From 979fcbdc2e83f8d9541e49108511b2b40487d879 Mon Sep 17 00:00:00 2001 From: Rafael Cavalcanti Date: Sat, 15 Oct 2016 18:40:39 -0300 Subject: Whitelist Arch's chromium-flags.conf to Chromium --- etc/chromium.profile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/chromium.profile b/etc/chromium.profile index 0d383aebf..4109af9a4 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile @@ -25,4 +25,7 @@ whitelist ~/keepassx.kdbx whitelist ~/.lastpass whitelist ~/.config/lastpass +# specific to Arch +whitelist ~/.config/chromium-flags.conf + include /etc/firejail/whitelist-common.inc -- cgit v1.2.3-70-g09d2 From f88f8c638f8178d07af3e7df6257727d88709fd5 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 16 Oct 2016 08:51:52 -0400 Subject: merges --- README | 9 ++++++--- RELNOTES | 6 ++++-- src/firejail/fs_whitelist.c | 1 + 3 files changed, 11 insertions(+), 5 deletions(-) diff --git a/README b/README index 46c314a64..f9933f592 100644 --- a/README +++ b/README @@ -77,6 +77,12 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added gnome-chess profile - added DOSBox profile - evince profile enhancement +valoq (https://github.com/valoq) + - LibreOffice profile fixes + - cherrytree profile fixes + - added support for /srv in --whitelist feature +Rafael Cavalcanti (https://github.com/rccavalcanti) + - chromium profile fixes for Arch Linux Deelvesh Bunjun (https://github.com/DeelveshBunjun) - added xpdf profile vismir2 (https://github.com/vismir2) @@ -84,9 +90,6 @@ vismir2 (https://github.com/vismir2) Dara Adib (https://github.com/daradib) - ssh profile fix - evince profile fix -valoq (https://github.com/valoq) - - LibreOffice profile fixes - - cherrytree profile fixes vismir2 (https://github.com/vismir2) - feh, ranger, 7z, keepass, keepassx and zathura profiles - lots of profile fixes diff --git a/RELNOTES b/RELNOTES index 4c191fc82..0206e5433 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,9 +1,10 @@ -firejail (0.9.43) baseline; urgency=low +firejail (0.9.44~rc1) baseline; urgency=low * CVE-2016-7545 submitted by Aleksey Manevich * development version * modifs: removed man firejail-config * modifs: --private-tmp whitelists /tmp/.X11-unix directory * modifs: Nvidia drivers added to --private-dev + * modifs: /srv supported by --whitelist * feature: support starting/joining sandbox is a single command (--join-or-start) * feature: X11 detection support for --audit @@ -15,11 +16,12 @@ firejail (0.9.43) baseline; urgency=low * feature: X11 security extension (--x11=xorg) * feature: disable 3D hardware acceleration (--no3d) * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands + * feature: move files in sandbox (--put) * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape * new profiles: feh, ranger, zathura, 7z, keepass, keepassx, * new profiles: claws-mail, mutt, git, emacs, vim, xpdf * bugfixes - -- netblue30 Fri, 9 Sept 2016 08:00:00 -0500 + -- netblue30 Sat, 15 Sept 2016 08:00:00 -0500 firejail (0.9.42) baseline; urgency=low * security: --whitelist deleted files, submitted by Vasya Novikov diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index b1c2774e2..8bbdbe5d3 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c @@ -822,6 +822,7 @@ void fs_whitelist(void) { if (mount("tmpfs", RUN_WHITELIST_SRV_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mount tmpfs"); fs_logger2("tmpfs", RUN_WHITELIST_SRV_DIR); + } if (new_name) free(new_name); -- cgit v1.2.3-70-g09d2 From bb6c744fd4f59d0f407c37955ba36f8d40cc60cf Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 17 Oct 2016 08:41:39 -0400 Subject: allow user access to /sys/fs (--noblacklist=/sys/fs) --- RELNOTES | 1 + configure | 18 +++++++++--------- configure.ac | 2 +- src/firejail/fs.c | 6 +++++- test/fs/fs.sh | 3 +++ test/fs/sys_fs.exp | 44 ++++++++++++++++++++++++++++++++++++++++++++ 6 files changed, 63 insertions(+), 11 deletions(-) create mode 100755 test/fs/sys_fs.exp diff --git a/RELNOTES b/RELNOTES index 0206e5433..23e44a14f 100644 --- a/RELNOTES +++ b/RELNOTES @@ -5,6 +5,7 @@ firejail (0.9.44~rc1) baseline; urgency=low * modifs: --private-tmp whitelists /tmp/.X11-unix directory * modifs: Nvidia drivers added to --private-dev * modifs: /srv supported by --whitelist + * feature: allow user access to /sys/fs (--noblacklist=/sys/fs) * feature: support starting/joining sandbox is a single command (--join-or-start) * feature: X11 detection support for --audit diff --git a/configure b/configure index 48b891c40..9a33f0401 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for firejail 0.9.44~rc1. +# Generated by GNU Autoconf 2.69 for firejail 0.9.44~rc2. # # Report bugs to . # @@ -580,8 +580,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='firejail' PACKAGE_TARNAME='firejail' -PACKAGE_VERSION='0.9.44~rc1' -PACKAGE_STRING='firejail 0.9.44~rc1' +PACKAGE_VERSION='0.9.44~rc2' +PACKAGE_STRING='firejail 0.9.44~rc2' PACKAGE_BUGREPORT='netblue30@yahoo.com' PACKAGE_URL='http://firejail.wordpress.com' @@ -1259,7 +1259,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures firejail 0.9.44~rc1 to adapt to many kinds of systems. +\`configure' configures firejail 0.9.44~rc2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1320,7 +1320,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of firejail 0.9.44~rc1:";; + short | recursive ) echo "Configuration of firejail 0.9.44~rc2:";; esac cat <<\_ACEOF @@ -1424,7 +1424,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -firejail configure 0.9.44~rc1 +firejail configure 0.9.44~rc2 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1726,7 +1726,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by firejail $as_me 0.9.44~rc1, which was +It was created by firejail $as_me 0.9.44~rc2, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4303,7 +4303,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by firejail $as_me 0.9.44~rc1, which was +This file was extended by firejail $as_me 0.9.44~rc2, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -4357,7 +4357,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -firejail config.status 0.9.44~rc1 +firejail config.status 0.9.44~rc2 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index 108b558d4..4496550fd 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ AC_PREREQ([2.68]) -AC_INIT(firejail, 0.9.44~rc1, netblue30@yahoo.com, , http://firejail.wordpress.com) +AC_INIT(firejail, 0.9.44~rc2, netblue30@yahoo.com, , http://firejail.wordpress.com) AC_CONFIG_SRCDIR([src/firejail/main.c]) #AC_CONFIG_HEADERS([config.h]) diff --git a/src/firejail/fs.c b/src/firejail/fs.c index a5f12c7df..6c566bd90 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -649,7 +649,11 @@ void fs_proc_sys_dev_boot(void) { disable_file(BLACKLIST_FILE, "/sys/firmware"); disable_file(BLACKLIST_FILE, "/sys/hypervisor"); - disable_file(BLACKLIST_FILE, "/sys/fs"); + { // allow user access to /sys/fs if "--noblacklist=/sys/fs" is present on the command line + EUID_USER(); + profile_add("blacklist /sys/fs"); + EUID_ROOT(); + } disable_file(BLACKLIST_FILE, "/sys/module"); disable_file(BLACKLIST_FILE, "/sys/power"); disable_file(BLACKLIST_FILE, "/sys/kernel/debug"); diff --git a/test/fs/fs.sh b/test/fs/fs.sh index d45ef48bd..3139b8eae 100755 --- a/test/fs/fs.sh +++ b/test/fs/fs.sh @@ -6,6 +6,9 @@ export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) +echo "TESTING: /sys/fs access (test/fs/sys_fs.exp)" +./sys_fs.exp + echo "TESTING: kmsg access (test/fs/kmsg.exp)" ./kmsg.exp diff --git a/test/fs/sys_fs.exp b/test/fs/sys_fs.exp new file mode 100755 index 000000000..f512776d9 --- /dev/null +++ b/test/fs/sys_fs.exp @@ -0,0 +1,44 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "ls /sys/fs\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Permission denied" +} +after 100 + +send -- "exit\r" +sleep 1 + +send -- "firejail --noblacklist=/sys/fs\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "ls /sys/fs\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "cgroup" +} +after 100 +send -- "exit\r" +after 100 + +puts "\nall done\n" + -- cgit v1.2.3-70-g09d2 From a35b70acbd4794452596a74ed165d0b5feb7fa8c Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 17 Oct 2016 13:14:26 -0400 Subject: virtualbox profile --- README.md | 2 +- RELNOTES | 2 +- etc/virtualbox.profile | 12 ++++++++++++ platform/debian/conffiles | 1 + src/firecfg/firecfg.config | 1 + 5 files changed, 16 insertions(+), 2 deletions(-) create mode 100644 etc/virtualbox.profile diff --git a/README.md b/README.md index 1038e1ef8..3e765e556 100644 --- a/README.md +++ b/README.md @@ -113,5 +113,5 @@ x11 xpra, x11 xephyr, x11 none, x11 xorg, allusers, join-or-start ## New profiles qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape, feh, ranger, zathura, 7z, keepass, keepassx, -claws-mail, mutt, git, emacs, vim, xpdf +claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox diff --git a/RELNOTES b/RELNOTES index 23e44a14f..69d0a9b75 100644 --- a/RELNOTES +++ b/RELNOTES @@ -20,7 +20,7 @@ firejail (0.9.44~rc1) baseline; urgency=low * feature: move files in sandbox (--put) * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape * new profiles: feh, ranger, zathura, 7z, keepass, keepassx, - * new profiles: claws-mail, mutt, git, emacs, vim, xpdf + * new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox * bugfixes -- netblue30 Sat, 15 Sept 2016 08:00:00 -0500 diff --git a/etc/virtualbox.profile b/etc/virtualbox.profile new file mode 100644 index 000000000..148b7efc8 --- /dev/null +++ b/etc/virtualbox.profile @@ -0,0 +1,12 @@ +# VirtualBox profile + +noblacklist ${HOME}/.VirtualBox +noblacklist ${HOME}/VirtualBox VMs +noblacklist ${HOME}/.config/VirtualBox +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all + + diff --git a/platform/debian/conffiles b/platform/debian/conffiles index a8ed6f691..90f4839a2 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -161,3 +161,4 @@ /etc/firejail/emacs.profile /etc/firejail/vim.profile /etc/firejail/xpdf.profile +/etc/firejail/virtualbox.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 31f6b2fd5..aec0dc8a5 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -76,6 +76,7 @@ unbound mupen64plus wine dosbox +virtualbox # games 0ad -- cgit v1.2.3-70-g09d2 From dbec13243bde95b488fe0e77d1c472b72d09ba43 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 17 Oct 2016 13:36:54 -0400 Subject: openshot profile --- README.md | 2 +- RELNOTES | 2 +- etc/disable-programs.inc | 1 + platform/debian/conffiles | 1 + src/firecfg/firecfg.config | 1 + 5 files changed, 5 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 3e765e556..e0e283e2b 100644 --- a/README.md +++ b/README.md @@ -113,5 +113,5 @@ x11 xpra, x11 xephyr, x11 none, x11 xorg, allusers, join-or-start ## New profiles qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape, feh, ranger, zathura, 7z, keepass, keepassx, -claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox +claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot diff --git a/RELNOTES b/RELNOTES index 69d0a9b75..bc7d657d4 100644 --- a/RELNOTES +++ b/RELNOTES @@ -20,7 +20,7 @@ firejail (0.9.44~rc1) baseline; urgency=low * feature: move files in sandbox (--put) * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape * new profiles: feh, ranger, zathura, 7z, keepass, keepassx, - * new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox + * new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot * bugfixes -- netblue30 Sat, 15 Sept 2016 08:00:00 -0500 diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 369e4813c..dda36abfe 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -35,6 +35,7 @@ blacklist ${HOME}/.gimp* blacklist ${HOME}/.config/zathura blacklist ${HOME}/.config/cherrytree blacklist ${HOME}/.xpdfrc +blacklist ${HOME}/.openshot # Media players diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 90f4839a2..184aef75c 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -162,3 +162,4 @@ /etc/firejail/vim.profile /etc/firejail/xpdf.profile /etc/firejail/virtualbox.profile +/etc/firejail/openshot.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index aec0dc8a5..9548d40b4 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -138,6 +138,7 @@ pix xpdf xreader zathura +openshot # other ssh -- cgit v1.2.3-70-g09d2 From 99abcd61b06076d7d371cd1070343e0e317caf5e Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 17 Oct 2016 13:44:41 -0400 Subject: flowblade profile --- README.md | 2 +- RELNOTES | 1 + etc/disable-programs.inc | 3 +++ etc/flowblade.profile | 13 +++++++++++++ etc/openshot.profile | 13 +++++++++++++ platform/debian/conffiles | 1 + src/firecfg/firecfg.config | 1 + 7 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 etc/flowblade.profile create mode 100644 etc/openshot.profile diff --git a/README.md b/README.md index e0e283e2b..5c061dad8 100644 --- a/README.md +++ b/README.md @@ -113,5 +113,5 @@ x11 xpra, x11 xephyr, x11 none, x11 xorg, allusers, join-or-start ## New profiles qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape, feh, ranger, zathura, 7z, keepass, keepassx, -claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot +claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot, Flowblade diff --git a/RELNOTES b/RELNOTES index bc7d657d4..7aa3155e1 100644 --- a/RELNOTES +++ b/RELNOTES @@ -21,6 +21,7 @@ firejail (0.9.44~rc1) baseline; urgency=low * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape * new profiles: feh, ranger, zathura, 7z, keepass, keepassx, * new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot + * new profiles: Flowblade * bugfixes -- netblue30 Sat, 15 Sept 2016 08:00:00 -0500 diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index dda36abfe..1ff486509 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -36,6 +36,9 @@ blacklist ${HOME}/.config/zathura blacklist ${HOME}/.config/cherrytree blacklist ${HOME}/.xpdfrc blacklist ${HOME}/.openshot +blacklist ${HOME}/.openshot_qt +blacklist ${HOME}/.flowblade +blacklist ${HOME}/.config/flowblade # Media players diff --git a/etc/flowblade.profile b/etc/flowblade.profile new file mode 100644 index 000000000..e1ec291bd --- /dev/null +++ b/etc/flowblade.profile @@ -0,0 +1,13 @@ +# OpenShot profile +noblacklist ${HOME}/.flowblade +noblacklist ${HOME}/.config/flowblade +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6,netlink +seccomp diff --git a/etc/openshot.profile b/etc/openshot.profile new file mode 100644 index 000000000..f12bd7d11 --- /dev/null +++ b/etc/openshot.profile @@ -0,0 +1,13 @@ +# OpenShot profile +noblacklist ${HOME}/.openshot +noblacklist ${HOME}/.openshot_qt +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6,netlink +seccomp diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 184aef75c..2ffa6d035 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -163,3 +163,4 @@ /etc/firejail/xpdf.profile /etc/firejail/virtualbox.profile /etc/firejail/openshot.profile +/etc/firejail/flowblade.