From c86cae2d08da10eaec01964654c505387ee51eac Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Sat, 4 Sep 2021 19:08:32 +0200 Subject: Add new condition ALLOW_TRAY --- contrib/vim/syntax/firejail.vim | 2 +- etc/firejail.config | 3 +++ src/firejail/checkcfg.c | 2 ++ src/firejail/firejail.h | 1 + src/firejail/profile.c | 5 +++++ src/man/firejail-profile.txt | 2 +- 6 files changed, 13 insertions(+), 2 deletions(-) diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim index d07690ee2..fa80a9c00 100644 --- a/contrib/vim/syntax/firejail.vim +++ b/contrib/vim/syntax/firejail.vim @@ -72,7 +72,7 @@ syn match fjCommandNoCond /quiet$/ contained " Conditionals grabbed from: src/firejail/profile.c " Generate list with: awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$/ {process=1;} /\t*\{"[^"]+".*/ { if (process) {print gensub(/^\t*\{"([^"]+)".*$/, "\\1", 1);} } /^\t\{ NULL, NULL \}$/ {process=0;}' src/firejail/profile.c | sort -u | tr $'\n' '|' -syn match fjConditional /\v\?(BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NET|HAS_NODBUS|HAS_NOSOUND|HAS_X11) ?:/ nextgroup=fjCommand skipwhite contained +syn match fjConditional /\v\?(ALLOW_TRAY|BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NET|HAS_NODBUS|HAS_NOSOUND|HAS_X11) ?:/ nextgroup=fjCommand skipwhite contained " A line is either a command, a conditional or a comment syn match fjStatement /^/ nextgroup=fjCommand,fjCommandNoCond,fjConditional,fjComment diff --git a/etc/firejail.config b/etc/firejail.config index 2e355586b..5111bb769 100644 --- a/etc/firejail.config +++ b/etc/firejail.config @@ -2,6 +2,9 @@ # keyword-argument pairs, one per line. Most features are enabled by default. # Use 'yes' or 'no' as configuration values. +# Allow programs to display a tray icon +# allow-tray no + # Enable AppArmor functionality, default enabled. # apparmor yes 
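Review bot: The new `allow-tray` entry in etc/firejail.config states neither its default nor what enabling it relaxes, while the neighbouring entries say "default enabled". checkcfg() initialises CFG_ALLOW_TRAY to 0 in this same commit, so the comment could read `# Allow programs to display a tray icon, default disabled.` The setting is global, so it switches on every profile line guarded by `?ALLOW_TRAY:`. Which permissions those lines grant is not visible here (presumably D-Bus access for the tray protocol, to be confirmed against the profiles), and a second comment line naming them would help an administrator decide.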
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 06e6f0ccb..e5d837bbb 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -58,6 +58,7 @@ int checkcfg(int val) { cfg_val[CFG_XPRA_ATTACH] = 0; cfg_val[CFG_SECCOMP_ERROR_ACTION] = -1; cfg_val[CFG_BROWSER_ALLOW_DRM] = 0; + cfg_val[CFG_ALLOW_TRAY] = 0; // open configuration file const char *fname = SYSCONFDIR "/firejail.config"; @@ -122,6 +123,7 @@ int checkcfg(int val) { PARSE_YESNO(CFG_XPRA_ATTACH, "xpra-attach") PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f") PARSE_YESNO(CFG_BROWSER_ALLOW_DRM, "browser-allow-drm") + PARSE_YESNO(CFG_ALLOW_TRAY, "allow-tray") #undef PARSE_YESNO // netfilter diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 2a7d88575..46985d89e 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -801,6 +801,7 @@ enum { CFG_NAME_CHANGE, CFG_SECCOMP_ERROR_ACTION, // CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv + CFG_ALLOW_TRAY, CFG_MAX // this should always be the last entry }; extern char *xephyr_screen; diff --git a/src/firejail/profile.c b/src/firejail/profile.c index b7c7185a6..7c7c7a025 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -175,6 +175,10 @@ static int check_allow_drm(void) { return checkcfg(CFG_BROWSER_ALLOW_DRM) != 0; } +static int check_allow_tray(void) { + return checkcfg(CFG_ALLOW_TRAY) != 0; +} + Cond conditionals[] = { {"HAS_APPIMAGE", check_appimage}, {"HAS_NET", check_netoptions}, @@ -184,6 +188,7 @@ Cond conditionals[] = { {"HAS_X11", check_x11}, {"BROWSER_DISABLE_U2F", check_disable_u2f}, {"BROWSER_ALLOW_DRM", check_allow_drm}, + {"ALLOW_TRAY", check_allow_tray}, { NULL, NULL } }; diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 6280026e6..adb79234b 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt 
@@ -174,7 +174,7 @@ Example: "?HAS_APPIMAGE: allow ${HOME}/special/appimage/dir" This example will load the profile line only if the \-\-appimage option has been specified on the command line. -Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM +Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals ALLOW_TRAY, BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM can be enabled or disabled globally in Firejail's configuration file. The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines. -- cgit v1.2.3-54-g00ecf From d452e45a9196aa2f4d34706fcfb7907707a19ff9 Mon Sep 17 00:00:00 2001 
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Wed, 8 Sep 2021 23:21:07 +0200 Subject: Add profiles for build-systems (/package-managers) Profiles: bunler, cargo (refactor), cmake (untested), make, meson, pip All redirect to build-systems-common.profile Other fixes: - blacklist ${HOME}/.bundle - blacklist ${HOME}/.cargo/* -> blacklist ${HOME}/.cargo - blacklist /usr/lib64/ruby --- etc/inc/allow-common-devel.inc | 5 ++- etc/inc/allow-ruby.inc | 1 + etc/inc/disable-interpreters.inc | 1 + etc/inc/disable-programs.inc | 3 +- etc/profile-a-l/build-systems-common.profile | 65 ++++++++++++++++++++++++++++ etc/profile-a-l/bundle.profile | 24 ++++++++++ etc/profile-a-l/cargo.profile | 61 +++----------------------- etc/profile-a-l/cmake.profile | 15 +++++++ etc/profile-m-z/make.profile | 13 ++++++ etc/profile-m-z/meson.profile | 16 +++++++ etc/profile-m-z/pip.profile | 20 +++++++++ 11 files changed, 168 insertions(+), 56 deletions(-) create mode 100644 etc/profile-a-l/build-systems-common.profile create mode 100644 etc/profile-a-l/bundle.profile create mode 100644 etc/profile-a-l/cmake.profile create mode 100644 etc/profile-m-z/make.profile create mode 100644 etc/profile-m-z/meson.profile create mode 100644 etc/profile-m-z/pip.profile diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc index 011bbe226..4e460fc10 100644 --- a/etc/inc/allow-common-devel.inc +++ b/etc/inc/allow-common-devel.inc @@ -27,5 +27,8 @@ noblacklist ${HOME}/.python-history noblacklist ${HOME}/.python_history noblacklist ${HOME}/.pythonhist +# Ruby +noblacklist ${HOME}/.bundle + # Rust -noblacklist ${HOME}/.cargo/* +noblacklist ${HOME}/.cargo diff --git a/etc/inc/allow-ruby.inc b/etc/inc/allow-ruby.inc index a8c701219..00276cac7 100644 --- a/etc/inc/allow-ruby.inc +++ b/etc/inc/allow-ruby.inc @@ -4,3 +4,4 @@ include allow-ruby.local noblacklist ${PATH}/ruby noblacklist /usr/lib/ruby +noblacklist /usr/lib64/ruby 
diff --git a/etc/inc/disable-interpreters.inc b/etc/inc/disable-interpreters.inc index 5d8a236fb..804869e2a 100644 --- a/etc/inc/disable-interpreters.inc +++ b/etc/inc/disable-interpreters.inc @@ -48,6 +48,7 @@ blacklist /usr/share/php* # Ruby blacklist ${PATH}/ruby blacklist /usr/lib/ruby +blacklist /usr/lib64/ruby # Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus # Python 2 diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 444446156..694e62a5f 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc @@ -49,8 +49,9 @@ blacklist ${HOME}/.bibletime blacklist ${HOME}/.bitcoin blacklist ${HOME}/.blobby blacklist ${HOME}/.bogofilter +blacklist ${HOME}/.bundle blacklist ${HOME}/.bzf -blacklist ${HOME}/.cargo/* +blacklist ${HOME}/.cargo blacklist ${HOME}/.claws-mail blacklist ${HOME}/.cliqz blacklist ${HOME}/.clion* diff --git a/etc/profile-a-l/build-systems-common.profile b/etc/profile-a-l/build-systems-common.profile new file mode 100644 index 000000000..159593eb7 --- /dev/null +++ b/etc/profile-a-l/build-systems-common.profile 
@@ -0,0 +1,65 @@
+# Firejail profile for build-systems-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include build-systems-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+ignore noexec ${HOME}
+ignore noexec /tmp
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+# Allow ssh (blacklisted by disable-common.inc)
+#include allow-ssh.inc
+
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-X11.inc
+include disable-xdg.inc
+
+whitelist ${HOME}/Projects
+whitelist /usr/share/pkgconfig
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+# net none
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/bundle.profile b/etc/profile-a-l/bundle.profile
new file mode 100644
index 000000000..269bfd130
--- /dev/null
+++ b/etc/profile-a-l/bundle.profile
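Review bot: Network access is left on for every profile that redirects to build-systems-common.profile: `# net none` is commented out without explanation while `netfilter` and `protocol unix,inet,inet6` are active. cargo, pip and bundle download dependencies, but make.profile, cmake.profile and meson.profile in this commit redirect here too and often run purely local builds. I would add a comment line above it such as `# Builds that do not fetch dependencies can set 'net none' in their .local file`, so the least-privilege option is discoverable.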
@@ -0,0 +1,24 @@
+# Firejail profile for bundle
+# Description: Ruby Dependency Management
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include bundle.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.bundle
+
+# Allow ruby (blacklisted by disable-interpreters.inc)
+include allow-ruby.inc
+
+mkdir ${HOME}/.bundle
+whitelist ${HOME}/.bundle
+whitelist /usr/share/gems
+whitelist /usr/share/ruby
+whitelist /usr/share/rubygems
+
+private-bin bundle,bundler,ruby,ruby-mri
+
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-a-l/cargo.profile b/etc/profile-a-l/cargo.profile
index ff46cd429..af188e7f9 100644
--- a/etc/profile-a-l/cargo.profile
+++ b/etc/profile-a-l/cargo.profile
@@ -7,66 +7,19 @@ include cargo.local # Persistent global definitions include globals.local -ignore noexec ${HOME} -ignore noexec /tmp - -blacklist /tmp/.X11-unix -blacklist ${RUNUSER} +ignore read-only ${HOME}/.cargo/bin noblacklist ${HOME}/.cargo/credentials noblacklist ${HOME}/.cargo/credentials.toml -# Allows files commonly used by IDEs -include allow-common-devel.inc - -# Allow ssh (blacklisted by disable-common.inc) -#include allow-ssh.inc - -include disable-common.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-programs.inc -include disable-xdg.inc - -#mkdir ${HOME}/.cargo -#whitelist ${HOME}/YOUR_CARGO_PROJECTS -#whitelist ${HOME}/.cargo -#whitelist ${HOME}/.rustup -#include whitelist-common.inc -whitelist /usr/share/pkgconfig -include whitelist-runuser-common.inc -include whitelist-usr-share-common.inc -include whitelist-var-common.inc +mkdir ${HOME}/.cargo +whitelist ${HOME}/.cargo +whitelist ${HOME}/.rustup -caps.drop all -ipc-namespace -machine-id -netfilter -no3d -nodvd -nogroups -noinput -nonewprivs -noroot -nosound -notv -nou2f -novideo -protocol unix,inet,inet6 -seccomp -seccomp.block-secondary -shell none -tracelog - -disable-mnt #private-bin cargo,rustc -private-cache -private-dev private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,magic,magic.mgc,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl -private-tmp - -dbus-user none -dbus-system none memory-deny-write-execute -read-write ${HOME}/.cargo/bin + +# Redirect +include build-systems-common.profile diff --git a/etc/profile-a-l/cmake.profile b/etc/profile-a-l/cmake.profile new file mode 100644 index 000000000..1fb893f86 --- /dev/null +++ b/etc/profile-a-l/cmake.profile 
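Review bot: With `whitelist ${HOME}/.cargo` added next to the existing `noblacklist ${HOME}/.cargo/credentials` and `noblacklist ${HOME}/.cargo/credentials.toml`, the registry token is readable by everything cargo runs inside this sandbox, and the shared profile it redirects to keeps network access enabled. Nothing in cargo.profile says this exposure is intentional. A comment above the two noblacklist lines, for example `# Exposes the registry token to the sandbox; only needed for cargo login/publish`, would make the trade-off explicit for users who only build.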
@@ -0,0 +1,15 @@
+# Firejail profile for cargo
+# Description: The Rust package manager
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include cargo.local
+# Persistent global definitions
+include globals.local
+
+private-bin cmake
+
+memory-deny-write-execute
+
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-m-z/make.profile b/etc/profile-m-z/make.profile
new file mode 100644
index 000000000..7e9638fe4
--- /dev/null
+++ b/etc/profile-m-z/make.profile
@@ -0,0 +1,13 @@
+# Firejail profile for make
+# Description: GNU make utility to maintain groups of programs
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include make.local
+# Persistent global definitions
+include globals.local
+
+memory-deny-write-execute
+
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-m-z/meson.profile b/etc/profile-m-z/meson.profile
new file mode 100644
index 000000000..43109e771
--- /dev/null
+++ b/etc/profile-m-z/meson.profile
@@ -0,0 +1,16 @@
+# Firejail profile for meson
+# Description: A high productivity build system
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include meson.local
+# Persistent global definitions
+include globals.local
+
+# Allow python3 (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+private-bin meson,python3*
+
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-m-z/pip.profile b/etc/profile-m-z/pip.profile
new file mode 100644
index 000000000..54d95e335
--- /dev/null
+++ b/etc/profile-m-z/pip.profile
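Review bot: cmake.profile still carries the cargo header it was copied from: it says `# Firejail profile for cargo` / `# Description: The Rust package manager` and loads `include cargo.local`, so a user's cmake.local is never read and cargo.local overrides are applied to cmake instead. The lines should be `# Firejail profile for cmake` and `include cmake.local`, with a matching description. pip.profile, added later in this commit, has the same slip with `include meson.local`, which should be `include pip.local`. In both cases a hardening rule placed in the expected .local file is silently ignored.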
@@ -0,0 +1,20 @@ +# Firejail profile for pip +# Description: package manager for Python packages +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include meson.local +# Persistent global definitions +include globals.local + +ignore read-only ${HOME}/.local/lib + +# Allow python3 (blacklisted by disable-interpreters.inc) +include allow-python3.inc + +whitelist ${HOME}/.local/lib/python* + +private-bin pip,pip[0-9].[0-9],pip[0-9].[0-9],python3* + +# Redirect +include build-systems-common.profile -- cgit v1.2.3-54-g00ecf From 2712dd7274a59727b3118982044c7c9426099232 Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Sat, 11 Sep 2021 14:38:18 +0200 Subject: build-systems-common: Make whitelist opt-in --- etc/profile-a-l/build-systems-common.profile | 5 +++-- etc/profile-a-l/bundle.profile | 5 +++-- etc/profile-a-l/cargo.profile | 5 ++--- etc/profile-m-z/pip.profile | 2 +- 4 files changed, 9 insertions(+), 8 deletions(-) diff --git a/etc/profile-a-l/build-systems-common.profile b/etc/profile-a-l/build-systems-common.profile index 159593eb7..1b199d612 100644 --- a/etc/profile-a-l/build-systems-common.profile +++ b/etc/profile-a-l/build-systems-common.profile @@ -28,9 +28,10 @@ include disable-shell.inc include disable-X11.inc include disable-xdg.inc -whitelist ${HOME}/Projects +#whitelist ${HOME}/Projects +#include whitelist-common.inc + whitelist /usr/share/pkgconfig -include whitelist-common.inc include whitelist-run-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc diff --git a/etc/profile-a-l/bundle.profile b/etc/profile-a-l/bundle.profile index 269bfd130..a3a3e3cde 100644 --- a/etc/profile-a-l/bundle.profile +++ b/etc/profile-a-l/bundle.profile 
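Review bot: After the build-systems-common.profile hunk no home-directory whitelist is active, so the sandboxed build sees every path under ${HOME} that the included disable-*.inc files do not blacklist. The two commented lines `#whitelist ${HOME}/Projects` and `#include whitelist-common.inc` give no hint that the user is expected to enable them. I would put a comment above them, for example `# Recommended: whitelist your project directory in build-systems-common.local to hide the rest of ${HOME}`.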
@@ -12,8 +12,9 @@ noblacklist ${HOME}/.bundle # Allow ruby (blacklisted by disable-interpreters.inc) include allow-ruby.inc -mkdir ${HOME}/.bundle -whitelist ${HOME}/.bundle +#whitelist ${HOME}/.bundle +#whitelist ${HOME}/.gem +#whitelist ${HOME}/.local/share/gem whitelist /usr/share/gems whitelist /usr/share/ruby whitelist /usr/share/rubygems diff --git a/etc/profile-a-l/cargo.profile b/etc/profile-a-l/cargo.profile index af188e7f9..4c8afd895 100644 --- a/etc/profile-a-l/cargo.profile +++ b/etc/profile-a-l/cargo.profile @@ -12,9 +12,8 @@ ignore read-only ${HOME}/.cargo/bin noblacklist ${HOME}/.cargo/credentials noblacklist ${HOME}/.cargo/credentials.toml -mkdir ${HOME}/.cargo -whitelist ${HOME}/.cargo -whitelist ${HOME}/.rustup +#whitelist ${HOME}/.cargo +#whitelist ${HOME}/.rustup #private-bin cargo,rustc private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,magic,magic.mgc,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl diff --git a/etc/profile-m-z/pip.profile b/etc/profile-m-z/pip.profile index 54d95e335..1f551b718 100644 --- a/etc/profile-m-z/pip.profile +++ b/etc/profile-m-z/pip.profile @@ -12,7 +12,7 @@ ignore read-only ${HOME}/.local/lib # Allow python3 (blacklisted by disable-interpreters.inc) include allow-python3.inc -whitelist ${HOME}/.local/lib/python* +#whitelist ${HOME}/.local/lib/python* private-bin pip,pip[0-9].[0-9],pip[0-9].[0-9],python3* -- cgit v1.2.3-54-g00ecf From f0d23924c185f4692d34d591a146ab8ea1186dad Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Sat, 11 Sep 2021 19:45:26 +0200 Subject: Drop private-bin from build-systems --- etc/profile-a-l/bundle.profile | 2 -- etc/profile-a-l/cmake.profile | 2 -- etc/profile-m-z/meson.profile | 2 -- etc/profile-m-z/pip.profile | 2 -- 4 files changed, 8 deletions(-) 
diff --git a/etc/profile-a-l/bundle.profile b/etc/profile-a-l/bundle.profile index a3a3e3cde..bb82022b1 100644 --- a/etc/profile-a-l/bundle.profile +++ b/etc/profile-a-l/bundle.profile @@ -19,7 +19,5 @@ whitelist /usr/share/gems whitelist /usr/share/ruby whitelist /usr/share/rubygems -private-bin bundle,bundler,ruby,ruby-mri - # Redirect include build-systems-common.profile diff --git a/etc/profile-a-l/cmake.profile b/etc/profile-a-l/cmake.profile index 1fb893f86..26cc2a00a 100644 --- a/etc/profile-a-l/cmake.profile +++ b/etc/profile-a-l/cmake.profile @@ -7,8 +7,6 @@ include cargo.local # Persistent global definitions include globals.local -private-bin cmake - memory-deny-write-execute # Redirect diff --git a/etc/profile-m-z/meson.profile b/etc/profile-m-z/meson.profile index 43109e771..b4909a9d8 100644 --- a/etc/profile-m-z/meson.profile +++ b/etc/profile-m-z/meson.profile @@ -10,7 +10,5 @@ include globals.local # Allow python3 (blacklisted by disable-interpreters.inc) include allow-python3.inc -private-bin meson,python3* - # Redirect include build-systems-common.profile diff --git a/etc/profile-m-z/pip.profile b/etc/profile-m-z/pip.profile index 1f551b718..a0926371f 100644 --- a/etc/profile-m-z/pip.profile +++ b/etc/profile-m-z/pip.profile @@ -14,7 +14,5 @@ include allow-python3.inc #whitelist ${HOME}/.local/lib/python* -private-bin pip,pip[0-9].[0-9],pip[0-9].[0-9],python3* - # Redirect include build-systems-common.profile -- cgit v1.2.3-54-g00ecf From f9620708e0f512a3264309fd49979d19c13e5fc6 Mon Sep 17 00:00:00 2001 
From: "Kelvin M. Klann" Date: Fri, 17 Sep 2021 07:44:41 -0300 Subject: bug_report.md: use LC_ALL instead of LANG This overrides all `LC_*` variables (and LANG) rather than just LANG. From Section 8.2, Internationalization Variables of POSIX.1-2017[1]: > LANG > This variable shall determine the locale category for native > language, local customs, and coded character set in the absence of > the LC_ALL and other LC_* (LC_COLLATE, LC_CTYPE, LC_MESSAGES, > LC_MONETARY, LC_NUMERIC, LC_TIME) environment variables. This can > be used by applications to determine the language to use for error > messages and instructions, collating sequences, date formats, and > so on. > > LC_ALL > This variable shall determine the values for all locale > categories. The value of the LC_ALL environment variable has > precedence over any of the other environment variables starting > with LC_ (LC_COLLATE, LC_CTYPE, LC_MESSAGES, LC_MONETARY, > LC_NUMERIC, LC_TIME) and the LANG environment variable. [1] https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html --- .github/ISSUE_TEMPLATE/bug_report.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index 0f13afc51..dc5ebcee0 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -15,7 +15,7 @@ _Describe the bug_ _Steps to reproduce the behavior_ -1. Run in bash `LANG=C firejail PROGRAM` (`LANG=C` to get English messages that can be understood by everybody) +1. Run in bash `LC_ALL=C firejail PROGRAM` (`LC_ALL=C` to get a consistent output in English that can be understood by everybody) 2. Click on '....' 3. Scroll down to '....' 4. See error `ERROR` -- cgit v1.2.3-54-g00ecf From 2b2df6604773f6c5a424456f43bb8200c6d33ab2 Mon Sep 17 00:00:00 2001 
From: "Kelvin M. Klann" Date: Fri, 17 Sep 2021 07:46:01 -0300 Subject: bug_report.md: use LC_ALL where appropriate --- .github/ISSUE_TEMPLATE/bug_report.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index dc5ebcee0..dd7c4b220 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -30,7 +30,7 @@ _What actually happened_ ### Behavior without a profile -_What changed calling `firejail --noprofile /path/to/program` in a terminal?_ +_What changed calling `LC_ALL=C firejail --noprofile /path/to/program` in a terminal?_ ### Additional context @@ -55,7 +55,7 @@ _Any other detail that may help to understand/debug the problem_ ### Log
-Output of firejail /path/to/program +Output of LC_ALL=C firejail /path/to/program

``` @@ -66,7 +66,7 @@ output goes here

-Output of firejail --debug /path/to/program +Output of LC_ALL=C firejail --debug /path/to/program

``` -- cgit v1.2.3-54-g00ecf From b39ef34e0a9b17b736dacf1e6f7e6a1799a83c82 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Sat, 18 Sep 2021 06:14:51 -0300 Subject: bug_report.md: add checked item example It is not uncommon for people to use other characters to try to mark an item as checked (which usually screws up the html output), so be sure to include an example with "[x]". --- .github/ISSUE_TEMPLATE/bug_report.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index dd7c4b220..14d887e8b 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -44,6 +44,12 @@ _Any other detail that may help to understand/debug the problem_ ### Checklist + + - [ ] The issues is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it). - [ ] I can reproduce the issue without custom modifications (e.g. globals.local). - [ ] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`) -- cgit v1.2.3-54-g00ecf From 20727361b203f38bf9534a96e65957733bc6ebf1 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Mon, 20 Sep 2021 08:22:12 -0300 Subject: bug_report.md: link to markdown formatting help As suggested by @rusty-snake. --- .github/ISSUE_TEMPLATE/bug_report.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index 14d887e8b..eb485b8a2 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -7,6 +7,13 @@ assignees: '' --- + + ### Description _Describe the bug_ -- cgit v1.2.3-54-g00ecf From 5805c1c8fd440b69a96bd9e205c09a178a13e6ba Mon Sep 17 00:00:00 2001 
From: dm9pZCAq <46228973+dm9pZCAq@users.noreply.github.com> Date: Mon, 27 Sep 2021 21:52:56 +0300 Subject: fix compilation on musl (#4578) --- src/firejail/env.c | 1 + src/firejail/main.c | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/src/firejail/env.c b/src/firejail/env.c index ad16de037..4c0d729a1 100644 --- a/src/firejail/env.c +++ b/src/firejail/env.c @@ -22,6 +22,7 @@ #include #include #include +#include typedef struct env_t { struct env_t *next; diff --git a/src/firejail/main.c b/src/firejail/main.c index 81d148257..2db17f4af 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -32,7 +32,7 @@ #include #include #include -//#include +#include #include #include #include -- cgit v1.2.3-54-g00ecf From 2d6ea74d9586179e6dc250f14fc3b7321e03999e Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Mon, 27 Sep 2021 23:42:08 -0300 Subject: main.c: remove unnecessary limits.h include Relates to #4578. --- src/firejail/main.c | 1 - 1 file changed, 1 deletion(-) diff --git a/src/firejail/main.c b/src/firejail/main.c index 81d148257..a99249be9 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -32,7 +32,6 @@ #include #include #include -//#include #include #include #include -- cgit v1.2.3-54-g00ecf From ac78207f7c578cb1464bf7abcf9f605a675a7164 Mon Sep 17 00:00:00 2001 
From: "Kelvin M. Klann" Date: Mon, 27 Sep 2021 23:42:43 -0300 Subject: Remove unnecessary linux/limits.h include None of the files affected use any macros from linux/limits.h: $ git grep -Fl 'NGROUPS_MAX ARG_MAX LINK_MAX MAX_CANON MAX_INPUT NAME_MAX PATH_MAX PIPE_BUF XATTR_NAME_MAX XATTR_SIZE_MAX XATTR_LIST_MAX RTSIG_MAX' -- src src/firejail/cmdline.c src/firejail/firejail.h src/libtrace/libtrace.c src/libtracelog/libtracelog.c Environment: $ grep '^NAME' /etc/os-release NAME="Artix Linux" $ pacman -Qo /usr/include/linux/limits.h /usr/include/linux/limits.h is owned by linux-api-headers 5.12.3-1 Note: This include has been present on all of the affected files since their inception. For restrict_users.c, that's on commit 4f003daec ("prevent leaking user information by modifying /home directory, /etc/passwd and /etc/group") and for every other file, it's on commit 137985136 ("Baseline firejail 0.9.28"). Relates to #4578. --- src/firejail/fs.c | 1 - src/firejail/fs_dev.c | 1 - src/firejail/fs_home.c | 1 - src/firejail/fs_hostname.c | 1 - src/firejail/fs_trace.c | 1 - src/firejail/fs_var.c | 1 - src/firejail/restrict_users.c | 1 - 7 files changed, 7 deletions(-) diff --git a/src/firejail/fs.c b/src/firejail/fs.c index dd4c2139d..7e0a6e347 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -23,7 +23,6 @@ #include #include #include -#include #include #include #include diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index 8cc3ecc62..d8bb1aded 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c @@ -20,7 +20,6 @@ #include "firejail.h" #include #include -#include #include #include #include diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 0ed476063..45889b27f 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c @@ -19,7 +19,6 @@ */ #include "firejail.h" #include -#include #include #include #include diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c index 7d320e90b..f7ce8c18f 100644 
--- a/src/firejail/fs_hostname.c +++ b/src/firejail/fs_hostname.c @@ -20,7 +20,6 @@ #include "firejail.h" #include #include -#include #include #include #include diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c index 475a391ec..9463fbcd0 100644 --- a/src/firejail/fs_trace.c +++ b/src/firejail/fs_trace.c @@ -20,7 +20,6 @@ #include "firejail.h" #include #include -#include #include #include #include diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c index 20e262d80..5ba38d46c 100644 --- a/src/firejail/fs_var.c +++ b/src/firejail/fs_var.c @@ -20,7 +20,6 @@ #include "firejail.h" #include #include -#include #include #include #include diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index 6f17231a4..59077dada 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c @@ -21,7 +21,6 @@ #include "../include/firejail_user.h" #include #include -#include #include #include #include -- cgit v1.2.3-54-g00ecf From 579f856c56c41153a45ae3529224a01babf2aa6a Mon Sep 17 00:00:00 2001 
From: "Kelvin M. Klann" Date: Mon, 27 Sep 2021 23:51:36 -0300 Subject: firejail.h: add missing linux/limits.h include firejail.h uses PATH_MAX when defining a macro. Note that ARG_MAX and PATH_MAX are not guaranteed to be (and potentially should not be) defined. From POSIX.1-2017's limits.h(0p)[1]: > A definition of one of the symbolic constants in the following list > shall be omitted from the header on specific > implementations where the corresponding value is equal to or greater > than the stated minimum, but where the value can vary depending on the > file to which it is applied. The actual value supported for a > specific pathname shall be provided by the pathconf() function. Use linux/limits.h instead of limits.h because glibc's limits.h deliberately undefines ARG_MAX. See glibc commit f96853beaf ("* sysdeps/unix/sysv/linux/bits/local_lim.h: Undefined ARG_MAX if", 2008-03-27)[2]. From /usr/include/bits/local_lim.h (glibc 2.33-5 on Artix Linux): #ifndef ARG_MAX # define __undef_ARG_MAX #endif /* The kernel sources contain a file with all the needed information. */ #include /* [...] */ /* Have to remove ARG_MAX? */ #ifdef __undef_ARG_MAX # undef ARG_MAX # undef __undef_ARG_MAX #endif So if a file uses ARG_MAX (currently only cmdline.c) and limits.h (or a firejail.h that includes limits.h) is included before linux/limits.h, then the build will fail on glibc. Build log from using limits.h (instead of linux/limits.h) on firejail.h: $ make clean >/dev/null && make >/dev/null cmdline.c:145:12: error: use of undeclared identifier 'ARG_MAX'; did you mean 'CFG_MAX'? if (len > ARG_MAX) { ^~~~~~~ CFG_MAX ./firejail.h:805:2: note: 'CFG_MAX' declared here CFG_MAX // this should always be the last entry ^ [...] Fixes #4578. [1] https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/limits.h.html [2] https://sourceware.org/git/?p=glibc.git;a=commit;h=f96853beafc26d4f030961b0b67a79b5bfad5733 --- src/firejail/firejail.h | 1 + 1 file changed, 1 insertion(+) 
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 2a7d88575..f554a3204 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -22,6 +22,7 @@ #include "../include/common.h" #include "../include/euid_common.h" #include "../include/rundefs.h" +#include // Note: Plain limits.h may break ARG_MAX (see #4583) #include #include -- cgit v1.2.3-54-g00ecf From 23d723149d6096cd584fe2ced62aefd59a79496e Mon Sep 17 00:00:00 2001 From: Christian Pinedo Date: Thu, 24 Jun 2021 20:19:57 +0200 Subject: Comment to use UPnP with amule.profile In order UPnP to work netlink protocol must be enabled. --- etc/profile-a-l/amule.profile | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/profile-a-l/amule.profile b/etc/profile-a-l/amule.profile index e3c4164ee..f6e399e9f 100644 --- a/etc/profile-a-l/amule.profile +++ b/etc/profile-a-l/amule.profile @@ -33,6 +33,7 @@ nosound notv nou2f novideo +# Add netlink protocol to use UPnP protocol unix,inet,inet6 seccomp shell none -- cgit v1.2.3-54-g00ecf From 8e0172529de792e0bc1e3cf06eaac11e85a22195 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Mon, 4 Oct 2021 02:09:14 -0300 Subject: vscodium.profile: fix wrong program name in the comments Added on commit 4bb7dee49 ("small changes", 2019-02-07). --- etc/profile-m-z/vscodium.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/profile-m-z/vscodium.profile b/etc/profile-m-z/vscodium.profile index a4a4fb7d8..176d00822 100644 --- a/etc/profile-m-z/vscodium.profile +++ b/etc/profile-m-z/vscodium.profile @@ -1,4 +1,4 @@ -# Firejail profile alias for Visual Studio Code +# Firejail profile alias for VSCodium # This file is overwritten after every install/update # Persistent local customizations include vscodium.local -- cgit v1.2.3-54-g00ecf From 186b32cf2ea2aa1866c80b25d1c3ab7a16fff88e Mon Sep 17 00:00:00 2001 
From: "Kelvin M. Klann" Date: Mon, 4 Oct 2021 02:01:07 -0300 Subject: vscodium.profile: add missing paths It creates the following directories on startup: * ~/.config/VSCodium * ~/.vscode-oss Environment: $ grep '^NAME' /etc/os-release NAME="Artix Linux" $ pacman -Q vscodium-bin vscodium-bin 1.60.2-2 Note: The following entry is already on disable-programs.inc: noblacklist ${HOME}/.vscode-oss It was added on commit de90834a8 ("Update disable-programs.inc", 2019-03-02). Relates to #3871. --- etc/inc/disable-programs.inc | 1 + etc/profile-m-z/vscodium.profile | 2 ++ 2 files changed, 3 insertions(+) diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 511d8730e..e11df4e64 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc @@ -142,6 +142,7 @@ blacklist ${HOME}/.config/SubDownloader blacklist ${HOME}/.config/Thunar blacklist ${HOME}/.config/Twitch blacklist ${HOME}/.config/Unknown Organization +blacklist ${HOME}/.config/VSCodium blacklist ${HOME}/.config/VirtualBox blacklist ${HOME}/.config/Whalebird blacklist ${HOME}/.config/Wire diff --git a/etc/profile-m-z/vscodium.profile b/etc/profile-m-z/vscodium.profile index 176d00822..9c0a887b2 100644 --- a/etc/profile-m-z/vscodium.profile +++ b/etc/profile-m-z/vscodium.profile @@ -7,6 +7,8 @@ include vscodium.local #include globals.local noblacklist ${HOME}/.VSCodium +noblacklist ${HOME}/.config/VSCodium +noblacklist ${HOME}/.vscode-oss # Redirect include code.profile -- cgit v1.2.3-54-g00ecf From 94ab0ec71b3c550ff8ce0d6458d3257a3d3d1ed7 Mon Sep 17 00:00:00 2001 
From: "Kelvin M. Klann" Date: Mon, 4 Oct 2021 02:14:07 -0300 Subject: Add codium.profile as a redirect to vscodium.profile Both base names are valid: $ grep '^NAME' /etc/os-release NAME="Artix Linux" $ pacman -Q vscodium-bin vscodium-bin 1.60.2-2 $ pacman -Qlq vscodium-bin | grep -v -e '/$' -e /resources/ | grep /bin/ /usr/bin/codium /usr/bin/vscodium /usr/share/vscodium-bin/bin/codium Note: The first two paths are symlinks to the third one. Fixes #3871. --- etc/profile-a-l/codium.profile | 10 ++++++++++ src/firecfg/firecfg.config | 1 + 2 files changed, 11 insertions(+) create mode 100644 etc/profile-a-l/codium.profile diff --git a/etc/profile-a-l/codium.profile b/etc/profile-a-l/codium.profile new file mode 100644 index 000000000..9ff87ed8a --- /dev/null +++ b/etc/profile-a-l/codium.profile @@ -0,0 +1,10 @@ +# Firejail profile alias for VSCodium +# This file is overwritten after every install/update +# Persistent local customizations +include codium.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include vscodium.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index a544e25f2..aad22ec7a 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -151,6 +151,7 @@ clocks cmus code code-oss +codium cola colorful com.github.bleakgrey.tootle -- cgit v1.2.3-54-g00ecf From 84d5469a40bdc65aa5607d11a9060bb710bfd9b9 Mon Sep 17 00:00:00 2001 From: smitsohu Date: Tue, 5 Oct 2021 16:21:09 +0200 Subject: simplify recursive remounting --- src/firejail/firejail.h | 2 +- src/firejail/fs.c | 38 +++++++++++++++++--------------------- src/firejail/mountinfo.c | 40 ++++++++++++---------------------------- 3 files changed, 30 insertions(+), 50 deletions(-) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 2a7d88575..e1ba8f48a 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h 
@@ -563,7 +563,7 @@ typedef struct { // mountinfo.c MountData *get_last_mount(void); -int get_mount_id(const char *path); +int get_mount_id(int fd); char **build_mount_array(const int mount_id, const char *path); // fs_var.c diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 6d01b5e5d..3144156a3 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -633,34 +633,30 @@ out: } // remount recursively; requires a resolved path -static void fs_remount_rec(const char *dir, OPERATION op) { +static void fs_remount_rec(const char *path, OPERATION op) { EUID_ASSERT(); - assert(dir); + assert(op < OPERATION_MAX); + assert(path); - struct stat s; - if (stat(dir, &s) != 0) - return; - if (!S_ISDIR(s.st_mode)) { - // no need to search in /proc/self/mountinfo for submounts if not a directory - fs_remount_simple(dir, op); + // no need to search /proc/self/mountinfo for submounts if not a directory + int fd = open(path, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + if (fd < 0) { + fs_remount_simple(path, op); return; } - // get mount point of the directory - int mountid = get_mount_id(dir); - if (mountid == -1) - return; - if (mountid == -2) { - // falling back to a simple remount on old kernels - static int mount_warning = 0; - if (!mount_warning) { - fwarning("read-only, read-write and noexec options are not applied recursively\n"); - mount_warning = 1; - } - fs_remount_simple(dir, op); + + // get mount id of the directory + int mountid = get_mount_id(fd); + close(fd); + if (mountid < 0) { + // falling back to a simple remount + fwarning("%s %s not applied recursively\n", opstr[op], path); + fs_remount_simple(path, op); return; } + // build array with all mount points that need to get remounted - char **arr = build_mount_array(mountid, dir); + char **arr = build_mount_array(mountid, path); assert(arr); // remount char **tmp = arr; diff --git a/src/firejail/mountinfo.c b/src/firejail/mountinfo.c index 64a94bd84..f1eb9c924 100644 --- a/src/firejail/mountinfo.c 
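Review bot: In `fs_remount_rec` (src/firejail/fs.c) every failure of `open(path, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC)` is treated as "not a directory", so a directory that cannot be opened for some other reason is handed to `fs_remount_simple` without a warning and any submounts below it would keep their previous flags. The removed code returned when `stat` failed; whether `fs_remount_simple` copes with a missing path is not visible here. I would keep the quiet path for the expected case only, by adding `if (errno != ENOTDIR) fwarning("%s %s not applied recursively\n", opstr[op], path);` before the `fs_remount_simple(path, op)` call in the `fd < 0` branch. The function body continues past the end of the hunk.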
+++ b/src/firejail/mountinfo.c @@ -151,47 +151,31 @@ MountData *get_last_mount(void) { return &mdata; } -// Extract the mount id from /proc/self/fdinfo and return it. -int get_mount_id(const char *path) { - EUID_ASSERT(); - assert(path); - - int fd = open(path, O_PATH|O_CLOEXEC); - if (fd == -1) - return -1; +// Needs kernel 3.15 or better +int get_mount_id(int fd) { + int rv = -1; - char *fdinfo; - if (asprintf(&fdinfo, "/proc/self/fdinfo/%d", fd) == -1) + char *proc; + if (asprintf(&proc, "/proc/self/fdinfo/%d", fd) == -1) errExit("asprintf"); EUID_ROOT(); - FILE *fp = fopen(fdinfo, "re"); + FILE *fp = fopen(proc, "re"); EUID_USER(); - free(fdinfo); if (!fp) goto errexit; - // read the file char buf[MAX_BUF]; - if (fgets(buf, MAX_BUF, fp) == NULL) - goto errexit; - do { + while (fgets(buf, MAX_BUF, fp)) { if (strncmp(buf, "mnt_id:", 7) == 0) { - char *ptr = buf + 7; - while (*ptr != '\0' && (*ptr == ' ' || *ptr == '\t')) { - ptr++; - } - if (*ptr == '\0') + if (sscanf(buf + 7, "%d", &rv) != 1) goto errexit; - fclose(fp); - close(fd); - return atoi(ptr); + break; } - } while (fgets(buf, MAX_BUF, fp)); + } - // fallback, kernels older than 3.15 don't expose the mount id in this place + free(proc); fclose(fp); - close(fd); - return -2; + return rv; errexit: fprintf(stderr, "Error: cannot read proc file\n"); -- cgit v1.2.3-54-g00ecf From 2247f58f52802a9726fd6991d61ae1d3cdac07b6 Mon Sep 17 00:00:00 2001 From: smitsohu Date: Wed, 29 Sep 2021 17:44:53 +0200 Subject: trace, tracelog: don't truncate /etc/ld.so.preload --- src/firejail/firejail.h | 3 ++- src/firejail/fs_trace.c | 31 +++++++++++++++++++------------ src/firejail/sandbox.c | 11 +++++++---- 3 files changed, 28 insertions(+), 17 deletions(-) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 2a7d88575..bcc7e6ed1 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h 
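Review bot: `get_mount_id` in src/firejail/mountinfo.c still brackets `fopen` with `EUID_ROOT()` / `EUID_USER()`, but the `EUID_ASSERT()` that guarded entry is removed together with the path handling, so a caller that is already running with root euid would presumably come back with its euid switched to the user. I would keep `EUID_ASSERT();` as the first statement and add `assert(fd >= 0);` now that the descriptor is supplied by the caller. The comment could also state the return contract, for example `// Returns the mount id of fd, or -1 if fdinfo has no mnt_id line (kernels < 3.15)`. The `errexit:` path continues outside the hunk.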
@@ -621,7 +621,8 @@ void caps_print_filter(pid_t pid) __attribute__((noreturn)); void caps_drop_dac_override(void); // fs_trace.c -void fs_trace_preload(void); +void fs_trace_touch_preload(void); +void fs_trace_touch_or_store_preload(void); void fs_tracefile(void); void fs_trace(void); diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c index 475a391ec..718786cdc 100644 --- a/src/firejail/fs_trace.c +++ b/src/firejail/fs_trace.c @@ -26,19 +26,26 @@ #include #include -void fs_trace_preload(void) { +// create an empty /etc/ld.so.preload +void fs_trace_touch_preload(void) { + create_empty_file_as_root("/etc/ld.so.preload", S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); +} + +void fs_trace_touch_or_store_preload(void) { struct stat s; - // create an empty /etc/ld.so.preload - if (stat("/etc/ld.so.preload", &s)) { - if (arg_debug) - printf("Creating an empty /etc/ld.so.preload file\n"); - FILE *fp = fopen("/etc/ld.so.preload", "wxe"); - if (!fp) - errExit("fopen"); - SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); - fclose(fp); - fs_logger("touch /etc/ld.so.preload"); + if (stat("/etc/ld.so.preload", &s) != 0) { + fs_trace_touch_preload(); + return; + } + + if (s.st_size == 0) + return; + + // create a copy of /etc/ld.so.preload + if (copy_file("/etc/ld.so.preload", RUN_LDPRELOAD_FILE, 0, 0, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH)) { + fprintf(stderr, "Error: cannot copy /etc/ld.so.preload file\n"); + exit(1); } } @@ -83,7 +90,7 @@ void fs_trace(void) { if (arg_debug) printf("Create the new ld.so.preload file\n"); - FILE *fp = fopen(RUN_LDPRELOAD_FILE, "we"); + FILE *fp = fopen(RUN_LDPRELOAD_FILE, "ae"); if (!fp) errExit("fopen"); const char *prefix = RUN_FIREJAIL_LIB_DIR; diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 995827fb7..7a1ce737b 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c 
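Review bot: `fs_trace_touch_or_store_preload` (src/firejail/fs_trace.c) takes any failure of `stat("/etc/ld.so.preload", &s)` to mean the file is absent and goes on to `fs_trace_touch_preload()`, although only `ENOENT` means that. A guard such as `if (errno != ENOENT) errExit("stat");` at the top of that branch would make an unexpected error visible instead of continuing without the existing preload entries. The function also has no header comment; one sentence listing its three outcomes (create an empty file, leave an empty file alone, copy a non-empty file to RUN_LDPRELOAD_FILE) would help the next reader. The removed `fs_logger("touch /etc/ld.so.preload")` entry survives only if `create_empty_file_as_root` logs, which is not visible here.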
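Review bot: Opening RUN_LDPRELOAD_FILE with `"ae"` in `fs_trace` makes the result depend on what is already in that file: it has to be absent or the fresh copy made by `fs_trace_touch_or_store_preload`, and that copy has to end in a separator, otherwise the first appended entry would run into the last copied one. Neither condition is checked or stated at this call. I would add a comment such as `// append: the file may already hold the copied /etc/ld.so.preload entries` and, if the writes that follow do not already start with one, emit a newline before the first library path. The rest of `fs_trace` lies outside the hunk.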
@@ -798,7 +798,7 @@ int sandbox(void* sandbox_arg) { // trace pre-install if (need_preload) - fs_trace_preload(); + fs_trace_touch_or_store_preload(); // store hosts file if (cfg.hosts_file) @@ -814,8 +814,11 @@ int sandbox(void* sandbox_arg) { //**************************** // trace pre-install, this time inside chroot //**************************** - if (need_preload) - fs_trace_preload(); + if (need_preload) { + int rv = unlink(RUN_LDPRELOAD_FILE); + (void) rv; + fs_trace_touch_or_store_preload(); + } } else #endif @@ -992,7 +995,7 @@ int sandbox(void* sandbox_arg) { // create /etc/ld.so.preload file again if (need_preload) - fs_trace_preload(); + fs_trace_touch_preload(); // openSUSE configuration is split between /etc and /usr/etc // process private-etc a second time -- cgit v1.2.3-54-g00ecf From 5c39051c2b07d6f4854eca69c37f95066d9fb10f Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Tue, 5 Oct 2021 19:02:33 -0300 Subject: build_profile.c: fix typo of "begins" Added on commit 9af2c1472 ("Better debug handling."). --- src/fbuilder/build_profile.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c index 0b9a99739..c945d7253 100644 --- a/src/fbuilder/build_profile.c +++ b/src/fbuilder/build_profile.c @@ -92,7 +92,7 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { if (WIFEXITED(status) && WEXITSTATUS(status) == 0) { if (fp == stdout) - printf("--- Built profile beings after this line ---\n"); + printf("--- Built profile begins after this line ---\n"); fprintf(fp, "# Save this file as \"application.profile\" (change \"application\" with the\n"); fprintf(fp, "# program name) in ~/.config/firejail directory. Firejail will find it\n"); fprintf(fp, "# automatically every time you sandbox your application.\n#\n"); -- cgit v1.2.3-54-g00ecf From a78d014660d8a1daaea95f11da399c2e2305cc63 Mon Sep 17 00:00:00 2001 
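Review bot: In the chroot branch of `sandbox()` the result of `unlink(RUN_LDPRELOAD_FILE)` is discarded, so a failure other than "no such file" leaves the copy taken outside the chroot in place. If /etc/ld.so.preload inside the chroot is then missing or empty, `fs_trace_touch_or_store_preload` returns without touching RUN_LDPRELOAD_FILE, and the stale entries would be what `fs_trace` later appends to. I would fail closed here: `if (unlink(RUN_LDPRELOAD_FILE) == -1 && errno != ENOENT) errExit("unlink");`. The enclosing function starts and ends outside the hunk.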
From: smitsohu Date: Tue, 5 Oct 2021 18:11:50 +0200 Subject: mountinfo: get mount id from failed call to name_to_handle_at Enables recursive remounting on very old kernels, which has some relevance for SailfishOS community ports. --- src/firejail/mountinfo.c | 39 +++++++++++++++++++++++++++++++++++++-- 1 file changed, 37 insertions(+), 2 deletions(-) diff --git a/src/firejail/mountinfo.c b/src/firejail/mountinfo.c index f1eb9c924..304f80eee 100644 --- a/src/firejail/mountinfo.c +++ b/src/firejail/mountinfo.c @@ -19,6 +19,7 @@ */ #include "firejail.h" +#include #include #ifndef O_PATH @@ -151,8 +152,35 @@ MountData *get_last_mount(void) { return &mdata; } -// Needs kernel 3.15 or better -int get_mount_id(int fd) { +// Returns mount id, or -1 if fd refers to a procfs or sysfs file +static int get_mount_id_from_handle(int fd) { + EUID_ASSERT(); + + char *proc; + if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) + errExit("asprintf"); + struct file_handle *fh = malloc(sizeof *fh); + if (!fh) + errExit("malloc"); + fh->handle_bytes = 0; + + int rv = -1; + int tmp; + if (name_to_handle_at(-1, proc, fh, &tmp, AT_SYMLINK_FOLLOW) != -1) { + fprintf(stderr, "Error: unexpected result from name_to_handle_at\n"); + exit(1); + } + if (errno == EOVERFLOW && fh->handle_bytes) + rv = tmp; + + free(proc); + free(fh); + return rv; +} + +// Returns mount id, or -1 on kernels < 3.15 +static int get_mount_id_from_fdinfo(int fd) { + EUID_ASSERT(); int rv = -1; char *proc; @@ -182,6 +210,13 @@ errexit: exit(1); } +int get_mount_id(int fd) { + int rv = get_mount_id_from_fdinfo(fd); + if (rv < 0) + rv = get_mount_id_from_handle(fd); + return rv; +} + // Check /proc/self/mountinfo if path contains any mounts points. // Returns an array that can be iterated over for recursive remounting. char **build_mount_array(const int mount_id, const char *path) { -- cgit v1.2.3-54-g00ecf From a7e4b9b9b20bc62985e03435e2eee41dd62e0318 Mon Sep 17 00:00:00 2001 
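Review bot: The header comment of `get_mount_id_from_handle` documents -1 only for procfs and sysfs files, while the code returns -1 for any `errno` other than `EOVERFLOW`, so every other failure of `name_to_handle_at` is folded into the same result without a trace. I would widen the comment, e.g. `// Returns mount id, or -1 if the kernel did not report one (procfs/sysfs file, or name_to_handle_at failed for another reason)`, and add a line saying that the call is expected to fail because `handle_bytes` is set to 0. Passing `AT_FDCWD` instead of the literal `-1` as the first argument would read more clearly; the path is absolute, so behaviour should not change.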
From: "Kelvin M. Klann" Date: Tue, 5 Oct 2021 17:54:03 -0300 Subject: Revert "allow/deny fbuilder" This reverts commit 4438f14f2892b5c88d158ae8fad0a80a2eebfd44. Also, partially revert related commit e4307b409 ("fix whitelist/allow in make test-utils") to keep the tests working. The profiles are being generated using aliases, which are not used on the profiles in the repository. So generate them using the normal commands for consistency. See also commit dd13595b8 ("Revert "allow/deny help and man pages"") / PR #4502. Relates to #4410. Misc: I noticed this on issue #4592. --- src/fbuilder/build_fs.c | 8 ++++---- src/fbuilder/build_home.c | 4 ++-- test/utils/build.exp | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c index 019c3ac5a..8700e0ba1 100644 --- a/src/fbuilder/build_fs.c +++ b/src/fbuilder/build_fs.c @@ -182,12 +182,12 @@ static void var_callback(char *ptr) { void build_var(const char *fname, FILE *fp) { assert(fname); - var_skip = filedb_load_whitelist(var_skip, "whitelist-var-common.inc", "allow /var/"); + var_skip = filedb_load_whitelist(var_skip, "whitelist-var-common.inc", "whitelist /var/"); process_files(fname, "/var", var_callback); // always whitelist /var if (var_out) - filedb_print(var_out, "allow /var/", fp); + filedb_print(var_out, "whitelist /var/", fp); fprintf(fp, "include whitelist-var-common.inc\n"); } 
@@ -222,12 +222,12 @@ static void share_callback(char *ptr) { void build_share(const char *fname, FILE *fp) { assert(fname); - share_skip = filedb_load_whitelist(share_skip, "whitelist-usr-share-common.inc", "allow /usr/share/"); + share_skip = filedb_load_whitelist(share_skip, "whitelist-usr-share-common.inc", "whitelist /usr/share/"); process_files(fname, "/usr/share", share_callback); // always whitelist /usr/share if (share_out) - filedb_print(share_out, "allow /usr/share/", fp); + filedb_print(share_out, "whitelist /usr/share/", fp); fprintf(fp, "include whitelist-usr-share-common.inc\n"); } diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c index c85474779..0fe0ffef6 100644 --- a/src/fbuilder/build_home.c +++ b/src/fbuilder/build_home.c @@ -140,7 +140,7 @@ void build_home(const char *fname, FILE *fp) { assert(fname); // load whitelist common - db_skip = filedb_load_whitelist(db_skip, "whitelist-common.inc", "allow ${HOME}/"); + db_skip = filedb_load_whitelist(db_skip, "whitelist-common.inc", "whitelist ${HOME}/"); // find user home directory struct passwd *pw = getpwuid(getuid()); @@ -168,7 +168,7 @@ void build_home(const char *fname, FILE *fp) { // print the out list if any if (db_out) { - filedb_print(db_out, "allow ${HOME}/", fp); + filedb_print(db_out, "whitelist ${HOME}/", fp); fprintf(fp, "include whitelist-common.inc\n"); } else diff --git a/test/utils/build.exp b/test/utils/build.exp index 104ac037c..b9733c137 100755 --- a/test/utils/build.exp +++ b/test/utils/build.exp @@ -13,7 +13,7 @@ after 100 send -- "firejail --build cat ~/_firejail-test-file\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "allow $\{HOME\}/_firejail-test-file" + "whitelist $\{HOME\}/_firejail-test-file" } expect { timeout {puts "TESTING ERROR 1\n";exit} -- cgit v1.2.3-54-g00ecf From a68fc0a040da498b3c01b6b9a281024c2dafe193 Mon Sep 17 00:00:00 2001 
From: smitsohu Date: Fri, 8 Oct 2021 00:48:14 +0200 Subject: profile parsing fixes results from a systematic search for strncmp calls with a suspicious (non-fitting) integer literal as third argument --- src/firejail/profile.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 059100fcb..2daa968f7 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -630,7 +630,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { #endif return 0; } - else if (strncmp(ptr, "netns ", 6) == 0) { + else if (strncmp(ptr, "netns ", 6) == 0) { #ifdef HAVE_NETWORK if (checkcfg(CFG_NETWORK)) { arg_netns = ptr + 6; @@ -981,10 +981,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { warning_feature_disabled("seccomp"); return 0; } - if (strncmp(ptr, "seccomp.32.drop ", 13) == 0) { + if (strncmp(ptr, "seccomp.32.drop ", 16) == 0) { if (checkcfg(CFG_SECCOMP)) { arg_seccomp32 = 1; - cfg.seccomp_list_drop32 = seccomp_check_list(ptr + 13); + cfg.seccomp_list_drop32 = seccomp_check_list(ptr + 16); } else warning_feature_disabled("seccomp"); @@ -1001,10 +1001,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { warning_feature_disabled("seccomp"); return 0; } - if (strncmp(ptr, "seccomp.32.keep ", 13) == 0) { + if (strncmp(ptr, "seccomp.32.keep ", 16) == 0) { if (checkcfg(CFG_SECCOMP)) { arg_seccomp32 = 1; - cfg.seccomp_list_keep32 = seccomp_check_list(ptr + 13); + cfg.seccomp_list_keep32 = seccomp_check_list(ptr + 16); } else warning_feature_disabled("seccomp"); -- cgit v1.2.3-54-g00ecf From 29af7daf50fd02a730e318e7d773ccacc9ec7238 Mon Sep 17 00:00:00 2001 From: smitsohu Date: Fri, 8 Oct 2021 00:57:22 +0200 Subject: update relnotes --- RELNOTES | 1 + 1 file changed, 1 insertion(+) diff --git a/RELNOTES b/RELNOTES index f52ce09f1..b50fcd559 100644 --- a/RELNOTES +++ b/RELNOTES 
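Review bot: The corrected `strncmp(ptr, "seccomp.32.drop ", 16)` and `ptr + 16` in src/firejail/profile.c still rely on a hand-counted length that has to agree with the literal in two places, which is the pattern that produced the mismatch being fixed. Deriving the length from the literal keeps them in step, e.g. `static const char key[] = "seccomp.32.drop ";` followed by `strncmp(ptr, key, sizeof(key) - 1)` and `seccomp_check_list(ptr + sizeof(key) - 1)`. The same applies to the `seccomp.32.keep ` branch in the following hunk. `profile_check_line` starts and ends outside these hunks.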
@@ -1,5 +1,6 @@ firejail (0.9.67) baseline; urgency=low * work in progress + * exit code: distinguish fatal signals by adding 128 * deprecated --disable-whitelist at compile time * deprecated whitelist=yes/no in /etc/firejail/firejail.config * remove (some) environment variables with auth-tokens -- cgit v1.2.3-54-g00ecf From 3558c830baf37784f9e88b41b7cc49e840bd7952 Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Sat, 9 Oct 2021 14:59:20 +0200 Subject: Update README.md RELNOTES --- README.md | 3 ++- RELNOTES | 4 +++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 0623d9463..40c6e9d98 100644 --- a/README.md +++ b/README.md @@ -267,4 +267,5 @@ $ ./profstats *.profile ### New profiles: -clion-eap, lifeograph, io.github.lainsce.Notejot, rednotebook, zim, microsoft-edge-beta, ncdu2, gallery-dl, yt-dlp +clion-eap, lifeograph, io.github.lainsce.Notejot, rednotebook, zim, microsoft-edge-beta, ncdu2, gallery-dl, yt-dlp, goldendict, bundle, +cmake, make, meson, pip, codium diff --git a/RELNOTES b/RELNOTES index b50fcd559..3f92c89c7 100644 --- a/RELNOTES +++ b/RELNOTES @@ -3,12 +3,14 @@ firejail (0.9.67) baseline; urgency=low * exit code: distinguish fatal signals by adding 128 * deprecated --disable-whitelist at compile time * deprecated whitelist=yes/no in /etc/firejail/firejail.config + * new condition: ALLOW_TRAY * remove (some) environment variables with auth-tokens * new includes: whitelist-run-common.inc, disable-X11.inc * removed includes: disable-passwordmgr.inc * new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim * new profiles: io.github.lainsce.Notejot, rednotebook, gallery-dl - * new profiles: yt-dlp + * new profiles: yt-dlp, goldendict, goldendict, bundle, cmake + * new profiles: make, meson, pip, codium -- netblue30 Thu, 29 Jul 2021 09:00:00 -0500 firejail (0.9.66) baseline; urgency=low -- cgit v1.2.3-54-g00ecf