From 4222217198ceedc3e5fd7c356bcd798548eb94ff Mon Sep 17 00:00:00 2001
From: netblue30
Date: Thu, 20 May 2021 21:38:01 -0400
Subject: --buid fixes

---
 src/fbuilder/build_profile.c | 54 +++++++++++++++++---------------------
 src/fbuilder/build_seccomp.c | 29 +++++++++++++-----------
 src/man/firejail-profile.txt | 11 ++++++---
 3 files changed, 45 insertions(+), 49 deletions(-)

diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
index 1726b4dbb..5df19f511 100644
--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -24,21 +24,6 @@
 #define TRACE_OUTPUT "/tmp/firejail-trace.XXXXXX"
 #define STRACE_OUTPUT "/tmp/firejail-strace.XXXXXX"
-/* static char *cmdlist[] = { */
-/* "/usr/bin/firejail", */
-/* "--quiet", */
-/* "--output=" TRACE_OUTPUT, */
-/* "--noprofile", */
-/* "--caps.drop=all", */
-/* "--nonewprivs", */
-/* "--trace", */
-/* "--shell=none", */
-/* "/usr/bin/strace", // also used as a marker in build_profile() */
-/* "-c", */
-/* "-f", */
-/* "-o" STRACE_OUTPUT, */
-/* }; */
-
 void build_profile(int argc, char **argv, int index, FILE *fp) {
 // next index is the application name
 if (index >= argc) {
@@ -158,14 +143,14 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 fprintf(fp, "### Enable as many of them as you can! A very important one is\n");
 fprintf(fp, "### \"disable-exec.inc\". This will make among other things your home\n");
 fprintf(fp, "### and /tmp directories non-executable.\n");
- fprintf(fp, "include disable-common.inc\n");
- fprintf(fp, "#include disable-devel.inc\n");
- fprintf(fp, "#include disable-exec.inc\n");
- fprintf(fp, "#include disable-interpreters.inc\n");
- fprintf(fp, "include disable-passwdmgr.inc\n");
- fprintf(fp, "include disable-programs.inc\n");
- fprintf(fp, "#include disable-shell.inc\n");
- fprintf(fp, "#include disable-xdg.inc\n");
+ fprintf(fp, "include disable-common.inc\t# dangerous directories like ~/.ssh and ~/.gnupg\n");
+ fprintf(fp, "#include disable-devel.inc\t# development tools such as gcc and gdb\n");
+ fprintf(fp, "#include disable-exec.inc\t# non-executable directories such as /var, /tmp, and /home\n");
+ fprintf(fp, "#include disable-interpreters.inc\t# perl, python, lua etc.\n");
+ fprintf(fp, "include disable-passwdmgr.inc\t# password managers\n");
+ fprintf(fp, "include disable-programs.inc\t# user configuration for programs such as firefox, vlc etc.\n");
+ fprintf(fp, "#include disable-shell.inc\t# sh, bash, zsh etc.\n");
+ fprintf(fp, "#include disable-xdg.inc\t# standard user directories: Documents, Pictures, Videos, Music\n");
 fprintf(fp, "\n");
 fprintf(fp, "### Home Directory Whitelisting ###\n");
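Review bot: The new `include disable-common.inc\t# dangerous directories like ~/.ssh and ~/.gnupg\n` and the seven lines below it put a comment after the directive on the same line, separated by a tab, and nothing in this commit shows the profile reader stripping a same-line `# …` comment introduced by a tab (the man-page hunk only documents the `net none # …` form with a space); confirm the parser handles both, otherwise an `include` is handed a path with the comment still attached. The same `\t# …` tail is hand-written into every literal here and again in the -180 and -203 hunks of this file; a small helper along the lines of `static void emit_opt(FILE *fp, const char *opt, const char *why) { fprintf(fp, "%s\t# %s\n", opt, why); }` would keep the separator in one place and make the commented-out options easy to spot. build_profile starts and ends outside this hunk.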
@@ -180,18 +165,19 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 build_var(trace_output, fp);
 fprintf(fp, "\n");
- fprintf(fp, "#apparmor\n");
+ fprintf(fp, "#apparmor\t# if you have AppArmor running, try this one!\n");
 fprintf(fp, "caps.drop all\n");
 fprintf(fp, "ipc-namespace\n");
 fprintf(fp, "netfilter\n");
- fprintf(fp, "#nodvd\n");
- fprintf(fp, "#nogroups\n");
- fprintf(fp, "#noinput\n");
+ fprintf(fp, "#no3d\t# disable 3D acceleration\n");
+ fprintf(fp, "#nodvd\t# disable DVD and CD devices\n");
+ fprintf(fp, "#nogroups\t# disable supplementary user groups\n");
+ fprintf(fp, "#noinput\t# disable input devices\n");
 fprintf(fp, "nonewprivs\n");
 fprintf(fp, "noroot\n");
- fprintf(fp, "#notv\n");
- fprintf(fp, "#nou2f\n");
- fprintf(fp, "#novideo\n");
+ fprintf(fp, "#notv\t# disable DVB TV devices\n");
+ fprintf(fp, "#nou2f\t# disable U2F devices\n");
+ fprintf(fp, "#novideo\t# disable video capture devices\n");
 build_protocol(trace_output, fp);
 fprintf(fp, "seccomp\n");
 if (!have_strace) {
@@ -203,19 +189,21 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 else
 build_seccomp(strace_output, fp);
 fprintf(fp, "shell none\n");
- fprintf(fp, "#tracelog\n");
+ fprintf(fp, "tracelog\n");
 fprintf(fp, "\n");
- fprintf(fp, "#disable-mnt\n");
+ fprintf(fp, "#disable-mnt\t# no access to /mnt, /media, /run/mount and /run/media\n");
 build_bin(trace_output, fp);
- fprintf(fp, "#private-lib\n");
+ fprintf(fp, "#private-cache\t# run with an empty ~/.cache directory\n");
 build_dev(trace_output, fp);
 build_etc(trace_output, fp);
+ fprintf(fp, "#private-lib\n");
 build_tmp(trace_output, fp);
 fprintf(fp, "\n");
 fprintf(fp, "#dbus-user none\n");
 fprintf(fp, "#dbus-system none\n");
+ fprintf(fp, "\n");
 fprintf(fp, "#memory-deny-write-execute\n");
 
 if (!arg_debug) {
diff --git a/src/fbuilder/build_seccomp.c b/src/fbuilder/build_seccomp.c
index dc3cce456..b3187227e 100644
--- a/src/fbuilder/build_seccomp.c
+++ b/src/fbuilder/build_seccomp.c
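Review bot: In the -203 hunk `fprintf(fp, "tracelog\n");` switches tracelog on in every generated profile (it was emitted commented out before), yet unlike the neighbouring options it gets no `\t# …` trailer saying what it does or why it is now on by default; suggest `fprintf(fp, "tracelog\t# log blacklist violations to syslog\n");`, which is how the firejail(1) man page describes the option. The relocated `#private-lib` line and `#memory-deny-write-execute` are likewise left without the trailer this commit adds to the other options, so the generated profile reads unevenly. build_profile starts and ends outside this hunk.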
@@ -82,11 +82,12 @@ void build_seccomp(const char *fname, FILE *fp) {
 //***************************************
 // protocol
 //***************************************
-int unix_s = 0;
-int inet = 0;
-int inet6 = 0;
-int netlink = 0;
-int packet = 0;
+static int unix_s = 0;
+static int inet = 0;
+static int inet6 = 0;
+static int netlink = 0;
+static int packet = 0;
+static int bluetooth = 0;
 static void process_protocol(const char *fname) {
 assert(fname);
@@ -135,6 +136,8 @@ static void process_protocol(const char *fname) {
 netlink = 1;
 else if (strncmp(ptr, "AF_PACKET ", 10) == 0)
 packet = 1;
+ else if (strncmp(ptr, "AF_BLUETOOTH ", 13) == 0)
+ bluetooth = 1;
 }
 fclose(fp);
@@ -161,22 +164,22 @@ void build_protocol(const char *fname, FILE *fp) {
 }
 int net = 0;
- if (unix_s || inet || inet6 || netlink || packet) {
+ if (unix_s || inet || inet6 || netlink || packet || bluetooth) {
 fprintf(fp, "protocol ");
 if (unix_s)
 fprintf(fp, "unix,");
- if (inet) {
- fprintf(fp, "inet,");
- net = 1;
- }
- if (inet6) {
- fprintf(fp, "inet6,");
+ if (inet || inet6) {
+ fprintf(fp, "inet,inet6,");
 net = 1;
 }
 if (netlink)
 fprintf(fp, "netlink,");
 if (packet) {
- fprintf(fp, "packet");
+ fprintf(fp, "packet,");
+ net = 1;
+ }
+ if (bluetooth) {
+ fprintf(fp, "bluetooth");
 net = 1;
 }
 fprintf(fp, "\n");
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 3d59705b9..12e841af5 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -160,6 +160,11 @@ Example: "blacklist ~/My Virtual Machines"
 .TP
 \fB# this is a comment
+Example:
+
+# disable networking
+.br
+net none # this command creates an empty network namespace
 .TP
 \fB?CONDITIONAL: profile line
@@ -731,6 +736,9 @@ Disable DVD and audio CD devices.
 \fBnogroups
 Disable supplementary user groups
 .TP
+\fBnoinput
+Disable input devices.
+.TP
 \fBnosound
 Disable sound system.
 .TP
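Review bot: In the -161 hunk `if (inet || inet6) { fprintf(fp, "inet,inet6,"); net = 1; }` emits both address families as soon as either flag was set by the trace, so the generated `protocol` line is broader than what the program was observed to use; if that is deliberate, a comment on that line saying why (for example `// inet and inet6 are granted together - TODO: state the reason`) would keep a later reader from tightening it back, and if not, emitting each family only when its own flag is set preserves least privilege. With `packet` now printed as `"packet,"`, the list ends in a trailing comma whenever bluetooth was not seen (e.g. `protocol unix,inet,inet6,netlink,packet,`), as it already did for the other flags; make sure the protocol parser tolerates the empty last token, or print the separator before each entry after the first. build_protocol starts and ends outside this hunk.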
@@ -743,9 +751,6 @@ Disable U2F devices.
 \fBnovideo
 Disable video capture devices.
 .TP
-\fBnoinput
-Disable input devices.
-.TP
 \fBshell none
 Run the program directly, without a shell.
-- cgit v1.2.3-70-g09d2