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 9548d40b4..0c46f2dfa 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -139,6 +139,7 @@ xpdf xreader zathura openshot +flowblade # other ssh -- cgit v1.2.3-70-g09d2 From 994dc7904dc7801c9ad3f0a032961d7bfba7be43 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 18 Oct 2016 08:40:45 -0400 Subject: typo --- etc/disable-devel.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc index 971857710..2ac367f37 100644 --- a/etc/disable-devel.inc +++ b/etc/disable-devel.inc @@ -20,7 +20,7 @@ blacklist /usr/bin/x86_64-unknown-linux-gnu-gcc* # clang/llvm blacklist /usr/bin/clang* blacklist /usr/bin/llvm* -blacklist /usb/bin/lldb* +blacklist /usr/bin/lldb* blacklist /usr/lib/llvm* # tcc - Tiny C Compiler -- cgit v1.2.3-70-g09d2 From b11e3ad8156e61ff72e0fe751a99a68feccb553f Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 18 Oct 2016 14:34:41 -0400 Subject: eog and evolution profiles --- README | 1 + README.md | 4 +++- RELNOTES | 2 +- etc/disable-programs.inc | 4 ++++ platform/debian/conffiles | 2 ++ src/firecfg/firecfg.config | 2 ++ 6 files changed, 13 insertions(+), 2 deletions(-) diff --git a/README b/README index f9933f592..10b0ab61b 100644 --- a/README +++ b/README @@ -81,6 +81,7 @@ valoq (https://github.com/valoq) - LibreOffice profile fixes - cherrytree profile fixes - added support for /srv in --whitelist feature + - Eye of GNOME and Evolution profiles Rafael Cavalcanti (https://github.com/rccavalcanti) - chromium profile fixes for Arch Linux Deelvesh Bunjun (https://github.com/DeelveshBunjun) diff --git a/README.md b/README.md index 5c061dad8..ec95a4e9b 100644 --- a/README.md +++ b/README.md @@ -42,6 +42,8 @@ If you keep your Firejail profiles in a public repository, please give us a link * https://github.com/chiraag-nataraj/firejail-profiles * https://github.com/triceratops1/fe + +Use this issue to request new profiles: https://github.com/netblue30/firejail/issues/825 ````` ````` @@ -113,5 +115,5 @@ x11 xpra, x11 xephyr, x11 none, x11 xorg, allusers, join-or-start ## New profiles qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape, feh, ranger, zathura, 7z, keepass, keepassx, -claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot, Flowblade +claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot, Flowblade, Eye of GNOME (eog), Evolution diff --git a/RELNOTES b/RELNOTES index 7aa3155e1..f1d6a8da1 100644 --- a/RELNOTES +++ b/RELNOTES @@ -21,7 +21,7 @@ firejail (0.9.44~rc1) baseline; urgency=low * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape * new profiles: feh, ranger, zathura, 7z, keepass, keepassx, * new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot - * new profiles: Flowblade + * new profiles: Flowblade, Eye of GNOME (eog), Evolution * bugfixes -- netblue30 Sat, 15 Sept 2016 08:00:00 -0500 diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 1ff486509..0094c6d11 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -39,6 +39,7 @@ blacklist ${HOME}/.openshot blacklist ${HOME}/.openshot_qt blacklist ${HOME}/.flowblade blacklist ${HOME}/.config/flowblade +blacklist ${HOME}/.config/eog # Media players @@ -78,6 +79,9 @@ blacklist ${HOME}/.config/inox blacklist ${HOME}/.muttrc blacklist ${HOME}/.mutt/muttrc blacklist ${HOME}/.msmtprc +blacklist ${HOME}/.config/evolution +blacklist ${HOME}/.local/share/evolution +blacklist ${HOME}/.cache/evolution # Instant Messaging blacklist ${HOME}/.config/hexchat diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 2ffa6d035..6d444b90d 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -164,3 +164,5 @@ /etc/firejail/virtualbox.profile /etc/firejail/openshot.profile /etc/firejail/flowblade.profile +/etc/firejail/eog.profile +/etc/firejail/evolution.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 0c46f2dfa..2d2c7b20e 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -47,6 +47,7 @@ seamonkey-bin thunderbird vivaldi-beta vivaldi +evolution # chat/messaging bitlbee @@ -140,6 +141,7 @@ xreader zathura openshot flowblade +eog # other ssh -- cgit v1.2.3-70-g09d2 From 24f53cde1d2ae75e23b3f82a925592c0c10c789a Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 19 Oct 2016 12:27:18 -0400 Subject: replaced exit with _exit in forked child --- src/firejail/fs_mkdir.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c index b2a5927e6..cffe32a7a 100644 --- a/src/firejail/fs_mkdir.c +++ b/src/firejail/fs_mkdir.c @@ -81,7 +81,7 @@ void fs_mkdir(const char *name) { // create directory mkdir_recursive(expanded); - exit(0); + _exit(0); } // wait for the child to finish waitpid(child, NULL, 0); @@ -126,7 +126,7 @@ void fs_mkfile(const char *name) { (void) rv; fclose(fp); } - exit(0); + _exit(0); } // wait for the child to finish waitpid(child, NULL, 0); -- cgit v1.2.3-70-g09d2 From eddb9419463e266c79d422ce5c4bbc91e579fbcd Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 19 Oct 2016 14:30:30 -0400 Subject: replaced exit with _exit in forked child --- src/faudit/syscall.c | 3 ++- src/firejail/fs_bin.c | 4 +++- src/firejail/fs_etc.c | 4 +++- src/firejail/fs_home.c | 2 +- src/firejail/ls.c | 8 ++++---- src/firejail/main.c | 2 +- src/firejail/netfilter.c | 12 ++++++++---- src/firejail/x11.c | 12 ++++++------ src/firemon/interface.c | 2 +- 9 files changed, 29 insertions(+), 20 deletions(-) diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c index 9924be00f..3c87305df 100644 --- a/src/faudit/syscall.c +++ b/src/faudit/syscall.c @@ -92,7 +92,8 @@ void syscall_run(const char *name) { errExit("fork"); if (child == 0) { execl(prog, prog, "syscall", name, NULL); - exit(1); + perror("execl"); + _exit(1); } // wait for the child to finish diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index e65474f44..ba0633649 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c @@ -192,6 +192,8 @@ static void duplicate(char *fname) { if (asprintf(&f, "%s/%s", RUN_BIN_DIR, fname) == -1) errExit("asprintf"); execlp(RUN_CP_COMMAND, RUN_CP_COMMAND, "-a", actual_path, f, NULL); + perror("execlp"); + _exit(1); } // wait for the child to finish waitpid(child, NULL, 0); @@ -245,7 +247,7 @@ void fs_private_bin_list(void) { duplicate(ptr); free(dlist); fs_logger_print(); - exit(0); + _exit(0); } // wait for the child to finish waitpid(child, NULL, 0); diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index fc9e40ca0..de29c312e 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c @@ -106,6 +106,8 @@ static void duplicate(char *fname) { if (asprintf(&f, "/etc/%s", fname) == -1) errExit("asprintf"); execlp(RUN_CP_COMMAND, RUN_CP_COMMAND, "-a", "--parents", f, RUN_MNT_DIR, NULL); + perror("execlp"); + _exit(1); } // wait for the child to finish waitpid(child, NULL, 0); @@ -169,7 +171,7 @@ void fs_private_etc_list(void) { duplicate(ptr); free(dlist); fs_logger_print(); - exit(0); + _exit(0); } // wait for the child to finish waitpid(child, NULL, 0); diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index bd3c404e9..75cc3e732 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c @@ -641,7 +641,7 @@ void fs_private_home_list(void) { fs_logger_print(); // save the current log free(dlist); - exit(0); + _exit(0); } // wait for the child to finish waitpid(child, NULL, 0); diff --git a/src/firejail/ls.c b/src/firejail/ls.c index 39efaa0a6..dba82be0b 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c @@ -358,7 +358,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { fprintf(stderr, "Error: Cannot read %s\n", fname1); exit(1); } - exit(0); + _exit(0); } // wait for the child to finish @@ -391,7 +391,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { exit(1); } fclose(fp); - exit(0); + _exit(0); } // wait for the child to finish @@ -445,7 +445,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { fprintf(stderr, "Error: Cannot read %s\n", src_fname); exit(1); } - exit(0); + _exit(0); } // wait for the child to finish @@ -494,7 +494,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { } } - exit(0); + _exit(0); } // wait for the child to finish diff --git a/src/firejail/main.c b/src/firejail/main.c index 987a79d1c..0872a11bb 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -2506,7 +2506,7 @@ int main(int argc, char **argv) { network_main(child); if (arg_debug) printf("Host network configured\n"); - exit(0); + _exit(0); } // wait for the child to finish diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c index b50d61039..c1f9a2c37 100644 --- a/src/firejail/netfilter.c +++ b/src/firejail/netfilter.c @@ -145,7 +145,8 @@ void netfilter(const char *fname) { // wipe out environment variables environ = NULL; execl(iptables_restore, iptables_restore, NULL); - // it will never get here!!! + perror("execl"); + _exit(1); } // wait for the child to finish waitpid(child, NULL, 0); @@ -163,7 +164,8 @@ void netfilter(const char *fname) { errExit("setregid"); environ = NULL; execl(iptables, iptables, "-vL", NULL); - // it will never get here!!! + perror("execl"); + _exit(1); } // wait for the child to finish waitpid(child, NULL, 0); @@ -256,7 +258,8 @@ void netfilter6(const char *fname) { // wipe out environment variables environ = NULL; execl(ip6tables_restore, ip6tables_restore, NULL); - // it will never get here!!! + perror("execl"); + _exit(1); } // wait for the child to finish waitpid(child, NULL, 0); @@ -269,7 +272,8 @@ void netfilter6(const char *fname) { if (child == 0) { environ = NULL; execl(ip6tables, ip6tables, "-vL", NULL); - // it will never get here!!! + perror("execl"); + _exit(1); } // wait for the child to finish waitpid(child, NULL, 0); diff --git a/src/firejail/x11.c b/src/firejail/x11.c index d40d349e1..c79f1a74e 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c @@ -314,7 +314,7 @@ void x11_start_xephyr(int argc, char **argv) { execvp(server_argv[0], server_argv); perror("execvp"); - exit(1); + _exit(1); } if (arg_debug) @@ -355,7 +355,7 @@ void x11_start_xephyr(int argc, char **argv) { execvp(jail_argv[0], jail_argv); perror("execvp"); - exit(1); + _exit(1); } // cleanup @@ -434,7 +434,7 @@ void x11_start_xpra(int argc, char **argv) { execvp(server_argv[0], server_argv); perror("execvp"); - exit(1); + _exit(1); } // check X11 socket @@ -480,7 +480,7 @@ void x11_start_xpra(int argc, char **argv) { execvp(attach_argv[0], attach_argv); perror("execvp"); - exit(1); + _exit(1); } setenv("DISPLAY", display_str, 1); @@ -536,7 +536,7 @@ void x11_start_xpra(int argc, char **argv) { } execvp(stop_argv[0], stop_argv); perror("execvp"); - exit(1); + _exit(1); } // wait for xpra server to stop, 10 seconds limit @@ -672,7 +672,7 @@ void x11_xorg(void) { execlp("/usr/bin/xauth", "/usr/bin/xauth", "-f", RUN_XAUTHORITY_SEC_FILE, "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL); - exit(0); + _exit(0); } // wait for the child to finish waitpid(child, NULL, 0); diff --git a/src/firemon/interface.c b/src/firemon/interface.c index 5a89e1491..bceed93d3 100644 --- a/src/firemon/interface.c +++ b/src/firemon/interface.c @@ -146,7 +146,7 @@ static void print_sandbox(pid_t pid) { return; net_ifprint(); printf("\n"); - exit(0); + _exit(0); } // wait for the child to finish -- cgit v1.2.3-70-g09d2 From 30481f427c2adcfe890916da3724592128c9a932 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Thu, 20 Oct 2016 00:26:54 +0300 Subject: fix building on systems without bash --- mkuid.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mkuid.sh b/mkuid.sh index c95741043..a59f58143 100755 --- a/mkuid.sh +++ b/mkuid.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/sh echo "extracting UID_MIN and GID_MIN" echo "#ifndef FIREJAIL_UIDS_H" > uids.h -- cgit v1.2.3-70-g09d2 From 9b693b4a0791584bc8c543bfae71bbcdb167f592 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Thu, 20 Oct 2016 00:29:58 +0300 Subject: add missing include --- src/firemon/procevent.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c index 188c10183..c59c7423d 100644 --- a/src/firemon/procevent.c +++ b/src/firemon/procevent.c @@ -28,6 +28,8 @@ #include #include #include +//#include + #define PIDS_BUFLEN 4096 #define SERVER_PORT 889 // 889-899 is left unassigned by IANA -- cgit v1.2.3-70-g09d2 From 900ffe37394940efb405b16998392d8d69206574 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Thu, 20 Oct 2016 01:05:06 +0300 Subject: fix mutt.profile --- etc/disable-programs.inc | 1 + etc/mutt.profile | 1 + 2 files changed, 2 insertions(+) diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 0094c6d11..edd4ee374 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -77,6 +77,7 @@ blacklist ${HOME}/.8pecxstudios blacklist ${HOME}/.config/brave blacklist ${HOME}/.config/inox blacklist ${HOME}/.muttrc +blacklist ${HOME}/.mutt blacklist ${HOME}/.mutt/muttrc blacklist ${HOME}/.msmtprc blacklist ${HOME}/.config/evolution diff --git a/etc/mutt.profile b/etc/mutt.profile index cda7fc4bf..b532ded67 100644 --- a/etc/mutt.profile +++ b/etc/mutt.profile @@ -2,6 +2,7 @@ noblacklist ~/.muttrc noblacklist ~/.mutt +noblacklist ~/.mutt/muttrc noblacklist ~/.mailcap noblacklist ~/.gnupg noblacklist ~/.mail -- cgit v1.2.3-70-g09d2 From 4ac74f0621fbb33a90dd4e3aa181ccd727c57514 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Thu, 20 Oct 2016 01:23:26 +0300 Subject: add missing include --- src/firemon/procevent.