From 2f8f4be99a66afba3f9d0f2e7d6ada17a3c7538f Mon Sep 17 00:00:00 2001
From: Reiner Herrmann
Date: Tue, 17 Oct 2017 00:14:39 +0200
Subject: Get rid of conffiles list, generate it during package build
---
 mkdeb.sh | 2 +-
 platform/debian/conffiles | 422 ----------------------------------------
 2 files changed, 1 insertion(+), 423 deletions(-)
 delete mode 100644 platform/debian/conffiles
diff --git a/mkdeb.sh b/mkdeb.sh
index 68f0e12d4..026f58fc0 100755
--- a/mkdeb.sh
+++ b/mkdeb.sh
@@ -39,7 +39,7 @@ sed "s/FIREJAILVER/$2/g" platform/debian/control > $DEBIAN_CTRL_DIR/control
 mkdir -p $INSTALL_DIR/usr/share/lintian/overrides/
 cp platform/debian/firejail.lintian-overrides $INSTALL_DIR/usr/share/lintian/overrides/firejail
-cp platform/debian/conffiles $DEBIAN_CTRL_DIR/.
+find etc/ -type f -printf "/etc/firejail/%f\n" | LC_ALL=C sort > $DEBIAN_CTRL_DIR/conffiles
 find $INSTALL_DIR -type d | xargs chmod 755
 cd $CODE_DIR
 fakeroot dpkg-deb --build debian
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
deleted file mode 100644
index c24e13b61..000000000
--- a/platform/debian/conffiles
+++ /dev/null
@@ -1,422 +0,0 @@ -/etc/firejail/0ad.profile -/etc/firejail/2048-qt.profile -/etc/firejail/7z.profile -/etc/firejail/Cryptocat.profile -/etc/firejail/Cyberfox.profile -/etc/firejail/FossaMail.profile -/etc/firejail/Gitter.profile -/etc/firejail/Mathematica.profile -/etc/firejail/Telegram.profile -/etc/firejail/Thunar.profile -/etc/firejail/VirtualBox.profile -/etc/firejail/Wire.profile -/etc/firejail/Xephyr.profile -/etc/firejail/Xvfb.profile -/etc/firejail/abrowser.profile -/etc/firejail/akregator.profile -/etc/firejail/amarok.profile -/etc/firejail/android-studio.profile -/etc/firejail/apktool.profile -/etc/firejail/arduino.profile -/etc/firejail/ark.profile -/etc/firejail/arm.profile -/etc/firejail/atom-beta.profile -/etc/firejail/atom.profile -/etc/firejail/atool.profile -/etc/firejail/atril.profile -/etc/firejail/audacious.profile -/etc/firejail/audacity.profile -/etc/firejail/aweather.profile -/etc/firejail/baloo_file.profile -/etc/firejail/baobab.profile -/etc/firejail/bibletime.profile -/etc/firejail/bitlbee.profile -/etc/firejail/bleachbit.profile -/etc/firejail/blender.profile -/etc/firejail/bless.profile -/etc/firejail/brasero.profile -/etc/firejail/brave.profile -/etc/firejail/caja.profile -/etc/firejail/calibre.profile -/etc/firejail/catfish.profile -/etc/firejail/cherrytree.profile -/etc/firejail/chromium-browser.profile -/etc/firejail/chromium.profile -/etc/firejail/claws-mail.profile -/etc/firejail/clementine.profile -/etc/firejail/clipit.profile -/etc/firejail/cmus.profile -/etc/firejail/conkeror.profile -/etc/firejail/corebird.profile -/etc/firejail/cpio.profile -/etc/firejail/cryptocat.profile -/etc/firejail/curl.profile -/etc/firejail/cvlc.profile -/etc/firejail/cyberfox.profile -/etc/firejail/darktable.profile -/etc/firejail/deadbeef.profile -/etc/firejail/default.profile -/etc/firejail/deluge.profile -/etc/firejail/dex2jar.profile -/etc/firejail/dia.profile -/etc/firejail/digikam.profile -/etc/firejail/dillo.profile -/etc/firejail/dino.profile 
-/etc/firejail/disable-common.inc -/etc/firejail/disable-devel.inc -/etc/firejail/disable-passwdmgr.inc -/etc/firejail/disable-programs.inc -/etc/firejail/display.profile -/etc/firejail/dnscrypt-proxy.profile -/etc/firejail/dnsmasq.profile -/etc/firejail/dolphin.profile -/etc/firejail/dosbox.profile -/etc/firejail/dragon.profile -/etc/firejail/dropbox.profile -/etc/firejail/ebook-viewer.profile -/etc/firejail/electron.profile -/etc/firejail/elinks.profile -/etc/firejail/emacs.profile -/etc/firejail/empathy.profile -/etc/firejail/enchant.profile -/etc/firejail/engrampa.profile -/etc/firejail/eog.profile -/etc/firejail/eom.profile -/etc/firejail/epiphany.profile -/etc/firejail/etr.profile -/etc/firejail/evince.profile -/etc/firejail/evolution.profile -/etc/firejail/exiftool.profile -/etc/firejail/fbreader.profile -/etc/firejail/feh.profile -/etc/firejail/file-roller.profile -/etc/firejail/file.profile -/etc/firejail/filezilla.profile -/etc/firejail/firefox-esr.profile -/etc/firejail/firefox.profile -/etc/firejail/firefox-nightly.profile -/etc/firejail/firejail.config -/etc/firejail/flashpeak-slimjet.profile -/etc/firejail/flowblade.profile -/etc/firejail/fontforge.profile -/etc/firejail/fossamail.profile -/etc/firejail/franz.profile -/etc/firejail/frozen-bubble.profile -/etc/firejail/gajim.profile -/etc/firejail/galculator.profile -/etc/firejail/geany.profile -/etc/firejail/geary.profile -/etc/firejail/gedit.profile -/etc/firejail/geeqie.profile -/etc/firejail/ghb.profile -/etc/firejail/gimp-2.8.profile -/etc/firejail/gimp.profile -/etc/firejail/git.profile -/etc/firejail/gitg.profile -/etc/firejail/gitter.profile -/etc/firejail/gjs.profile -/etc/firejail/globaltime.profile -/etc/firejail/gnome-2048.profile -/etc/firejail/gnome-books.profile -/etc/firejail/gnome-calculator.profile -/etc/firejail/gnome-chess.profile -/etc/firejail/gnome-clocks.profile -/etc/firejail/gnome-contacts.profile -/etc/firejail/gnome-documents.profile -/etc/firejail/gnome-font-viewer.profile 
-/etc/firejail/gnome-maps.profile -/etc/firejail/gnome-mplayer.profile -/etc/firejail/gnome-music.profile -/etc/firejail/gnome-photos.profile -/etc/firejail/gnome-twitch.profile -/etc/firejail/gnome-weather.profile -/etc/firejail/goobox.profile -/etc/firejail/google-chrome-beta.profile -/etc/firejail/google-chrome-stable.profile -/etc/firejail/google-chrome-unstable.profile -/etc/firejail/google-chrome.profile -/etc/firejail/google-play-music-desktop-player.profile -/etc/firejail/gpa.profile -/etc/firejail/gpg-agent.profile -/etc/firejail/gpg.profile -/etc/firejail/gpicview.profile -/etc/firejail/gpredict.profile -/etc/firejail/gtar.profile -/etc/firejail/gthumb.profile -/etc/firejail/guayadeque.profile -/etc/firejail/gucharmap.profile -/etc/firejail/gwenview.profile -/etc/firejail/gzip.profile -/etc/firejail/handbrake-gtk.profile -/etc/firejail/handbrake.profile -/etc/firejail/hashcat.profile -/etc/firejail/hedgewars.profile -/etc/firejail/hexchat.profile -/etc/firejail/highlight.profile -/etc/firejail/hugin.profile -/etc/firejail/icecat.profile -/etc/firejail/icedove.profile -/etc/firejail/iceweasel.profile -/etc/firejail/idea.sh.profile -/etc/firejail/img2txt.profile -/etc/firejail/inkscape.profile -/etc/firejail/inox.profile -/etc/firejail/iridium-browser.profile -/etc/firejail/iridium.profile -/etc/firejail/jd-gui.profile -/etc/firejail/jitsi.profile -/etc/firejail/k3b.profile -/etc/firejail/kate.profile -/etc/firejail/kcalc.profile -/etc/firejail/keepass.profile -/etc/firejail/keepass2.profile -/etc/firejail/keepassx.profile -/etc/firejail/keepassx2.profile -/etc/firejail/keepassxc.profile -/etc/firejail/kino.profile -/etc/firejail/kmail.profile -/etc/firejail/knotes.profile -/etc/firejail/kodi.profile -/etc/firejail/konversation.profile -/etc/firejail/ktorrent.profile -/etc/firejail/kwrite.profile -/etc/firejail/leafpad.profile -/etc/firejail/less.profile -/etc/firejail/libreoffice.profile -/etc/firejail/liferea.profile -/etc/firejail/localc.profile 
-/etc/firejail/lodraw.profile -/etc/firejail/loffice.profile -/etc/firejail/lofromtemplate.profile -/etc/firejail/login.users -/etc/firejail/loimpress.profile -/etc/firejail/lollypop.profile -/etc/firejail/lomath.profile -/etc/firejail/loweb.profile -/etc/firejail/lowriter.profile -/etc/firejail/luminance-hdr.profile -/etc/firejail/lximage-qt.profile -/etc/firejail/lxmusic.profile -/etc/firejail/lynx.profile -/etc/firejail/mate-calc.profile -/etc/firejail/mate-calculator.profile -/etc/firejail/mate-color-select.profile -/etc/firejail/mate-dictionary.profile -/etc/firejail/mathematica.profile -/etc/firejail/mcabber.profile -/etc/firejail/mediainfo.profile -/etc/firejail/mediathekview.profile -/etc/firejail/meld.profile -/etc/firejail/midori.profile -/etc/firejail/minetest.profile -/etc/firejail/mousepad.profile -/etc/firejail/mplayer.profile -/etc/firejail/mpv.profile -/etc/firejail/multimc5.profile -/etc/firejail/mumble.profile -/etc/firejail/mupdf.profile -/etc/firejail/mupen64plus.profile -/etc/firejail/musescore.profile -/etc/firejail/mutt.profile -/etc/firejail/nautilus.profile -/etc/firejail/nemo.profile -/etc/firejail/neverball.profile -/etc/firejail/netsurf.profile -/etc/firejail/nolocal.net -/etc/firejail/nylas.profile -/etc/firejail/obs.profile -/etc/firejail/odt2txt.profile -/etc/firejail/okular.profile -/etc/firejail/open-invaders.profile -/etc/firejail/openbox.profile -/etc/firejail/openshot.profile -/etc/firejail/opera-beta.profile -/etc/firejail/opera.profile -/etc/firejail/orage.profile -/etc/firejail/palemoon.profile -/etc/firejail/parole.profile -/etc/firejail/pcmanfm.profile -/etc/firejail/pdfsam.profile -/etc/firejail/pdftotext.profile -/etc/firejail/peek.profile -/etc/firejail/picard.profile -/etc/firejail/pidgin.profile -/etc/firejail/pingus.profile -/etc/firejail/pithos.profile -/etc/firejail/pix.profile -/etc/firejail/pluma.profile -/etc/firejail/polari.profile -/etc/firejail/psi-plus.profile -/etc/firejail/qbittorrent.profile 
-/etc/firejail/qemu-launcher.profile -/etc/firejail/qemu-system-x86_64.profile -/etc/firejail/qlipper.profile -/etc/firejail/qpdfview.profile -/etc/firejail/qtox.profile -/etc/firejail/quassel.profile -/etc/firejail/quiterss.profile -/etc/firejail/qupzilla.profile -/etc/firejail/qutebrowser.profile -/etc/firejail/rambox.profile -/etc/firejail/ranger.profile -/etc/firejail/remmina.profile -/etc/firejail/rhythmbox.profile -/etc/firejail/riot-web.profile -/etc/firejail/ristretto.profile -/etc/firejail/rtorrent.profile -/etc/firejail/scribus.profile -/etc/firejail/sdat2img.profile -/etc/firejail/seamonkey-bin.profile -/etc/firejail/seamonkey.profile -/etc/firejail/server.profile -/etc/firejail/silentarmy.profile -/etc/firejail/simple-scan.profile -/etc/firejail/simutrans.profile -/etc/firejail/skanlite.profile -/etc/firejail/skype.profile -/etc/firejail/skypeforlinux.profile -/etc/firejail/slack.profile -/etc/firejail/smplayer.profile -/etc/firejail/snap.profile -/etc/firejail/soffice.profile -/etc/firejail/soundconverter.profile -/etc/firejail/spotify.profile -/etc/firejail/sqlitebrowser.profile -/etc/firejail/ssh-agent.profile -/etc/firejail/ssh.profile -/etc/firejail/start-tor-browser.profile -/etc/firejail/steam.profile -/etc/firejail/stellarium.profile -/etc/firejail/strings.profile -/etc/firejail/supertux2.profile -/etc/firejail/synfigstudio.profile -/etc/firejail/tar.profile -/etc/firejail/telegram-desktop.profile -/etc/firejail/telegram.profile -/etc/firejail/thunar.profile -/etc/firejail/thunderbird.profile -/etc/firejail/torbrowser-launcher.profile -/etc/firejail/totem.profile -/etc/firejail/tracker.profile -/etc/firejail/transmission-cli.profile -/etc/firejail/transmission-gtk.profile -/etc/firejail/transmission-qt.profile -/etc/firejail/transmission-show.profile -/etc/firejail/truecraft.profile -/etc/firejail/tuxguitar.profile -/etc/firejail/uget-gtk.profile -/etc/firejail/unbound.profile -/etc/firejail/unknown-horizons.profile -/etc/firejail/unrar.profile 
-/etc/firejail/unzip.profile -/etc/firejail/uudeview.profile -/etc/firejail/uzbl-browser.profile -/etc/firejail/viewnior.profile -/etc/firejail/viking.profile -/etc/firejail/vim.profile -/etc/firejail/virtualbox.profile -/etc/firejail/vivaldi-beta.profile -/etc/firejail/vivaldi-stable.profile -/etc/firejail/vivaldi.profile -/etc/firejail/vlc.profile -/etc/firejail/vym.profile -/etc/firejail/w3m.profile -/etc/firejail/warzone2100.profile -/etc/firejail/waterfox.profile -/etc/firejail/webserver.net -/etc/firejail/weechat-curses.profile -/etc/firejail/weechat.profile -/etc/firejail/wesnoth.profile -/etc/firejail/wget.profile -/etc/firejail/whitelist-common.inc -/etc/firejail/wine.profile -/etc/firejail/wire.profile -/etc/firejail/wireshark-gtk.profile -/etc/firejail/wireshark-qt.profile -/etc/firejail/wireshark.profile -/etc/firejail/xchat.profile -/etc/firejail/xed.profile -/etc/firejail/xfburn.profile -/etc/firejail/xfce4-dict.profile -/etc/firejail/xfce4-notes.profile -/etc/firejail/xiphos.profile -/etc/firejail/xmms.profile -/etc/firejail/xonotic-glx.profile -/etc/firejail/xonotic-sdl.profile -/etc/firejail/xonotic.profile -/etc/firejail/xpdf.profile -/etc/firejail/xplayer.profile -/etc/firejail/xpra.profile -/etc/firejail/xreader.profile -/etc/firejail/xviewer.profile -/etc/firejail/xz.profile -/etc/firejail/xzdec.profile -/etc/firejail/youtube-dl.profile -/etc/firejail/zathura.profile -/etc/firejail/zoom.profile -/etc/firejail/yandex-browser.profile -/etc/firejail/itch.profile -/etc/firejail/whitelist-var-common.inc -/etc/firejail/ffmpeg.profile -/etc/firejail/Natron.profile -/etc/firejail/Viber.profile -/etc/firejail/amule.profile -/etc/firejail/arch-audit.profile -/etc/firejail/ardour4.profile -/etc/firejail/ardour5.profile -/etc/firejail/bluefish.profile -/etc/firejail/brackets.profile -/etc/firejail/calligra.profile -/etc/firejail/calligraauthor.profile -/etc/firejail/calligraconverter.profile -/etc/firejail/calligraflow.profile 
-/etc/firejail/calligraplan.profile
-/etc/firejail/calligraplanwork.profile
-/etc/firejail/calligrasheets.profile
-/etc/firejail/cin.profile
-/etc/firejail/calligrastage.profile
-/etc/firejail/calligrawords.profile
-/etc/firejail/cinelerra.profile
-/etc/firejail/clamav.profile
-/etc/firejail/clamdscan.profile
-/etc/firejail/clamdtop.profile
-/etc/firejail/clamscan.profile
-/etc/firejail/cliqz.profile
-/etc/firejail/conky.profile
-/etc/firejail/dooble-qt4.profile
-/etc/firejail/dooble.profile
-/etc/firejail/fetchmail.profile
-/etc/firejail/freecad.profile
-/etc/firejail/freecadcmd.profile
-/etc/firejail/freshclam.profile
-/etc/firejail/google-earth.profile
-/etc/firejail/imagej.profile
-/etc/firejail/karbon.profile
-/etc/firejail/kdenlive.profile
-/etc/firejail/krita.profile
-/etc/firejail/linphone.profile
-/etc/firejail/lmms.profile
-/etc/firejail/macrofusion.profile
-/etc/firejail/mpd.profile
-/etc/firejail/natron.profile
-/etc/firejail/openshot-qt.profile
-/etc/firejail/pinta.profile
-/etc/firejail/ricochet.profile
-/etc/firejail/rocketchat.profile
-/etc/firejail/shotcut.profile
-/etc/firejail/smtube.profile
-/etc/firejail/surf.profile
-/etc/firejail/teamspeak3.profile
-/etc/firejail/terasology.profile
-/etc/firejail/tor-browser-en.profile
-/etc/firejail/tor.profile
-/etc/firejail/uefitool.profile
-/etc/firejail/x-terminal-emulator.profile
-/etc/firejail/xmr-stak-cpu.profile
-/etc/firejail/zart.profile
-/etc/firejail/xcalc.profile
-/etc/firejail/aosp.profile
-/etc/firejail/gnome-ring.profile
-/etc/firejail/pdfmod.profile
-/etc/firejail/signal-desktop.profile
-/etc/firejail/zaproxy.profile
-- cgit v1.2.3-54-g00ecf
From d593c8b2ca1d471546a46792f065a9790ea87116 Mon Sep 17 00:00:00 2001
From: Reiner Herrmann
Date: Tue, 17 Oct 2017 01:03:47 +0200
Subject: Fix previous commit; etc/ contains also non-conffiles
---
 mkdeb.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mkdeb.sh b/mkdeb.sh
index 026f58fc0..aa6b82a5e 100755
--- a/mkdeb.sh
+++ b/mkdeb.sh
@@ -39,7 +39,7 @@ sed "s/FIREJAILVER/$2/g" platform/debian/control > $DEBIAN_CTRL_DIR/control
 mkdir -p $INSTALL_DIR/usr/share/lintian/overrides/
 cp platform/debian/firejail.lintian-overrides $INSTALL_DIR/usr/share/lintian/overrides/firejail
-find etc/ -type f -printf "/etc/firejail/%f\n" | LC_ALL=C sort > $DEBIAN_CTRL_DIR/conffiles
+find $INSTALL_DIR/etc -type f | sed "s,^$INSTALL_DIR,," | LC_ALL=C sort > $DEBIAN_CTRL_DIR/conffiles
 find $INSTALL_DIR -type d | xargs chmod 755
 cd $CODE_DIR
 fakeroot dpkg-deb --build debian
-- cgit v1.2.3-54-g00ecf
From 826bbf14599f8bf04c4a0452d734cbc596e35a4e Mon Sep 17 00:00:00 2001
From: netblue30
Date: Mon, 16 Oct 2017 21:12:55 -0400
Subject: commented out private-etc in firefox profile, fixed whitelisting problems for /srv directory
---
 etc/firefox.profile | 5 ++++-
 src/firejail/fs_whitelist.c | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 80cdb6ab0..551e1aa90 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -76,7 +76,10 @@ tracelog
 # firefox requires a shell to launch on Arch. We can possibly remove sh though.
 # private-bin firefox,which,sh,dbus-launch,dbus-send,env,sh,bash
 private-dev
-private-etc iceweasel,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
+
+# private-etc below works fine on most distributions. There are some problems on CentOS.
+# private-etc iceweasel,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
+
 private-tmp
 noexec ${HOME}
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 6e766f996..bfc773374 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
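Review bot: The new find line splices `$INSTALL_DIR` unquoted into both the find starting point and the sed pattern `s,^$INSTALL_DIR,,`, so a staging path containing whitespace, a comma or a regex metacharacter breaks the prefix strip and the generated conffiles entries keep the staging prefix. GNU find can emit the installed path without a regex at all: `find "$INSTALL_DIR/etc" -type f -printf '/etc/%P\n' | LC_ALL=C sort > "$DEBIAN_CTRL_DIR/conffiles"`; the line this replaces already used `-printf`, so no new findutils dependency is introduced. `$INSTALL_DIR` and `$DEBIAN_CTRL_DIR` are assigned outside the hunk, so their possible values cannot be checked here. The unchanged `find $INSTALL_DIR -type d | xargs chmod 755` two lines below has the same quoting gap, since `xargs` splits on whitespace.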
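Review bot: Commenting out `private-etc` removes the sandbox's restricted view of /etc for every distribution, yet the added comment only says there are "some problems on CentOS" without recording what fails, so there is no documented way to reinstate the restriction. The comment should name the symptom or the missing entry, e.g. `# private-etc disabled: on CentOS it fails with <TODO: describe failure>; re-enable once the missing entry is added.` If the failure is only a CentOS-specific path missing from the list, adding that entry would be a narrower fix than dropping the directive for all users, but that cannot be confirmed from the hunk.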
@@ -413,7 +413,7 @@ void fs_whitelist(void) {
 else if (strncmp(new_name, "/opt/", 5) == 0)
 opt_dir = 1;
 else if (strncmp(new_name, "/srv/", 5) == 0)
- opt_dir = 1;
+ srv_dir = 1;
 }
 entry->data = EMPTY_STRING;
-- cgit v1.2.3-54-g00ecf
From e429a092c7821aabcc4bc0e470218e2aed058a79 Mon Sep 17 00:00:00 2001
From: Reiner Herrmann
Date: Tue, 17 Oct 2017 18:22:49 +0200
Subject: extra priority is deprecated, switch to optional
---
 platform/debian/control | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/platform/debian/control b/platform/debian/control
index 4161cbfb2..b8ea455f0 100644
--- a/platform/debian/control
+++ b/platform/debian/control
@@ -6,7 +6,7 @@ Installed-Size: 2024
 Depends: libc6
 Suggests: python, python3
 Section: admin
-Priority: extra
+Priority: optional
 Homepage: http://github.com/netblue30/firejail
 Description: Linux namepaces sandbox program.
 Firejail is a SUID sandbox program that reduces the risk of security
-- cgit v1.2.3-54-g00ecf
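Review bot: The corrected assignment on the `/srv/` branch is right as far as the hunk shows, but the branch belongs to a chain of `strncmp(new_name, "/<dir>/", 5)` tests that each set a different flag from a hand-typed length, which is exactly the shape that produced the copy-paste slip. Writing the comparison as `else if (strncmp(new_name, "/srv/", strlen("/srv/")) == 0)` ties the length to the literal (the compiler folds it), or a small static table of {prefix, flag} pairs would remove the duplication entirely. A regression test that whitelists a path under /srv and checks which flag is set would catch a recurrence; what `srv_dir` controls downstream is outside the hunk, as is the rest of fs_whitelist().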