From aac16b9d3659ac3831a4448c930db436852e586b Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 28 Oct 2015 09:14:22 -0400 Subject: cleanup --- README.md | 22 ++++++++++++++++++++-- chromium-whitelist.png | Bin 0 -> 47978 bytes etc/chromium.profile | 5 ++--- etc/firefox.profile | 4 ---- src/firejail/protocol.c | 5 +++++ src/firejail/usage.c | 9 ++++++++- src/man/firejail.txt | 22 +++++++++++++++++++++- 7 files changed, 56 insertions(+), 11 deletions(-) create mode 100644 chromium-whitelist.png diff --git a/README.md b/README.md index d0cabc2c4..3d82f29a7 100644 --- a/README.md +++ b/README.md @@ -51,17 +51,35 @@ whitelist ~/Downloads whitelist ~/dwhelper whitelist ~/.zotero whitelist ~/.lastpass +whitelist ~/.gtkrc-2.0 +whitelist ~/.vimperatorrc +whitelist ~/.vimperator ````` I intend to bring in all files and directories used by Firefox addons and plugins. So far I have [Video DownloadHelper](https://addons.mozilla.org/en-US/firefox/addon/video-downloadhelper/), -[Zotero](https://www.zotero.org/download/) and -[LastPass](https://addons.mozilla.org/en-US/firefox/addon/lastpass-password-manager/). +[Zotero](https://www.zotero.org/download/) +[LastPass](https://addons.mozilla.org/en-US/firefox/addon/lastpass-password-manager/), +and [Vimperator](https://addons.mozilla.org/en-US/firefox/addon/vimperator/) If you're using a anything else, please let me know. +### Whitelisting in default Cromium profile + +![Whitelisted home directory](chromium-whitelist.png?raw=true) + ### --ignore option Ignore commands in profile files. Example: ````` $ firejail --ignore=seccomp wine ````` + +### --protocol option + +Enable protocol filter. The filter is based on seccomp and the first argument to socket system call. +Recognized values: unix, inet, inet6, netlink and packet. Example: +````` +$ firejail --protocol=unix,inet,inet6 firefox +````` + + 
diff --git a/chromium-whitelist.png b/chromium-whitelist.png
new file mode 100644
index 000000000..a90f2aa1f
Binary files /dev/null and b/chromium-whitelist.png differ
diff --git a/etc/chromium.profile b/etc/chromium.profile
index f493e1b96..a66578436 100644
--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -5,6 +5,5 @@ include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-history.inc
 netfilter
-
-
-
+whitelist ~/Downloads
+whitelist ~/.config/chromium
diff --git a/etc/firefox.profile b/etc/firefox.profile
index aee97073d..d81f6a9e1 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -16,7 +16,3 @@ whitelist ~/.lastpass
 whitelist ~/.gtkrc-2.0
 whitelist ~/.vimperatorrc
 whitelist ~/.vimperator
-
-
-
-
diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c
index 5f730afef..8e75277c2 100644
--- a/src/firejail/protocol.c
+++ b/src/firejail/protocol.c
@@ -74,6 +74,11 @@ static struct sock_filter *find_protocol_domain(const char *p) {
 // --debug-protocols
 void protocol_list(void) {
+#ifndef SYS_socket
+ fprintf(stderr, "Warning: --protocol not supported on this platform\n");
+ return;
+#endif
+
 int i = 0;
 while (protocol[i] != NULL) {
 printf("%s, ", protocol[i]);
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index d3cad1e63..c829b94f2 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -70,6 +70,8 @@ void usage(void) {
 printf("\t\tFirejail software build and exit.\n\n");
 printf("\t--debug-errnos - print all recognized error numbres in the current\n");
 printf("\t\tFirejail software build and exit.\n\n");
+ printf("\t--debug-protocols - print all recognized protocols in the current\n");
+ printf("\t\tFirejail software build and exit.\n\n");
 printf("\t--debug-syscalls - print all recognized system calls in the current\n");
 printf("\t\tFirejail software build and exit.\n\n");
 printf("\t--defaultgw=address - use this address as default gateway in the new\n");
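Review bot: The early `return` under `#ifndef SYS_socket` in protocol_list() leaves the listing loop that follows (its body continues past the hunk) unreachable on builds that lack that syscall number, which compilers report as dead code; the conventional shape is `#ifdef SYS_socket` around the listing body with an `#else` branch holding the `fprintf`. The warning names `--protocol` although this function backs `--debug-protocols`, so the message should name the option the user actually invoked. On architectures where socket(2) is multiplexed through socketcall(2), a seccomp filter keyed on SYS_socket cannot inspect the domain argument at all, so it is worth confirming that the path installing the `--protocol` filter (outside this hunk) reports the same unsupported condition instead of proceeding with no filter in place.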
@@ -192,6 +194,10 @@ void usage(void) {
 printf("\t\tAll modifications are discarded when the sandbox is closed.\n\n");
 printf("\t--profile=filename - use a custom profile.\n\n");
+
+ printf("\t--protocol=protocol,protocol,protocol - enable protocol filter.\n");
+ printf("\t\tProtocol values: unix, inet, inet6, netlink, packet.\n\n");
+
 printf("\t--quiet - turn off Firejail's output.\n\n");
 printf("\t--read-only=dirname_or_filename - set directory or file read-only.\n\n");
 printf("\t--rlimit-fsize=number - set the maximum file size that can be created\n");
@@ -218,7 +224,8 @@ void usage(void) {
 printf("\t\tkeyctl, uselib, acct, modify_ldt, pivot_root, io_setup,\n");
 printf("\t\tio_destroy, io_getevents, io_submit, io_cancel,\n");
 printf("\t\tremap_file_pages, mbind, get_mempolicy, set_mempolicy,\n");
- printf("\t\tmigrate_pages, move_pages, vmsplice, and perf_event_open.\n\n");
+ printf("\t\tmigrate_pages, move_pages, vmsplice, perf_event_open and\n");
+ printf("\t\tkexec_file_load.\n\n");
 printf("\t--seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n");
 printf("\t\tdefault syscall list and the syscalls specified by the command.\n\n");
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 12c32f4c7..52b75afaa 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -23,7 +23,7 @@ firejail {\-\-list | \-\-netstats | \-\-top | \-\-tree}
 Miscellaneous:
 .PP
 .RS
-firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-help | \-\-version}
+firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-debug-protocols | \-\-help | \-\-version}
 .RE
 .SH DESCRIPTION
 Firejail is a SUID sandbox program that reduces the risk of security breaches by
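Review bot: The new `--protocol` help text in the hunk at @@ -192 says only "enable protocol filter" and lists the values, while the man page entry added by this same commit explains that the filter is built on seccomp and the first argument of the socket system call; the usage text should carry that same description so users learn what is actually restricted, e.g. `printf("\t--protocol=protocol,protocol,protocol - enable protocol filter. The filter is\n");` `printf("\t\tbased on seccomp and the first argument to socket system call.\n");` `printf("\t\tProtocol values: unix, inet, inet6, netlink, packet.\n\n");`. As a point of style, the two blank `+` lines bracketing the entry break the otherwise contiguous listing style of the surrounding printf calls. usage() starts and ends outside this hunk.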
@@ -258,6 +258,15 @@ Example:
 .br
 $ firejail \-\-debug-errnos
 .TP
+\fB\-\-debug-protocols
+Print all recognized protocols in the current Firejail software build and exit.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-debug-protocols
+.TP
 \fB\-\-debug-syscalls
 Print all recognized system calls in the current Firejail software build and exit.
 .br
@@ -842,6 +851,17 @@ For more information, see SECURITY PROFILES section below.
 Example:
 .br
 $ firejail \-\-profile=myprofile
+
+.TP
+\fB\-\-protocol=protocol,protocol,protocol
+Enable protocol filter. The filter is based on seccomp and the first argument to socket system call.
+Recognized values: unix, inet, inet6, netlink and packet.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-protocol=unix,inet,inet6 firefox
 .TP
 \fB\-\-quiet
 Turn off Firejail's output.
-- cgit v1.2.3-54-g00ecf