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c index c59c7423d..78a3a4fb2 100644 --- a/src/firemon/procevent.c +++ b/src/firemon/procevent.c @@ -28,7 +28,7 @@ #include #include #include -//#include +#include #define PIDS_BUFLEN 4096 #define SERVER_PORT 889 // 889-899 is left unassigned by IANA -- cgit v1.2.3-70-g09d2 From 981ba13ec0b8a88f79b128a09b36bc1474c0f0a1 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 21 Oct 2016 09:44:58 -0400 Subject: 0.9.44 testing --- RELNOTES | 7 ++++--- configure | 18 +++++++++--------- configure.ac | 2 +- src/firejail/main.c | 1 - src/man/firejail-login.txt | 4 ++++ 5 files changed, 18 insertions(+), 14 deletions(-) diff --git a/RELNOTES b/RELNOTES index f1d6a8da1..8617d2db7 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,6 +1,5 @@ -firejail (0.9.44~rc1) baseline; urgency=low +firejail (0.9.44) baseline; urgency=low * CVE-2016-7545 submitted by Aleksey Manevich - * development version * modifs: removed man firejail-config * modifs: --private-tmp whitelists /tmp/.X11-unix directory * modifs: Nvidia drivers added to --private-dev @@ -18,12 +17,14 @@ firejail (0.9.44~rc1) baseline; urgency=low * feature: disable 3D hardware acceleration (--no3d) * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands * feature: move files in sandbox (--put) + * feature: accept wildcard patterns in user name field of restricted + shell login feature * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape * new profiles: feh, ranger, zathura, 7z, keepass, keepassx, * new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot * new profiles: Flowblade, Eye of GNOME (eog), Evolution * bugfixes - -- netblue30 Sat, 15 Sept 2016 08:00:00 -0500 + -- netblue30 Fri, 21 Oct 2016 08:00:00 -0500 firejail (0.9.42) baseline; urgency=low * security: --whitelist deleted files, submitted by Vasya Novikov diff --git a/configure b/configure index 9a33f0401..b92d9071c 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for firejail 0.9.44~rc2. +# Generated by GNU Autoconf 2.69 for firejail 0.9.44. # # Report bugs to . # @@ -580,8 +580,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='firejail' PACKAGE_TARNAME='firejail' -PACKAGE_VERSION='0.9.44~rc2' -PACKAGE_STRING='firejail 0.9.44~rc2' +PACKAGE_VERSION='0.9.44' +PACKAGE_STRING='firejail 0.9.44' PACKAGE_BUGREPORT='netblue30@yahoo.com' PACKAGE_URL='http://firejail.wordpress.com' @@ -1259,7 +1259,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures firejail 0.9.44~rc2 to adapt to many kinds of systems. +\`configure' configures firejail 0.9.44 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1320,7 +1320,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of firejail 0.9.44~rc2:";; + short | recursive ) echo "Configuration of firejail 0.9.44:";; esac cat <<\_ACEOF @@ -1424,7 +1424,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -firejail configure 0.9.44~rc2 +firejail configure 0.9.44 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1726,7 +1726,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by firejail $as_me 0.9.44~rc2, which was +It was created by firejail $as_me 0.9.44, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4303,7 +4303,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by firejail $as_me 0.9.44~rc2, which was +This file was extended by firejail $as_me 0.9.44, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -4357,7 +4357,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -firejail config.status 0.9.44~rc2 +firejail config.status 0.9.44 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index 4496550fd..da4b31591 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ AC_PREREQ([2.68]) -AC_INIT(firejail, 0.9.44~rc2, netblue30@yahoo.com, , http://firejail.wordpress.com) +AC_INIT(firejail, 0.9.44, netblue30@yahoo.com, , http://firejail.wordpress.com) AC_CONFIG_SRCDIR([src/firejail/main.c]) #AC_CONFIG_HEADERS([config.h]) diff --git a/src/firejail/main.c b/src/firejail/main.c index 0872a11bb..b5a97c71e 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -2579,7 +2579,6 @@ int main(int argc, char **argv) { g = get_group_id("games"); if (g) { sprintf(ptr, "%d %d 1\n", g, g); - ptr += strlen(ptr); } EUID_ROOT(); diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt index 691217253..796179d0b 100644 --- a/src/man/firejail-login.txt +++ b/src/man/firejail-login.txt @@ -13,6 +13,10 @@ Example: netblue:--net=none --protocol=unix +Wildcard patterns are accepted in the user name field: + + user*: --private + .SH RESTRICTED SHELL To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in /etc/passwd file for each user that needs to be restricted. Alternatively, -- cgit v1.2.3-70-g09d2 From 08106743010d1b005e8d6cd377d79fdc8fb0af96 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 21 Oct 2016 10:14:08 -0400 Subject: 0.9.44 testing --- test/filters/noroot.exp | 44 ++++++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/test/filters/noroot.exp b/test/filters/noroot.exp index 2a7cb7975..b011f2bf9 100755 --- a/test/filters/noroot.exp +++ b/test/filters/noroot.exp @@ -46,20 +46,20 @@ expect { } send -- "sudo -s\r" expect { - timeout {puts "TESTING ERROR 8\n";exit} + timeout {puts "TESTING ERROR 7\n";exit} "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";} "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} "Bad system call" { puts "OK\n";} } send -- "cat /proc/self/uid_map | wc -l\r" expect { - timeout {puts "TESTING ERROR 7\n";exit} + timeout {puts "TESTING ERROR 8\n";exit} "1" } send -- "cat /proc/self/gid_map | wc -l\r" expect { - timeout {puts "TESTING ERROR 8\n";exit} - "3" + timeout {puts "TESTING ERROR 9\n";exit} + "5" } puts "\n" @@ -70,59 +70,59 @@ sleep 2 send -- "firejail --name=test --noroot --noprofile\r" expect { - timeout {puts "TESTING ERROR 9\n";exit} + timeout {puts "TESTING ERROR 10\n";exit} "Child process initialized" } sleep 1 send -- "cat /proc/self/status\r" expect { - timeout {puts "TESTING ERROR 10\n";exit} + timeout {puts "TESTING ERROR 11\n";exit} "CapBnd:" } expect { - timeout {puts "TESTING ERROR 11\n";exit} + timeout {puts "TESTING ERROR 12\n";exit} "ffffffff" } expect { - timeout {puts "TESTING ERROR 12\n";exit} + timeout {puts "TESTING ERROR 13\n";exit} "Seccomp:" } expect { - timeout {puts "TESTING ERROR 13\n";exit} + timeout {puts "TESTING ERROR 14\n";exit} "0" } expect { - timeout {puts "TESTING ERROR 14\n";exit} + timeout {puts "TESTING ERROR 15\n";exit} "Cpus_allowed:" } puts "\n" send -- "whoami\r" expect { - timeout {puts "TESTING ERROR 15\n";exit} + timeout {puts "TESTING ERROR 16\n";exit} $env(USER) } send -- "sudo -s\r" expect { - timeout {puts "TESTING ERROR 16\n";exit} + timeout {puts "TESTING ERROR 17\n";exit} "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";} "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} } send -- "ping 0\r" expect { - timeout {puts "TESTING ERROR 17\n";exit} + timeout {puts "TESTING ERROR 18\n";exit} "Operation not permitted" } send -- "cat /proc/self/uid_map | wc -l\r" expect { - timeout {puts "TESTING ERROR 18\n";exit} + timeout {puts "TESTING ERROR 19\n";exit} "1" } send -- "cat /proc/self/gid_map | wc -l\r" expect { - timeout {puts "TESTING ERROR 19\n";exit} - "3" + timeout {puts "TESTING ERROR 20\n";exit} + "5" } @@ -130,31 +130,31 @@ expect { spawn $env(SHELL) send -- "firejail --debug --join=test\r" expect { - timeout {puts "TESTING ERROR 20\n";exit} + timeout {puts "TESTING ERROR 21\n";exit} "User namespace detected" } expect { - timeout {puts "TESTING ERROR 21\n";exit} + timeout {puts "TESTING ERROR 22\n";exit} "Joining user namespace" } sleep 1 send -- "sudo -s\r" expect { - timeout {puts "TESTING ERROR 22\n";exit} + timeout {puts "TESTING ERROR 23\n";exit} "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";} "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} "Permission denied" { puts "OK\n";} } send -- "cat /proc/self/uid_map | wc -l\r" expect { - timeout {puts "TESTING ERROR 23\n";exit} + timeout {puts "TESTING ERROR 24\n";exit} "1" } send -- "cat /proc/self/gid_map | wc -l\r" expect { - timeout {puts "TESTING ERROR 24\n";exit} - "3" + timeout {puts "TESTING ERROR 25\n";exit} + "5" } after 100 puts "\nall done\n" -- cgit v1.2.3-70-g09d2 From 7fbb382700760f533dedfe1c370031e1f911f88d Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 21 Oct 2016 20:41:12 -0400 Subject: 0.9.44 fixes --- Makefile.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile.in b/Makefile.in index 9574c74bc..dbf53e2cb 100644 --- a/Makefile.in +++ b/Makefile.in @@ -141,7 +141,7 @@ uninstall: rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg DISTFILES = "src etc platform configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES" -DISTFILES_TEST = "test/apps test/apps-x11 test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils" +DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils" dist: mv config.status config.status.old -- cgit v1.2.3-70-g09d2 From 0b32d832d23b6c2a6f2b800ebd7bb2842bc1d609 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 22 Oct 2016 08:39:55 -0400 Subject: 0.9.44 - build rpm --- platform/rpm/old-mkrpm.sh | 542 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 542 insertions(+) create mode 100755 platform/rpm/old-mkrpm.sh diff --git a/platform/rpm/old-mkrpm.sh b/platform/rpm/old-mkrpm.sh new file mode 100755 index 000000000..017d5e1c3 --- /dev/null +++ b/platform/rpm/old-mkrpm.sh @@ -0,0 +1,542 @@ +#!/bin/bash +VERSION="0.9.44" +rm -fr ~/rpmbuild +rm -f firejail-$VERSION-1.x86_64.rpm + +mkdir -p ~/rpmbuild/{RPMS,SRPMS,BUILD,SOURCES,SPECS,tmp} +cat <~/.rpmmacros +%_topdir %(echo $HOME)/rpmbuild +%_tmppath %{_topdir}/tmp +EOF + +cd ~/rpmbuild +echo "building directory tree" + +mkdir -p firejail-$VERSION/usr/bin +install -m 755 /usr/bin/firejail firejail-$VERSION/usr/bin/. +install -m 755 /usr/bin/firemon firejail-$VERSION/usr/bin/. +install -m 755 /usr/bin/firecfg firejail-$VERSION/usr/bin/. + +mkdir -p firejail-$VERSION/usr/lib/firejail +install -m 755 /usr/lib/firejail/faudit firejail-$VERSION/usr/lib/firejail/. +install -m 644 /usr/lib/firejail/firecfg.config firejail-$VERSION/usr/lib/firejail/. +install -m 755 /usr/lib/firejail/fshaper.sh firejail-$VERSION/usr/lib/firejail/. +install -m 755 /usr/lib/firejail/ftee firejail-$VERSION/usr/lib/firejail/. +install -m 644 /usr/lib/firejail/libtrace.so firejail-$VERSION/usr/lib/firejail/. +install -m 644 /usr/lib/firejail/libtracelog.so firejail-$VERSION/usr/lib/firejail/. +install -m 644 /usr/lib/firejail/libconnect.so firejail-$VERSION/usr/lib/firejail/. + +mkdir -p firejail-$VERSION/usr/share/man/man1 +install -m 644 /usr/share/man/man1/firejail.1.gz firejail-$VERSION/usr/share/man/man1/. +install -m 644 /usr/share/man/man1/firemon.1.gz firejail-$VERSION/usr/share/man/man1/. +install -m 644 /usr/share/man/man1/firecfg.1.gz firejail-$VERSION/usr/share/man/man1/. + +mkdir -p firejail-$VERSION/usr/share/man/man5 +install -m 644 /usr/share/man/man5/firejail-profile.5.gz firejail-$VERSION/usr/share/man/man5/. +install -m 644 /usr/share/man/man5/firejail-login.5.gz firejail-$VERSION/usr/share/man/man5/. + +mkdir -p firejail-$VERSION/usr/share/doc/packages/firejail +install -m 644 /usr/share/doc/firejail/COPYING firejail-$VERSION/usr/share/doc/packages/firejail/. +install -m 644 /usr/share/doc/firejail/README firejail-$VERSION/usr/share/doc/packages/firejail/. +install -m 644 /usr/share/doc/firejail/RELNOTES firejail-$VERSION/usr/share/doc/packages/firejail/. + +mkdir -p firejail-$VERSION/etc/firejail +install -m 644 /etc/firejail/0ad.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/abrowser.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/atom-beta.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/atom.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/atril.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/audacious.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/audacity.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/aweather.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/bitlbee.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/brave.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/cherrytree.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/chromium-browser.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/chromium.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/clementine.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/cmus.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/conkeror.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/corebird.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/cpio.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/cyberfox.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/Cyberfox.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/deadbeef.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/default.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/deluge.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/dillo.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/disable-common.inc firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/disable-devel.inc firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/disable-passwdmgr.inc firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/disable-programs.inc firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/dnscrypt-proxy.