11(void) { +#ifdef HAVE_X11 + int display = x11_display(); + if (display <= 0) + return; + + char *x11file; + if (asprintf(&x11file, "/tmp/.X11-unix/X%d", display) == -1) + errExit("asprintf"); + struct stat x11stat; + if (stat(x11file, &x11stat) == -1 || !S_ISSOCK(x11stat.st_mode)) { + free(x11file); + return; + } + + if (arg_debug || arg_debug_whitelists) + fprintf(stderr, "Masking all X11 sockets except %s\n", x11file); + + // Move the real /tmp/.X11-unix to a scratch location + // so we can still access x11file after we mount a + // tmpfs over /tmp/.X11-unix. + int rv = mkdir(RUN_WHITELIST_X11_DIR, 0700); + if (rv == -1) + errExit("mkdir"); + if (set_perms(RUN_WHITELIST_X11_DIR, 0, 0, 0700)) + errExit("set_perms"); + + if (mount("/tmp/.X11-unix", RUN_WHITELIST_X11_DIR, 0, MS_BIND|MS_REC, 0) < 0) + errExit("mount bind"); + + // This directory must be mode 1777, or Xlib will barf. + if (mount("tmpfs", "/tmp/.X11-unix", "tmpfs", + MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, + "mode=1777,uid=0,gid=0") < 0) + errExit("mounting tmpfs on /tmp/.X11-unix"); + fs_logger("tmpfs /tmp/.X11-unix"); + + // create an empty file which will have the desired socket bind-mounted over it + int fd = open(x11file, O_RDWR|O_CREAT|O_EXCL, x11stat.st_mode & ~S_IFMT); + if (fd < 0) + errExit(x11file); + if (fchown(fd, x11stat.st_uid, x11stat.st_gid)) + errExit("fchown"); + close(fd); + + // do the mount + char *wx11file; + if (asprintf(&wx11file, "%s/X%d", RUN_WHITELIST_X11_DIR, display) == -1) + errExit("asprintf"); + if (mount(wx11file, x11file, NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mount bind"); + fs_logger2("whitelist", x11file); + + free(x11file); + free(wx11file); + + // block access to RUN_WHITELIST_X11_DIR + if (mount(RUN_RO_DIR, RUN_WHITELIST_X11_DIR, 0, MS_BIND, 0) < 0) + errExit("mount"); + fs_logger2("blacklist", RUN_WHITELIST_X11_DIR); +#endif +} + +void x11_block(void) { 
+#ifdef HAVE_X11 + mask_x11_abstract_socket = 1; + + // check abstract socket presence and network namespace options + if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured) + && x11_abstract_sockets_present()) { + fprintf(stderr, "ERROR: --x11=none specified, but abstract X11 socket still accessible.\n" + "Additional setup required. To block abstract X11 socket you can either:\n" + " * use network namespace in firejail (--net=none, --net=...)\n" + " * add \"-nolisten local\" to xserver options\n" + " (eg. to your display manager config, or /etc/X11/xinit/xserverrc)\n"); + exit(1); + } + + // blacklist sockets + profile_check_line("blacklist /tmp/.X11-unix", 0, NULL); + profile_add(strdup("blacklist /tmp/.X11-unix")); + + // blacklist .Xauthority + profile_check_line("blacklist ${HOME}/.Xauthority", 0, NULL); + profile_add(strdup("blacklist ${HOME}/.Xauthority")); + char *xauthority = getenv("XAUTHORITY"); + if (xauthority) { + char *line; + if (asprintf(&line, "blacklist %s", xauthority) == -1) + errExit("asprintf"); + profile_check_line(line, 0, NULL); + profile_add(line); + } + + // clear environment + env_store("DISPLAY", RMENV); + env_store("XAUTHORITY", RMENV); +#endif +} + -- cgit v1.2.3-70-g09d2 From bd712448df10c185bc507e860ebcdc069249e743 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 15 Feb 2017 10:52:50 -0500 Subject: cleanup --- src/firejail/x11.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/firejail/x11.c b/src/firejail/x11.c index bde33821d..0fa789ff1 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c @@ -761,9 +761,6 @@ void x11_xorg(void) { if (set_perms(dest, getuid(), getgid(), 0600)) errExit("set_perms"); free(dest); - - // unmount /tmp - umount("/tmp"); #endif } -- cgit v1.2.3-70-g09d2 From 9ab25b908d759da1671e910759a44f38652084d9 Mon Sep 17 00:00:00 2001 
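Review bot: In the relocated fs_x11, `if (display <= 0) return;` skips the masking entirely when DISPLAY is :0, the most common display number, although x11_display() returns 0 as a valid result and -1 only on failure; unless display 0 is intentionally excluded, this should be `if (display < 0) return;`. The code is moved rather than new, so this predates the commit, but it is the point where the masking is silently bypassed. In x11_block, the `strdup()` results handed to profile_add() are not checked for NULL, unlike the asprintf() calls next to them. Both functions are complete within this hunk.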
From: netblue30 Date: Wed, 15 Feb 2017 15:57:20 -0500 Subject: merge #1100 from zackw: fcopy rework, --follow-link support in fcopy --- README | 1 + src/fcopy/main.c | 530 ++++++++++++++++++++++++++++--------------------------- 2 files changed, 273 insertions(+), 258 deletions(-) diff --git a/README b/README index a01e5fa86..f1b41bcf3 100644 --- a/README +++ b/README @@ -110,6 +110,7 @@ Zack Weinberg (https://github.com/zackw) - rework abstract X11 socket detection - rework X11 display number assignment - rework X11 xorg processing + - rework fcopy, --follow-link support in fcopy Igor Bukanov (https://github.com/ibukanov) - found/fiixed privilege escalation in --hosts-file option Cat (https://github.com/ecat3) diff --git a/src/fcopy/main.c b/src/fcopy/main.c index 43fc8fc99..089152efc 100644 --- a/src/fcopy/main.c +++ b/src/fcopy/main.c @@ -21,6 +21,7 @@ #include "../include/common.h" #include #include +#include #define COPY_LIMIT (500 * 1024 *1024) 
@@ -34,245 +35,244 @@ static char *inpath = NULL; // modified version of the function from util.c static void copy_file(const char *srcname, const char *destname, mode_t mode, uid_t uid, gid_t gid) { - assert(srcname); - assert(destname); - mode &= 07777; - - // open source - int src = open(srcname, O_RDONLY); - if (src < 0) { - fprintf(stderr, "Warning fcopy: cannot open %s, file not copied\n", srcname); - return; - } - - // open destination - int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, 0755); - if (dst < 0) { - fprintf(stderr, "Warning fcopy: cannot open %s, file not copied\n", destname); - close(src); - return; - } - - // copy - ssize_t len; - static const int BUFLEN = 1024; - unsigned char buf[BUFLEN]; - while ((len = read(src, buf, BUFLEN)) > 0) { - int done = 0; - while (done != len) { - int rv = write(dst, buf + done, len - done); - if (rv == -1) - goto errexit; - done += rv; - } - } - fflush(0); - - if (fchown(dst, uid, gid) == -1) - goto errexit; - if (fchmod(dst, mode) == -1) - goto errexit; - - close(src); - close(dst); - - return; + assert(srcname); + assert(destname); + mode &= 07777; + + // open source + int src = open(srcname, O_RDONLY); + if (src < 0) { + fprintf(stderr, "Warning fcopy: cannot open %s, file not copied\n", srcname); + return; + } + + // open destination + int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, 0755); + if (dst < 0) { + fprintf(stderr, "Warning fcopy: cannot open %s, file not copied\n", destname); + close(src); + return; + } + + // copy + ssize_t len; + static const int BUFLEN = 1024; + unsigned char buf[BUFLEN]; + while ((len = read(src, buf, BUFLEN)) > 0) { + int done = 0; + while (done != len) { + int rv = write(dst, buf + done, len - done); + if (rv == -1) + goto errexit; + done += rv; + } + } + fflush(0); + + if (fchown(dst, uid, gid) == -1) + goto errexit; + if (fchmod(dst, mode) == -1) + goto errexit; + + close(src); + close(dst); + + return; errexit: - close(src); - close(dst); - unlink(destname); - 
fprintf(stderr, "Warning fcopy: cannot copy %s\n", destname); + close(src); + close(dst); + unlink(destname); + fprintf(stderr, "Warning fcopy: cannot copy %s\n", destname); } // modified version of the function in firejail/util.c static void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) { - assert(fname); - mode &= 07777; - - if (mkdir(fname, mode) == -1 || - chmod(fname, mode) == -1) { - fprintf(stderr, "Error fcopy: failed to create %s directory\n", fname); - errExit("mkdir/chmod"); - } - if (chown(fname, uid, gid)) - fprintf(stderr, "Warning fcopy: failed to change ownership of %s\n", fname); + assert(fname); + mode &= 07777; + + if (mkdir(fname, mode) == -1 || + chmod(fname, mode) == -1) { + fprintf(stderr, "Error fcopy: failed to create %s directory\n", fname); + errExit("mkdir/chmod"); + } + if (chown(fname, uid, gid)) + fprintf(stderr, "Warning fcopy: failed to change ownership of %s\n", fname); } void copy_link(const char *target, const char *linkpath, mode_t mode, uid_t uid, gid_t gid) { - (void) mode; - (void) uid; - (void) gid; - char *rp = realpath(target, NULL); - if (rp) { - if (symlink(rp, linkpath) == -1) - goto errout; - free(rp); - } - else - goto errout; - - return; + (void) mode; + (void) uid; + (void) gid; + char *rp = realpath(target, NULL); + if (rp) { + if (symlink(rp, linkpath) == -1) + goto errout; + free(rp); + } + else + goto errout; + + return; errout: - fprintf(stderr, "Warning fcopy: cannot create symbolic link %s\n", target); + fprintf(stderr, "Warning fcopy: cannot create symbolic link %s\n", target); } static int first = 1; static int fs_copydir(const char *infname, const struct stat *st, int ftype, struct FTW *sftw) { - (void) st; - (void) sftw; - assert(infname); - assert(*infname != '\0'); - assert(outpath); - assert(*outpath != '\0'); - assert(inpath); - - // check size limit - if (size_limit_reached) - return 0; - - - char *outfname; - if (asprintf(&outfname, "%s%s", outpath, infname + strlen(inpath)) == 
-1) - errExit("asprintf"); - -//printf("outpaht %s\n", outpath); -//printf("inpath %s\n", inpath); -//printf("infname %s\n", infname); -//printf("outfname %s\n\n", outfname); - - // don't copy it if we already have the file - struct stat s; - if (stat(outfname, &s) == 0) { - if (first) - first = 0; - else - fprintf(stderr, "Warning fcopy: skipping %s, file already present\n", infname); - free(outfname); - return 0; - } - - // extract mode and ownership - if (stat(infname, &s) != 0) { - fprintf(stderr, "Warning fcopy: skipping %s, cannot find inode\n", infname); - free(outfname); - return 0; - } - uid_t uid = s.st_uid; - gid_t gid = s.st_gid; - mode_t mode = s.st_mode; - - // recalculate size - if ((s.st_size + size_cnt) > COPY_LIMIT) { - fprintf(stderr, "Error fcopy: size limit of %dMB reached\n", (COPY_LIMIT / 1024) / 1024); - size_limit_reached = 1; - free(outfname); - return 0; - } - - file_cnt++; - size_cnt += s.st_size; - - if(ftype == FTW_F) { - copy_file(infname, outfname, mode, uid, gid); - } - else if (ftype == FTW_D) { - mkdir_attr(outfname, mode, uid, gid); - } - else if (ftype == FTW_SL) { - copy_link(infname, outfname, mode, uid, gid); - } - - return(0); + (void) st; + (void) sftw; + assert(infname); + assert(*infname != '\0'); + assert(outpath); + assert(*outpath != '\0'); + assert(inpath); + + // check size limit + if (size_limit_reached) + return 0; + + + char *outfname; + if (asprintf(&outfname, "%s%s", outpath, infname + strlen(inpath)) == -1) + errExit("asprintf"); + + // don't copy it if we already have the file + struct stat s; + if (stat(outfname, &s) == 0) { + if (first) + first = 0; + else + fprintf(stderr, "Warning fcopy: skipping %s, file already present\n", infname); + free(outfname); + return 0; + } + + // extract mode and ownership + if (stat(infname, &s) != 0) { + fprintf(stderr, "Warning fcopy: skipping %s, cannot find inode\n", infname); + free(outfname); + return 0; + } + uid_t uid = s.st_uid; + gid_t gid = s.st_gid; + mode_t mode = 
s.st_mode; + + // recalculate size + if ((s.st_size + size_cnt) > COPY_LIMIT) { + fprintf(stderr, "Error fcopy: size limit of %dMB reached\n", (COPY_LIMIT / 1024) / 1024); + size_limit_reached = 1; + free(outfname); + return 0; + } + + file_cnt++; + size_cnt += s.st_size; + + if(ftype == FTW_F) { + copy_file(infname, outfname, mode, uid, gid); + } + else if (ftype == FTW_D) { + mkdir_attr(outfname, mode, uid, gid); + } + else if (ftype == FTW_SL) { + copy_link(infname, outfname, mode, uid, gid); + } + + return(0); } static char *check(const char *src) { - struct stat s; - char *rsrc = realpath(src, NULL); - if (!rsrc || stat(rsrc, &s) == -1) - goto errexit; - - // check uid - if (s.st_uid != getuid() || s.st_gid != getgid()) - goto errexit; - - // dir, link, regular file - if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode) || S_ISLNK(s.st_mode)) - return rsrc; // normal exit from the function - + struct stat s; + char *rsrc = realpath(src, NULL); + if (!rsrc || stat(rsrc, &s) == -1) + goto errexit; + + // check uid + if (s.st_uid != getuid() || s.st_gid != getgid()) + goto errexit; + + // dir, link, regular file + if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode) || S_ISLNK(s.st_mode)) + return rsrc; // normal exit from the function + errexit: - fprintf(stderr, "Error fcopy: invalid file %s\n", src); - exit(1); + fprintf(stderr, "Error fcopy: invalid file %s\n", src); + exit(1); } static void duplicate_dir(const char *src, const char *dest, struct stat *s) { - (void) s; - char *rsrc = check(src); - char *rdest = check(dest); - inpath = rsrc; - outpath = rdest; - - // walk - if(nftw(rsrc, fs_copydir, 1, FTW_PHYS) != 0) { - fprintf(stderr, "Error: unable to copy file\n"); - exit(1); - } - - free(rsrc); - free(rdest); + (void) s; + char *rsrc = check(src); + char *rdest = check(dest); + inpath = rsrc; + outpath = rdest; + + // walk + if(nftw(rsrc, fs_copydir, 1, FTW_PHYS) != 0) { + fprintf(stderr, "Error: unable to copy file\n"); + exit(1); + } + + free(rsrc); + free(rdest); } 
static void duplicate_file(const char *src, const char *dest, struct stat *s) { - char *rsrc = check(src); - char *rdest = check(dest); - uid_t uid = s->st_uid; - gid_t gid = s->st_gid; - mode_t mode = s->st_mode; - - // build destination file name - char *name; - char *ptr = strrchr(rsrc, '/'); - ptr++; - if (asprintf(&name, "%s/%s", rdest, ptr) == -1) - errExit("asprintf"); - - // copy - copy_file(rsrc, name, mode, uid, gid); - - free(name); - free(rsrc); - free(rdest); + char *rsrc = check(src); // we drop the result and use the original name + char *rdest = check(dest); + uid_t uid = s->st_uid; + gid_t gid = s->st_gid; + mode_t mode = s->st_mode; + + // build destination file name + char *name; + char *ptr = strrchr(src, '/'); + ptr++; + if (asprintf(&name, "%s/%s", rdest, ptr) == -1) + errExit("asprintf"); + + // copy + copy_file(rsrc, name, mode, uid, gid); + + free(name); + free(rsrc); + free(rdest); } static void duplicate_link(const char *src, const char *dest, struct stat *s) { - char *rsrc = check(src); // we drop the result and use the original name - char *rdest = check(dest); - uid_t uid = s->st_uid; - gid_t gid = s->st_gid; - mode_t mode = s->st_mode; - - // build destination file name - char *name; + char *rsrc = check(src); // we drop the result and use the original name + char *rdest = check(dest); + uid_t uid = s->st_uid; + gid_t gid = s->st_gid; + mode_t mode = s->st_mode; + + // build destination file name + char *name; // char *ptr = strrchr(rsrc, '/'); - char *ptr = strrchr(src, '/'); - ptr++; - if (asprintf(&name, "%s/%s", rdest, ptr) == -1) - errExit("asprintf"); - - // copy - copy_link(rsrc, name, mode, uid, gid); - - free(name); - free(rsrc); - free(rdest); + char *ptr = strrchr(src, '/'); + ptr++; + if (asprintf(&name, "%s/%s", rdest, ptr) == -1) + errExit("asprintf"); + + // copy + copy_link(rsrc, name, mode, uid, gid); + + free(name); + free(rsrc); + free(rdest); } static void usage(void) { - printf("Usage: fcopy src dest\n"); - 
printf("Copy src file in dest directory. If src is a directory, copy all the files in\n"); - printf("src recoursively. If the destination directory does not exist, it will be created.\n"); + fputs("Usage: fcopy [--follow-link] src dest\n" + "\n" + "Copy SRC to DEST/SRC. SRC may be a file, directory, or symbolic link.\n" + "If SRC is a directory it is copied recursively. If it is a symlink,\n" + "the link itself is duplicated, unless --follow-link is given,\n" + "in which case the destination of the link is copied.\n" + "DEST must already exist and must be a directory.\n", stderr); } int main(int argc, char **argv) { 
@@ -285,56 +285,70 @@ for (i = 0; i < argc; i++) printf("\n"); } #endif - if (argc != 3) { - fprintf(stderr, "Error fcopy: files missing\n"); - usage(); - exit(1); - } - - // check the two files; remove ending / - char *src = argv[1]; - int len = strlen(src); - if (src[len - 1] == '/') - src[len - 1] = '\0'; - if (strcspn(src, "\\*&!?\"'<>%^(){}[];,") != (size_t)len) { - fprintf(stderr, "Error fcopy: invalid file name %s\n", src); - exit(1); - } - - char *dest = argv[2]; - len = strlen(dest); - if (dest[len - 1] == '/') - dest[len - 1] = '\0'; - if (strcspn(dest, "\\*&!?\"'<>%^(){}[];,~") != (size_t)len) { - fprintf(stderr, "Error fcopy: invalid file name %s\n", dest); - exit(1); - } - - - // the destination should be a directory; - struct stat s; - if (stat(dest, &s) == -1 || - !S_ISDIR(s.st_mode)) { - fprintf(stderr, "Error fcopy: invalid destination directory\n"); - exit(1); - } - - // copy files - if (lstat(src, &s) == -1) { - fprintf(stderr, "Error fcopy: cannot find source file\n"); - exit(1); - } - - if (S_ISDIR(s.st_mode)) - duplicate_dir(src, dest, &s); - else if (S_ISREG(s.st_mode)) - duplicate_file(src, dest, &s); - else if (S_ISLNK(s.st_mode)) - duplicate_link(src, dest, &s); - else { - fprintf(stderr, "Error fcopy: source file unsupported\n"); - exit(1); - } - - return 0; + char *src; + char *dest; + int follow_link; + + if (argc == 3) { + src = argv[1]; + dest = argv[2]; + follow_link = 0; + } + else if (argc == 4 && !strcmp(argv[1], "--follow-link")) { + src = argv[2]; + dest = argv[3]; + follow_link = 1; + } + else { + usage(); + exit(1); + } + + // check the two files; remove ending / + int len = strlen(src); + if (src[len - 1] == '/') + src[len - 1] = '\0'; + if (strcspn(src, "\\*&!?\"'<>%^(){}[];,") != (size_t)len) { + fprintf(stderr, "Error fcopy: invalid source file name %s\n", src); + exit(1); + } + + len = strlen(dest); + if (dest[len - 1] == '/') + dest[len - 1] = '\0'; + if (strcspn(dest, "\\*&!?\"'<>%^(){}[];,~") != (size_t)len) { + 
fprintf(stderr, "Error fcopy: invalid dest file name %s\n", dest); + exit(1); + } + + + // the destination should be a directory; + struct stat s; + if (stat(dest, &s) == -1) { + fprintf(stderr, "Error fcopy: dest dir %s: %s\n", dest, strerror(errno)); + exit(1); + } + if (!S_ISDIR(s.st_mode)) { + fprintf(stderr, "Error fcopy: dest %s is not a directory\n", dest); + exit(1); + } + + // copy files + if ((follow_link ? stat : lstat)(src, &s) == -1) { + fprintf(stderr, "Error fcopy: src %s: %s\n", src, strerror(errno)); + exit(1); + } + + if (S_ISDIR(s.st_mode)) + duplicate_dir(src, dest, &s); + else if (S_ISREG(s.st_mode)) + duplicate_file(src, dest, &s); + else if (S_ISLNK(s.st_mode)) + duplicate_link(src, dest, &s); + else { + fprintf(stderr, "Error fcopy: src %s is an unsupported type of file\n", src); + exit(1); + } + + return 0; } -- cgit v1.2.3-70-g09d2 From f4ab39bfce61aa7b61b860fab96488b7f3e8fb66 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 15 Feb 2017 19:51:50 -0500 Subject: merge #1100 from zackw: follow link support in --private-bin --- README | 1 + src/fcopy/main.c | 16 +++++++++------- src/firejail/fs_bin.c | 2 +- test/fcopy/cmdline.exp | 8 ++++---- test/fs/private-home.exp | 2 +- 5 files changed, 16 insertions(+), 13 deletions(-) diff --git a/README b/README index f1b41bcf3..b12ad7b59 100644 --- a/README +++ b/README @@ -111,6 +111,7 @@ Zack Weinberg (https://github.com/zackw) - rework X11 display number assignment - rework X11 xorg processing - rework fcopy, --follow-link support in fcopy + - follow link support in --private-bin Igor Bukanov (https://github.com/ibukanov) - found/fiixed privilege escalation in --hosts-file option Cat (https://github.com/ecat3) diff --git a/src/fcopy/main.c b/src/fcopy/main.c index 089152efc..9f19b6dd8 100644 --- a/src/fcopy/main.c +++ b/src/fcopy/main.c @@ -23,6 +23,8 @@ #include #include +static int arg_follow_link = 0; + #define COPY_LIMIT (500 * 1024 *1024) static int size_limit_reached = 0; 
@@ -221,7 +223,7 @@ static void duplicate_dir(const char *src, const char *dest, struct stat *s) { } static void duplicate_file(const char *src, const char *dest, struct stat *s) { - char *rsrc = check(src); // we drop the result and use the original name + char *rsrc = check(src); char *rdest = check(dest); uid_t uid = s->st_uid; gid_t gid = s->st_gid; @@ -229,7 +231,7 @@ static void duplicate_file(const char *src, const char *dest, struct stat *s) { // build destination file name char *name; - char *ptr = strrchr(src, '/'); + char *ptr = (arg_follow_link)? strrchr(src, '/'): strrchr(rsrc, '/'); ptr++; if (asprintf(&name, "%s/%s", rdest, ptr) == -1) errExit("asprintf"); @@ -251,7 +253,7 @@ static void duplicate_link(const char *src, const char *dest, struct stat *s) { // build destination file name char *name; -// char *ptr = strrchr(rsrc, '/'); +// char *ptr = strrchr(rsrc, '/'); char *ptr = strrchr(src, '/'); ptr++; if (asprintf(&name, "%s/%s", rdest, ptr) == -1) @@ -287,19 +289,19 @@ printf("\n"); #endif char *src; char *dest; - int follow_link; if (argc == 3) { src = argv[1]; dest = argv[2]; - follow_link = 0; + arg_follow_link = 0; } else if (argc == 4 && !strcmp(argv[1], "--follow-link")) { src = argv[2]; dest = argv[3]; - follow_link = 1; + arg_follow_link = 1; } else { + fprintf(stderr, "Error: arguments missing\n"); usage(); exit(1); } @@ -334,7 +336,7 @@ printf("\n"); } // copy files - if ((follow_link ? stat : lstat)(src, &s) == -1) { + if ((arg_follow_link ? stat : lstat)(src, &s) == -1) { fprintf(stderr, "Error fcopy: src %s: %s\n", src, strerror(errno)); exit(1); } diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index 547978b47..3473fca4c 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c 
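Review bot: In the follow-link branch of `char *ptr = (arg_follow_link)? strrchr(src, '/'): strrchr(rsrc, '/');` the result is NULL when src is a bare relative name (the cmdline tests on this page invoke fcopy with names like `foo1`), and the unchanged `ptr++` on the next line then passes an invalid pointer to asprintf; the rsrc branch is safe only because realpath() returns an absolute path. Compute the base name with a fallback instead: `const char *base = arg_follow_link ? src : rsrc;` then `char *ptr = strrchr(base, '/');` and `ptr = ptr ? ptr + 1 : (char *)base;`, dropping the bare `ptr++`. duplicate_file's signature and the rest of its body lie outside this hunk.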
@@ -111,7 +111,7 @@ static void duplicate(char *fname) { errExit("asprintf"); // copy the file - sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, full_path, RUN_BIN_DIR); + sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, RUN_BIN_DIR); fs_logger2("clone", fname); free(full_path); } diff --git a/test/fcopy/cmdline.exp b/test/fcopy/cmdline.exp index 3ea33b01b..10dd8da58 100755 --- a/test/fcopy/cmdline.exp +++ b/test/fcopy/cmdline.exp @@ -10,7 +10,7 @@ match_max 100000 send -- "/usr/lib/firejail/fcopy\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "files missing" + "arguments missing" } expect { timeout {puts "TESTING ERROR 1\n";exit} @@ -21,7 +21,7 @@ after 100 send -- "/usr/lib/firejail/fcopy foo\r" expect { timeout {puts "TESTING ERROR 2\n";exit} - "files missing" + "arguments missing" } expect { timeout {puts "TESTING ERROR 3\n";exit} @@ -32,14 +32,14 @@ after 100 send -- "/usr/lib/firejail/fcopy f%oo1 foo2\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "invalid file name" + "invalid source file name" } after 100 send -- "/usr/lib/firejail/fcopy foo1 f,oo2\r" expect { timeout {puts "TESTING ERROR 5\n";exit} - "invalid file name" + "invalid dest file name" } after 100 diff --git a/test/fs/private-home.exp b/test/fs/private-home.exp index f2f30914d..259eb4f9e 100755 --- a/test/fs/private-home.exp +++ b/test/fs/private-home.exp @@ -89,7 +89,7 @@ expect { "Child process initialized" } after 100 -send -- "file file ~/_firejail_test_link2\r" +send -- "file ~/_firejail_test_link2\r" expect { timeout {puts "TESTING ERROR 11\n";exit} "broken symbolic link" -- cgit v1.2.3-70-g09d2 From 89d3c606f9a9c2b19e22799280080139e5a2ac94 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 17 Feb 2017 08:21:52 -0500 Subject: profile merge --- README | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README b/README index b12ad7b59..0d6fab91e 100644 --- a/README +++ b/README 
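Review bot: The `// copy the file` comment above the changed sbox_run call no longer says what now happens, and the reason for `--follow-link` is not recorded anywhere in duplicate(); according to fcopy's usage text in this series, the flag makes fcopy copy the link target's contents rather than duplicate the link itself. Suggest `// copy the file; --follow-link makes fcopy copy the link target's contents under the link's own name, so a symlinked binary does not end up as a dangling link inside RUN_BIN_DIR` (the dangling-link motivation is inferred and should be confirmed before it is written down). duplicate() starts outside this hunk.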
@@ -112,6 +112,8 @@ Zack Weinberg (https://github.com/zackw) - rework X11 xorg processing - rework fcopy, --follow-link support in fcopy - follow link support in --private-bin +Austin S. Hemmelgarn (https://github.com/Ferroin) + - unbound profile update Igor Bukanov (https://github.com/ibukanov) - found/fiixed privilege escalation in --hosts-file option Cat (https://github.com/ecat3) -- cgit v1.2.3-70-g09d2 From da20ab3c5e31a6633f49d6ec1bd7697941032c49 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 17 Feb 2017 08:50:17 -0500 Subject: kino profile --- README.md | 4 +++- etc/disable-programs.inc | 2 ++ platform/debian/conffiles | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index dd97057c0..7d2386a2b 100644 --- a/README.md +++ b/README.md @@ -150,5 +150,7 @@ gjs, gnome-books, gnome-clocks, gnome-documents, gnome-maps, gnome-music, gnome- goobox, gpa, gpg, gpg-agent, highlight, img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, w3m, xfburn, xpra, wget, xed, pluma, Cryptocat, Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5, -PDFSam, Pithos, Xonotic, wireshark, keepassx2, QupZilla, FossaMail, Uzbl browser, xmms, iridium browser +PDFSam, Pithos, Xonotic, wireshark, keepassx2, QupZilla, FossaMail, Uzbl browser, xmms, iridium browser, +Kino + diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 98cd2125f..802812fe7 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -282,3 +282,5 @@ blacklist ${HOME}/.xpdfrc blacklist ${HOME}/.zoom blacklist ${HOME}/wallet.dat blacklist /tmp/ssh-* +blacklist ${HOME}/.kinorc +blacklist ${HOME}/.kino-history diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 4d63c3d54..e004e93ce 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles 
@@ -246,4 +246,4 @@ /etc/firejail/xmms.profile /etc/firejail/iridium-browser.profile /etc/firejail/iridium.profile - +/etc/firejail/kino.profile -- cgit v1.2.3-70-g09d2 From ae7c2f508b0f27b5e7115dd3e75cec19eb40befa Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 17 Feb 2017 10:08:12 -0500 Subject: merge #1100 from zackw: x11=xorg testing --- src/firejail/x11.c | 10 +++++++--- test/apps-x11-xorg/firefox.exp | 2 +- test/apps-x11-xorg/icedove.exp | 2 +- test/apps-x11-xorg/transmission-gtk.exp | 2 +- 4 files changed, 10 insertions(+), 6 deletions(-) diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 0fa789ff1..74eb00268 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c @@ -625,7 +625,6 @@ void x11_start(int argc, char **argv) { exit(0); } } - #endif // Porting notes: @@ -642,6 +641,11 @@ void x11_start(int argc, char **argv) { // directory, we need to make sure /usr/bin/xauth executable is the real thing, and not // something picked up on $PATH. // +// 3. If for any reason xauth command fails, we exit the sandbox. On Debian 8 this happens +// when using a network namespace. Somehow, xauth tries to connect to the abstract socket, +// and it failes because of the network namespace - it should try to connect to the regular +// Unix socket! If we ignore the fail condition, the program will be started on X server without +// the security extension loaded. void x11_xorg(void) { #ifdef HAVE_X11 @@ -690,7 +694,7 @@ void x11_xorg(void) { #ifdef HAVE_GCOV __gcov_flush(); #endif - execlp("/usr/bin/xauth", "/usr/bin/xauth", "-f", tmpfname, + execlp("/usr/bin/xauth", "/usr/bin/xauth", "-v", "-f", tmpfname, "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL); _exit(127); 
@@ -719,7 +723,7 @@ void x11_xorg(void) { // ensure the file has the correct permissions and move it // into the correct location. if (stat(tmpfname, &s) == -1) { - fprintf(stderr, "Error: .Xauthority file was mpt created\n"); + fprintf(stderr, "Error: .Xauthority file was not created\n"); exit(1); } if (set_perms(tmpfname, getuid(), getgid(), 0600)) diff --git a/test/apps-x11-xorg/firefox.exp b/test/apps-x11-xorg/firefox.exp index f66aeddd8..4da9e5a16 100755 --- a/test/apps-x11-xorg/firefox.exp +++ b/test/apps-x11-xorg/firefox.exp @@ -7,7 +7,7 @@ set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "firejail --name=test --x11=xorg firefox -no-remote www.gentoo.org\r" +send -- "firejail --name=test --x11=xorg --ignore=net --ignore=netfilter --ignore=iprange firefox -no-remote www.gentoo.org\r" sleep 10 spawn $env(SHELL) diff --git a/test/apps-x11-xorg/icedove.exp b/test/apps-x11-xorg/icedove.exp index f7a08aa8f..ce1d38222 100755 --- a/test/apps-x11-xorg/icedove.exp +++ b/test/apps-x11-xorg/icedove.exp @@ -7,7 +7,7 @@ set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "firejail --name=test --x11=xorg icedove\r" +send -- "firejail --name=test --x11=xorg --ignore=net --ignore=netfilter --ignore=iprange icedove\r" sleep 10 spawn $env(SHELL) diff --git a/test/apps-x11-xorg/transmission-gtk.exp b/test/apps-x11-xorg/transmission-gtk.exp index de8a7f7c6..c6d9ba13a 100755 --- a/test/apps-x11-xorg/transmission-gtk.exp +++ b/test/apps-x11-xorg/transmission-gtk.exp @@ -7,7 +7,7 @@ set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "firejail --name=test --x11=xorg transmission-gtk\r" +send -- "firejail --name=test --x11=xorg --ignore=net --ignore=netfilter --ignore=iprange transmission-gtk\r" sleep 10 spawn $env(SHELL) -- cgit v1.2.3-70-g09d2 From 400ece953865d42a2619323e82b60257c8ac8f31 Mon Sep 17 00:00:00 2001 
From: Fred Barclay Date: Fri, 17 Feb 2017 14:41:48 -0600 Subject: Tightened keepassx profiles. --- etc/keepassx.profile | 9 ++++++--- etc/keepassx2.profile | 6 ++++-- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/etc/keepassx.profile b/etc/keepassx.profile index ec6d014bf..6c36697e5 100644 --- a/etc/keepassx.profile +++ b/etc/keepassx.profile @@ -1,6 +1,6 @@ # This file is overwritten during software install. # Persistent customizations should go in a .local file. -include /etc/firejail/keepassx.local +include /etc/firejail/keepassx2.local # keepassx password manager profile noblacklist ${HOME}/.config/keepassx @@ -13,14 +13,17 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +net none nogroups nonewprivs noroot nosound protocol unix seccomp -netfilter shell none +tracelog +private-bin keepassx +private-etc fonts +private-dev private-tmp -private-dev diff --git a/etc/keepassx2.profile b/etc/keepassx2.profile index 5bf79b891..83f93e9f7 100644 --- a/etc/keepassx2.profile +++ b/etc/keepassx2.profile @@ -13,14 +13,16 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +net none nogroups nonewprivs noroot nosound protocol unix seccomp -netfilter shell none +private-bin keepassx2 +private-etc fonts +private-dev private-tmp -private-dev -- cgit v1.2.3-70-g09d2 From d3580ea355a6582203a929162d6ee7c1d1b634ee Mon Sep 17 00:00:00 2001 From: Fred Barclay Date: Fri, 17 Feb 2017 14:44:28 -0600 Subject: Oops... typo --- etc/keepassx.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/keepassx.profile b/etc/keepassx.profile index 6c36697e5..4665f5596 100644 --- a/etc/keepassx.profile +++ b/etc/keepassx.profile 
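Review bot: The keepassx2.profile hunk omits `tracelog`, which the keepassx.profile hunk in the same commit adds after `shell none`; for parity between the two sibling profiles, add `tracelog` after `shell none` in keepassx2.profile as well. Both hunks replace `netfilter` with `net none`, which is consistent with each other, so only the tracelog line differs.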
@@ -1,6 +1,6 @@ # This file is overwritten during software install. # Persistent customizations should go in a .local file. -include /etc/firejail/keepassx2.local +include /etc/firejail/keepassx.local # keepassx password manager profile noblacklist ${HOME}/.config/keepassx -- cgit v1.2.3-70-g09d2 From 884fdb721708c1658743f9c6dd33e8d0f2266207 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 19 Feb 2017 10:07:05 -0500 Subject: profile merges --- README | 12 ++++++++++++ README.md | 4 ++++ 2 files changed, 16 insertions(+) diff --git a/README b/README index 0d6fab91e..ac520da06 100644 --- a/README +++ b/README @@ -15,6 +15,17 @@ Documentation and support: https://firejail.wordpress.com/ Development: https://github.com/netblue30/firejail License: GPL v2 +Compile and install + +$ git clone https://github.com/netblue30/firejail.git +$ cd firejail +$ ./configure && make && sudo make install-strip + +On Debian/Ubuntu you will need to install git and a compiler: + +$ sudo apt-get install build-essential + + Firejail Authors: netblue30 (netblue30@yahoo.com) @@ -86,6 +97,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - uudeview profile fix - fixed palemoon and qbittorrent profiles - compile/install scripts for --git-install/--git-uninstall commands + - tighten keepassx valoq (https://github.com/valoq) - lots of profile fixes - added support for /srv in --whitelist feature diff --git a/README.md b/README.md index 7d2386a2b..df1a66226 100644 --- a/README.md +++ b/README.md @@ -45,6 +45,10 @@ $ git clone https://github.com/netblue30/firejail.git $ cd firejail $ ./configure && make && sudo make install-strip ````` +On Debian/Ubuntu you will need to install git and a compiler: +````` +$ sudo apt-get install git build-essential +````` ## User submitted profile repositories -- cgit v1.2.3-70-g09d2 From 0d2044aa09a8d54d06d4c6dc2c93a0c63091c44c Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Sun, 19 Feb 2017 15:31:01 -0500 Subject: spelling --- src/firejail/x11.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 74eb00268..5bbc327a6 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c @@ -643,7 +643,7 @@ void x11_start(int argc, char **argv) { // // 3. If for any reason xauth command fails, we exit the sandbox. On Debian 8 this happens // when using a network namespace. Somehow, xauth tries to connect to the abstract socket, -// and it failes because of the network namespace - it should try to connect to the regular +// and it fails because of the network namespace - it should try to connect to the regular // Unix socket! If we ignore the fail condition, the program will be started on X server without // the security extension loaded. void x11_xorg(void) { -- cgit v1.2.3-70-g09d2 From eba2c50c45301698a035f8c86e0e50e77329c1dc Mon Sep 17 00:00:00 2001 From: Fred Barclay Date: Sun, 19 Feb 2017 15:42:30 -0600 Subject: Added thunar profile --- etc/Thunar.profile | 23 +++++++++++++++++++++++ etc/thunar.profile | 1 + 2 files changed, 24 insertions(+) create mode 100644 etc/Thunar.profile create mode 100644 etc/thunar.profile diff --git a/etc/Thunar.profile b/etc/Thunar.profile new file mode 100644 index 000000000..5a27177e0 --- /dev/null +++ b/etc/Thunar.profile @@ -0,0 +1,23 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/Thunar.local + +# Firejail profile for thunar +noblacklist ~/.config/Thunar +noblacklist ~/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +shell none +tracelog 
diff --git a/etc/thunar.profile b/etc/thunar.profile new file mode 100644 index 000000000..868f80912 --- /dev/null +++ b/etc/thunar.profile @@ -0,0 +1 @@ +include /etc/firejail/Thunar.profile -- cgit v1.2.3-70-g09d2 From e68b40e59cbe1f396fc6dc0d386ca7d101dc12b5 Mon Sep 17 00:00:00 2001 From: Fred Barclay Date: Sun, 19 Feb 2017 15:43:10 -0600 Subject: extra thunar files --- README | 3 ++- README.md | 4 +--- RELNOTES | 2 +- etc/disable-programs.inc | 2 ++ platform/debian/conffiles | 2 ++ src/firecfg/firecfg.config | 2 ++ 6 files changed, 10 insertions(+), 5 deletions(-) diff --git a/README b/README index ac520da06..ab5577382 100644 --- a/README +++ b/README @@ -98,6 +98,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - fixed palemoon and qbittorrent profiles - compile/install scripts for --git-install/--git-uninstall commands - tighten keepassx + - added Thunar profile valoq (https://github.com/valoq) - lots of profile fixes - added support for /srv in --whitelist feature @@ -407,4 +408,4 @@ pstn (https://github.com/pstn) Alexey Kuznetsov (kuznet@ms2.inr.ac.ru) - src/lib/libnetlink.c extracted from iproute2 software package -Copyright (C) 2014-2016 Firejail Authors +Copyright (C) 2014-2017 Firejail Authors diff --git a/README.md b/README.md index df1a66226..687877c73 100644 --- a/README.md +++ b/README.md @@ -155,6 +155,4 @@ goobox, gpa, gpg, gpg-agent, highlight, img2txt, k3b, kate, lynx, mediainfo, nau simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, w3m, xfburn, xpra, wget, xed, pluma, Cryptocat, Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5, PDFSam, Pithos, Xonotic, wireshark, keepassx2, QupZilla, FossaMail, Uzbl browser, xmms, iridium browser, -Kino - - +Kino, Thunar diff --git a/RELNOTES b/RELNOTES index bef255458..9f1d22730 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -34,7 +34,7 @@ firejail (0.9.45) baseline; urgency=low * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, * new profiles: Gnome Contacts, JD-GUI, Lollypop, MultiMC5, PDFSam, Pithos, * new profies: Xonotic, wireshark, keepassx2, QupZilla, FossaMail, - * new profiles: Uzbl browser, iridium browser + * new profiles: Uzbl browser, iridium browser, Thunar * bugfixes -- netblue30 Sun, 23 Oct 2016 08:00:00 -0500 diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 802812fe7..cf654825a 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -70,6 +70,7 @@ blacklist ${HOME}/.config/Mumble blacklist ${HOME}/.config/QuiteRss blacklist ${HOME}/.config/QuiteRssrc blacklist ${HOME}/.config/Slack +blacklist ${HOME}/.config/Thunar blacklist ${HOME}/.config/VirtualBox blacklist ${HOME}/.config/Wire blacklist ${HOME}/.config/ardour4 @@ -149,6 +150,7 @@ blacklist ${HOME}/.config/wireshark blacklist ${HOME}/.config/xchat blacklist ${HOME}/.config/xed blacklist ${HOME}/.config/xfburn +blacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml blacklist ${HOME}/.config/xplayer blacklist ${HOME}/.config/xreader blacklist ${HOME}/.config/xviewer diff --git a/platform/debian/conffiles b/platform/debian/conffiles index e004e93ce..edaf1781b 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -247,3 +247,5 @@ /etc/firejail/iridium-browser.profile /etc/firejail/iridium.profile /etc/firejail/kino.profile +/etc/firejail/Thunar.profile +/etc/firejail/thunar.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index d5030bae0..7c959cd04 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -191,6 +191,8 @@ keepass2 keepassx keepassx2 pluma +Thunar +thunar tracker wireshark xiphos -- cgit v1.2.3-70-g09d2 From 9d5f377dd3cdc599890c274686045f857d33a3b4 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Mon, 20 Feb 2017 10:55:40 -0500 Subject: security: ~/.pki directory whitelisted and later blacklisted. This affects most browsers, and disables the custom certificates installed by the user. --- RELNOTES | 2 ++ etc/abrowser.profile | 1 + etc/chromium.profile | 1 + etc/cyberfox.profile | 1 + etc/firefox.profile | 2 ++ etc/flashpeak-slimjet.profile | 1 + etc/franz.profile | 1 + etc/google-chrome-beta.profile | 1 + etc/google-chrome-unstable.profile | 1 + etc/google-chrome.profile | 1 + etc/icecat.profile | 1 + etc/inox.profile | 1 + etc/opera-beta.profile | 1 + etc/opera.profile | 1 + etc/seamonkey.profile | 1 + 15 files changed, 17 insertions(+) diff --git a/RELNOTES b/RELNOTES index bef255458..5e787aca5 100644 --- a/RELNOTES +++ b/RELNOTES @@ -13,6 +13,8 @@ firejail (0.9.45) baseline; urgency=low * security: split seccomp filter code configuration in a separate executable * security: split file copying in private option in a separate executable * security: root exploit found by Sebastian Krahmer (CVE-2017-5180) + * security: ~/.pki directory whitelisted and later blacklisted. This affects + most browsers, and disables the custom certificates installed by the user. * feature: disable gnupg and systemd directories under /run/user * feature: test coverage (gcov) support * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm) diff --git a/etc/abrowser.profile b/etc/abrowser.profile index 8515f5143..bdd56e42f 100644 --- a/etc/abrowser.profile +++ b/etc/abrowser.profile @@ -5,6 +5,7 @@ include /etc/firejail/abrowser.local # Firejail profile for Abrowser noblacklist ~/.mozilla noblacklist ~/.cache/mozilla +noblacklist ~/.pki include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc diff --git a/etc/chromium.profile b/etc/chromium.profile index dfdbf2dd4..531f9156c 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile 
@@ -5,6 +5,7 @@ include /etc/firejail/chromium.local # Chromium browser profile noblacklist ~/.config/chromium noblacklist ~/.cache/chromium +noblacklist ~/.pki include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile index e885fc300..3dffe187c 100644 --- a/etc/cyberfox.profile +++ b/etc/cyberfox.profile @@ -5,6 +5,7 @@ include /etc/firejail/cyberfox.local # Firejail profile for Cyberfox (based on Mozilla Firefox) noblacklist ~/.8pecxstudios noblacklist ~/.cache/8pecxstudios +noblacklist ~/.pki include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc diff --git a/etc/firefox.profile b/etc/firefox.profile index ba655dec6..5f891ea3c 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile @@ -8,6 +8,7 @@ noblacklist ~/.cache/mozilla noblacklist ~/.config/qpdfview noblacklist ~/.local/share/qpdfview noblacklist ~/.kde/share/apps/okular +noblacklist ~/.pki include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc @@ -34,6 +35,7 @@ whitelist ~/.pentadactyl whitelist ~/.keysnail.js whitelist ~/.config/gnome-mplayer whitelist ~/.cache/gnome-mplayer/plugin +mkdir ~/.pki whitelist ~/.pki whitelist ~/.config/qpdfview whitelist ~/.local/share/qpdfview diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile index 532749c1e..56437ba06 100644 --- a/etc/flashpeak-slimjet.profile +++ b/etc/flashpeak-slimjet.profile @@ -11,6 +11,7 @@ include /etc/firejail/flashpeak-slimjet.local # noblacklist ~/.config/slimjet noblacklist ~/.cache/slimjet +noblacklist ~/.pki include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/franz.profile b/etc/franz.profile index 9e79e35f4..05ff72a47 100644 --- a/etc/franz.profile +++ b/etc/franz.profile 
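Review bot: `mkdir ~/.pki` followed by `whitelist ~/.pki` exposes the directory read-write, and per the RELNOTES entry in this commit it holds the user's custom certificates (presumably the shared NSS database), so a compromised browser could plant a rogue CA there and affect every other program that trusts ~/.pki. If the browser only needs to read those certificates, adding `read-only ~/.pki` after the whitelist line closes that path; if in-browser certificate import is required, record the trade-off with a comment such as `# ~/.pki stays writable for certificate import; a compromised browser can alter the trust store`. The chromium-family hunks add only `noblacklist ~/.pki`, so the same consideration applies there even without a whitelist. The whitelist block this hunk edits begins outside the hunk.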
@@ -5,6 +5,7 @@ include /etc/firejail/franz.local # Franz profile noblacklist ~/.config/Franz noblacklist ~/.cache/Franz +noblacklist ~/.pki include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile index 2b2aa39d3..2f09edb7a 100644 --- a/etc/google-chrome-beta.profile +++ b/etc/google-chrome-beta.profile @@ -5,6 +5,7 @@ include /etc/firejail/google-chrome-beta.local # Google Chrome beta browser profile noblacklist ~/.config/google-chrome-beta noblacklist ~/.cache/google-chrome-beta +noblacklist ~/.pki include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile index 79ee6454b..e0dc37034 100644 --- a/etc/google-chrome-unstable.profile +++ b/etc/google-chrome-unstable.profile @@ -5,6 +5,7 @@ include /etc/firejail/google-chrome-unstable.local # Google Chrome unstable browser profile noblacklist ~/.config/google-chrome-unstable noblacklist ~/.cache/google-chrome-unstable +noblacklist ~/.pki include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile index 0fa69ea6a..dfb30dc7e 100644 --- a/etc/google-chrome.profile +++ b/etc/google-chrome.profile @@ -5,6 +5,7 @@ include /etc/firejail/google-chrome.local # Google Chrome browser profile noblacklist ~/.config/google-chrome noblacklist ~/.cache/google-chrome +noblacklist ~/.pki include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/icecat.profile b/etc/icecat.profile index 1525e8c31..144f5c4eb 100644 --- a/etc/icecat.profile +++ b/etc/icecat.profile 
@@ -5,6 +5,7 @@ include /etc/firejail/icecat.local # Firejail profile for GNU Icecat noblacklist ~/.mozilla noblacklist ~/.cache/mozilla +noblacklist ~/.pki include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc diff --git a/etc/inox.profile b/etc/inox.profile index 8ba031ea4..8e95208ab 100644 --- a/etc/inox.profile +++ b/etc/inox.profile @@ -5,6 +5,7 @@ include /etc/firejail/inox.local # Inox browser profile noblacklist ~/.config/inox noblacklist ~/.cache/inox +noblacklist ~/.pki include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/opera-beta.profile b/etc/opera-beta.profile index 2c20024e2..dba7cf68c 100644 --- a/etc/opera-beta.profile +++ b/etc/opera-beta.profile @@ -5,6 +5,7 @@ include /etc/firejail/opera-beta.local # Opera-beta browser profile noblacklist ~/.config/opera-beta noblacklist ~/.cache/opera-beta +noblacklist ~/.pki include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc diff --git a/etc/opera.profile b/etc/opera.profile index d6e44e7f6..57395ea72 100644 --- a/etc/opera.profile +++ b/etc/opera.profile @@ -6,6 +6,7 @@ include /etc/firejail/opera.local noblacklist ~/.config/opera noblacklist ~/.cache/opera noblacklist ~/.opera +noblacklist ~/.pki include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile index b98834d37..bfcdf5873 100644 --- a/etc/seamonkey.profile +++ b/etc/seamonkey.profile @@ -5,6 +5,7 @@ include /etc/firejail/seamonkey.local # Firejail profile for Seamoneky based off Mozilla Firefox noblacklist ~/.mozilla noblacklist ~/.cache/mozilla +noblacklist ~/.pki include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc -- cgit v1.2.3-70-g09d2 
From 3715f49a535fa22a21df31b1f4ae4175cf8e604a Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 20 Feb 2017 11:04:52 -0500 Subject: fix kino profile chekcin --- etc/kino.profile | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 etc/kino.profile
diff --git a/etc/kino.profile b/etc/kino.profile
new file mode 100644
index 000000000..70269e75a
--- /dev/null
+++ b/etc/kino.profile
@@ -0,0 +1,30 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/kino.local
+
+################################
+# Generic GUI application profile
+################################
+noblacklist ~/.kinorc
+noblacklist ~/.kino-history
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+#
+# depending on you usage, you can enable some of the commands below:
+#
+# nogroups
+# shell none
+# private-bin program
+# private-etc none
+# private-dev
+# private-tmp
+
-- cgit v1.2.3-70-g09d2
From b74d3870246ce03aaff4a1c40867f10aa9d87267 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 21 Feb 2017 10:03:59 -0500 Subject: merge #1100 from zackw: wait_for_other function rewrite --- README | 1 + src/firejail/util.c | 25 +++++++++++++++++++++++-- 2 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/README b/README
index ab5577382..58690663b 100644
--- a/README
+++ b/README
@@ -125,6 +125,7 @@ Zack Weinberg (https://github.com/zackw) - rework X11 xorg processing - rework fcopy, --follow-link support in fcopy - follow link support in --private-bin + - wait_for_other function rewrite Austin S. Hemmelgarn (https://github.com/Ferroin) - unbound profile update Igor Bukanov (https://github.com/ibukanov)
diff --git a/src/firejail/util.c b/src/firejail/util.c
index fbb0a1e87..9b9308670 100644
--- a/src/firejail/util.c
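Review bot: `# depending on you usage` should read `your usage`. More usefully, the generic template's optional lines are left commented without saying which ones Kino was tested against, and compared with the Thunar profile in this same series `include /etc/firejail/disable-devel.inc` and `nogroups` are also absent; a one-line comment above `caps.drop all` stating what Kino actually needs (device access, audio, network) would let the next person tighten the profile instead of guessing — hedged, since Kino's requirements are not visible here.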
+++ b/src/firejail/util.c @@ -605,16 +605,37 @@ void wait_for_other(int fd) { *ptr = '\0'; } else { - fprintf(stderr, "Error: cannot establish communication with the parent, exiting...\n"); + fprintf(stderr, "Error: proc %d cannot sync with peer: %s\n", + getpid(), ferror(stream) ? strerror(errno) : "unexpected EOF"); + + int status = 0; + pid_t pid = wait(&status); + if (pid != -1) { + if (WIFEXITED(status)) + fprintf(stderr, "Peer %d unexpectedly exited with status %d\n", + pid, WEXITSTATUS(status)); + else if (WIFSIGNALED(status)) + fprintf(stderr, "Peer %d unexpectedly killed (%s)\n", + pid, strsignal(WTERMSIG(status))); + else + fprintf(stderr, "Peer %d unexpectedly exited " + "(un-decodable wait status %04x)\n", pid, status); + } exit(1); } + if (strcmp(childstr, "arg_noroot=0") == 0) arg_noroot = 0; + else if (strcmp(childstr, "arg_noroot=1") == 0) + arg_noroot = 1; + else { + fprintf(stderr, "Error: unexpected message from peer: %s\n", childstr); + exit(1); + } fclose(stream); } - void notify_other(int fd) { FILE* stream; int newfd = dup(fd); -- cgit v1.2.3-70-g09d2 From 31fd17e9af3e2fdf16fc5c9741d3d0ac1aad37f8 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 21 Feb 2017 11:22:46 -0500 Subject: audacious profile fixes --- etc/audacious.profile | 1 + etc/disable-programs.inc | 1 + 2 files changed, 2 insertions(+) diff --git a/etc/audacious.profile b/etc/audacious.profile index cf1281d42..63ba9af9c 100644 --- a/etc/audacious.profile +++ b/etc/audacious.profile @@ -3,6 +3,7 @@ include /etc/firejail/audacious.local # Audacious media player profile +noblacklist ~/.config/audacious include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index cf654825a..c59285e85 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc 
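Review bot: The new error path calls `wait(&status)`, which blocks until some child exits; if the peer is a still-running child that merely closed its end of the descriptor, the diagnostic prints but the process then hangs instead of reaching `exit(1)` as the old code did. `pid_t pid = waitpid(-1, &status, WNOHANG);` followed by `if (pid > 0) {` reports whatever has already happened without that risk. Note also that `wait()` reaps whichever child finishes first, so the "Peer %d" wording is an assumption if this process has more than one child — hedged, as the process tree is not visible in the hunk. The body of wait_for_other begins before the hunk.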
@@ -77,6 +77,7 @@ blacklist ${HOME}/.config/ardour4 blacklist ${HOME}/.config/ardour5 blacklist ${HOME}/.config/arkrc blacklist ${HOME}/.config/atril +blacklist ${HOME}/.config/audacious blacklist ${HOME}/.config/autostart blacklist ${HOME}/.config/autostart/dropbox.desktop blacklist ${HOME}/.config/aweather -- cgit v1.2.3-70-g09d2 From 2a4abddef9fddd584504a1ada37762a5f17d0bc8 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 24 Feb 2017 10:42:38 -0500 Subject: fixed wireshark profile --- etc/wireshark.profile | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/etc/wireshark.profile b/etc/wireshark.profile index 54877b677..90909edf1 100644 --- a/etc/wireshark.profile +++ b/etc/wireshark.profile @@ -10,17 +10,21 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc -caps.drop all +# +# The profile allows users to run wireshark as root +# +#caps.drop all +#noroot +#protocol unix,inet,inet6,netlink + netfilter nogroups nonewprivs -noroot nosound -protocol unix,inet,inet6,netlink seccomp shell none tracelog -private-bin wireshark +#private-bin wireshark private-dev private-tmp -- cgit v1.2.3-70-g09d2 From 89081fa7b455775024638e29fd8de6b40be5b500 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 25 Feb 2017 08:38:42 -0500 Subject: xmms profile fix --- etc/xmms.profile | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/xmms.profile b/etc/xmms.profile index 8c7e94070..b33727c2c 100644 --- a/etc/xmms.profile +++ b/etc/xmms.profile @@ -17,6 +17,7 @@ noroot protocol unix,inet,inet6 seccomp shell none +no3d private-bin xmms private-dev -- cgit v1.2.3-70-g09d2 From adee913b3999269681f495dc76ca468e7ba1ecfe Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 28 Feb 2017 12:13:59 -0500 Subject: profile merges --- README | 1 + 1 file changed, 1 insertion(+) diff --git a/README b/README index 58690663b..71e329792 100644 --- a/README +++ b/README 
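Review bot: Commenting out `caps.drop all` and `protocol unix,inet,inet6,netlink` in wireshark.profile removes the two controls that matter most for a capture tool run as root: the sandbox now retains every capability rather than only the ones capture needs. `caps.keep net_raw,net_admin` and `protocol unix,inet,inet6,netlink,packet` (AF_PACKET is what capture sockets use, presumably the reason the protocol line was dropped) would let root capture while still shedding the rest; `noroot` does have to stay off for the stated use. The same applies to `#private-bin wireshark`: if it was disabled because capture runs through the dumpcap helper, `private-bin wireshark,dumpcap` keeps the restriction. A short comment on why each line is disabled would also help, since the header only says the profile allows root.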
@@ -153,6 +153,7 @@ SYN-cook (https://github.com/SYN-cook) - keepass/keepassx browser fixes - disable-common.inc fixes - blacklist GNOME keyring and Konqueror + - fixed Keepass(x) profiles thewisenerd (https://github.com/thewisenerd) - appimage: pass commandline arguments KOLANICH (https://github.com/KOLANICH) -- cgit v1.2.3-70-g09d2