From b7828e463f868e66e1d5fc6fc48328b6437e0504 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 16 Oct 2017 07:46:06 -0400 Subject: enable private-etc on firefox browser --- etc/firefox.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/firefox.profile b/etc/firefox.profile index 1f4a8e3f6..80cdb6ab0 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile @@ -76,7 +76,7 @@ tracelog # firefox requires a shell to launch on Arch. We can possibly remove sh though. # private-bin firefox,which,sh,dbus-launch,dbus-send,env,sh,bash private-dev -# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse +private-etc iceweasel,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse private-tmp noexec ${HOME} -- cgit v1.2.3-54-g00ecf From d0e335e6000259dc4ae31f8fcacf36354cc81fe1 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 16 Oct 2017 07:49:55 -0400 Subject: fixed make deb --- platform/debian/conffiles | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/platform/debian/conffiles b/platform/debian/conffiles index b597bbef4..c24e13b61 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -197,7 +197,6 @@ /etc/firejail/luminance-hdr.profile /etc/firejail/lximage-qt.profile /etc/firejail/lxmusic.profile -/etc/firejail/lxterminal.profile /etc/firejail/lynx.profile /etc/firejail/mate-calc.profile /etc/firejail/mate-calculator.profile @@ -416,3 +415,8 @@ /etc/firejail/xmr-stak-cpu.profile /etc/firejail/zart.profile /etc/firejail/xcalc.profile +/etc/firejail/aosp.profile +/etc/firejail/gnome-ring.profile +/etc/firejail/pdfmod.profile +/etc/firejail/signal-desktop.profile +/etc/firejail/zaproxy.profile -- cgit v1.2.3-54-g00ecf 
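Review bot: The new `private-etc` list on the `+` line of the firefox.profile hunk names the Debian/Arch certificate locations (`ca-certificates`, `ssl`) but not `pki`, which is where Fedora/RHEL keep the CA trust store, so TLS inside the sandbox would presumably break there; either add `pki` or state the distributions the list was checked on. A private-etc whitelist fails closed, so every omitted entry surfaces as a silently missing feature rather than an error, which deserves a line above the directive such as `# private-etc: anything not listed here does not exist inside the sandbox; extend rather than comment out when a feature breaks`.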
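Review bot: The five entries added at the end of the second conffiles hunk are appended after `xcalc.profile`, which itself already follows `zart.profile`, so the list is no longer in a sorted order and the next "make deb" mismatch is harder to spot by eye; keeping the file sorted (`LC_ALL=C sort`) turns a comparison against the installed profile list into a one-line diff. Whether `lxterminal.profile`, removed in the first hunk, was also dropped from the install targets cannot be seen from this hunk.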
From 63ca6d22c2d2e74b8c6e95fa9c35013d5886a5e7 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 16 Oct 2017 08:14:33 -0400 Subject: speed up travis --- .travis.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index a52c34bd2..0484f0d4d 100644 --- a/.travis.yml +++ b/.travis.yml @@ -10,8 +10,6 @@ script: - ( sudo dpkg -P firejail ) - ( cd firejail ; ./configure --prefix=/usr --enable-git-install && make && sudo make install && make test-travis ) - ( cd firejail ; sudo make install-strip DESTDIR=$(readlink -f appdir) ) - - ( cd firejail ; ./configure --prefix=/usr --enable-git-install && make && sudo make install && make test-travis ) - - ( cd firejail ; sudo make install-strip DESTDIR=$(readlink -f appdir) ) # If successful, build release tarball - ( cd appdir/ ; tar cfvj ../firejail-build$TRAVIS_BUILD_NUMBER.tar.bz2 . ) - curl --upload-file ./firejail-*.tar.bz2 https://transfer.sh/firejail-build$TRAVIS_BUILD_NUMBER.tar.bz2 -- cgit v1.2.3-54-g00ecf From f25fa5cbc2859e4b9f13fcfea79942e1056e1a89 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Mon, 16 Oct 2017 08:58:30 -0400 Subject: added private-lib to eog, eom, file, gpicview, less, strings, and tar --- RELNOTES | 4 +- etc/eog.profile | 1 + etc/eom.profile | 1 + etc/file.profile | 1 + etc/gpicview.profile | 1 + etc/less.profile | 3 +- etc/strings.profile | 3 +- etc/tar.profile | 1 + test/apps/apps.sh | 2 +- test/apps/hexchat.exp | 83 +++++++++++++++++++++++++++++++++++++++++ test/private-lib/eog.exp | 83 +++++++++++++++++++++++++++++++++++++++++ test/private-lib/eom.exp | 83 +++++++++++++++++++++++++++++++++++++++++ test/private-lib/gpicview.exp | 83 +++++++++++++++++++++++++++++++++++++++++ test/private-lib/hexchat.exp | 83 ----------------------------------------- test/private-lib/private-lib.sh | 2 +- 15 files changed, 346 insertions(+), 88 deletions(-) create mode 100755 test/apps/hexchat.exp create mode 100755 test/private-lib/eog.exp create mode 100755 test/private-lib/eom.exp create mode 100755 test/private-lib/gpicview.exp delete mode 100755 test/private-lib/hexchat.exp diff --git a/RELNOTES b/RELNOTES index 026c67f9b..9a15686db 100644 --- a/RELNOTES +++ b/RELNOTES @@ -3,13 +3,15 @@ firejail (0.9.51) baseline; urgency=low * enhancement: support Firejail user config directory in firecfg * enhancement: disable DBus activation in firecfg * enhancement; enumerate root directories in apparmor profile + * enhancement: enable private-lib in Firefox profile * feature: systemd-resolved integration * feature: whitelisting /var directory in most profiles * feature: GTK2, GTK3 and Qt4 private-lib support * feature: test deployment of private-lib for the following applications: evince, galculator, gnome-calculator, leafpad, mousepad, transmission-gtk, xcalc, xmr-stak-cpu, - atril, mate-color-select + atril, mate-color-select, tar, file, strings, gpicview, + eom, eog * feature: --writable-run-user * feature: profile build tool (--build) -- netblue30 Thu, 14 Sep 2017 20:00:00 -0500 
diff --git a/etc/eog.profile b/etc/eog.profile index 5ff926371..112ec7c98 100644 --- a/etc/eog.profile +++ b/etc/eog.profile @@ -34,6 +34,7 @@ shell none private-bin eog private-dev private-etc fonts +private-lib private-tmp memory-deny-write-execute diff --git a/etc/eom.profile b/etc/eom.profile index 802578959..af7ded91a 100644 --- a/etc/eom.profile +++ b/etc/eom.profile @@ -35,6 +35,7 @@ tracelog private-bin eom private-dev private-etc fonts +private-lib private-tmp memory-deny-write-execute diff --git a/etc/file.profile b/etc/file.profile index a83b2cf7d..2316b8e9b 100644 --- a/etc/file.profile +++ b/etc/file.profile @@ -31,6 +31,7 @@ x11 none private-bin file private-dev private-etc magic.mgc,magic,localtime +private-lib memory-deny-write-execute noexec ${HOME} diff --git a/etc/gpicview.profile b/etc/gpicview.profile index 1842c9cb1..b37af2843 100644 --- a/etc/gpicview.profile +++ b/etc/gpicview.profile @@ -31,4 +31,5 @@ tracelog private-bin gpicview private-dev private-etc fonts +private-lib private-tmp diff --git a/etc/less.profile b/etc/less.profile index e1c42ed76..0935f8945 100644 --- a/etc/less.profile +++ b/etc/less.profile @@ -20,8 +20,9 @@ tracelog writable-var-log # The user can have a custom coloring scritps configured in ~/.lessfilter. -# Enable private-bin if you are not using any filter. +# Enable private-bin and private-lib if you are not using any filter. # private-bin less +# private-lib private-dev memory-deny-write-execute diff --git a/etc/strings.profile b/etc/strings.profile index 90bb35ecd..83561cae5 100644 --- a/etc/strings.profile +++ b/etc/strings.profile @@ -18,8 +18,9 @@ novideo shell none tracelog -# private-bin strings - breaking on Debian +private-bin strings private-dev +private-lib memory-deny-write-execute diff --git a/etc/tar.profile b/etc/tar.profile index c8c0b2cae..92ddaa2f3 100644 --- a/etc/tar.profile +++ b/etc/tar.profile 
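Review bot: The bare `private-lib` added to eog.profile presumably builds its library set from the binaries named in `private-bin`, which does not cover libraries loaded at runtime with dlopen; for an image viewer that is the gdk-pixbuf loader directory, so image formats will only work if firejail's GTK private-lib support copies it. The same applies to the `eom` and `gpicview` hunks further down. If that support is relied on, a comment above the directive would save the next reader the check, e.g. `# private-lib: depends on firejail's built-in GTK library list for the gdk-pixbuf loaders`; if it is not, opening a PNG/JPEG/SVG inside the sandbox is the quickest way to find out.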
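Review bot: The `+private-bin strings` line in strings.profile re-enables a directive whose removed neighbour was explicitly marked `breaking on Debian`, and nothing in the hunk records what changed to make it safe now, so that history is lost; a comment such as `# private-bin strings: previously broke on Debian; re-enabled because <reason>` would keep it. If the Debian breakage is not actually resolved it will go unnoticed, because strings is not in the test list in test/private-lib/private-lib.sh and no strings.exp is added.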
@@ -23,5 +23,6 @@ tracelog private-bin sh,bash,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop private-dev private-etc passwd,group,localtime +private-lib include /etc/firejail/default.profile diff --git a/test/apps/apps.sh b/test/apps/apps.sh index 5e2397c2d..04b6f0c85 100755 --- a/test/apps/apps.sh +++ b/test/apps/apps.sh @@ -7,7 +7,7 @@ export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) LIST="firefox midori chromium opera transmission-qt qbittorrent uget-gtk filezilla gthumb thunderbird " -LIST+="vlc fbreader deluge gnome-mplayer xchat wine kcalc ktorrent" +LIST+="vlc fbreader deluge gnome-mplayer xchat wine kcalc ktorrent hexchat" for app in $LIST; do which $app diff --git a/test/apps/hexchat.exp b/test/apps/hexchat.exp new file mode 100755 index 000000000..35e12ea87 --- /dev/null +++ b/test/apps/hexchat.exp 
@@ -0,0 +1,83 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2017 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail hexchat\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Reading profile /etc/firejail/hexchat.profile" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 3 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "hexchat" +} +after 100 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} + ":firejail hexchat" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +after 100 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + ":firejail hexchat" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +after 100 + +puts "\nall done\n" diff --git a/test/private-lib/eog.exp b/test/private-lib/eog.exp new file mode 100755 index 000000000..23af4e793 --- /dev/null +++ b/test/private-lib/eog.exp 
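Review bot: Every failure branch in the new hexchat.exp ends in a bare `exit`, which in expect returns status 0, so any harness that relies on the exit code rather than grepping the log for `TESTING ERROR` would treat these runs as passing; `exit 1` in the timeout handlers makes the intent explicit. The same body is repeated verbatim in test/private-lib/eog.exp, eom.exp and gpicview.exp with only the application name changed, and in all four the label `TESTING ERROR 5.1` is used by two different expect blocks, so a failure report is ambiguous. The three private-lib scripts only confirm that the sandbox starts and that seccomp and capabilities are applied; they never load anything through `private-lib`, so a step that opens a fixture file (for example `send -- "firejail eog <path-to-test-image>\r"`, placeholder path) is the one that would actually fail when a library is missing.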
@@ -0,0 +1,83 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2017 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail eog\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Reading profile /etc/firejail/eog.profile" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 3 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "eog" +} +after 100 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} + ":firejail eog" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +after 100 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + ":firejail eog" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +after 100 + +puts "\nall done\n" diff --git a/test/private-lib/eom.exp b/test/private-lib/eom.exp new file mode 100755 index 000000000..aaedf8c86 --- /dev/null +++ b/test/private-lib/eom.exp 
@@ -0,0 +1,83 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2017 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail eom\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Reading profile /etc/firejail/eom.profile" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 3 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "eom" +} +after 100 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} + ":firejail eom" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +after 100 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + ":firejail eom" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +after 100 + +puts "\nall done\n" diff --git a/test/private-lib/gpicview.exp b/test/private-lib/gpicview.exp new file mode 100755 index 000000000..ed566a892 --- /dev/null +++ b/test/private-lib/gpicview.exp 
@@ -0,0 +1,83 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2017 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail gpicview\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Reading profile /etc/firejail/gpicview.profile" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 3 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "gpicview" +} +after 100 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} + ":firejail gpicview" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +after 100 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + ":firejail gpicview" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +after 100 + +puts "\nall done\n" diff --git a/test/private-lib/hexchat.exp b/test/private-lib/hexchat.exp deleted file mode 100755 index 35e12ea87..000000000 --- a/test/private-lib/hexchat.exp +++ /dev/null 
@@ -1,83 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2017 Firejail Authors -# License GPL v2 - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail hexchat\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Reading profile /etc/firejail/hexchat.profile" -} -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -sleep 3 - -spawn $env(SHELL) -send -- "firejail --list\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "hexchat" -} -after 100 - -# grsecurity exit -send -- "file /proc/sys/kernel/grsecurity\r" -expect { - timeout {puts "TESTING ERROR - grsecurity detection\n";exit} - "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} - "cannot open" {puts "grsecurity not present\n"} -} - -send -- "firejail --name=blablabla\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -sleep 2 - -spawn $env(SHELL) -send -- "firemon --seccomp\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} - ":firejail hexchat" -} -expect { - timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} - "Seccomp: 2" -} -expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "name=blablabla" -} -after 100 -send -- "firemon --caps\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - ":firejail hexchat" -} -expect { - timeout {puts "TESTING ERROR 6.1\n";exit} - "CapBnd:" -} -expect { - timeout {puts "TESTING ERROR 6.2\n";exit} - "0000000000000000" -} -expect { - timeout {puts "TESTING ERROR 6.3\n";exit} - "name=blablabla" -} -after 100 - -puts "\nall done\n" diff --git a/test/private-lib/private-lib.sh b/test/private-lib/private-lib.sh index 7e17f4eda..2449e91d7 100755 --- a/test/private-lib/private-lib.sh +++ b/test/private-lib/private-lib.sh 
@@ -5,7 +5,7 @@ export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) -LIST="evince galculator gnome-calculator hexchat leafpad mousepad transmission-gtk xcalc atril" +LIST="evince galculator gnome-calculator hexchat leafpad mousepad transmission-gtk xcalc atril gpicview eom eog" for app in $LIST; do -- cgit v1.2.3-54-g00ecf
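Review bot: `hexchat` is still in `LIST` on the new line, yet this same commit deletes test/private-lib/hexchat.exp and recreates it under test/apps, so if the loop body (outside the hunk) runs `./$app.exp` the hexchat iteration now fails on a missing script; the line should read `LIST="evince galculator gnome-calculator leafpad mousepad transmission-gtk xcalc atril gpicview eom eog"`. Conversely, file, strings and tar receive `private-lib` in this commit and RELNOTES lists them as tested, but they are neither in `LIST` nor given an .exp script here.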