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/dnsmasq.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/dosbox.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/dropbox.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/empathy.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/eom.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/epiphany.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/evince.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/fbreader.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/file.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/filezilla.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/firefox-esr.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/firefox.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/firejail.config firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/flashpeak-slimjet.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/franz.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/gajim.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/gitter.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/gnome-chess.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/gnome-mplayer.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/google-chrome-beta.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/google-chrome.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/google-chrome-stable.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/google-chrome-unstable.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/google-play-music-desktop-player.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/gpredict.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/gtar.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/gthumb.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/gwenview.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/gzip.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/hedgewars.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/hexchat.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/icecat.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/icedove.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/iceweasel.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/inox.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/jitsi.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/kmail.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/konversation.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/less.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/libreoffice.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/localc.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/lodraw.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/loffice.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/lofromtemplate.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/login.users firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/loimpress.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/lomath.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/loweb.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/lowriter.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/lxterminal.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/mathematica.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/Mathematica.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/mcabber.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/midori.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/mpv.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/mupen64plus.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/netsurf.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/nolocal.net firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/okular.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/openbox.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/opera-beta.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/opera.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/palemoon.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/parole.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/pidgin.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/pix.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/polari.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/psi-plus.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/qbittorrent.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/qtox.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/quassel.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/quiterss.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/qutebrowser.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/rhythmbox.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/rtorrent.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/seamonkey-bin.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/seamonkey.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/server.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/skypeforlinux.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/skype.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/slack.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/snap.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/soffice.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/spotify.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/ssh.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/steam.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/stellarium.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/strings.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/tar.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/telegram.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/Telegram.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/thunderbird.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/totem.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/transmission-gtk.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/transmission-qt.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/uget-gtk.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/unbound.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/unrar.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/unzip.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/uudeview.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/vivaldi-beta.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/vivaldi.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/vlc.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/warzone2100.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/webserver.net firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/weechat-curses.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/weechat.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/wesnoth.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/whitelist-common.inc firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/wine.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/xchat.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/xplayer.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/xreader.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/xviewer.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/xzdec.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/xz.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/zathura.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/7z.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/keepass.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/keepassx.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/claws-mail.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/mutt.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/git.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/emacs.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/vim.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/xpdf.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/virtualbox.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/openshot.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/flowblade.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/eog.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/evolution.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/feh.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/gimp.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/inkscape.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/luminance-hdr.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/mupdf.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/qpdfview.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/ranger.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/synfigstudio.profile firejail-$VERSION/etc/firejail/. + + +mkdir -p firejail-$VERSION/usr/share/bash-completion/completions +install -m 644 /usr/share/bash-completion/completions/firejail firejail-$VERSION/usr/share/bash-completion/completions/. +install -m 644 /usr/share/bash-completion/completions/firemon firejail-$VERSION/usr/share/bash-completion/completions/. +install -m 644 /usr/share/bash-completion/completions/firecfg firejail-$VERSION/usr/share/bash-completion/completions/. + +echo "building tar.gz archive" +tar -czvf firejail-$VERSION.tar.gz firejail-$VERSION + +cp firejail-$VERSION.tar.gz SOURCES/. + +echo "building config spec" +cat < SPECS/firejail.spec +%define __spec_install_post %{nil} +%define debug_package %{nil} +%define __os_install_post %{_dbpath}/brp-compress + +Summary: Linux namepaces sandbox program +Name: firejail +Version: $VERSION +Release: 1 +License: GPL+ +Group: Development/Tools +SOURCE0 : %{name}-%{version}.tar.gz +URL: http://firejail.wordpress.com + +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root + +%description +Firejail is a SUID sandbox program that reduces the risk of security +breaches by restricting the running environment of untrusted applications +using Linux namespaces. It includes a sandbox profile for Mozilla Firefox. + +%prep +%setup -q + +%build + +%install +rm -rf %{buildroot} +mkdir -p %{buildroot} + +cp -a * %{buildroot} + + +%clean +rm -rf %{buildroot} + + +%files +%defattr(-,root,root,-) +%config(noreplace) %{_sysconfdir}/%{name}/0ad.profile +%config(noreplace) %{_sysconfdir}/%{name}/abrowser.profile +%config(noreplace) %{_sysconfdir}/%{name}/atom-beta.profile +%config(noreplace) %{_sysconfdir}/%{name}/atom.profile +%config(noreplace) %{_sysconfdir}/%{name}/atril.profile +%config(noreplace) %{_sysconfdir}/%{name}/audacious.profile +%config(noreplace) %{_sysconfdir}/%{name}/audacity.profile +%config(noreplace) %{_sysconfdir}/%{name}/aweather.profile +%config(noreplace) %{_sysconfdir}/%{name}/bitlbee.profile +%config(noreplace) %{_sysconfdir}/%{name}/brave.profile +%config(noreplace) %{_sysconfdir}/%{name}/cherrytree.profile +%config(noreplace) %{_sysconfdir}/%{name}/chromium-browser.profile +%config(noreplace) %{_sysconfdir}/%{name}/chromium.profile +%config(noreplace) %{_sysconfdir}/%{name}/clementine.profile +%config(noreplace) %{_sysconfdir}/%{name}/cmus.profile +%config(noreplace) %{_sysconfdir}/%{name}/conkeror.profile +%config(noreplace) %{_sysconfdir}/%{name}/corebird.profile +%config(noreplace) %{_sysconfdir}/%{name}/cpio.profile +%config(noreplace) %{_sysconfdir}/%{name}/cyberfox.profile +%config(noreplace) %{_sysconfdir}/%{name}/Cyberfox.profile +%config(noreplace) %{_sysconfdir}/%{name}/deadbeef.profile +%config(noreplace) %{_sysconfdir}/%{name}/default.profile +%config(noreplace) %{_sysconfdir}/%{name}/deluge.profile +%config(noreplace) %{_sysconfdir}/%{name}/dillo.profile +%config(noreplace) %{_sysconfdir}/%{name}/disable-common.inc +%config(noreplace) %{_sysconfdir}/%{name}/disable-devel.inc +%config(noreplace) %{_sysconfdir}/%{name}/disable-passwdmgr.inc +%config(noreplace) %{_sysconfdir}/%{name}/disable-programs.inc +%config(noreplace) %{_sysconfdir}/%{name}/dnscrypt-proxy.profile +%config(noreplace) %{_sysconfdir}/%{name}/dnsmasq.profile +%config(noreplace) %{_sysconfdir}/%{name}/dosbox.profile +%config(noreplace) %{_sysconfdir}/%{name}/dropbox.profile +%config(noreplace) %{_sysconfdir}/%{name}/empathy.profile +%config(noreplace) %{_sysconfdir}/%{name}/eom.profile +%config(noreplace) %{_sysconfdir}/%{name}/epiphany.profile +%config(noreplace) %{_sysconfdir}/%{name}/evince.profile +%config(noreplace) %{_sysconfdir}/%{name}/fbreader.profile +%config(noreplace) %{_sysconfdir}/%{name}/file.profile +%config(noreplace) %{_sysconfdir}/%{name}/filezilla.profile +%config(noreplace) %{_sysconfdir}/%{name}/firefox-esr.profile +%config(noreplace) %{_sysconfdir}/%{name}/firefox.profile +%config(noreplace) %{_sysconfdir}/%{name}/firejail.config +%config(noreplace) %{_sysconfdir}/%{name}/flashpeak-slimjet.profile +%config(noreplace) %{_sysconfdir}/%{name}/franz.profile +%config(noreplace) %{_sysconfdir}/%{name}/gajim.profile +%config(noreplace) %{_sysconfdir}/%{name}/gitter.profile +%config(noreplace) %{_sysconfdir}/%{name}/gnome-chess.profile +%config(noreplace) %{_sysconfdir}/%{name}/gnome-mplayer.profile +%config(noreplace) %{_sysconfdir}/%{name}/google-chrome-beta.profile +%config(noreplace) %{_sysconfdir}/%{name}/google-chrome.profile +%config(noreplace) %{_sysconfdir}/%{name}/google-chrome-stable.profile +%config(noreplace) %{_sysconfdir}/%{name}/google-chrome-unstable.profile +%config(noreplace) %{_sysconfdir}/%{name}/google-play-music-desktop-player.profile +%config(noreplace) %{_sysconfdir}/%{name}/gpredict.profile +%config(noreplace) %{_sysconfdir}/%{name}/gtar.profile +%config(noreplace) %{_sysconfdir}/%{name}/gthumb.profile +%config(noreplace) %{_sysconfdir}/%{name}/gwenview.profile +%config(noreplace) %{_sysconfdir}/%{name}/gzip.profile +%config(noreplace) %{_sysconfdir}/%{name}/hedgewars.profile +%config(noreplace) %{_sysconfdir}/%{name}/hexchat.profile +%config(noreplace) %{_sysconfdir}/%{name}/icecat.profile +%config(noreplace) %{_sysconfdir}/%{name}/icedove.profile +%config(noreplace) %{_sysconfdir}/%{name}/iceweasel.profile +%config(noreplace) %{_sysconfdir}/%{name}/inox.profile +%config(noreplace) %{_sysconfdir}/%{name}/jitsi.profile +%config(noreplace) %{_sysconfdir}/%{name}/kmail.profile +%config(noreplace) %{_sysconfdir}/%{name}/konversation.profile +%config(noreplace) %{_sysconfdir}/%{name}/less.profile +%config(noreplace) %{_sysconfdir}/%{name}/libreoffice.profile +%config(noreplace) %{_sysconfdir}/%{name}/localc.profile +%config(noreplace) %{_sysconfdir}/%{name}/lodraw.profile +%config(noreplace) %{_sysconfdir}/%{name}/loffice.profile +%config(noreplace) %{_sysconfdir}/%{name}/lofromtemplate.profile +%config(noreplace) %{_sysconfdir}/%{name}/login.users +%config(noreplace) %{_sysconfdir}/%{name}/loimpress.profile +%config(noreplace) %{_sysconfdir}/%{name}/lomath.profile +%config(noreplace) %{_sysconfdir}/%{name}/loweb.profile +%config(noreplace) %{_sysconfdir}/%{name}/lowriter.profile +%config(noreplace) %{_sysconfdir}/%{name}/lxterminal.profile +%config(noreplace) %{_sysconfdir}/%{name}/mathematica.profile +%config(noreplace) %{_sysconfdir}/%{name}/Mathematica.profile +%config(noreplace) %{_sysconfdir}/%{name}/mcabber.profile +%config(noreplace) %{_sysconfdir}/%{name}/midori.profile +%config(noreplace) %{_sysconfdir}/%{name}/mpv.profile +%config(noreplace) %{_sysconfdir}/%{name}/mupen64plus.profile +%config(noreplace) %{_sysconfdir}/%{name}/netsurf.profile +%config(noreplace) %{_sysconfdir}/%{name}/nolocal.net +%config(noreplace) %{_sysconfdir}/%{name}/okular.profile +%config(noreplace) %{_sysconfdir}/%{name}/openbox.profile +%config(noreplace) %{_sysconfdir}/%{name}/opera-beta.profile +%config(noreplace) %{_sysconfdir}/%{name}/opera.profile +%config(noreplace) %{_sysconfdir}/%{name}/palemoon.profile +%config(noreplace) %{_sysconfdir}/%{name}/parole.profile +%config(noreplace) %{_sysconfdir}/%{name}/pidgin.profile +%config(noreplace) %{_sysconfdir}/%{name}/pix.profile +%config(noreplace) %{_sysconfdir}/%{name}/polari.profile +%config(noreplace) %{_sysconfdir}/%{name}/psi-plus.profile +%config(noreplace) %{_sysconfdir}/%{name}/qbittorrent.profile +%config(noreplace) %{_sysconfdir}/%{name}/qtox.profile +%config(noreplace) %{_sysconfdir}/%{name}/quassel.profile +%config(noreplace) %{_sysconfdir}/%{name}/quiterss.profile +%config(noreplace) %{_sysconfdir}/%{name}/qutebrowser.profile +%config(noreplace) %{_sysconfdir}/%{name}/rhythmbox.profile +%config(noreplace) %{_sysconfdir}/%{name}/rtorrent.profile +%config(noreplace) %{_sysconfdir}/%{name}/seamonkey-bin.profile +%config(noreplace) %{_sysconfdir}/%{name}/seamonkey.profile +%config(noreplace) %{_sysconfdir}/%{name}/server.profile +%config(noreplace) %{_sysconfdir}/%{name}/skypeforlinux.profile +%config(noreplace) %{_sysconfdir}/%{name}/skype.profile +%config(noreplace) %{_sysconfdir}/%{name}/slack.profile +%config(noreplace) %{_sysconfdir}/%{name}/snap.profile +%config(noreplace) %{_sysconfdir}/%{name}/soffice.profile +%config(noreplace) %{_sysconfdir}/%{name}/spotify.profile +%config(noreplace) %{_sysconfdir}/%{name}/ssh.profile +%config(noreplace) %{_sysconfdir}/%{name}/steam.profile +%config(noreplace) %{_sysconfdir}/%{name}/stellarium.profile +%config(noreplace) %{_sysconfdir}/%{name}/strings.profile +%config(noreplace) %{_sysconfdir}/%{name}/tar.profile +%config(noreplace) %{_sysconfdir}/%{name}/telegram.profile +%config(noreplace) %{_sysconfdir}/%{name}/Telegram.profile +%config(noreplace) %{_sysconfdir}/%{name}/thunderbird.profile +%config(noreplace) %{_sysconfdir}/%{name}/totem.profile +%config(noreplace) %{_sysconfdir}/%{name}/transmission-gtk.profile +%config(noreplace) %{_sysconfdir}/%{name}/transmission-qt.profile +%config(noreplace) %{_sysconfdir}/%{name}/uget-gtk.profile +%config(noreplace) %{_sysconfdir}/%{name}/unbound.profile +%config(noreplace) %{_sysconfdir}/%{name}/unrar.profile +%config(noreplace) %{_sysconfdir}/%{name}/unzip.profile +%config(noreplace) %{_sysconfdir}/%{name}/uudeview.profile +%config(noreplace) %{_sysconfdir}/%{name}/vivaldi-beta.profile +%config(noreplace) %{_sysconfdir}/%{name}/vivaldi.profile +%config(noreplace) %{_sysconfdir}/%{name}/vlc.profile +%config(noreplace) %{_sysconfdir}/%{name}/warzone2100.profile +%config(noreplace) %{_sysconfdir}/%{name}/webserver.net +%config(noreplace) %{_sysconfdir}/%{name}/weechat-curses.profile +%config(noreplace) %{_sysconfdir}/%{name}/weechat.profile +%config(noreplace) %{_sysconfdir}/%{name}/wesnoth.profile +%config(noreplace) %{_sysconfdir}/%{name}/whitelist-common.inc +%config(noreplace) %{_sysconfdir}/%{name}/wine.profile +%config(noreplace) %{_sysconfdir}/%{name}/xchat.profile +%config(noreplace) %{_sysconfdir}/%{name}/xplayer.profile +%config(noreplace) %{_sysconfdir}/%{name}/xreader.profile +%config(noreplace) %{_sysconfdir}/%{name}/xviewer.profile +%config(noreplace) %{_sysconfdir}/%{name}/xzdec.profile +%config(noreplace) %{_sysconfdir}/%{name}/xz.profile +%config(noreplace) %{_sysconfdir}/%{name}/zathura.profile +%config(noreplace) %{_sysconfdir}/%{name}/7z.profile +%config(noreplace) %{_sysconfdir}/%{name}/keepass.profile +%config(noreplace) %{_sysconfdir}/%{name}/keepassx.profile +%config(noreplace) %{_sysconfdir}/%{name}/claws-mail.profile +%config(noreplace) %{_sysconfdir}/%{name}/mutt.profile +%config(noreplace) %{_sysconfdir}/%{name}/git.profile +%config(noreplace) %{_sysconfdir}/%{name}/emacs.profile +%config(noreplace) %{_sysconfdir}/%{name}/vim.profile +%config(noreplace) %{_sysconfdir}/%{name}/xpdf.profile +%config(noreplace) %{_sysconfdir}/%{name}/virtualbox.profile +%config(noreplace) %{_sysconfdir}/%{name}/openshot.profile +%config(noreplace) %{_sysconfdir}/%{name}/flowblade.profile +%config(noreplace) %{_sysconfdir}/%{name}/eog.profile +%config(noreplace) %{_sysconfdir}/%{name}/evolution.profile +%config(noreplace) %{_sysconfdir}/%{name}/feh.profile +%config(noreplace) %{_sysconfdir}/%{name}/inkscape.profile +%config(noreplace) %{_sysconfdir}/%{name}/gimp.profile +%config(noreplace) %{_sysconfdir}/%{name}/luminance-hdr.profile +%config(noreplace) %{_sysconfdir}/%{name}/mupdf.profile +%config(noreplace) %{_sysconfdir}/%{name}/qpdfview.profile +%config(noreplace) %{_sysconfdir}/%{name}/ranger.profile +%config(noreplace) %{_sysconfdir}/%{name}/synfigstudio.profile + +/usr/bin/firejail +/usr/bin/firemon +/usr/bin/firecfg + +/usr/lib/firejail/libtrace.so +/usr/lib/firejail/libtracelog.so +/usr/lib/firejail/libconnect.so +/usr/lib/firejail/faudit +/usr/lib/firejail/ftee +/usr/lib/firejail/firecfg.config +/usr/lib/firejail/fshaper.sh + +/usr/share/doc/packages/firejail/COPYING +/usr/share/doc/packages/firejail/README +/usr/share/doc/packages/firejail/RELNOTES +/usr/share/man/man1/firejail.1.gz +/usr/share/man/man1/firemon.1.gz +/usr/share/man/man1/firecfg.1.gz +/usr/share/man/man5/firejail-profile.5.gz +/usr/share/man/man5/firejail-login.5.gz +/usr/share/bash-completion/completions/firejail +/usr/share/bash-completion/completions/firemon +/usr/share/bash-completion/completions/firecfg + +%post +chmod u+s /usr/bin/firejail + +%changelog +* Fri Oct 21 2016 netblue30 0.9.44-1 + - CVE-2016-7545 submitted by Aleksey Manevich + - modifs: removed man firejail-config + - modifs: --private-tmp whitelists /tmp/.X11-unix directory + - modifs: Nvidia drivers added to --private-dev + - modifs: /srv supported by --whitelist + - feature: allow user access to /sys/fs (--noblacklist=/sys/fs) + - feature: support starting/joining sandbox is a single command + (--join-or-start) + - feature: X11 detection support for --audit + - feature: assign a name to the interface connected to the bridge + (--veth-name) + - feature: all user home directories are visible (--allusers) + - feature: add files to sandbox container (--put) + - feature: blocking x11 (--x11=block) + - feature: X11 security extension (--x11=xorg) + - feature: disable 3D hardware acceleration (--no3d) + - feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands + - feature: move files in sandbox (--put) + - feature: accept wildcard patterns in user name field of restricted + shell login feature + - new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape + - new profiles: feh, ranger, zathura, 7z, keepass, keepassx, + - new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot + - new profiles: Flowblade, Eye of GNOME (eog), Evolution + - bugfixes + +* Thu Sep 8 2016 netblue30 0.9.42-1 + - security: --whitelist deleted files, submitted by Vasya Novikov + - security: disable x32 ABI in seccomp, submitted by Jann Horn + - security: tighten --chroot, submitted by Jann Horn + - security: terminal sandbox escape, submitted by Stephan Sokolow + - security: several TOCTOU fixes submitted by Aleksey Manevich + - modifs: bringing back --private-home option + - modifs: deprecated --user option, please use "sudo -u username firejail" + - modifs: allow symlinks in home directory for --whitelist option + - modifs: Firejail prompt is enabled by env variable FIREJAIL_PROMPT="yes" + - modifs: recursive mkdir + - modifs: include /dev/snd in --private-dev + - modifs: seccomp filter update + - modifs: release archives moved to .xz format + - feature: AppImage support (--appimage) + - feature: AppArmor support (--apparmor) + - feature: Ubuntu snap support (/etc/firejail/snap.profile) + - feature: Sandbox auditing support (--audit) + - feature: remove environment variable (--rmenv) + - feature: noexec support (--noexec) + - feature: clean local overlay storage directory (--overlay-clean) + - feature: store and reuse overlay (--overlay-named) + - feature: allow debugging inside the sandbox with gdb and strace + (--allow-debuggers) + - feature: mkfile profile command + - feature: quiet profile command + - feature: x11 profile command + - feature: option to fix desktop files (firecfg --fix) + - compile time: Busybox support (--enable-busybox-workaround) + - compile time: disable overlayfs (--disable-overlayfs) + - compile time: disable whitlisting (--disable-whitelist) + - compile time: disable global config (--disable-globalcfg) + - run time: enable/disable overlayfs (overlayfs yes/no) + - run time: enable/disable quiet as default (quiet-by-default yes/no) + - run time: user-defined network filter (netfilter-default) + - run time: enable/disable whitelisting (whitelist yes/no) + - run time: enable/disable remounting of /proc and /sys + (remount-proc-sys yes/no) + - run time: enable/disable chroot desktop features (chroot-desktop yes/no) + - profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice + - profiles: pix, audacity, xz, xzdec, gzip, cpio, less + - profiles: Atom Beta, Atom, jitsi, eom, uudeview + - profiles: tar (gtar), unzip, unrar, file, skypeforlinux, + - profiles: inox, Slack, gnome-chess. Gajim IM client, DOSBox + - bugfixes + +EOF + +echo "building rpm" +rpmbuild -ba SPECS/firejail.spec +rpm -qpl RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm +cd .. +rm -f firejail-$VERSION-1.x86_64.rpm +cp rpmbuild/RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm . + -- cgit v1.2.3-70-g09d2 From 4802d8b42393e1128279d43f5ba8dac918ffc1df Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 23 Oct 2016 08:20:22 -0400 Subject: starting 0.9.45 devel version --- README.md | 70 +----------------------------------------------------------- RELNOTES | 4 ++++ configure | 18 ++++++++-------- configure.ac | 2 +- 4 files changed, 15 insertions(+), 79 deletions(-) diff --git a/README.md b/README.md index ec95a4e9b..fe7c91f01 100644 --- a/README.md +++ b/README.md @@ -47,73 +47,5 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is ````` ````` -# Current development version: 0.9.43 - -## X11 development -````` - --x11=none - Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and the - file specified in ${XAUTHORITY} environment variable. Remove - DISPLAY and XAUTHORITY environment variables. Stop with error - message if X11 abstract socket will be accessible in jail. - - --x11=xorg - Sandbox the application using the untrusted mode implemented by - X11 security extension. The extension is available in Xorg - package and it is installed by default on most Linux distribu‐ - tions. It provides support for a simple trusted/untrusted con‐ - nection model. Untrusted clients are restricted in certain ways - to prevent them from reading window contents of other clients, - stealing input events, etc. - - The untrusted mode has several limitations. A lot of regular - programs assume they are a trusted X11 clients and will crash - or lock up when run in untrusted mode. Chromium browser and - xterm are two examples. Firefox and transmission-gtk seem to be - working fine. A network namespace is not required for this - option. - - Example: - $ firejail --x11=xorg firefox -````` - -## Other command line options -````` - --put=name|pid src-filename dest-filename - Put src-filename in sandbox container. The container is specified by name or PID. - - --allusers - All user home directories are visible inside the sandbox. By default, only current user home - directory is visible. - - Example: - $ firejail --allusers - - --join-or-start=name - Join the sandbox identified by name or start a new one. Same as "firejail --join=name" if - sandbox with specified name exists, otherwise same as "firejail --name=name ..." - Note that in contrary to other join options there is respective profile option. - - --no3d Disable 3D hardware acceleration. - - Example: - $ firejail --no3d firefox - - --veth-name=name - Use this name for the interface connected to the