From d141e59d67390e1377623dec8178080c289c2b5b Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Mon, 3 Jul 2023 21:38:45 +0000
Subject: disable-programs.inc: add support for rssguard
---
 etc/inc/disable-programs.inc | 1 +
 1 file changed, 1 insertion(+)
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index b4a01638f..84f49bfd4 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -334,6 +334,7 @@ blacklist ${HOME}/.config/Riot
 blacklist ${HOME}/.config/Rocket.Chat
 blacklist ${HOME}/.config/RogueLegacy
 blacklist ${HOME}/.config/RogueLegacyStorageContainer
+blacklist ${HOME}/.config/RSS Guard 4
 blacklist ${HOME}/.config/Seafile
 blacklist ${HOME}/.config/Signal
 blacklist ${HOME}/.config/Sinew Software Systems
--
cgit v1.2.3-70-g09d2
From 46dc993c56f58840e385c19ed685936e5e706253 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Mon, 3 Jul 2023 21:40:57 +0000
Subject: Create rssguard.profile
---
 etc/profile-m-z/rssguard.profile | 57 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)
 create mode 100644 etc/profile-m-z/rssguard.profile
diff --git a/etc/profile-m-z/rssguard.profile b/etc/profile-m-z/rssguard.profile
new file mode 100644
index 000000000..bad641eb8
--- /dev/null
+++ b/etc/profile-m-z/rssguard.profile
@@ -0,0 +1,57 @@
+# Firejail profile for rssguard
+# Description: Simple (yet powerful) Qt feed reader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rssguard.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/RSS Guard 4
+
+include allow-nodejs.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/RSS Guard 4
+whitelist ${HOME}/.config/RSS Guard 4
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+# no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+# nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+tracelog
+
+disable-mnt
+private-bin node,rssguard
+private-dev
+private-etc @network,@sound,@tls-ca,@x11,mime.types
+private-tmp
+
+dbus-user none
+dbus-system none
+
+restrict-namespaces
--
cgit v1.2.3-70-g09d2
From c0ad9ef6bfd520e5581e1e46a8c96b42e35964fc Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Mon, 3 Jul 2023 21:43:59 +0000
Subject: RELNOTES: add rssguard to 'new profiles' section
---
 RELNOTES | 1 +
 1 file changed, 1 insertion(+)
diff --git a/RELNOTES b/RELNOTES
index 718ac17a4..68ec2220d 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -48,6 +48,7 @@ firejail (0.9.73) baseline; urgency=low
 * legal: selinux.c: Split Copyright notice & use same license as upstream (#5667)
 * new profiles: fix-qdf, qpdf, zlib-flate, standard-notes, url-eater
+ * new profiles: rssguard
 -- netblue30 Mon, 17 Jan 2023 09:00:00 -0500
 firejail (0.9.72) baseline; urgency=low
--
cgit v1.2.3-70-g09d2
From c6593c8b51a0201d1645e0ff385ba874de48b315 Mon Sep 17 00:00:00 2001
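Review bot: `include allow-nodejs.inc` together with `private-bin node,rssguard` makes a general-purpose interpreter available inside the sandbox, but nothing in the profile says which rssguard feature needs it, so a later maintainer cannot tell whether the exposure can be dropped; a comment line above the include such as `# node: required for <feature> (TODO: confirm)` would record that. `# no3d` and `# nosound` are likewise left commented without a reason, and a short reason comment on each would let a reviewer judge whether they can be re-enabled. The `mkdir`, `whitelist` and `noblacklist` lines all use the literal path `${HOME}/.config/RSS Guard 4`, which contains whitespace and ends in a digit — the same shape a later commit on this page reports as breaking CI for the matching `blacklist` entry — so these lines are worth checking against the same tooling.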
From: glitsj16
Date: Mon, 3 Jul 2023 21:45:34 +0000
Subject: firecfg.config: add rssguard
---
 src/firecfg/firecfg.config | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index dac5794b4..2755968c9 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -734,6 +734,7 @@ ripperx
 ristretto
 rocketchat
 rpcs3
+rssguard
 rtorrent
 runenpass.sh
 sayonara
--
cgit v1.2.3-70-g09d2
From c96ac104f66bc93160bf879f5be349b1a15e9740 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Mon, 3 Jul 2023 22:25:44 +0000
Subject: disable-programs.inc: fix rssguard entree
Apparently a path containing whitespace and ending with a single digit breaks CI: https://github.com/netblue30/firejail/actions/runs/5448790502.
---
 etc/inc/disable-programs.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 84f49bfd4..1e6a765c9 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -334,7 +334,7 @@ blacklist ${HOME}/.config/Riot
 blacklist ${HOME}/.config/Rocket.Chat
 blacklist ${HOME}/.config/RogueLegacy
 blacklist ${HOME}/.config/RogueLegacyStorageContainer
-blacklist ${HOME}/.config/RSS Guard 4
+blacklist ${HOME}/.config/RSS Guard*
 blacklist ${HOME}/.config/Seafile
 blacklist ${HOME}/.config/Signal
 blacklist ${HOME}/.config/Sinew Software Systems
--
cgit v1.2.3-70-g09d2
From 5fa4a70d0c340990e71d7e3647deee4bdab4647f Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Mon, 3 Jul 2023 22:31:37 +0000
Subject: disable-programs.inc: fix ordering rssguard entree
Grrrr
---
 etc/inc/disable-programs.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 1e6a765c9..33bcbc51b 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -329,12 +329,12 @@ blacklist ${HOME}/.config/Qlipper
 blacklist ${HOME}/.config/QuiteRss
 blacklist ${HOME}/.config/QuiteRssrc
 blacklist ${HOME}/.config/Quotient
+blacklist ${HOME}/.config/RSS Guard 4
 blacklist ${HOME}/.config/Rambox
 blacklist ${HOME}/.config/Riot
 blacklist ${HOME}/.config/Rocket.Chat
 blacklist ${HOME}/.config/RogueLegacy
 blacklist ${HOME}/.config/RogueLegacyStorageContainer
-blacklist ${HOME}/.config/RSS Guard*
 blacklist ${HOME}/.config/Seafile
 blacklist ${HOME}/.config/Signal
 blacklist ${HOME}/.config/Sinew Software Systems
--
cgit v1.2.3-70-g09d2
From 698935530d4ed2cfa5fa057879abf9a136cdb48c Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Tue, 4 Jul 2023 12:29:08 +0000
Subject: rssguard.profile: add seccomp.block-secondary
---
 etc/profile-m-z/rssguard.profile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/etc/profile-m-z/rssguard.profile b/etc/profile-m-z/rssguard.profile
index bad641eb8..ab42718b0 100644
--- a/etc/profile-m-z/rssguard.profile
+++ b/etc/profile-m-z/rssguard.profile
@@ -43,6 +43,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 tracelog
 disable-mnt
--
cgit v1.2.3-70-g09d2
From e447e630d36ed3c881be871a04e916760c14abea Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Wed, 5 Jul 2023 22:40:46 +0000
Subject: rssguard.profile: add netlink to protocol
---
 etc/profile-m-z/rssguard.profile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/etc/profile-m-z/rssguard.profile b/etc/profile-m-z/rssguard.profile
index ab42718b0..81381c205 100644
--- a/etc/profile-m-z/rssguard.profile
+++ b/etc/profile-m-z/rssguard.profile
@@ -41,7 +41,7 @@ noroot
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 seccomp.block-secondary
 tracelog
--
cgit v1.2.3-70-g09d2
From a164c239bbe6d39b0cc6ef0ea693d58627c8b760 Mon Sep 17 00:00:00 2001
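Review bot: Besides moving the entry to its sorted position, this hunk silently replaces the glob `blacklist ${HOME}/.config/RSS Guard*` — which the previous commit introduced as a workaround for the CI failure on the whitespace-plus-digit path — with the literal `blacklist ${HOME}/.config/RSS Guard 4`, and the commit message ("fix ordering") does not mention that reversal. If the move alone is what made CI pass, that is worth stating so the next reader does not re-discover it; if it is not, the workaround has been lost. The literal form is the more precise one in any case, since the profile's `noblacklist` only re-enables `RSS Guard 4` while the glob would have blacklisted every `${HOME}/.config/RSS Guard*` directory.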
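Review bot: The change to `protocol unix,inet,inet6,netlink` widens the set of socket families the sandbox may open, and neither the line nor the commit message says which rssguard feature failed without `netlink`. A comment line directly above it, e.g. `# netlink: needed for <feature> (TODO: confirm)`, would document the trade-off and let a future maintainer re-test whether it can be removed. The surrounding `seccomp` and `netfilter` lines are context here and unchanged.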
From: glitsj16
Date: Thu, 6 Jul 2023 17:15:26 +0000
Subject: RELNOTES: revert adding rssguard to new profiles section
As per review https://github.com/netblue30/firejail/pull/5881#pullrequestreview-1515652336
---
 RELNOTES | 1 -
 1 file changed, 1 deletion(-)
diff --git a/RELNOTES b/RELNOTES
index 68ec2220d..718ac17a4 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -48,7 +48,6 @@ firejail (0.9.73) baseline; urgency=low
 * legal: selinux.c: Split Copyright notice & use same license as upstream (#5667)
 * new profiles: fix-qdf, qpdf, zlib-flate, standard-notes, url-eater
- * new profiles: rssguard
 -- netblue30 Mon, 17 Jan 2023 09:00:00 -0500
 firejail (0.9.72) baseline; urgency=low
--
cgit v1.2.3-70-g09d2
From 590dbc499cac317f40655b6a3cd7017cc0e18af4 Mon Sep 17 00:00:00 2001
From: pirate486743186 <>
Date: Wed, 12 Jul 2023 04:30:06 +0200
Subject: refresh feh.profile
---
 etc/inc/disable-programs.inc | 1 +
 etc/profile-a-l/feh.profile | 12 ++++++++++++
 2 files changed, 13 insertions(+)
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index b4a01638f..0364d03be 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -432,6 +432,7 @@ blacklist ${HOME}/.config/equalx
 blacklist ${HOME}/.config/evince
 blacklist ${HOME}/.config/evolution
 blacklist ${HOME}/.config/falkon
+blacklist ${HOME}/.config/feh
 blacklist ${HOME}/.config/filezilla
 blacklist ${HOME}/.config/flameshot
 blacklist ${HOME}/.config/flaska.net
diff --git a/etc/profile-a-l/feh.profile b/etc/profile-a-l/feh.profile
index 82b3f7645..2efd10ba2 100644
--- a/etc/profile-a-l/feh.profile
+++ b/etc/profile-a-l/feh.profile
@@ -7,23 +7,33 @@ include feh.local
 # Persistent global definitions
 include globals.local
+noblacklist ${HOME}/.config/feh
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
 include disable-shell.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+
 # Add the next line to your feh.local to enable network access.
 #include feh-network.inc.profile
+apparmor
 caps.drop all
+ipc-namespace
+machine-id
 net none
 no3d
 nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 nosound
 notv
@@ -31,6 +41,8 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
+tracelog
 private-bin feh,jpegexiforient,jpegtran
 private-cache
--
cgit v1.2.3-70-g09d2
From 580283d74b4e6cd425960d336cb0a5296ae36a68 Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Sat, 1 Oct 2022 11:23:56 -0300
Subject: disable-common.inc: blacklist sudo/doas paths in /etc
Commands used to find the relevant paths in /etc:
$ pacman -Qo /etc/* 2>/dev/null | grep sudo | LC_ALL=C sort
/etc/pam.d/ is owned by sudo 1.9.14.p1-1
/etc/sudo.conf is owned by sudo 1.9.14.p1-1
/etc/sudo_logsrvd.conf is owned by sudo 1.9.14.p1-1
/etc/sudoers is owned by sudo 1.9.14.p1-1
/etc/sudoers.d/ is owned by sudo 1.9.14.p1-1
Environment: Artix Linux.
Also, add missing paths sudo/doas to etc/ids.config and jailcheck.
See also commit dbebd71db ("disable-common.inc: blacklist doas binary", 2022-10-05).
Relates to #5385.
Reported-by: Dieter Plaetinck
---
 Makefile | 2 +-
 etc/ids.config | 1 +
 etc/inc/disable-common.inc | 3 +++
 src/jailcheck/main.c | 1 +
 4 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 53b57a0e1..fdf83beb4 100644
--- a/Makefile
+++ b/Makefile
@@ -362,7 +362,7 @@ scan-build: clean
 .PHONY: codespell
 codespell: clean
- codespell --ignore-regex "UE|creat|shotcut|ether" src test
+ codespell --ignore-regex "UE|creat|doas|shotcut|ether" src test
 .PHONY: print-env
 print-env:
diff --git a/etc/ids.config b/etc/ids.config
index 880ec6ab5..4b75c701c 100644
--- a/etc/ids.config
+++ b/etc/ids.config
@@ -139,6 +139,7 @@ ${HOME}/.local/share/autostart
 /etc/security
 /etc/selinux
 /etc/shadow*
+/etc/sudo*.conf
 /etc/sudoers*
 /etc/tripwire
 ${HOME}/.config/firejail
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 4277100ce..ce4f08958 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -416,6 +416,7 @@ blacklist /tmp/ssh-*
 # top secret
 blacklist /.fscrypt
 blacklist /etc/davfs2/secrets
+blacklist /etc/doas.conf
 blacklist /etc/group+
 blacklist /etc/group-
 blacklist /etc/gshadow
@@ -428,6 +429,8 @@ blacklist /etc/shadow+
 blacklist /etc/shadow-
 blacklist /etc/ssh
 blacklist /etc/ssh/*
+blacklist /etc/sudo*.conf
+blacklist /etc/sudoers*
 blacklist /home/.ecryptfs
 blacklist /home/.fscrypt
 blacklist ${HOME}/*.kdb
diff --git a/src/jailcheck/main.c b/src/jailcheck/main.c
index 27da309ea..93d334c7a 100644
--- a/src/jailcheck/main.c
+++ b/src/jailcheck/main.c
@@ -120,6 +120,7 @@ int main(int argc, char **argv) {
 // basic sysfiles
 sysfiles_setup("/etc/shadow");
 sysfiles_setup("/etc/gshadow");
+ sysfiles_setup("/usr/bin/doas");
 sysfiles_setup("/usr/bin/mount");
 sysfiles_setup("/usr/bin/su");
 sysfiles_setup("/usr/bin/ksu");
--
cgit v1.2.3-70-g09d2
From 0440911064611f9c414c13a6fe053da5018c36fa Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Fri, 14 Jul 2023 08:48:26 -0300
Subject: firecfg: rename get_user to get_sudo_user
To make it match the function used in src/jailcheck/utils.c.
---
 src/firecfg/main.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index da962c35d..ccb55457c 100644
--- a/src/firecfg/main.c
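Review bot: The commit message says the missing sudo/doas paths were added to etc/ids.config, but the ids.config hunk only adds `/etc/sudo*.conf` next to the existing `/etc/sudoers*`; `/etc/doas.conf`, which the disable-common.inc hunk below does blacklist, has no counterpart here unless it is already listed earlier in the file, outside this hunk. If it is not, `/etc/doas.conf` should be added to ids.config at its sorted position so that the integrity-check list and the blacklist cover the same set of privilege-escalation configuration files. The `/usr/bin/doas` entry in the jailcheck hunk is consistent with the commit's intent and needs no change.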
+++ b/src/firecfg/main.c
@@ -288,7 +288,7 @@ static void set_links_homedir(const char *homedir) {
 free(firejail_exec);
 }
-static char *get_user(void) {
+static char *get_sudo_user(void) {
 char *user = getenv("SUDO_USER");
 if (!user) {
 user = getpwuid(getuid())->pw_name;
@@ -326,7 +326,7 @@ int main(int argc, char **argv) {
 int bindir_set = 0;
 // user setup
- char *user = get_user();
+ char *user = get_sudo_user();
 assert(user);
 uid_t uid;
 gid_t gid;
--
cgit v1.2.3-70-g09d2
From 03a01071970a21b306b9916feb95c0993356d902 Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Fri, 14 Jul 2023 09:06:57 -0300
Subject: firecfg: add const to a few functions/variables
To make it clearer that they are not modified later.
---
 src/firecfg/desktop_files.c | 2 +-
 src/firecfg/firecfg.h | 2 +-
 src/firecfg/main.c | 13 ++++++-------
 3 files changed, 8 insertions(+), 9 deletions(-)
diff --git a/src/firecfg/desktop_files.c b/src/firecfg/desktop_files.c
index 963e05ff3..7ac60f70c 100644
--- a/src/firecfg/desktop_files.c
+++ b/src/firecfg/desktop_files.c
@@ -108,7 +108,7 @@ static int have_profile(const char *filename, const char *homedir) {
 return rv;
 }
-void fix_desktop_files(char *homedir) {
+void fix_desktop_files(const char *homedir) {
 assert(homedir);
 struct stat sb;
diff --git a/src/firecfg/firecfg.h b/src/firecfg/firecfg.h
index 825bf8d03..8f74a1198 100644
--- a/src/firecfg/firecfg.h
+++ b/src/firecfg/firecfg.h
@@ -49,6 +49,6 @@ int is_link(const char *fname);
 void sound(void);
 // desktop_files.c
-void fix_desktop_files(char *homedir);
+void fix_desktop_files(const char *homedir);
 #endif
diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index ccb55457c..a6cae995e 100644
--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -288,8 +288,8 @@ static void set_links_homedir(const char *homedir) {
 free(firejail_exec);
 }
-static char *get_sudo_user(void) {
- char *user = getenv("SUDO_USER");
+static const char *get_sudo_user(void) {
+ const char *user = getenv("SUDO_USER");
 if (!user) {
 user = getpwuid(getuid())->pw_name;
 if (!user) {
@@ -301,13 +301,13 @@ static char *get_sudo_user(void) {
 return user;
 }
-static char *get_homedir(const char *user, uid_t *uid, gid_t *gid) {
+static const char *get_homedir(const char *user, uid_t *uid, gid_t *gid) {
 // find home directory
 struct passwd *pw = getpwnam(user);
 if (!pw) goto errexit;
- char *home = pw->pw_dir;
+ const char *home = pw->pw_dir;
 if (!home) goto errexit;
@@ -326,12 +326,11 @@ int main(int argc, char **argv) {
 int bindir_set = 0;
 // user setup
- char *user = get_sudo_user();
+ const char *user = get_sudo_user();
 assert(user);
 uid_t uid;
 gid_t gid;
- char *home = get_homedir(user, &uid, &gid);
-
+ const char *home = get_homedir(user, &uid, &gid);
 // check for --bindir
 for (i = 1; i < argc; i++) {
--
cgit v1.2.3-70-g09d2
From e7225b64469b6ada187764ee9f663ad1039f20b0 Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Fri, 14 Jul 2023 04:23:58 -0300
Subject: feature: add doas support in firecfg and jailcheck
Closes #5899.
Suggested-by: @shaggonit
---
 src/firecfg/main.c | 5 ++++-
 src/jailcheck/main.c | 2 +-
 src/jailcheck/utils.c | 5 ++++-
 src/man/firecfg.1.in | 4 +++-
 src/man/jailcheck.1.in | 5 ++---
 5 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index a6cae995e..4ec81c5b3 100644
--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -289,7 +289,10 @@ static void set_links_homedir(const char *homedir) {
 }
 static const char *get_sudo_user(void) {
- const char *user = getenv("SUDO_USER");
+ const char *doas_user = getenv("DOAS_USER");
+ const char *sudo_user = getenv("SUDO_USER");
+ const char *user = doas_user ? doas_user : sudo_user;
+
 if (!user) {
 user = getpwuid(getuid())->pw_name;
 if (!user) {
diff --git a/src/jailcheck/main.c b/src/jailcheck/main.c
index 93d334c7a..6cc5cf904 100644
--- a/src/jailcheck/main.c
+++ b/src/jailcheck/main.c
@@ -86,7 +86,7 @@ int main(int argc, char **argv) {
 // user setup
 if (getuid() != 0) {
- fprintf(stderr, "Error: you need to be root (via sudo) to run this program\n");
+ fprintf(stderr, "Error: you need to be root (via sudo or doas) to run this program\n");
 exit(1);
 }
 user_name = get_sudo_user();
diff --git a/src/jailcheck/utils.c b/src/jailcheck/utils.c
index 97fe8833b..930820604 100644
--- a/src/jailcheck/utils.c
+++ b/src/jailcheck/utils.c
@@ -26,7 +26,10 @@
 #define BUFLEN 4096
 char *get_sudo_user(void) {
- char *user = getenv("SUDO_USER");
+ char *doas_user = getenv("DOAS_USER");
+ char *sudo_user = getenv("SUDO_USER");
+ char *user = doas_user ? doas_user : sudo_user;
+
 if (!user) {
 user = getpwuid(getuid())->pw_name;
 if (!user) {
diff --git a/src/man/firecfg.1.in b/src/man/firecfg.1.in
index 42add6a41..a85fbc5da 100644
--- a/src/man/firecfg.1.in
+++ b/src/man/firecfg.1.in
@@ -23,7 +23,9 @@ The integration covers:
 - programs started by clicking on file icons in file manager
 - only Cinnamon, KDE, LXDE/LXQT, MATE and XFCE desktop managers are supported in this moment
 .RE
-
+.PP
+Note: The examples use \fBsudo\fR, but \fBdoas\fR is also supported.
+.PP
 To set it up, run "sudo firecfg" after installing Firejail software.
 The same command should also be run after installing new programs.
 If the program is supported by Firejail, the symbolic link in /usr/local/bin
diff --git a/src/man/jailcheck.1.in b/src/man/jailcheck.1.in
index e889ea91b..eea5987b7 100644
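Review bot: The `DOAS_USER`/`SUDO_USER` selection added to `get_sudo_user` in `src/firecfg/main.c` is duplicated verbatim in `src/jailcheck/utils.c` (the hunk below), differing only in `const char *` versus `char *`; a single shared helper would keep the two copies from drifting further than their signatures already have. The precedence — `DOAS_USER` wins when both variables are set — is not documented anywhere in the hunk, and a one-line comment above the ternary such as `// DOAS_USER takes precedence over SUDO_USER when both are set (TODO: record why)` would preserve the reasoning. The fallback on the context line, `user = getpwuid(getuid())->pw_name;`, dereferences the `getpwuid` result without a NULL check; that is pre-existing rather than introduced here, but the new code still routes into it. `get_sudo_user` continues past the end of the hunk in both files.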
--- a/src/man/jailcheck.1.in
+++ b/src/man/jailcheck.1.in
@@ -24,9 +24,8 @@ them from inside the sandbox.
 \fB5. Seccomp test
 .TP
 \fB6. Networking test
-.TP
-The program is started as root using sudo.
-
+.PP
+The program should be started using \fBsudo\fR or \fBdoas\fR.
 .SH OPTIONS
 .TP
 \fB\-\-debug
--
cgit v1.2.3-70-g09d2
From 154ffadef96744a123950626cb341df7cfae01a4 Mon Sep 17 00:00:00 2001
From: ydididodat
Date: Sat, 15 Jul 2023 14:50:09 +0000
Subject: bleachbit.profile: allow erasing Trash contents
Bleachbit is used to permanently delete files by overwriting the memory. So the most popular feature of Bleachbit is emptying the Trash.
Relates to #5337.
---
 etc/profile-a-l/bleachbit.profile | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/etc/profile-a-l/bleachbit.profile b/etc/profile-a-l/bleachbit.profile
index 45ae345c3..52d970d89 100644
--- a/etc/profile-a-l/bleachbit.profile
+++ b/etc/profile-a-l/bleachbit.profile
@@ -7,6 +7,9 @@ include bleachbit.local
 # Persistent global definitions
 include globals.local
+# Necessary for BleachBit to erase Trash contents.
+noblacklist ${HOME}/.local/share/Trash
+
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
--
cgit v1.2.3-70-g09d2