From 5e479df5a9cdd46883ede64fd7ac5d4d710b20e5 Mon Sep 17 00:00:00 2001 From: Eduard Tolosa Date: Mon, 29 Jul 2019 22:16:35 -0500 Subject: Fix issue when opening a file from file manager I can confirm https://github.com/netblue30/firejail/pull/2837#issuecomment-511334363 when opening a file from `pcmanfm`, it doesn't open if qpdfview contains `nodbus` --- etc/qpdfview.profile | 1 - 1 file changed, 1 deletion(-) diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile index abbd76aff..7f2af83ed 100644 --- a/etc/qpdfview.profile +++ b/etc/qpdfview.profile @@ -22,7 +22,6 @@ include whitelist-var-common.inc caps.drop all machine-id -nodbus nodvd nogroups nonewprivs -- cgit v1.2.3-54-g00ecf From 511cad9ed24a544f607193d74bfef8a449fe3a0b Mon Sep 17 00:00:00 2001 From: rusty-snake Date: Sun, 25 Aug 2019 19:12:00 +0200 Subject: Use new seccomp syntax from #2926 --- etc/akregator.profile | 2 +- etc/bibletime.profile | 2 +- etc/falkon.profile | 2 +- etc/firefox-common.profile | 2 +- etc/kiwix-desktop.profile | 2 +- etc/qutebrowser.profile | 2 +- etc/skypeforlinux.profile | 2 +- etc/start-tor-browser.profile | 2 +- etc/teamspeak3.profile | 2 +- etc/torbrowser-launcher.profile | 2 +- 10 files changed, 10 insertions(+), 10 deletions(-) diff --git a/etc/akregator.profile b/etc/akregator.profile index 466eff22d..34933f283 100644 --- a/etc/akregator.profile +++ b/etc/akregator.profile @@ -36,7 +36,7 @@ nou2f novideo protocol unix,inet,inet6,netlink # chroot syscalls are needed for setting up the built-in sandbox -seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice +seccomp !chroot shell none disable-mnt 
diff --git a/etc/bibletime.profile b/etc/bibletime.profile index 4f1b05c88..0de3bc480 100644 --- a/etc/bibletime.profile +++ b/etc/bibletime.profile @@ -42,7 +42,7 @@ notv nou2f novideo protocol unix,inet,inet6,netlink -seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice +seccomp !chroot shell none disable-mnt diff --git a/etc/falkon.profile b/etc/falkon.profile index ddcda6228..0024b6660 100644 --- a/etc/falkon.profile +++ b/etc/falkon.profile @@ -34,7 +34,7 @@ notv nou2f protocol unix,inet,inet6,netlink # blacklisting of chroot system calls breaks falkon -seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice +seccomp !chroot # tracelog private-dev diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile index 6ad4a9bc2..02d6199a0 100644 --- a/etc/firefox-common.profile +++ b/etc/firefox-common.profile 
@@ -46,7 +46,7 @@ notv ?BROWSER_DISABLE_U2F: nou2f protocol unix,inet,inet6,netlink # The below seccomp configuration still permits chroot syscall. See https://github.com/netblue30/firejail/issues/2506 for possible workarounds. -seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice +seccomp !chroot shell none # Disable tracelog, it breaks or causes major issues with many firefox based browsers, see https://github.com/netblue30/firejail/issues/1930. #tracelog diff --git a/etc/kiwix-desktop.profile b/etc/kiwix-desktop.profile index db8f7880c..8b7b12882 100644 --- a/etc/kiwix-desktop.profile +++ b/etc/kiwix-desktop.profile @@ -39,7 +39,7 @@ notv nou2f novideo protocol unix,inet,inet6,netlink -seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice +seccomp !chroot shell none disable-mnt diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile index a7ba18292..95c189458 100644 --- a/etc/qutebrowser.profile +++ b/etc/qutebrowser.profile 
@@ -36,5 +36,5 @@ noroot notv protocol unix,inet,inet6,netlink # blacklisting of chroot system calls breaks qt webengine -seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice +seccomp !chroot # tracelog diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile index 8a45f2465..fe9ededa4 100644 --- a/etc/skypeforlinux.profile +++ b/etc/skypeforlinux.profile @@ -25,7 +25,7 @@ nonewprivs noroot notv protocol unix,inet,inet6,netlink -seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice +seccomp !chroot shell none disable-mnt diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile index 1c2a2cd10..a8b5d109e 100644 --- a/etc/start-tor-browser.profile +++ b/etc/start-tor-browser.profile @@ -28,7 +28,7 @@ notv nou2f novideo protocol unix,inet,inet6 -seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice +seccomp !chroot shell none # tracelog may cause issues, see github issue #1930 #tracelog 
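Review bot: For skypeforlinux, `seccomp !chroot` blocks more than the removed `seccomp.drop` line did: the old list omitted personality, process_vm_readv and ptrace, whereas a bare `seccomp` applies @default-nodebuggers unless `allow-debuggers` is present (see the seccomp command summary in etc/templates/syscalls.txt later on this page). The same holds for teamspeak3 in the next hunk and for qgis and standardnotes-desktop in the following commit, and those two additionally lose their explicit mincore entry, which the reconstructed @default keeps commented out. Tightening to the debugger-free set is a gain if these programs tolerate it, but the commit title presents the change as syntax only, so either a `# now also blocks ptrace; add allow-debuggers if the app breaks` comment or a quick launch test per profile would confirm the behaviour change is intended.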
diff --git a/etc/teamspeak3.profile b/etc/teamspeak3.profile index b34d15731..c1c666f58 100644 --- a/etc/teamspeak3.profile +++ b/etc/teamspeak3.profile @@ -33,7 +33,7 @@ notv nou2f novideo protocol unix,inet,inet6,netlink -seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice +seccomp !chroot shell none disable-mnt diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile index 8485c0c4c..1183cd2f7 100644 --- a/etc/torbrowser-launcher.profile +++ b/etc/torbrowser-launcher.profile @@ -42,7 +42,7 @@ notv nou2f novideo protocol unix,inet,inet6 -seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice +seccomp !chroot shell none # tracelog may cause issues, see github issue #1930 #tracelog -- cgit v1.2.3-54-g00ecf From 569149a46e88924fa11b107d905cdc6b889934c3 Mon Sep 17 00:00:00 2001 From: rusty-snake Date: Mon, 26 Aug 2019 09:59:10 +0200 Subject: Use new seccomp syntax from #2926 in more profiles --- etc/akonadi_control.profile | 2 +- etc/baloo_file.profile | 2 +- etc/brackets.profile | 2 +- etc/clementine.profile | 2 +- etc/kmail.profile | 2 +- etc/mpd.profile | 2 +- etc/qgis.profile | 2 +- etc/simple-scan.profile | 2 +- etc/skanlite.profile | 2 +- etc/standardnotes-desktop.profile | 2 +- 10 files changed, 10 insertions(+), 10 deletions(-) 
diff --git a/etc/akonadi_control.profile b/etc/akonadi_control.profile index 904c784c6..ffc613f1e 100644 --- a/etc/akonadi_control.profile +++ b/etc/akonadi_control.profile @@ -47,7 +47,7 @@ notv nou2f novideo # protocol unix,inet,inet6,netlink -# seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice +# seccomp !io_getevents,!io_setup,!io_submit,!ioprio_set tracelog private-dev diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile index f46987cc7..6f7638fa3 100644 --- a/etc/baloo_file.profile +++ b/etc/baloo_file.profile @@ -39,7 +39,7 @@ nou2f novideo protocol unix # blacklisting of ioprio_set system calls breaks baloo_file -seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice +seccomp !ioprio_set shell none # x11 xorg diff --git a/etc/brackets.profile b/etc/brackets.profile index b7d560bbc..13a3bef79 100644 --- a/etc/brackets.profile +++ b/etc/brackets.profile @@ -27,7 +27,7 @@ notv nou2f novideo protocol unix,inet,inet6,netlink -seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice +seccomp !chroot,!ioperm shell none private-cache 
diff --git a/etc/clementine.profile b/etc/clementine.profile index 147b0de4b..4d92157d0 100644 --- a/etc/clementine.profile +++ b/etc/clementine.profile @@ -27,7 +27,7 @@ nou2f novideo protocol unix,inet,inet6 # blacklisting of ioprio_set system calls breaks clementine -seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice +seccomp !ioprio_set private-dev private-tmp diff --git a/etc/kmail.profile b/etc/kmail.profile index 0b602c79a..e174cf2bf 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile @@ -51,7 +51,7 @@ nou2f novideo protocol unix,inet,inet6,netlink # we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls -seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice +seccomp !chroot,!io_getevents,!io_submit,!io_submit,!ioprio_set # tracelog private-dev diff --git a/etc/mpd.profile b/etc/mpd.profile index 0b5ebf705..6c5963793 100644 --- a/etc/mpd.profile +++ b/etc/mpd.profile 
@@ -31,7 +31,7 @@ novideo protocol unix,inet,inet6 # blacklisting of ioprio_set system calls breaks auto-updating of # MPD's database when files in music_directory are changed -seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice +seccomp !ioprio_set shell none #private-bin bash,mpd diff --git a/etc/qgis.profile b/etc/qgis.profile index 80a10efce..88ed0cd81 100644 --- a/etc/qgis.profile +++ b/etc/qgis.profile @@ -45,7 +45,7 @@ notv nou2f novideo # blacklisting of mbind system calls breaks old version -seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,migrate_pages,mincore,move_pages,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,set_mempolicy,syslog,umount,userfaultfd,vmsplice +seccomp !mbind protocol unix,inet,inet6,netlink shell none tracelog diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile index 64441483d..a0c9e8303 100644 --- a/etc/simple-scan.profile +++ b/etc/simple-scan.profile @@ -27,7 +27,7 @@ notv # novideo protocol unix,inet,inet6,netlink # blacklisting of ioperm system calls breaks simple-scan -seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice +seccomp !ioperm shell none tracelog 
diff --git a/etc/skanlite.profile b/etc/skanlite.profile index c10be717b..6f9bfd201 100644 --- a/etc/skanlite.profile +++ b/etc/skanlite.profile @@ -27,7 +27,7 @@ notv # novideo protocol unix,inet,inet6,netlink # blacklisting of ioperm system calls breaks skanlite -seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice +seccomp !ioperm shell none # private-bin kbuildsycoca4,kdeinit4,skanlite diff --git a/etc/standardnotes-desktop.profile b/etc/standardnotes-desktop.profile index 5703f932a..aa6902854 100644 --- a/etc/standardnotes-desktop.profile +++ b/etc/standardnotes-desktop.profile @@ -34,7 +34,7 @@ nosound notv nou2f protocol unix,inet,inet6,netlink -seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mincore,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice +seccomp !chroot disable-mnt private-dev -- cgit v1.2.3-54-g00ecf From 3d8f587cd8e2604df928be21c4dd201bd0b818fc Mon Sep 17 00:00:00 2001 
From: rusty-snake Date: Mon, 26 Aug 2019 10:29:45 +0200 Subject: Use new seccomp syntax (#2926) in more profiles Rules for redirecting profiles: - add exceptions: just add 'seccomp !SYSCALL' - remove exception: ``` seccomp ignore seccomp ``` --- etc/basilisk.profile | 2 +- etc/palemoon.profile | 2 +- etc/riot-desktop.profile | 3 +-- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/etc/basilisk.profile b/etc/basilisk.profile index 5bc91dc74..8dc3847a0 100644 --- a/etc/basilisk.profile +++ b/etc/basilisk.profile @@ -14,8 +14,8 @@ whitelist ${HOME}/.cache/moonchild productions/basilisk whitelist ${HOME}/.moonchild productions # Basilisk can use the full firejail seccomp filter (unlike firefox >= 60) -ignore seccomp.drop seccomp +ignore seccomp #private-bin basilisk # private-etc must first be enabled in firefox-common.profile diff --git a/etc/palemoon.profile b/etc/palemoon.profile index 11464e6cf..acb2ce176 100644 --- a/etc/palemoon.profile +++ b/etc/palemoon.profile @@ -14,8 +14,8 @@ whitelist ${HOME}/.cache/moonchild productions/pale moon whitelist ${HOME}/.moonchild productions # Palemoon can use the full firejail seccomp filter (unlike firefox >= 60) -ignore seccomp.drop seccomp +ignore seccomp #private-bin palemoon # private-etc must first be enabled in firefox-common.profile diff --git a/etc/riot-desktop.profile b/etc/riot-desktop.profile index e6af4c2cb..4372fabe1 100644 --- a/etc/riot-desktop.profile +++ b/etc/riot-desktop.profile 
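Review bot: The order `seccomp` then `ignore seccomp` in basilisk.profile is load-bearing and the surrounding comment does not say so: if, as the 'remove exception' rule in the commit message implies, `ignore` only suppresses lines processed after it, the local full filter is applied first and the `seccomp !chroot` pulled in from the redirected firefox-common.profile is dropped, whereas reversing the two lines would risk discarding the local filter as well. Consider extending the existing comment to `# Basilisk can use the full firejail seccomp filter (unlike firefox >= 60); keep 'seccomp' before 'ignore seccomp'`. The palemoon hunk below has the same shape.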
@@ -7,8 +7,7 @@ include riot-desktop.local # added by included profile #include globals.local -ignore seccomp -seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mincore,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice +seccomp !chroot # Redirect include riot-web.profile -- cgit v1.2.3-54-g00ecf From f1a2a8f084c26240468922c7fa3d10168bc5313c Mon Sep 17 00:00:00 2001 From: rusty-snake Date: Mon, 26 Aug 2019 20:32:47 +0200 Subject: fix #2669 --- etc/Viber.profile | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/etc/Viber.profile b/etc/Viber.profile index ecc500769..925e130de 100644 --- a/etc/Viber.profile +++ b/etc/Viber.profile @@ -28,12 +28,10 @@ nonewprivs noroot notv protocol unix,inet,inet6 -seccomp +seccomp !chroot shell none disable-mnt private-bin awk,bash,dig,sh,Viber private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11 private-tmp - -env QTWEBENGINE_DISABLE_SANDBOX=1 -- cgit v1.2.3-54-g00ecf From 0c98761dec22e39ec11ca4f12231fd71fc1b31db Mon Sep 17 00:00:00 2001 From: rusty-snake Date: Fri, 30 Aug 2019 20:57:18 +0200 Subject: fixup! Use new seccomp syntax from #2926 in more profiles --- etc/kmail.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/kmail.profile b/etc/kmail.profile index e174cf2bf..198b05a11 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile 
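Review bot: The new `seccomp !chroot` in Viber.profile carries no comment recording why chroot is excepted, unlike the falkon and qutebrowser hunks earlier on this page which state that blocking chroot breaks Qt WebEngine. The removed `env QTWEBENGINE_DISABLE_SANDBOX=1` line shows the trade being made: the engine's own sandbox is switched back on in exchange for allowing the chroot syscall, and a reader of the profile alone cannot see that. Suggest `# chroot is needed by the Qt WebEngine sandbox, see #2669` above the seccomp line.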
@@ -51,7 +51,7 @@ nou2f novideo protocol unix,inet,inet6,netlink # we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls -seccomp !chroot,!io_getevents,!io_submit,!io_submit,!ioprio_set +seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set # tracelog private-dev -- cgit v1.2.3-54-g00ecf From 3adae2e04bfc86c689db1c07055c7c2767674dfa Mon Sep 17 00:00:00 2001 From: Topi Miettinen Date: Tue, 3 Sep 2019 12:02:38 +0300 Subject: Revert changes in #2928 to seccomp group @default Reconstruct @default by not relying on the changed system call groups @privileged and @resources. --- src/fseccomp/syscall.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 47 insertions(+), 2 deletions(-) diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c index 5d83786bb..1683d3140 100644 --- a/src/fseccomp/syscall.c +++ b/src/fseccomp/syscall.c @@ -201,11 +201,14 @@ static const SyscallGroupList sysgroups[] = { #endif }, { .name = "@default", .list = + "@clock," "@cpu-emulation," "@debug," + "@module," "@obsolete," - "@privileged," - "@resources," + "@raw-io," + "@reboot," + "@swap," #ifdef SYS_open_by_handle_at "open_by_handle_at," #endif @@ -233,6 +236,15 @@ static const SyscallGroupList sysgroups[] = { #ifdef SYS_request_key "request_key," #endif +#ifdef SYS_mbind + "mbind," +#endif +#ifdef SYS_migrate_pages + "migrate_pages," +#endif +#ifdef SYS_move_pages + "move_pages," +#endif #ifdef SYS_keyctl "keyctl," #endif @@ -254,6 +266,9 @@ static const SyscallGroupList sysgroups[] = { #ifdef SYS_remap_file_pages "remap_file_pages," #endif +#ifdef SYS_set_mempolicy + "set_mempolicy" +#endif #ifdef SYS_vmsplice "vmsplice," #endif 
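Review bot: The added `"set_mempolicy"` entry in the @default list lacks the trailing comma every neighbouring entry carries, so adjacent-string concatenation fuses it with the following `"vmsplice,"` into the single token `set_mempolicyvmsplice`; that name matches no syscall, so neither set_mempolicy nor vmsplice ends up in the group (the regenerated `@default=` line in etc/templates/syscalls.txt later on this page shows exactly this fused name). The fix is `"set_mempolicy,"`. How fseccomp treats an unknown name inside a group list is not visible here, so whether this fails loudly or silently drops both syscalls from the default filter should be checked. The sysgroups[] initializer begins before this hunk.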
@@ -263,6 +278,36 @@ static const SyscallGroupList sysgroups[] = { #ifdef SYS_userfaultfd "userfaultfd," #endif +#ifdef SYS_acct + "acct," +#endif +#ifdef SYS_bpf + "bpf," +#endif +#ifdef SYS_chroot + "chroot," +#endif +#ifdef SYS_mount + "mount," +#endif +#ifdef SYS_nfsservctl + "nfsservctl," +#endif +#ifdef SYS_pivot_root + "pivot_root," +#endif +#ifdef SYS_setdomainname + "setdomainname," +#endif +#ifdef SYS_sethostname + "sethostname," +#endif +#ifdef SYS_umount2 + "umount2," +#endif +#ifdef SYS_vhangup + "vhangup" +#endif //#ifdef SYS_mincore // 0.9.57 - problem fixed in Linux kernel 5.0; on 4.x it will break kodi, mpv, totem // "mincore" //#endif -- cgit v1.2.3-54-g00ecf From 27c136dcf4e84daee0c8886c869720ec9be7a594 Mon Sep 17 00:00:00 2001 From: smitsohu Date: Thu, 5 Sep 2019 16:15:16 +0200 Subject: fix FIREJAIL_FILE_COPY_LIMIT larger than 2GB --- src/fcopy/main.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/src/fcopy/main.c b/src/fcopy/main.c index 3f507a361..a08cc66b3 100644 --- a/src/fcopy/main.c +++ b/src/fcopy/main.c @@ -28,11 +28,10 @@ int arg_quiet = 0; int arg_debug = 0; static int arg_follow_link = 0; -static int copy_limit = 500 * 1024 *1024; // 500 MB -#define COPY_LIMIT ( +static unsigned long long copy_limit = 500 * 1024 * 1024; // 500 MB +static unsigned long long size_cnt = 0; static int size_limit_reached = 0; static unsigned file_cnt = 0; -static unsigned size_cnt = 0; static char *outpath = NULL; static char *inpath = NULL; @@ -187,7 +186,7 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str // recalculate size if ((s.st_size + size_cnt) > copy_limit) { - fprintf(stderr, "Error fcopy: size limit of %dMB reached\n", (copy_limit / 1024) / 1024); + fprintf(stderr, "Error fcopy: size limit of %lluMB reached\n", (copy_limit / 1024) / 1024); size_limit_reached = 1; free(outfname); return 0; 
@@ -392,9 +391,9 @@ int main(int argc, char **argv) { // extract copy limit size from env variable, if any char *cl = getenv("FIREJAIL_FILE_COPY_LIMIT"); if (cl) { - copy_limit = atoi(cl) * 1024 * 1024; + copy_limit = strtoul(cl, NULL, 10) * 1024 * 1024; if (arg_debug) - printf("file copy limit %d bytes\n", copy_limit); + printf("file copy limit %llu bytes\n", copy_limit); } // copy files -- cgit v1.2.3-54-g00ecf From fa9d0ea8933a55c6b88ffe511c48cbc7c201ab33 Mon Sep 17 00:00:00 2001 From: smitsohu Date: Thu, 5 Sep 2019 17:47:17 +0200 Subject: explain removal of nodbus in qpdfview.profile see previous commit, #2879 --- etc/qpdfview.profile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile index 7f2af83ed..863f57ba4 100644 --- a/etc/qpdfview.profile +++ b/etc/qpdfview.profile @@ -22,6 +22,8 @@ include whitelist-var-common.inc caps.drop all machine-id +# needs D-Bus when started from a file manager +#nodbus nodvd nogroups nonewprivs -- cgit v1.2.3-54-g00ecf From 880fd16254fd137d05d991ed980c132b5be4bd5f Mon Sep 17 00:00:00 2001 From: rusty-snake Date: Thu, 5 Sep 2019 17:49:32 +0200 Subject: remove ~/.config/dconf from whitelist-common.inc - dconf database is read-only (fde6e04b) and accessed over dbus, there are no reasons to keep it in the sandbox --- etc/qupzilla.profile | 2 -- etc/seahorse.profile | 2 -- etc/whitelist-common.inc | 4 ---- 3 files changed, 8 deletions(-) diff --git a/etc/qupzilla.profile b/etc/qupzilla.profile index 3f3270dd6..7aa71c848 100644 --- a/etc/qupzilla.profile +++ b/etc/qupzilla.profile @@ -21,7 +21,5 @@ mkdir ${HOME}/.config/qupzilla whitelist ${HOME}/.cache/qupzilla whitelist ${HOME}/.config/qupzilla -# private-tmp - interferes with the opening of downloaded files - # Redirect include falkon.profile diff --git a/etc/seahorse.profile b/etc/seahorse.profile index b9a0fd149..fe29a6731 100644 --- a/etc/seahorse.profile +++ b/etc/seahorse.profile 
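Review bot: `strtoul(cl, NULL, 10) * 1024 * 1024` performs the multiplication in `unsigned long` and only then widens to the `unsigned long long` of copy_limit, so on 32-bit targets the product still wraps above 4 GB and the ceiling this commit lifts only moves; `strtoull` matches the variable's type: `copy_limit = strtoull(cl, NULL, 10) * 1024 * 1024;`. strtoul also silently accepts a leading minus sign and out-of-range input (ERANGE), and a non-numeric value yields a limit of 0, so since FIREJAIL_FILE_COPY_LIMIT comes from the caller's environment an `endptr`/`errno` check that falls back to the 500 MB default would make this more robust. The enclosing main() continues outside the hunk.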
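Review bot: The new comment gives the functional reason for disabling `nodbus` but not what it costs: with the option commented out the sandboxed qpdfview regains access to the session bus, which the first hunk on this page removed without a note. Suggest stating both sides, e.g. `# nodbus breaks opening files from a file manager (#2837); the session bus is therefore reachable from the sandbox`, so a later maintainer can weigh re-adding it.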
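Review bot: The qupzilla hunk deletes the comment `# private-tmp - interferes with the opening of downloaded files`, which documented why that option is absent, yet the commit message only talks about dropping the dconf whitelist. If the rationale still holds the comment should stay; if private-tmp has since become usable, enabling it (or saying so) belongs in its own commit.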
@@ -20,10 +20,8 @@ include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc -mkdir ${HOME}/.config/dconf mkdir ${HOME}/.gnupg mkdir ${HOME}/.ssh -whitelist ${HOME}/.config/dconf whitelist ${HOME}/.gnupg whitelist ${HOME}/.ssh whitelist /tmp/ssh-* diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc index 9c1b7b92c..717c82379 100644 --- a/etc/whitelist-common.inc +++ b/etc/whitelist-common.inc @@ -20,10 +20,6 @@ whitelist ${HOME}/.local/share/icons whitelist ${HOME}/.local/share/mime whitelist ${HOME}/.mime.types -# dconf -mkdir ${HOME}/.config/dconf -whitelist ${HOME}/.config/dconf - # fonts whitelist ${HOME}/.cache/fontconfig whitelist ${HOME}/.config/fontconfig -- cgit v1.2.3-54-g00ecf From 80aab3d21b70545da66e5aa954be0e5928ba9266 Mon Sep 17 00:00:00 2001 From: rusty-snake Date: Thu, 5 Sep 2019 17:52:53 +0200 Subject: Update syscalls.txt --- etc/templates/profile.template | 1 + etc/templates/syscalls.txt | 142 ++++++++++++++++++++++++++--------------- 2 files changed, 90 insertions(+), 53 deletions(-) diff --git a/etc/templates/profile.template b/etc/templates/profile.template index 0d67e222f..10b5ee2ae 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template @@ -138,6 +138,7 @@ include globals.local # - packet almost never #protocol unix,inet,inet6,netlink,packet #seccomp +##seccomp !chroot ##seccomp.drop SYSCALLS (see syscalls.txt) #shell none #tracelog diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt index bc45d9f9d..6ab0e72ff 100644 --- a/etc/templates/syscalls.txt +++ b/etc/templates/syscalls.txt 
@@ -1,73 +1,109 @@ -Hints for writing seccomp.drop lines -==================================== +Hints to write own seccomp filters +================================== + + +The different seccomp commands +------------------------------ + +Always have a look at 'man 1 firejail'. + + - seccomp + Blocks all syscalls in the default-group. + - The default-group is @default-nodebuggers, unless allow-debuggers is + specified, then @default is used. + - Listed syscalls and groups are also blocked. + - Exceptions are possible by putting a ! in before the name of a syscall. + - seccomp.block-secondary + Allows only native syscalls, all syscalls for other architectures are blocked. + - seccomp.drop + Blocks all listed syscalls. + - Exceptions are possible by putting a ! in before the name of a syscall. + - seccomp.keep + Allows only listed syscalls. + To write your own seccomp.keep line, see: + - https://firejail.wordpress.com/documentation-2/seccomp-guide/ + - https://github.com/netblue30/firejail/blob/master/contrib/syscalls.sh Definition of groups -------------------- +@aio=io_cancel,io_destroy,io_getevents,io_pgetevents,io_setup,io_submit +@basic-io=_llseek,close,dup,dup2,dup3,lseek,pread64,preadv,preadv2,pwrite64,pwritev,pwritev2,read,readv,write,writev +@chown=chown,chown32,fchown,fchown32,fchownat,lchown,lchown32 @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime -@module=delete_module,finit_module,init_module -@raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write -@reboot=kexec_file_load,kexec_load,reboot -@swap=swapoff,swapon - -@privileged=@clock,@module,@raw-io,@reboot,@swap,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup - @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext 
-@obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver -@resources=mbind,migrate_pages,move_pages,set_mempolicy - -@default=@cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice - -@default-nodebuggers=@default,personality,process_vm_readv,ptrace - +@default=@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,umount,userfaultfd,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup +@default-nodebuggers=@default,ptrace,personality,process_vm_readv @default-keep=execve,prctl +@file-system=access,chdir,chmod,close,creat,faccessat,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes +@io-event=_newselect,epoll_create,epoll_create1,epoll_ctl,epoll_ctl_old,epoll_pwait,epoll_wait,epoll_wait_old,eventfd,eventfd2,poll,ppoll,pselect6,select 
+@ipc=ipc,memfd_create,mq_getsetattr,mq_notify,mq_open,mq_timedreceive,mq_timedsend,mq_unlink,msgctl,msgget,msgrcv,msgsnd,pipe,pipe2,process_vm_readv,process_vm_writev,semctl,semget,semop,semtimedop,shmat,shmctl,shmdt,shmget +@keyring=add_key,keyctl,request_key +@memlock=mlock,mlock2,mlockall,munlock,munlockall +@module=delete_module,finit_module,init_module +@mount=chroot,mount,pivot_root,umount,umount2 +@network-io=accept,accept4,bind,connect,getpeername,getsockname,getsockopt,listen,recv,recvfrom,recvmmsg,recvmsg,send,sendmmsg,sendmsg,sendto,setsockopt,shutdown,socket,socketcall,socketpair +@obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,idle,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver +@privileged=@chown,@clock,@module,@raw-io,@reboot,@swap,_sysctl,acct,bpf,capset,chroot,fanotify_init,mount,nfsservctl,open_by_handle_at,pivot_root,quotactl,setdomainname,setfsuid,setfsuid32,setgroups,setgroups32,sethostname,setresuid,setresuid32,setreuid,setreuid32,setuid,setuid32,umount2,vhangup +@process=arch_prctl,capget,clone,execveat,fork,getrusage,kill,pidfd_send_signal,prctl,rt_sigqueueinfo,rt_tgsigqueueinfo,setns,swapcontext,tgkill,times,tkill,unshare,vfork,wait4,waitid,waitpid +@raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write +@reboot=kexec_load,kexec_file_load,reboot +@resources=ioprio_set,mbind,migrate_pages,move_pages,nice,sched_setaffinity,sched_setattr,sched_setparam,sched_setscheduler,set_mempolicy +@setuid=setgid,setgid32,setgroups,setgroups32,setregid,setregid32,setresgid,setresgid32,setresuid,setresuid32,setreuid,setreuid32,setuid,setuid32 +@signal=rt_sigaction,rt_sigpending,rt_sigprocmask,rt_sigsuspend,rt_sigtimedwait,sigaction,sigaltstack,signal,signalfd,signalfd4,sigpending,sigprocmask,sigsuspend +@swap=swapon,swapoff +@sync=fdatasync,fsync,msync,sync,sync_file_range,sync_file_range2,syncfs 
+@system-service=@aio,@basic-io,@chown,@default,@file-system,@io-event,@ipc,@keyring,@memlock,@network-io,@process,@resources,@setuid,@signal,@sync,@timer,brk,capget,capset,copy_file_range,fadvise64,fadvise64_64,flock,get_mempolicy,getcpu,getpriority,getrandom,ioctl,ioprio_get,kcmp,madvise,mprotect,mremap,name_to_handle_at,oldolduname,olduname,personality,readahead,readdir,remap_file_pages,sched_get_priority_max,sched_get_priority_min,sched_getaffinity,sched_getattr,sched_getparam,sched_getscheduler,sched_rr_get_interval,sched_yield,sendfile,sendfile64,setfsgid,setfsgid32,setfsuid,setfsuid32,setpgid,setsid,splice,sysinfo,tee,umask,uname,userfaultfd,vmsplice +@timer=alarm,getitimer,setitimer,timer_create,timer_delete,timer_getoverrun,timer_gettime,timer_settime,timerfd_create,timerfd_gettime,timerfd_settime,times Inheritance of groups --------------------- -+---------+----------------+---------------+ -| @clock | @cpu-emulation | @default-keep | -| @module | @debug | | -| @raw-io | @obsolete | | -| @reboot | @resources | | -| @swap | | | -+---------+----------------+---------------+ - : : -+-------------+ : -| @privileged | : -+-------------+ : - : : -+----------+ : -| @default |........: -+----------+ - : -+----------------------+ -| @default-nodebuggers | -+----------------------+ - -common used seccomp.drop lines ------------------------------- - -@default without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice - -@default-nodebuggers without chroot: 
@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice - -Building a seccomp.drop line if seccomp breaks a programm ---------------------------------------------------------- ++---------------+ +| @default-keep | +| @mount | ++---------------+ + ++----------------+ +---------+ +--------+ +--------------+ +| @cpu-emulation | | @clock | | @chown | | @aio | +| @debug | | @module | +--------+ | @basic-io | +| @obsolete | | @raw-io | : : | @default | ++----------------+ | @reboot | : : | @file-system | + : | @swap | : : | @io-event | + : +---------+ : : | @ipc | + : : : : : | @keyring | + : ..............: : : : | @memlock | + : : : ........: : | @network-io | + : : : : : | @process | ++----------+ +-------------+ : | @resources | +| @default | | @privileged | : | @setuid | ++----------+ +-------------+ : | @signal | + : : : | @sync | + : : : | @timer | + : :........................... : +--------------+ + : : : : + : : : : ++----------------------+ +-----------------+ +| @default-nodebuggers | | @system-service | ++----------------------+ +-----------------+ + + +What to do if seccomp breaks a program +-------------------------------------- ``` $ journalctl --grep=syscall --follow <...> audit[…]: SECCOMP <...> syscall=161 <...> $ firejail --debug-syscalls | grep 161 -161 - chroot +161 - chroot ``` +Profile: `seccomp -> seccomp !chroot` -TODO: write a short explanation -TODO: suggest to use `allow-debuggers` instead of `seccomp.drop` if possible - -see also --------- +Start `journalctl --grep=syscall --follow` in a terminal, then start the broken +program. 
Now you see one or more long lines containing `syscall=NUMBER` somewhere. +Stop journalctl (^C) and execute `firejail --debug-syscalls | grep NUMBER`. You +will see something like `NUMBER - NAME`, because you now know the name of the +syscall, you can add an exception to seccomp by putting `!NAME` to seccomp. - - contrib/syscalls.sh - - https://firejail.wordpress.com/documentation-2/seccomp-guide/ +If the blocked syscall is ptrace, consider to add allow-debuggers to the profile. -- cgit v1.2.3-54-g00ecf From dd0655020b0253d038b7c846cc3c235a9e10f445 Mon Sep 17 00:00:00 2001 From: glitsj16 Date: Fri, 6 Sep 2019 08:23:29 +0000 Subject: Fix gnome-schedule This fixes #2941. --- etc/gnome-schedule.profile | 1 - 1 file changed, 1 deletion(-) diff --git a/etc/gnome-schedule.profile b/etc/gnome-schedule.profile index cbeb82465..30ca56094 100644 --- a/etc/gnome-schedule.profile +++ b/etc/gnome-schedule.profile @@ -58,6 +58,5 @@ tracelog disable-mnt private-cache private-dev -private-etc at.allow,at.deny,cron.allow,cron.deny,fonts,ld.so.preload,pam.d,shadow writable-var -- cgit v1.2.3-54-g00ecf From 2e64e781bb351448edb6e6f31f7c9085ca580382 Mon Sep 17 00:00:00 2001 From: glitsj16 Date: Fri, 6 Sep 2019 11:47:55 +0000 Subject: Fix private-bin in tar.profile Fixes #2942. --- etc/tar.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/tar.profile b/etc/tar.profile index cace89965..3fba96eee 100644 --- a/etc/tar.profile +++ b/etc/tar.profile @@ -40,7 +40,7 @@ tracelog x11 none # support compressed archives -private-bin bash,bzip2,compress,gtar,gzip,lbzip2,lzip,lzma,lzop,sh,tar,xz +private-bin bash,bzip2,compress,firejail,gtar,gzip,lbzip2,lzip,lzma,lzop,sh,tar,xz private-cache private-dev private-etc alternatives,group,localtime,passwd -- cgit v1.2.3-54-g00ecf From 4ed69edbc47ea0a3cb6b68b9dfa84cb189ad1faa Mon Sep 17 00:00:00 2001 
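Review bot: Dropping the `private-etc` line altogether hands the sandbox the whole of /etc, whereas the usual fix for a file the program cannot find is to extend the list; if #2941 was caused by a single missing entry, `private-etc at.allow,at.deny,cron.allow,cron.deny,fonts,ld.so.preload,pam.d,shadow,<missing entry>` would keep the restriction. Whichever way it is resolved, a comment in place of the removed line, e.g. `# private-etc breaks gnome-schedule (#2941)`, stops the next maintainer from re-adding it without knowing why it went.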
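Review bot: The comment above the changed `private-bin` line, `# support compressed archives`, no longer explains the whole list once `firejail` itself is added to it, and the reason for that entry is not visible in the hunk (presumably the compressors tar execs are firecfg symlinks that resolve to the firejail binary — to be confirmed). A second comment line stating the actual reason, e.g. `# firejail is needed because <reason> (#2942)`, would keep the list self-explanatory.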
From: glitsj16
Date: Sun, 8 Sep 2019 05:26:21 +0000
Subject: Add ar profile (#2949)

* Add ar to firecfg
* Create ar.profile
---
 etc/ar.profile | 43 +++++++++++++++++++++++++++++++++++++++++++
 src/firecfg/firecfg.config | 1 +
 2 files changed, 44 insertions(+)
 create mode 100644 etc/ar.profile

diff --git a/etc/ar.profile b/etc/ar.profile
new file mode 100644
index 000000000..3af81263d
--- /dev/null
+++ b/etc/ar.profile
@@ -0,0 +1,43 @@
+# Firejail profile for ar
+# Description: Create, modify, and extract from archives
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ar.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+apparmor
+caps.drop all
+hostname ar
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-bin ar
+private-cache
+private-dev
+
+memory-deny-write-execute
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 6b2a92ad5..502449839 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -36,6 +36,7 @@ amule
 android-studio
 anydesk
 apktool
+ar
 arch-audit
 archaudit-report
 ardour4
-- cgit v1.2.3-54-g00ecf
From 1df4bbba52854d2505bcd810e9e72b5e0980ebd3 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Tue, 10 Sep 2019 17:26:22 -0400
Subject: appimage --trace testing

---
 test/appimage/appimage-args.exp | 2 +-
 test/appimage/appimage-trace.exp | 68 ++++++++++++++++++++++++++++++++++++++++
 test/appimage/appimage-v1.exp | 2 +-
 test/appimage/appimage-v2.exp | 2 +-
 test/appimage/appimage.sh | 3 ++
 5 files changed, 74 insertions(+), 3 deletions(-)
 create mode 100755 test/appimage/appimage-trace.exp
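Review bot: `#noroot` is the only hardening line in the new ar.profile that is commented out, and nothing says why; if noroot breaks ar somewhere, a comment such as `# noroot breaks <what> (#<issue>)` should accompany it, otherwise the line should be active like the rest of the profile (caps.drop all, nonewprivs, seccomp are all enabled). As it stands a reader cannot tell whether this is a deliberate exception or a leftover from copying another profile.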
diff --git a/test/appimage/appimage-args.exp b/test/appimage/appimage-args.exp
index b8c7ee850..4c6a778b2 100755
--- a/test/appimage/appimage-args.exp
+++ b/test/appimage/appimage-args.exp
@@ -95,7 +95,7 @@ send -- "firejail --shutdown=appimage-test\r"
 set spawn_id $appimage_id
 expect {
- timeout {puts "TESTING ERROR 15\n";exit}
+ timeout {puts "shutdown\n";exit}
 "AppImage unmounted"
 }
diff --git a/test/appimage/appimage-trace.exp b/test/appimage/appimage-trace.exp
new file mode 100755
index 000000000..574bd5a97
--- /dev/null
+++ b/test/appimage/appimage-trace.exp
@@ -0,0 +1,68 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2019 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+set appimage_id $spawn_id
+
+send -- "firejail --trace --timeout=00:00:05 --appimage Leafpad-0.8.17-x86_64.AppImage\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "leafpad:socket"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "leafpad:connect"
+}
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "X11-unix/X0"
+}
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "Parent is shutting down, bye"
+}
+expect {
+ timeout {puts "shutdown\n"}
+ "AppImage unmounted"
+}
+sleep 1
+
+send -- "firejail --trace --timeout=00:00:05 --appimage Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage\r"
+expect {
+ timeout {puts "TESTING ERROR 11\n";exit}
+ "Child process initialized"
+}
+expect {
+ timeout {puts "TESTING ERROR 12\n";exit}
+ "leafpad:socket"
+}
+expect {
+ timeout {puts "TESTING ERROR 13\n";exit}
+ "leafpad:connect"
+}
+expect {
+ timeout {puts "TESTING ERROR 14\n";exit}
+ "X11-unix/X0"
+}
+expect {
+ timeout {puts "TESTING ERROR 15\n";exit}
+ "Parent is shutting down, bye"
+}
+expect {
+ timeout {puts "shutdown\n"}
+ "AppImage unmounted"
+}
+sleep 1
+
+
+after 100
+
+puts "\nall done\n"
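Review bot: In appimage-args.exp the shutdown timeout branch still ends in `exit` (`timeout {puts "shutdown\n";exit}`) while the same branch in the new appimage-trace.exp and in the appimage-v1.exp and appimage-v2.exp hunks of this commit drops the `exit`, so only this file still aborts the run on that timeout. The message change from "TESTING ERROR 15" to "shutdown" suggests the timeout is now tolerated, in which case `timeout {puts "shutdown\n"}` would make all four files consistent. The rest of appimage-args.exp lies outside the hunk.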
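Review bot: The two `"X11-unix/X0"` expectations in appimage-trace.exp pin the test to display :0, so on a host where the test runs under another display the trace test fails for a reason unrelated to --trace. Matching the socket path with a pattern, `-re "X11-unix/X\[0-9\]+"`, or a comment stating that the suite assumes DISPLAY=:0 would make the dependency explicit.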
diff --git a/test/appimage/appimage-v1.exp b/test/appimage/appimage-v1.exp
index 07f7d0d17..4522afa9b 100755
--- a/test/appimage/appimage-v1.exp
+++ b/test/appimage/appimage-v1.exp
@@ -83,7 +83,7 @@ send -- "firejail --shutdown=appimage-test\r"
 set spawn_id $appimage_id
 expect {
- timeout {puts "TESTING ERROR 7\n";exit}
+ timeout {puts "shutdown\n"}
 "AppImage unmounted"
 }
diff --git a/test/appimage/appimage-v2.exp b/test/appimage/appimage-v2.exp
index 7d3ba36c2..50466958d 100755
--- a/test/appimage/appimage-v2.exp
+++ b/test/appimage/appimage-v2.exp
@@ -82,7 +82,7 @@ spawn $env(SHELL)
 send -- "firejail --shutdown=appimage-test\r"
 set spawn_id $appimage_id
 expect {
- timeout {puts "TESTING ERROR 7\n";exit}
+ timeout {puts "shutdown\n"}
 "AppImage unmounted"
 }
diff --git a/test/appimage/appimage.sh b/test/appimage/appimage.sh
index bcd82750e..39c288199 100755
--- a/test/appimage/appimage.sh
+++ b/test/appimage/appimage.sh
@@ -17,3 +17,6 @@ echo "TESTING: AppImage file name (test/appimage/filename.exp)";
 echo "TESTING: AppImage argsv1 (test/appimage/appimage-args.exp)"
 ./appimage-args.exp
+
+echo "TESTING: AppImage trace (test/appimage/appimage-trace.exp)"
+./appimage-args.exp
-- cgit v1.2.3-54-g00ecf
From 7748916e6a66a586ae999b811a8ebb608120805e Mon Sep 17 00:00:00 2001
From: netblue30
Date: Tue, 10 Sep 2019 17:32:30 -0400
Subject: libtrace cleanup

---
 src/libtrace/libtrace.c | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c
index 745dd2260..11e98d95e 100644
--- a/src/libtrace/libtrace.c
+++ b/src/libtrace/libtrace.c
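Review bot: The new "AppImage trace" step in appimage.sh runs `./appimage-args.exp` a second time instead of the script its echo line names, so the appimage-trace.exp added in this commit is never executed by the suite. The added line should read `./appimage-trace.exp`.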
@@ -50,10 +50,7 @@ static orig_fopen64_t orig_fopen64 = NULL;
 //
 // library constructor/destructor
 //
-// Replacing printf with fprintf to /dev/tty in order to fix #561
-// If you really want to turn it off, comment the following line, but its a
-// really bad idea.
-#define PRINTF_DEVTTY
+// Using fprintf to /dev/tty instead of printf in order to fix #561
 static FILE *ftty = NULL;
 static pid_t mypid = 0;
 #define MAXNAME 16
@@ -67,11 +64,7 @@ void init(void) {
 orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen");
 // tty
-#ifdef PRINTF_DEVTTY
 ftty = orig_fopen("/dev/tty", "w");
-#else
- ftty = stderr;
-#endif
 tprintf(ftty, "=== tracelib init() === \n");
 // pid
-- cgit v1.2.3-54-g00ecf
From f97598e124e8ab86036d6406c52628e305740fb8 Mon Sep 17 00:00:00 2001
From: Denys Havrysh
Date: Fri, 13 Sep 2019 14:46:33 +0300
Subject: Update SkypeForLinux profile for latest version (#2960)

Fixes #2933
---
 etc/skypeforlinux.profile | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile
index fe9ededa4..341c25a95 100644
--- a/etc/skypeforlinux.profile
+++ b/etc/skypeforlinux.profile
@@ -16,16 +16,13 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
-caps.drop all
+caps.keep sys_admin,sys_chroot
 netfilter
 nodvd
 nogroups
-nonewprivs
-noroot
 notv
-protocol unix,inet,inet6,netlink
-seccomp !chroot
 shell none
 disable-mnt
-- cgit v1.2.3-54-g00ecf
From 07815ab182b046c74385e037b0bc8608f56b339c Mon Sep 17 00:00:00 2001
From: rusty-snake
Date: Fri, 13 Sep 2019 11:49:42 +0000
Subject: Fix #2945 (Signal 1.27 Fails to Start)

---
 etc/signal-desktop.profile | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/etc/signal-desktop.profile b/etc/signal-desktop.profile
index 04696a918..f810a37ec 100644
--- a/etc/signal-desktop.profile
+++ b/etc/signal-desktop.profile
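Review bot: With the `#else` branch gone, `ftty = orig_fopen("/dev/tty", "w");` is the only assignment to ftty and its result is never checked, so in a process without a controlling terminal (cron jobs, CI runners, anything started with nohup) ftty stays NULL and the following `tprintf(ftty, ...)` and every later trace write receive a NULL FILE* — undefined behaviour for an fprintf-style call unless tprintf guards against NULL, which is not visible in this hunk. A one-line runtime fallback keeps the behaviour the removed `#else` used to provide at compile time, `if (!ftty) ftty = stderr;`. The body of init() continues outside the hunk.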
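Review bot: The skypeforlinux.profile hunk replaces `caps.drop all` with `caps.keep sys_admin,sys_chroot` and at the same time removes `nonewprivs`, `noroot`, `protocol` and `seccomp !chroot`, leaving a profile that retains CAP_SYS_ADMIN with no syscall filter, yet nothing in the file records why; a comment above the caps line such as `# sys_admin and sys_chroot are required by the application's own sandbox (#2933)`, with the real reason confirmed, is needed so the relaxation is not carried forward silently. The capability change and the seccomp removal are independent, so it is worth checking whether `seccomp !chroot` alone actually broke the new version before dropping seccomp entirely. The same change, with the same missing rationale, is made to etc/signal-desktop.profile in the next commit (Fix #2945).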
@@ -22,16 +22,12 @@ whitelist ${HOME}/.config/Signal
 include whitelist-common.inc
 include whitelist-var-common.inc
-caps.drop all
+caps.keep sys_admin,sys_chroot
 netfilter
 nodvd
 nogroups
-nonewprivs
-noroot
 notv
 nou2f
-protocol unix,inet,inet6,netlink
-seccomp
 shell none
 disable-mnt
-- cgit v1.2.3-54-g00ecf
From b394115c0396b2cb6e11d7865444d73ba1cfdd7e Mon Sep 17 00:00:00 2001
From: rusty-snake
Date: Thu, 5 Sep 2019 18:10:42 +0200
Subject: update seccomp in man firejail

---
 src/man/firejail.txt | 33 +++++++++++++-------------------
 1 file changed, 13 insertions(+), 20 deletions(-)

diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 500850413..ed2f776f2 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1762,17 +1762,9 @@ Example: $ firejail \-\-net=eth0 \-\-scan .TP \fB\-\-seccomp -Enable seccomp filter and blacklist the syscalls in the default list (@default). The default list is as follows: -_sysctl, acct, add_key, adjtimex, afs_syscall, bdflush, bpf, break, chroot, clock_adjtime, clock_settime, -create_module, delete_module, fanotify_init, finit_module, ftime, get_kernel_syms, getpmsg, gtty, init_module, -io_cancel, io_destroy, io_getevents, io_setup, io_submit, ioperm, iopl, ioprio_set, kcmp, kexec_file_load, -kexec_load, keyctl, lock, lookup_dcookie, mbind, migrate_pages, modify_ldt, mount, move_pages, mpx, -name_to_handle_at, nfsservctl, ni_syscall, open_by_handle_at, pciconfig_iobase, pciconfig_read, pciconfig_write, perf_event_open, -personality, pivot_root, process_vm_readv, process_vm_writev, prof, profil, ptrace, putpmsg, -query_module, reboot, remap_file_pages, request_key, rtas, s390_mmio_read, s390_mmio_write, s390_runtime_instr, -security, set_mempolicy, setdomainname, sethostname, settimeofday, sgetmask, ssetmask, stime, stty, subpage_prot, -swapoff, swapon, switch_endian, sys_debug_setcontext, sysfs, syslog, tuxcall, ulimit, umount, umount2, uselib, userfaultfd, ustat, vhangup, -vm86, vm86old, vmsplice and vserver. +Enable seccomp filter and blacklist the syscalls in the default list, +which is @default-nodebuggers unless allow-debuggers is specified, +then it is @default. .br To help creating useful seccomp filters more easily, the following 
@@ -1780,10 +1772,12 @@ system call groups are defined: @aio, @basic-io, @chown, @clock, @cpu-emulation, @debug, @default, @default-nodebuggers, @default-keep, @file-system, @io-event, @ipc, @keyring, @memlock, @module, @mount, @network-io, @obsolete, @privileged, @process, @raw-io, @reboot, -@resources, @setuid, @swap, @sync, @system-service and @timer. In addition, a -system call can be specified by its number instead of name with prefix -$, so for example $165 would be equal to mount on i386. Exceptions -can be allowed with prefix !. +@resources, @setuid, @swap, @sync, @system-service and @timer. +More informations about groups can be found in /usr/share/doc/firejail/syscalls.txt + +In addition, a system call can be specified by its number instead of +name with prefix $, so for example $165 would be equal to mount on i386. +Exceptions can be allowed with prefix !. .br System architecture is strictly imposed only if flag @@ -1803,7 +1797,7 @@ $ firejail \-\-seccomp .TP \fB\-\-seccomp=syscall,@group,!syscall2 Enable seccomp filter, whitelist "syscall2", but blacklist the default -list (@default) and the syscalls or syscall groups specified by the +list and the syscalls or syscall groups specified by the command. .br @@ -1906,10 +1900,9 @@ rm: cannot remove `testfile': Operation not permitted .TP \fB\-\-seccomp.keep=syscall,@group,!syscall2 -Enable seccomp filter, blacklist "syscall2" but whitelist the -syscalls or the syscall groups specified by the command. The system -calls needed by Firejail (group @default-keep: prctl, execve) are -handled with the preload library. +Enable seccomp filter, blacklist all syscall not listed and "syscall2". +The system calls needed by Firejail (group @default-keep: prctl, execve) +are handled with the preload library. .br .br -- cgit v1.2.3-54-g00ecf From bb4e9da7bfedcf3086682d1c809150c26c302dab Mon Sep 17 00:00:00 2001 
From: Barış Ekin Yıldırım <41996771+circuitshaker@users.noreply.github.com>
Date: Sun, 15 Sep 2019 00:27:56 +0300
Subject: "Net None" Option Breaks Functionality (#2962)

Netfilter is fine but "net none" option breaks functionality of marketplace.
---
 etc/code.profile | 1 -
 1 file changed, 1 deletion(-)

diff --git a/etc/code.profile b/etc/code.profile
index 7ac4e1619..6f8a25211 100644
--- a/etc/code.profile
+++ b/etc/code.profile
@@ -18,7 +18,6 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 caps.drop all
-net none
 netfilter
 nodvd
 nogroups
-- cgit v1.2.3-54-g00ecf
From 3b32edbe2f282c4d4e5a56960085b725a8931b3c Mon Sep 17 00:00:00 2001
From: rusty-snake
Date: Sat, 14 Sep 2019 23:31:52 +0200
Subject: typos [skip ci]

---
 etc/ar.profile | 2 +-
 etc/templates/syscalls.txt | 24 +++++++++++-------------
 2 files changed, 12 insertions(+), 14 deletions(-)

diff --git a/etc/ar.profile b/etc/ar.profile
index 3af81263d..6b1fb830c 100644
--- a/etc/ar.profile
+++ b/etc/ar.profile
@@ -1,5 +1,5 @@
 # Firejail profile for ar
-# Description: Create, modify, and extract from archives
+# Description: Create, modify, and extract from archives
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
index 6ab0e72ff..ea3b5a6b0 100644
--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
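Review bot: After `net none` is removed, `netfilter` is the only network directive left in the code.profile hunk; firejail applies its netfilter rules only inside a new network namespace created by a `net <interface>` line, so on its own the directive presumably does nothing and the sandbox now shares the host network unfiltered — to be confirmed against the rest of the profile, which is outside the hunk. If that trade-off is intended, a comment in place of the removed line, e.g. `# net none breaks the extension marketplace (#2962)`, records it for the next reader.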
@@ -68,22 +68,20 @@ Inheritance of groups +----------------+ +---------+ +--------+ +--------------+ | @cpu-emulation | | @clock | | @chown | | @aio | | @debug | | @module | +--------+ | @basic-io | -| @obsolete | | @raw-io | : : | @default | -+----------------+ | @reboot | : : | @file-system | - : | @swap | : : | @io-event | - : +---------+ : : | @ipc | - : : : : : | @keyring | - : ..............: : : : | @memlock | - : : : ........: : | @network-io | - : : : : : | @process | -+----------+ +-------------+ : | @resources | -| @default | | @privileged | : | @setuid | -+----------+ +-------------+ : | @signal | - : : : | @sync | +| @obsolete | | @raw-io | : : | @file-system | ++----------------+ | @reboot | : : | @io-event | + : | @swap | : : | @ipc | + : +---------+ : : | @keyring | + : : : : : | @memlock | + : ..............: : : : | @network-io | + : : : ........: : | @process | + : : : : : | @resources | ++----------+ +-------------+ : | @setuid | +| @default | | @privileged | : | @signal | ++----------+ +-------------+ : | @sync | : : : | @timer | : :........................... : +--------------+ : : : : - : : : : +----------------------+ +-----------------+ | @default-nodebuggers | | @system-service | +----------------------+ +-----------------+ -- cgit v1.2.3-54-g00ecf From 91b1788d264328baeb8c141f272fd32b1321da31 Mon Sep 17 00:00:00 2001 From: rusty-snake Date: Tue, 10 Sep 2019 12:27:44 +0000 Subject: Fix #2899 --- etc/keepassxc.profile | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile index 6ef02ad47..3e1e0a2ce 100644 --- a/etc/keepassxc.profile +++ b/etc/keepassxc.profile @@ -29,7 +29,9 @@ machine-id net none no3d nodvd -nodbus +# Breaks 'Lock database when session is locked or lid is closed' (#2899), +# you can safely uncomment it or add to keepassxc.local if you don't need this feature. +#nodbus nogroups nonewprivs noroot 
@@ -46,8 +48,5 @@ private-dev
 private-etc alternatives,fonts,ld.so.cache,machine-id
 private-tmp
-# 2.2.4 crashes on database open
-# memory-deny-write-execute
-
 # Mutex is stored in /tmp by default, which is broken by private-tmp
 join-or-start keepassxc
-- cgit v1.2.3-54-g00ecf
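Review bot: The stale `# 2.2.4 crashes on database open` / `# memory-deny-write-execute` lines are removed but the directive is not re-enabled, so the profile loses the record of why that hardening is absent without gaining it back. If current KeePassXC releases no longer crash, the line `memory-deny-write-execute` can be added; if they still do, the comment should stay with the affected version updated.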