bridge for - --net=bridge_interface commands, instead of the default one. - - Example: - $ firejail --net=br0 --veth-name=if0 - -````` - -## New profile commands - -x11 xpra, x11 xephyr, x11 none, x11 xorg, allusers, join-or-start - -## New profiles - -qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape, feh, ranger, zathura, 7z, keepass, keepassx, -claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot, Flowblade, Eye of GNOME (eog), Evolution +# Current development version: 0.9.45 diff --git a/RELNOTES b/RELNOTES index 8617d2db7..6e1f502c7 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,3 +1,7 @@ +firejail (0.9.45) baseline; urgency=low + * development version, work in progress + -- netblue30 Sun, 23 Oct 2016 08:00:00 -0500 + firejail (0.9.44) baseline; urgency=low * CVE-2016-7545 submitted by Aleksey Manevich * modifs: removed man firejail-config diff --git a/configure b/configure index b92d9071c..a470dffba 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for firejail 0.9.44. +# Generated by GNU Autoconf 2.69 for firejail 0.9.45. # # Report bugs to . # @@ -580,8 +580,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='firejail' PACKAGE_TARNAME='firejail' -PACKAGE_VERSION='0.9.44' -PACKAGE_STRING='firejail 0.9.44' +PACKAGE_VERSION='0.9.45' +PACKAGE_STRING='firejail 0.9.45' PACKAGE_BUGREPORT='netblue30@yahoo.com' PACKAGE_URL='http://firejail.wordpress.com' @@ -1259,7 +1259,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures firejail 0.9.44 to adapt to many kinds of systems. +\`configure' configures firejail 0.9.45 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1320,7 +1320,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of firejail 0.9.44:";; + short | recursive ) echo "Configuration of firejail 0.9.45:";; esac cat <<\_ACEOF @@ -1424,7 +1424,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -firejail configure 0.9.44 +firejail configure 0.9.45 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1726,7 +1726,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by firejail $as_me 0.9.44, which was +It was created by firejail $as_me 0.9.45, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4303,7 +4303,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by firejail $as_me 0.9.44, which was +This file was extended by firejail $as_me 0.9.45, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -4357,7 +4357,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -firejail config.status 0.9.44 +firejail config.status 0.9.45 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index da4b31591..95947a8e3 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ AC_PREREQ([2.68]) -AC_INIT(firejail, 0.9.44, netblue30@yahoo.com, , http://firejail.wordpress.com) +AC_INIT(firejail, 0.9.45, netblue30@yahoo.com, , http://firejail.wordpress.com) AC_CONFIG_SRCDIR([src/firejail/main.c]) #AC_CONFIG_HEADERS([config.h]) -- cgit v1.2.3-70-g09d2 From 4bcab4f4e6a53f2b7d402092983ee0d71d555259 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 23 Oct 2016 09:02:39 -0400 Subject: appimage type 2 support --- src/firejail/appimage.c | 29 ++++++++- src/firejail/appimage_size.c | 143 +++++++++++++++++++++++++++++++++++++++++++ src/firejail/firejail.h | 4 ++ 3 files changed, 173 insertions(+), 3 deletions(-) create mode 100644 src/firejail/appimage_size.c diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index 375d6be24..3f03c28bf 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c @@ -39,7 +39,7 @@ void appimage_set(const char *appimage_path) { assert(appimage_path); assert(devloop == NULL); // don't call this twice! EUID_ASSERT(); - + #ifdef LOOP_CTL_GET_FREE // test for older kernels; this definition is found in /usr/include/linux/loop.h // check appimage_path if (access(appimage_path, R_OK) == -1) { @@ -47,6 +47,12 @@ void appimage_set(const char *appimage_path) { exit(1); } + // get appimage type and ELF size + // a value of 0 means we are dealing with a type1 appimage + long unsigned int size = appimage2_size(appimage_path); + if (arg_debug) + printf("AppImage ELF size %lu\n", size); + // open as user to prevent race condition int ffd = open(appimage_path, O_RDONLY|O_CLOEXEC); if (ffd == -1) { @@ -76,6 +82,15 @@ void appimage_set(const char *appimage_path) { fprintf(stderr, "Error: cannot configure the loopback device\n"); exit(1); } + + if (size) { + struct loop_info64 info; + memset(&info, 0, sizeof(struct loop_info64)); + info.lo_offset = size; + if (ioctl(lfd, LOOP_SET_STATUS64, &info) == -1) + errExit("configure appimage offset"); + } + close(lfd); close(ffd); EUID_USER(); @@ -100,8 +115,16 @@ void appimage_set(const char *appimage_path) { if (asprintf(&mode, "mode=700,uid=%d,gid=%d", getuid(), getgid()) == -1) errExit("asprintf"); EUID_ROOT(); - if (mount(devloop, mntdir, "iso9660",MS_MGC_VAL|MS_RDONLY, mode) < 0) - errExit("mounting appimage"); + + if (size == 0) { + if (mount(devloop, mntdir, "iso9660",MS_MGC_VAL|MS_RDONLY, mode) < 0) + errExit("mounting appimage"); + } + else { + if (mount(devloop, mntdir, "squashfs",MS_MGC_VAL|MS_RDONLY, mode) < 0) + errExit("mounting appimage"); + } + if (arg_debug) printf("appimage mounted on %s\n", mntdir); EUID_USER(); diff --git a/src/firejail/appimage_size.c b/src/firejail/appimage_size.c new file mode 100644 index 000000000..c8b3d28c5 --- /dev/null +++ b/src/firejail/appimage_size.c @@ -0,0 +1,143 @@ +/* +Compile with: +gcc elfsize.c -o elfsize +Example: +ls -l 126584 +Calculation using the values also reported by readelf -h: +Start of section headers e_shoff 124728 +Size of section headers e_shentsize 64 +Number of section headers e_shnum 29 +e_shoff + ( e_shentsize * e_shnum ) = 126584 +*/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +typedef Elf32_Nhdr Elf_Nhdr; + +static Elf64_Ehdr ehdr; +static Elf64_Phdr *phdr; + +#if __BYTE_ORDER == __LITTLE_ENDIAN +#define ELFDATANATIVE ELFDATA2LSB +#elif __BYTE_ORDER == __BIG_ENDIAN +#define ELFDATANATIVE ELFDATA2MSB +#else +#error "Unknown machine endian" +#endif + +static uint16_t file16_to_cpu(uint16_t val) { + if (ehdr.e_ident[EI_DATA] != ELFDATANATIVE) + val = bswap_16(val); + return val; +} + + +static uint32_t file32_to_cpu(uint32_t val) { + if (ehdr.e_ident[EI_DATA] != ELFDATANATIVE) + val = bswap_32(val); + return val; +} + + +static uint64_t file64_to_cpu(uint64_t val) { + if (ehdr.e_ident[EI_DATA] != ELFDATANATIVE) + val = bswap_64(val); + return val; +} + + +// return 0 if error +static long unsigned int read_elf32(int fd) { + Elf32_Ehdr ehdr32; + ssize_t ret, i; + + ret = pread(fd, &ehdr32, sizeof(ehdr32), 0); + if (ret < 0 || (size_t)ret != sizeof(ehdr)) + return 0; + + ehdr.e_shoff = file32_to_cpu(ehdr32.e_shoff); + ehdr.e_shentsize = file16_to_cpu(ehdr32.e_shentsize); + ehdr.e_shnum = file16_to_cpu(ehdr32.e_shnum); + + return(ehdr.e_shoff + (ehdr.e_shentsize * ehdr.e_shnum)); +} + + +// return 0 if error +static long unsigned int read_elf64(int fd) { + Elf64_Ehdr ehdr64; + ssize_t ret, i; + + ret = pread(fd, &ehdr64, sizeof(ehdr64), 0); + if (ret < 0 || (size_t)ret != sizeof(ehdr)) + return 0; + + ehdr.e_shoff = file64_to_cpu(ehdr64.e_shoff); + ehdr.e_shentsize = file16_to_cpu(ehdr64.e_shentsize); + ehdr.e_shnum = file16_to_cpu(ehdr64.e_shnum); + + return(ehdr.e_shoff + (ehdr.e_shentsize * ehdr.e_shnum)); +} + + +// return 0 if error +// return 0 if this is not an appimgage2 file +long unsigned int appimage2_size(const char *fname) { +/* TODO, FIXME: This assumes that the section header table (SHT) is +the last part of the ELF. This is usually the case but +it could also be that the last section is the last part +of the ELF. This should be checked for. +*/ + ssize_t ret; + int fd; + long unsigned int size = 0; + + fd = open(fname, O_RDONLY); + if (fd < 0) + return 0; + + ret = pread(fd, ehdr.e_ident, EI_NIDENT, 0); + if (ret != EI_NIDENT) + goto getout; + + if ((ehdr.e_ident[EI_DATA] != ELFDATA2LSB) && + (ehdr.e_ident[EI_DATA] != ELFDATA2MSB)) + goto getout; + + if(ehdr.e_ident[EI_CLASS] == ELFCLASS32) { + size = read_elf32(fd); + } + else if(ehdr.e_ident[EI_CLASS] == ELFCLASS64) { + size = read_elf64(fd); + } + else { + goto getout; + } + if (size == 0) + goto getout; + + + // look for a LZMA header at this location + unsigned char buf[4]; + ret = pread(fd, buf, 4, size); + if (ret != 4) { + size = 0; + goto getout; + } + if (memcmp(buf, "hsqs", 4) != 0) + size = 0; + +getout: + close(fd); + return size; +} + + diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index dafa5919c..9a9bb1ae7 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -681,8 +681,12 @@ void appimage_set(const char *appimage_path); void appimage_clear(void); const char *appimage_getdir(void); +// appimage_size.c +long unsigned int appimage2_size(const char *fname); + // cmdline.c void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index); + #endif -- cgit v1.2.3-70-g09d2 From 2399e09e66e94ca473c13a10e45f50bd38594bbe Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 23 Oct 2016 10:59:06 -0400 Subject: appimage fixes --- src/firejail/appimage.c | 2 +- src/firejail/sandbox.c | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index 3f03c28bf..09b242964 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c @@ -96,7 +96,7 @@ void appimage_set(const char *appimage_path) { EUID_USER(); // creates appimage mount point perms 0700 - if (asprintf(&mntdir, "%s/appimage-%u", RUN_FIREJAIL_APPIMAGE_DIR, getpid()) == -1) + if (asprintf(&mntdir, "%s/.appimage-%u", RUN_FIREJAIL_APPIMAGE_DIR, getpid()) == -1) errExit("asprintf"); EUID_ROOT(); if (mkdir(mntdir, 0700) == -1) { diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 8021ce9a3..f5cca7494 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -488,6 +488,13 @@ int sandbox(void* sandbox_arg) { #ifdef HAVE_SECCOMP int enforce_seccomp = 0; #endif + if (arg_appimage) { + enforce_filters(); +#ifdef HAVE_SECCOMP + enforce_seccomp = 1; +#endif + } + #ifdef HAVE_CHROOT if (cfg.chrootdir) { fs_chroot(cfg.chrootdir); -- cgit v1.2.3-70-g09d2 From 81c570e8e975c8ff3f62c45caffa4e5749296e9d Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sun, 23 Oct 2016 14:31:56 -0500 Subject: tightened Spotify profile --- README | 1 + etc/spotify.profile | 26 +++++++++++++++++++++----- 2 files changed, 22 insertions(+), 5 deletions(-) diff --git a/README b/README index 10b0ab61b..f4fd52666 100644 --- a/README +++ b/README @@ -77,6 +77,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added gnome-chess profile - added DOSBox profile - evince profile enhancement + - tightened Spotify profile valoq (https://github.com/valoq) - LibreOffice profile fixes - cherrytree profile fixes diff --git a/etc/spotify.profile b/etc/spotify.profile index 73d427db3..24e5c1023 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile @@ -7,16 +7,13 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc -# Whitelist the folders needed by Spotify - This is more restrictive -# than a blacklist though, but this is all spotify requires for -# streaming audio +# Whitelist the folders needed by Spotify mkdir ${HOME}/.config/spotify whitelist ${HOME}/.config/spotify mkdir ${HOME}/.local/share/spotify whitelist ${HOME}/.local/share/spotify mkdir ${HOME}/.cache/spotify whitelist ${HOME}/.cache/spotify -include /etc/firejail/whitelist-common.inc caps.drop all netfilter @@ -27,5 +24,24 @@ protocol unix,inet,inet6,netlink seccomp shell none -#private-bin spotify +private-bin spotify +private-etc fonts,machine-id,pulse,resolv.conf private-dev +private-tmp + +blacklist ${HOME}/.Xauthority +blacklist ${HOME}/.bashrc +blacklist /boot +blacklist /lost+found +blacklist /media +blacklist /mnt +blacklist /opt +blacklist /root +blacklist /sbin +blacklist /srv +blacklist /sys +blacklist /var +blacklist /initrd.img +blacklist /initrd.img.old +blacklist /vmlinuz +blacklist /vmlinuz.old -- cgit v1.2.3-70-g09d2 From 3b8453d5301608386d9a933c0862e5e049c4879e Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Mon, 24 Oct 2016 15:21:41 -0500 Subject: blacklisted kernel files --- etc/disable-common.inc | 4 ++++ etc/spotify.profile | 4 ---- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 4f854c8d8..29de8cca9 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -172,3 +172,7 @@ blacklist ${PATH}/roxterm-config blacklist ${PATH}/terminix blacklist ${PATH}/urxvtc blacklist ${PATH}/urxvtcd + +# kernel files +blacklist /vmlinuz* +blacklist /initrd* diff --git a/etc/spotify.profile b/etc/spotify.profile index 24e5c1023..6dbcc03ee 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile @@ -41,7 +41,3 @@ blacklist /sbin blacklist /srv blacklist /sys blacklist /var -blacklist /initrd.img -blacklist /initrd.img.old -blacklist /vmlinuz -blacklist /vmlinuz.old -- cgit v1.2.3-70-g09d2 From 88972056f4eb7919f41ca9412853725e80967240 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sun, 23 Oct 2016 23:23:09 -0500 Subject: squash attempt 2 --- etc/atom-beta.profile | 2 +- etc/atom.profile | 2 +- etc/atril.profile | 2 +- etc/audacity.profile | 2 +- etc/aweather.profile | 2 +- etc/cherrytree.profile | 3 +-- etc/eog.profile | 3 +-- etc/evolution.profile | 2 +- etc/feh.profile | 6 +++--- etc/file.profile | 17 +++++++++-------- etc/filezilla.profile | 5 ++--- etc/flowblade.profile | 2 +- etc/franz.profile | 6 +++--- etc/gajim.profile | 2 +- etc/gimp.profile | 10 ++++++---- etc/git.profile | 4 ++-- etc/gpredict.profile | 2 +- etc/gwenview.profile | 5 +++-- etc/gzip.profile | 14 ++++++++------ etc/inkscape.profile | 10 ++++++---- etc/jitsi.profile | 2 +- etc/kmail.profile | 2 +- etc/less.profile | 6 ++++-- etc/luminance-hdr.profile | 14 ++++++++------ etc/okular.profile | 5 +++-- etc/pidgin.profile | 2 +- etc/pix.profile | 3 +-- etc/psi-plus.profile | 4 ++-- etc/qbittorrent.profile | 4 ++-- etc/qpdfview.profile | 2 +- etc/qtox.profile | 2 +- etc/quiterss.profile | 9 +++++---- etc/ranger.profile | 3 +-- etc/rhythmbox.profile | 2 +- etc/rtorrent.profile | 1 - etc/server.profile | 11 ++++++----- etc/slack.profile | 29 +++++++++++++++-------------- etc/strings.profile | 9 +++++---- etc/synfigstudio.profile | 6 ++++-- etc/tar.profile | 14 +++++++------- etc/telegram.profile | 1 - etc/transmission-gtk.profile | 2 +- etc/transmission-qt.profile | 5 +++-- etc/uget-gtk.profile | 13 ++++++------- etc/unrar.profile | 15 ++++++++------- etc/unzip.profile | 16 ++++++++-------- etc/uudeview.profile | 14 +++++++------- etc/vim.profile | 3 +-- etc/xpdf.profile | 9 +++------ etc/xplayer.profile | 2 +- etc/xzdec.profile | 14 ++++++++------ etc/zathura.profile | 6 +++--- 52 files changed, 171 insertions(+), 160 deletions(-) diff --git a/etc/atom-beta.profile b/etc/atom-beta.profile index 9a8d93875..fa0b316bb 100644 --- a/etc/atom-beta.profile +++ b/etc/atom-beta.profile @@ -8,8 +8,8 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot nosound protocol unix,inet,inet6,netlink diff --git a/etc/atom.profile b/etc/atom.profile index 3cb86847e..61930d5c1 100644 --- a/etc/atom.profile +++ b/etc/atom.profile @@ -8,8 +8,8 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot nosound protocol unix,inet,inet6,netlink diff --git a/etc/atril.profile b/etc/atril.profile index d9e10b072..fbcca0c1b 100644 --- a/etc/atril.profile +++ b/etc/atril.profile @@ -7,8 +7,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -nonewprivs nogroups +nonewprivs noroot nosound protocol unix diff --git a/etc/audacity.profile b/etc/audacity.profile index be3fac9be..827fa4301 100644 --- a/etc/audacity.profile +++ b/etc/audacity.profile @@ -8,8 +8,8 @@ include /etc/firejail/disable-programs.inc caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot protocol unix seccomp diff --git a/etc/aweather.profile b/etc/aweather.profile index 4e5c36f50..fa8654f1e 100644 --- a/etc/aweather.profile +++ b/etc/aweather.profile @@ -11,8 +11,8 @@ whitelist ~/.config/aweather caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot nosound protocol unix,inet,inet6 diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index ec6d0d69d..139dec8ec 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile @@ -9,11 +9,10 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter +nogroups nonewprivs noroot nosound seccomp protocol unix,inet,inet6,netlink tracelog - - diff --git a/etc/eog.profile b/etc/eog.profile index 32b54a042..7eb7fd127 100644 --- a/etc/eog.profile +++ b/etc/eog.profile @@ -9,9 +9,9 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter +nogroups nonewprivs noroot -nogroups protocol unix seccomp shell none @@ -20,4 +20,3 @@ private-bin eog private-dev private-etc fonts private-tmp - diff --git a/etc/evolution.profile b/etc/evolution.profile index cf581643d..d097c0f34 100644 --- a/etc/evolution.profile +++ b/etc/evolution.profile @@ -14,9 +14,9 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter +nogroups nonewprivs noroot -nogroups protocol unix,inet,inet6 seccomp shell none diff --git a/etc/feh.profile b/etc/feh.profile index 5fcb6bf25..e3b1ec528 100644 --- a/etc/feh.profile +++ b/etc/feh.profile @@ -5,14 +5,14 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix netfilter net none +nogroups nonewprivs noroot -nogroups nosound +protocol unix +seccomp shell none private-bin feh diff --git a/etc/file.profile b/etc/file.profile index 2e54030b1..199a97fad 100644 --- a/etc/file.profile +++ b/etc/file.profile @@ -1,16 +1,17 @@ # file profile -quiet ignore noroot include /etc/firejail/default.profile -tracelog +blacklist /tmp/.X11-unix + +hostname file net none +no3d +nosound +quiet shell none +tracelog + +private-dev private-bin file private-etc magic.mgc,magic,localtime -hostname file -private-dev -nosound -no3d -blacklist /tmp/.X11-unix - diff --git a/etc/filezilla.profile b/etc/filezilla.profile index 551c17a78..fe1d9d20d 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile @@ -13,10 +13,9 @@ noroot nosound protocol unix,inet,inet6 seccomp - shell none + private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp -whitelist /tmp/.X11-unix private-dev -nosound +whitelist /tmp/.X11-unix diff --git a/etc/flowblade.profile b/etc/flowblade.profile index e1ec291bd..12afdb0aa 100644 --- a/etc/flowblade.profile +++ b/etc/flowblade.profile @@ -1,4 +1,4 @@ -# OpenShot profile +# FlowBlade profile noblacklist ${HOME}/.flowblade noblacklist ${HOME}/.config/flowblade include /etc/firejail/disable-common.inc diff --git a/etc/franz.profile b/etc/franz.profile index 3cb7942ab..0b3be551b 100644 --- a/etc/franz.profile +++ b/etc/franz.profile @@ -6,12 +6,12 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter -#tracelog nonewprivs noroot +protocol unix,inet,inet6,netlink +seccomp +#tracelog whitelist ${DOWNLOADS} mkdir ~/.config/Franz diff --git a/etc/gajim.profile b/etc/gajim.profile index 04902a734..809378ef9 100644 --- a/etc/gajim.profile +++ b/etc/gajim.profile @@ -22,8 +22,8 @@ include /etc/firejail/disable-devel.inc caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot protocol unix,inet,inet6 seccomp diff --git a/etc/gimp.profile b/etc/gimp.profile index 23361b771..cb441fc9d 100644 --- a/etc/gimp.profile +++ b/etc/gimp.profile @@ -6,13 +6,15 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter +nogroups nonewprivs noroot +nosound protocol unix seccomp -private-dev -private-tmp + noexec ${HOME} noexec /tmp -nogroups -nosound + +private-dev +private-tmp diff --git a/etc/git.profile b/etc/git.profile index 2fb55377d..73122d347 100644 --- a/etc/git.profile +++ b/etc/git.profile @@ -12,15 +12,15 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc -quiet caps.drop all netfilter +nogroups nonewprivs noroot -nogroups nosound protocol unix,inet,inet6 +quiet seccomp shell none diff --git a/etc/gpredict.profile b/etc/gpredict.profile index 353ecceae..0cc6c416b 100644 --- a/etc/gpredict.profile +++ b/etc/gpredict.profile @@ -11,8 +11,8 @@ whitelist ~/.config/Gpredict caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot nosound protocol unix,inet,inet6 diff --git a/etc/gwenview.profile b/etc/gwenview.profile index 67f10c4e1..c866c9e63 100644 --- a/etc/gwenview.profile +++ b/etc/gwenview.profile @@ -7,14 +7,15 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +nogroups nonewprivs noroot -nogroups -private-dev protocol unix seccomp nosound +private-dev + #Experimental: #shell none #private-bin gwenview diff --git a/etc/gzip.profile b/etc/gzip.profile index 5e73969c4..d51b9a951 100644 --- a/etc/gzip.profile +++ b/etc/gzip.profile @@ -1,12 +1,14 @@ # gzip profile -quiet ignore noroot include /etc/firejail/default.profile -tracelog -net none -shell none + blacklist /tmp/.X11-unix -private-dev -nosound + +net none no3d +nosound +quiet +shell none +tracelog +private-dev diff --git a/etc/inkscape.profile b/etc/inkscape.profile index cf885fba2..a0e86b6c9 100644 --- a/etc/inkscape.profile +++ b/etc/inkscape.profile @@ -6,13 +6,15 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter +nogroups nonewprivs noroot +nosound protocol unix seccomp -private-dev -private-tmp + noexec ${HOME} noexec /tmp -nogroups -nosound + +private-dev +private-tmp diff --git a/etc/jitsi.profile b/etc/jitsi.profile index c61158f8b..046499abe 100644 --- a/etc/jitsi.profile +++ b/etc/jitsi.profile @@ -6,8 +6,8 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc caps.drop all -nonewprivs nogroups +nonewprivs noroot protocol unix,inet,inet6 seccomp diff --git a/etc/kmail.profile b/etc/kmail.profile index 8c8fd18c4..bc21ba604 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile @@ -8,8 +8,8 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot protocol unix,inet,inet6,netlink seccomp diff --git a/etc/less.profile b/etc/less.profile index 6dfae027e..08758aead 100644 --- a/etc/less.profile +++ b/etc/less.profile @@ -2,8 +2,10 @@ quiet ignore noroot include /etc/firejail/default.profile -tracelog + net none +nosound shell none +tracelog + private-dev -nosound diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile index 6e059ea52..76e864e0c 100644 --- a/etc/luminance-hdr.profile +++ b/etc/luminance-hdr.profile @@ -5,17 +5,19 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +ipc-namespace netfilter -protocol unix +nogroups nonewprivs noroot +nosound +protocol unix seccomp shell none tracelog -private-tmp -private-dev + noexec ${HOME} noexec /tmp -nogroups -nosound -ipc-namespace + +private-tmp +private-dev diff --git a/etc/okular.profile b/etc/okular.profile index df142ccfc..b43a5fbea 100644 --- a/etc/okular.profile +++ b/etc/okular.profile @@ -9,14 +9,15 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -nonewprivs nogroups +nonewprivs noroot -private-dev protocol unix seccomp nosound +private-dev + #Experimental: #net none #shell none diff --git a/etc/pidgin.profile b/etc/pidgin.profile index 47be2b6ea..850706145 100644 --- a/etc/pidgin.profile +++ b/etc/pidgin.profile @@ -8,8 +8,8 @@ include /etc/firejail/disable-programs.inc caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot protocol unix,inet,inet6 seccomp diff --git a/etc/pix.profile b/etc/pix.profile index 80c05fd09..e21ddadc6 100644 --- a/etc/pix.profile +++ b/etc/pix.profile @@ -8,8 +8,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -nonewprivs nogroups +nonewprivs noroot nosound protocol unix @@ -20,4 +20,3 @@ tracelog private-bin pix whitelist /tmp/.X11-unix private-dev - diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile index 22c5bafc5..a9323448b 100644 --- a/etc/psi-plus.profile +++ b/etc/psi-plus.profile @@ -14,10 +14,10 @@ whitelist ~/.local/share/psi+ mkdir ~/.cache/psi+ whitelist ~/.cache/psi+ -include /etc/firejail/whitelist-common.inc - caps.drop all netfilter noroot protocol unix,inet,inet6 seccomp + +include /etc/firejail/whitelist-common.inc diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index 138b6db55..67829c9ca 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile @@ -15,6 +15,6 @@ seccomp # there are some problems with "Open destination folder", see bug #536 #shell none #private-bin qbittorrent -whitelist /tmp/.X11-unix private-dev -nosound + +whitelist /tmp/.X11-unix diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile index 07ea173e6..06c0db206 100644 --- a/etc/qpdfview.profile +++ b/etc/qpdfview.profile @@ -18,5 +18,5 @@ shell none tracelog private-bin qpdfview -private-tmp private-dev +private-tmp diff --git a/etc/qtox.profile b/etc/qtox.profile index 927487037..81d8aa10e 100644 --- a/etc/qtox.profile +++ b/etc/qtox.profile @@ -11,8 +11,8 @@ whitelist ${DOWNLOADS} caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot protocol unix,inet,inet6 seccomp diff --git a/etc/quiterss.profile b/etc/quiterss.profile index 2ab5d8a8e..2b28fce73 100644 --- a/etc/quiterss.profile +++ b/etc/quiterss.profile @@ -14,16 +14,17 @@ whitelist ${HOME}/.cache/QuiteRss caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot -private-bin quiterss -private-dev nosound -#private-etc X11,ssl protocol unix,inet,inet6 seccomp shell none tracelog +private-bin quiterss +private-dev +#private-etc X11,ssl + include /etc/firejail/whitelist-common.inc diff --git a/etc/ranger.profile b/etc/ranger.profile index a040cd6bc..323e64dee 100644 --- a/etc/ranger.profile +++ b/etc/ranger.profile @@ -12,13 +12,12 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter net none +nogroups nonewprivs noroot -nogroups protocol unix seccomp nosound private-tmp private-dev - diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index 0e8527ae7..e5e192486 100644 --- a/etc/rhythmbox.profile +++ b/etc/rhythmbox.profile @@ -5,8 +5,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -nogroups netfilter +nogroups nonewprivs noroot protocol unix,inet,inet6 diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index 15df2c374..1226a51cd 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile @@ -16,4 +16,3 @@ shell none private-bin rtorrent whitelist /tmp/.X11-unix private-dev -nosound diff --git a/etc/server.profile b/etc/server.profile index 22cef0a3c..b8a34feb2 100644 --- a/etc/server.profile +++ b/etc/server.profile @@ -6,11 +6,12 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc -private -private-dev -nosound -no3d -private-tmp blacklist /tmp/.X11-unix + +no3d +nosound seccomp +private +private-dev +private-tmp diff --git a/etc/slack.profile b/etc/slack.profile index 1009f7ee0..a85a28f03 100644 --- a/etc/slack.profile +++ b/etc/slack.profile @@ -1,3 +1,4 @@ +# Firejail profile for Slack noblacklist ${HOME}/.config/Slack noblacklist ${HOME}/Downloads @@ -6,25 +7,25 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc -mkdir ${HOME}/.config -mkdir ${HOME}/.config/Slack -whitelist ${HOME}/.config/Slack -whitelist ${HOME}/Downloads - -protocol unix,inet,inet6,netlink -private-dev -private-tmp -private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime -name slack blacklist /var -include /etc/firejail/whitelist-common.inc - caps.drop all -seccomp +name slack netfilter -nonewprivs nogroups +nonewprivs noroot +protocol unix,inet,inet6,netlink +seccomp shell none + private-bin slack +private-dev +private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime +private-tmp + +mkdir ${HOME}/.config +mkdir ${HOME}/.config/Slack +whitelist ${HOME}/.config/Slack +whitelist ${HOME}/Downloads +include /etc/firejail/whitelist-common.inc diff --git a/etc/strings.profile b/etc/strings.profile index f99a65009..7c464bf88 100644 --- a/etc/strings.profile +++ b/etc/strings.profile @@ -1,10 +1,11 @@ # strings profile -quiet ignore noroot include /etc/firejail/default.profile -tracelog + net none -shell none -private-dev nosound +quiet +shell none +tracelog +private-dev diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile index d46467b99..69b2a0db2 100644 --- a/etc/synfigstudio.profile +++ b/etc/synfigstudio.profile @@ -11,7 +11,9 @@ nonewprivs noroot protocol unix seccomp -private-dev -private-tmp + noexec ${HOME} noexec /tmp + +private-dev +private-tmp diff --git a/etc/tar.profile b/etc/tar.profile index 663ac3805..91fdaf48d 100644 --- a/etc/tar.profile +++ b/etc/tar.profile @@ -1,18 +1,18 @@ # tar profile -quiet ignore noroot include /etc/firejail/default.profile -tracelog +blacklist /tmp/.X11-unix + +hostname tar net none +no3d +nosound +quiet shell none +tracelog # support compressed archives private-bin sh,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop private-dev -nosound -no3d private-etc passwd,group,localtime -hostname tar -blacklist /tmp/.X11-unix - diff --git a/etc/telegram.profile b/etc/telegram.profile index 8e91e426b..7615c8eef 100644 --- a/etc/telegram.profile +++ b/etc/telegram.profile @@ -10,4 +10,3 @@ nonewprivs noroot protocol unix,inet,inet6 seccomp - diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index 0cfa4fcfc..316cdfec6 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile @@ -18,6 +18,6 @@ shell none tracelog private-bin transmission-gtk -whitelist /tmp/.X11-unix private-dev +whitelist /tmp/.X11-unix diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index 754211a63..51c58e224 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile @@ -14,9 +14,10 @@ noroot nosound protocol unix,inet,inet6 seccomp +shell none tracelog -shell none private-bin transmission-qt -whitelist /tmp/.X11-unix private-dev + +whitelist /tmp/.X11-unix diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile index 522b4bd1e..f42e6c69a 100644 --- a/etc/uget-gtk.profile +++ b/etc/uget-gtk.profile @@ -9,17 +9,16 @@ caps.drop all netfilter nonewprivs noroot +nosound protocol unix,inet,inet6 seccomp +shell none +private-bin uget-gtk +private-dev + +whitelist /tmp/.X11-unix whitelist ${DOWNLOADS} mkdir ~/.config/uGet whitelist ~/.config/uGet include /etc/firejail/whitelist-common.inc - -shell none -private-bin uget-gtk -whitelist /tmp/.X11-unix -private-dev -nosound - diff --git a/etc/unrar.profile b/etc/unrar.profile index f29d1b51b..0700cafe9 100644 --- a/etc/unrar.profile +++ b/etc/unrar.profile @@ -1,17 +1,18 @@ # unrar profile -quiet ignore noroot include /etc/firejail/default.profile -tracelog +blacklist /tmp/.X11-unix + +hostname unrar net none +no3d +nosound +quiet shell none +tracelog + private-bin unrar private-dev -nosound -no3d private-etc passwd,group,localtime -hostname unrar private-tmp -blacklist /tmp/.X11-unix - diff --git a/etc/unzip.profile b/etc/unzip.profile index 07224855f..a43785795 100644 --- a/etc/unzip.profile +++ b/etc/unzip.profile @@ -1,16 +1,16 @@ # unzip profile -quiet ignore noroot include /etc/firejail/default.profile +blacklist /tmp/.X11-unix -tracelog +hostname unzip net none +no3d +nosound +quiet shell none +tracelog + private-bin unzip -private-etc passwd,group,localtime -hostname unzip private-dev -nosound -no3d -blacklist /tmp/.X11-unix - +private-etc passwd,group,localtime diff --git a/etc/uudeview.profile b/etc/uudeview.profile index 8ea9d5163..5ba0896ab 100644 --- a/etc/uudeview.profile +++ b/etc/uudeview.profile @@ -1,15 +1,15 @@ # uudeview profile -quiet ignore noroot include /etc/firejail/default.profile -tracelog +blacklist /etc + +hostname uudeview net none +nosound +quiet shell none +tracelog + private-bin uudeview private-dev -private-etc nonexisting_fakefile_for_empty_etc -hostname uudeview -nosound -uudeview - diff --git a/etc/vim.profile b/etc/vim.profile index 3c1fefe41..b161fcbb0 100644 --- a/etc/vim.profile +++ b/etc/vim.profile @@ -1,5 +1,4 @@ # vim profile - noblacklist ~/.vim noblacklist ~/.vimrc noblacklist ~/.viminfo @@ -10,8 +9,8 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter +nogroups nonewprivs noroot -nogroups protocol unix,inet,inet6 seccomp diff --git a/etc/xpdf.profile b/etc/xpdf.profile index e036fba21..7ea368bbe 100644 --- a/etc/xpdf.profile +++ b/etc/xpdf.profile @@ -7,15 +7,12 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -shell none +net none nonewprivs noroot protocol unix +shell none seccomp + private-dev private-tmp -net none - - - - diff --git a/etc/xplayer.profile b/etc/xplayer.profile index 54d5ed89b..191d2f67f 100644 --- a/etc/xplayer.profile +++ b/etc/xplayer.profile @@ -9,8 +9,8 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot protocol unix,inet,inet6 seccomp diff --git a/etc/xzdec.profile b/etc/xzdec.profile index a9d027c38..04f98cef6 100644 --- a/etc/xzdec.profile +++ b/etc/xzdec.profile @@ -1,12 +1,14 @@ # xzdec profile -quiet ignore noroot include /etc/firejail/default.profile -tracelog -net none -shell none + blacklist /tmp/.X11-unix -private-dev -nosound + +net none no3d +nosound +quiet +shell none +tracelog +private-dev diff --git a/etc/zathura.profile b/etc/zathura.profile index 7093c52b2..ab2e99dbc 100644 --- a/etc/zathura.profile +++ b/etc/zathura.profile @@ -7,14 +7,14 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix netfilter +nogroups nonewprivs noroot -nogroups nosound shell none +seccomp +protocol unix private-bin zathura private-dev -- cgit v1.2.3-70-g09d2 From b588020b4540480fdd3aaa11da8bd472b2dfdb60 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 25 Oct 2016 12:26:17 -0400 Subject: fixes --- README | 2 ++ etc/disable-common.inc | 27 ++++++++++++++++++++++----- 2 files changed, 24 insertions(+), 5 deletions(-) diff --git a/README b/README index f4fd52666..6ed82907f 100644 --- a/README +++ b/README @@ -47,6 +47,7 @@ Aleksey Manevich (https://github.com/manevich) - added --join-or-start command - CVE-2016-7545 Fred-Barclay (https://github.com/Fred-Barclay) + - lots of profile fixes - added Vivaldi, Atril profiles - added PaleMoon profile - split Icedove and Thunderbird profiles @@ -83,6 +84,7 @@ valoq (https://github.com/valoq) - cherrytree profile fixes - added support for /srv in --whitelist feature - Eye of GNOME and Evolution profiles + - blacklist suid binaries in disable-common.inc Rafael Cavalcanti (https://github.com/rccavalcanti) - chromium profile fixes for Arch Linux Deelvesh Bunjun (https://github.com/DeelveshBunjun) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 29de8cca9..3c0b2160c 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -137,6 +137,11 @@ blacklist /etc/gshadow+ blacklist /etc/ssh blacklist /var/backup +# system directories +blacklist /sbin +blacklist /usr/sbin +blacklist /usr/local/sbin + # system management blacklist ${PATH}/umount blacklist ${PATH}/mount @@ -149,11 +154,23 @@ blacklist ${PATH}/xev blacklist ${PATH}/strace blacklist ${PATH}/nc blacklist ${PATH}/ncat - -# system directories -blacklist /sbin -blacklist /usr/sbin -blacklist /usr/local/sbin +blacklist ${PATH}/gpasswd +blacklist ${PATH}/newgidmap +blacklist ${PATH}/newgrp +blacklist ${PATH}/newuidmap +blacklist ${PATH}/pkexec +blacklist ${PATH}/sg +blacklist ${PATH}/rsh +blacklist ${PATH}/rlogin +blacklist ${PATH}/rcp +blacklist ${PATH}/crontab +blacklist ${PATH}/ksu +blacklist ${PATH}/chsh +blacklist ${PATH}/chfn +blacklist ${PATH}/chage +blacklist ${PATH}/expiry +blacklist ${PATH}/ping +blacklist ${PATH}/unix_chkpwd # prevent lxterminal connecting to an existing lxterminal session blacklist /tmp/.lxterminal-socket* -- cgit v1.2.3-70-g09d2 From 7e20af49b10d716154b21d5b19abf3a312a31c7e Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Tue, 25 Oct 2016 12:23:23 -0500 Subject: Added gpredict, TBB, and xiphos --- etc/gpredict.profile | 8 ++++---- etc/start-tor-browser.profile | 20 ++++++++++++++++++++ etc/xiphos.profile | 30 ++++++++++++++++++++++++++++++ 3 files changed, 54 insertions(+), 4 deletions(-) create mode 100644 etc/start-tor-browser.profile create mode 100644 etc/xiphos.profile diff --git a/etc/gpredict.profile b/etc/gpredict.profile index 0cc6c416b..f62bf11aa 100644 --- a/etc/gpredict.profile +++ b/etc/gpredict.profile @@ -6,20 +6,20 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc # Whitelist -mkdir ~/.config/Gpredict whitelist ~/.config/Gpredict caps.drop all netfilter -nogroups nonewprivs +nogroups noroot nosound protocol unix,inet,inet6 seccomp -shell none +#shell none tracelog -private-bin gpredict +#private-bin gpredict +private-etc fonts,resolv.conf private-dev private-tmp diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile new file mode 100644 index 000000000..ee19cee25 --- /dev/null +++ b/etc/start-tor-browser.profile @@ -0,0 +1,20 @@ +# Firejail profile for the Tor Brower Bundle +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +private-bin bash,grep,sed,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf +private-etc fonts +private-dev +private-tmp diff --git a/etc/xiphos.profile b/etc/xiphos.profile new file mode 100644 index 000000000..b7fb6ecf3 --- /dev/null +++ b/etc/xiphos.profile @@ -0,0 +1,30 @@ +# Firejail profile for xiphos +noblacklist ~/.sword +noblacklist ~/.xiphos + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + +blacklist ~/.bashrc +blacklist ~/.Xauthority + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +nosound +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +private-bin xiphos +private-etc fonts,resolv.conf,sword +private-dev +private-tmp + +whitelist ${HOME}/.sword +whitelist ${HOME}/.xiphos -- cgit v1.2.3-70-g09d2 From 388e2b9e4c36e65098e7c3ba43dbf1c0e7f4671f Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Tue, 25 Oct 2016 12:33:15 -0500 Subject: Extra profile files --- README | 3 ++- README.md | 5 +++++ RELNOTES | 1 + etc/disable-programs.inc | 2 ++ platform/debian/conffiles | 2 ++ src/firecfg/firecfg.config | 2 ++ 6 files changed, 14 insertions(+), 1 deletion(-) diff --git a/README b/README index 6ed82907f..cbd15f02a 100644 --- a/README +++ b/README @@ -70,7 +70,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added audacity profile - fixed Telegram and qtox profiles - added Atom Beta and Atom profiles - - tightened 0ad, atril, evince, gthumb, pix, qtox, and xreader profiles. + - tightened 0ad, atril, evince, gthumb, pix, qtox, and xreader profiles - several private-bin conversions - added jitsi profile - pidgin private-bin conversion @@ -79,6 +79,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added DOSBox profile - evince profile enhancement - tightened Spotify profile + - added xiphos and Tor Browser Bundle profiles valoq (https://github.com/valoq) - LibreOffice profile fixes - cherrytree profile fixes diff --git a/README.md b/README.md index fe7c91f01..ff1b2e8ba 100644 --- a/README.md +++ b/README.md @@ -48,4 +48,9 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is ````` # Current development version: 0.9.45 +````` + +````` +## New Profiles +xiphos, Tor Browser Bundle diff --git a/RELNOTES b/RELNOTES index 6e1f502c7..c0fb8b20b 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,6 +1,7 @@ firejail (0.9.45) baseline; urgency=low * development version, work in progress -- netblue30 Sun, 23 Oct 2016 08:00:00 -0500 + * new profiles: xiphos, Tor Browser Bundle firejail (0.9.44) baseline; urgency=low * CVE-2016-7545 submitted by Aleksey Manevich diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index edd4ee374..6e22fe04d 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -7,6 +7,8 @@ blacklist ${HOME}/.wine blacklist ${HOME}/.Mathematica blacklist ${HOME}/.Wolfram Research blacklist ${HOME}/.stellarium +blacklist ${HOME}/.sword +blacklist ${HOME}/.xiphos blacklist ${HOME}/.config/Atom blacklist ${HOME}/.config/gthumb blacklist ${HOME}/.config/mupen64plus diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 6d444b90d..0c2e85904 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -166,3 +166,5 @@ /etc/firejail/flowblade.profile /etc/firejail/eog.profile /etc/firejail/evolution.profile +/etc/firejail/start-tor-browser.profile +/etc/firejail/xiphos.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 2d2c7b20e..e3e333497 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -42,6 +42,7 @@ opera-beta opera palemoon qutebrowser +start-tor-browser seamonkey seamonkey-bin thunderbird @@ -150,6 +151,7 @@ atom ranger keepass keepassx +xiphos # weather/climate aweather -- cgit v1.2.3-70-g09d2 From f7cbeea6b3e3dcdfe2a2b9f92d459913c5fc69a2 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Tue, 25 Oct 2016 14:14:06 -0500 Subject: Fixed testing typo --- etc/gpredict.profile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/etc/gpredict.profile b/etc/gpredict.profile index f62bf11aa..8dcfee2c4 100644 --- a/etc/gpredict.profile +++ b/etc/gpredict.profile @@ -16,10 +16,10 @@ noroot nosound protocol unix,inet,inet6 seccomp -#shell none +shell none tracelog -#private-bin gpredict +private-bin gpredict private-etc fonts,resolv.conf private-dev private-tmp -- cgit v1.2.3-70-g09d2 From b1221c082cf5d7423cf3fe58c552a1469cac3d2d Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Tue, 25 Oct 2016 14:16:10 -0500 Subject: typo #2 --- etc/gpredict.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/gpredict.profile b/etc/gpredict.profile index 8dcfee2c4..801304c18 100644 --- a/etc/gpredict.profile +++ b/etc/gpredict.profile @@ -10,8 +10,8 @@ whitelist ~/.config/Gpredict caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot nosound protocol unix,inet,inet6 -- cgit v1.2.3-70-g09d2 From 834da29e4c467ca074209b51effef38f8a238e84 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 26 Oct 2016 09:15:50 -0400 Subject: removed ping blacklisting --- etc/disable-common.inc | 1 - 1 file changed, 1 deletion(-) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 3c0b2160c..848513454 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -169,7 +169,6 @@ blacklist ${PATH}/chsh blacklist ${PATH}/chfn blacklist ${PATH}/chage blacklist ${PATH}/expiry -blacklist ${PATH}/ping blacklist ${PATH}/unix_chkpwd # prevent lxterminal connecting to an existing lxterminal session -- cgit v1.2.3-70-g09d2